The decision by the Department of Health and Social Care to assign real values to the ‘lost outputs’ experienced by the NHS during the 2017 WannaCry attack is indicative of how organisations are taking a much more holistic view of the financial impact of IT downtime. This is according to business continuity and disaster recovery firm, Databarracks.
Recently, the Department of Health and Social Care (DHSC) revealed the WannaCry attack which hit the NHS last year cost the health service £92m.
It estimates around £19 million was lost in terms of patient care output, based on the findings that 1 per cent of NHS services were disrupted over a one-week period. In addition to the lost services, it’s believed a further £500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.
The biggest costs came in the June-July period immediately following WannaCry, which is estimated to have cost a further £72 million as the NHS worked to restore its services to full operation and to recover its data. Peter Groucutt, managing director of Databarracks states contextualising these lost outputs as a cost is a positive action from the DHSC.
Increasingly, organisations are improving their understanding of the costs of IT downtime. Databarracks’ 2017 Data Health Check survey revealed – 35 per cent of participants did not know what downtime would cost their business. In 2018, that figure dropped to only 22 per cent.
Groucutt says: “IT downtime, whether it be from a data breach or the result of an IT outage, impacts an organisation in several ways but will always carry a cost. Calculating that cost is not easy, but it is essential in order to understand the full impact to the organisation and to help decide what improvements must be made.”
Groucutt continued: “There are several types of costs that need to be considered when estimating the financial impact of downtime on an organisation. The first are immediate tangible costs, such as lost revenue and the direct costs to fix the issue. In the NHS’ case it did not ‘lose revenue’, so instead, it quantified the impact through lost outputs, including cancelled appointments and operations.
“Assigning a value to those appointments allowed it easily clarify the financial impact of cancelling 19,000 appointments during the attack. Additionally, it was also welcoming to see it recognise not just the IT costs experienced within the immediate attack but also later costs which included £72m on IT support in the months following.”
Groucutt states the DHSC assigning real values to these lost outputs, could prove critical in securing the necessary budgets needed to strengthen IT resilience across the service.
“In the wake of the NHS WannaCry attack the NHS England’s chief information officer Will Smart outlined 22 recommendations for local NHS organisations to adopt to improve resilience. This included ensuring contracts with IT suppliers “factor in and budget for” keeping software up-to-date, including security patches. While this should be fundamental to any good security practices, assigning real monetary values to these specific areas could prove the tipping point in helping the NHS to secure the funds needed to strengthen resilience.”
Groucutt continued: “In addition to tangible costs there are often ‘hidden’ costs associated with IT downtime. For most organisations these hidden costs might materialise through damage to reputation. A publicly listed company will immediately see the impact of reputational damage in a drop in its share price. Private companies can calculate the impact of reputational damage by estimating the value of customers deferring to competitors.
“For the NHS – as a public service – this is much more difficult for the DHSC to determine.
Although these hidden costs can be difficult to calculate, it is important to at least include an estimate. With the NHS, they could have published their costs as £73m plus “other costs relating to lost output”. By also making sensible estimates for other costs, and including the addition £19m, they have a much more complete picture of the impact,” Groucutt concluded.