UK’s £92 Million in Damages Due to 2017 Cyber Attacks

The Health and Social Care Department of the United Kingdom has recently revealed publicly that last year, WannaCry cost the government’s national health care system an additional £92 million. Majority of the additional cost was due to lost patient records, most of which need to be reconstructed by contracting external IT consultants and cybersecurity professional teams.

In May 2017 alone, due to WannaCry hospitals across the country needed to cancel 19,000 appointments. The output of the healthcare institutions was disrupted heavily by the ransomware, with the frequency of interruptions happening almost on a weekly basis. From the data obtained in the report, £500,000 was spent in IT consultancy in order to perform immediate damage control from June to July 2017. But later on, the cost ballooned to £72 million.

However, the Department needed more time for the comprehensive cost estimate of the damages and recovery. Took them until June 2018 in order to cover all the facts and capture necessary data for the report. In September 2018, the US government as represented by its intelligence agencies has pinned down an unnamed North Korean as the perpetrator for the spread of WannaCry.

The North Korean government has strongly denied the allegation, claiming the person which remained unnamed does not exist. “The act of cybercrimes mentioned by the Justice Department has nothing to do with us. The U.S. should seriously ponder over the negative consequences of circulating falsehoods and inciting antagonism against the DPRK that may affect the implementation of the joint statement adopted at the DPRK-US summit,” said Han Yong Song of North Korea’s Institute for American studies.

“A tremendously positive step to see cost metrics being assessed in relation to the impact of WannaCry. One area that is difficult and requires time to gauge, though, is the impact on long-term morbidity caused by WannaCry. For example, how does a canceled appointment delaying treatment effect a patient outcome? Was a discharge delayed that led to a patient being exposed to more clinical risks. We need to continue to formalize our risk assessments for healthcare cybersecurity, especially as it becomes more targeted and sophisticated. We have to also remember that every granular cost identified also becomes the basis for the business case for further cybersecurity investment. For this to be successful it’s only right that there is engagement at ministerial levels,” explained NHS.

Unfortunately, the UK’s Ministers are not all IT professionals, hence has not a complete grasp of the whole cybersecurity issue affecting the country. As the country prepares itself with the Brexit process, it may or may not lessen the security of the country with its full implementation. GDPR, which is temporarily implemented in the UK pending Brexit will lose its grip in the country once Brexit process is concluded. “If we look ahead 3-5 years it’s inevitable that the GDPR will be updated. what will happen to the UK version of the text and what if it chooses to change the penalties or other parts independently to the EU refresh cycle? What complicates these extra processes and frameworks is that they may be argued to be ineffective at providing equivalent protection of data if they can be overridden by national law. this exact situation was seen with the predecessor to Privacy Shield, which was called the International Safe Harbor Principles and declared invalid in 2015 due to the fact that it could not override national laws which did not provide equivalent protections for personal data,” explained Bridget Kenyon of Thales Security.