Committee claims one recommendation from a draft review of Wannacry could cost £1bn

NHS Improvement has been told that implementing just one recommendation included in an NHS England draft report on learning from the Wannacry cyber-attack will cost £1 billion.

Minutes from a meeting of NHS Improvement’s technology and data assurance committee in December reveal NHS England CIO, Will Smart, presented a “draft lessons learned review” following the attack in May and included recommendations.

The committee’s papers note that “to implement the first recommendation as set out in the review would cost £1 billion”, though the details of what the recommendation are not revealed.

The committee then states this unknown recommendation is considered a “core patient safety issue” by NHS England and the funding for it “would have to be found”.

“There had been a suggestion that the funding allocated to the Paperless 2020 programme should be used for this purpose but doing so would mean cancelling the balance of the Paperless 2020 programme,” the minutes add.

The Paperless 2020 programme set aside £1.3bn of government funding to go towards making the NHS paperless to the point at the point of care.  Cancelling the already limited national investments in clinical systems that are most likely to directly benefit patient care would be contentious.

The call for funding is likely to partly to modernise and bootstrap the infrastructure and software run across all parts of the NHS, through investment in networks and the latest version of operating and application software.  Smart is known to be currently in negotiations for a new Enterprise Wide Agreement with Microsoft and negotiations are also underway for a national cloud licensing deal.

The idea of reallocating funds away from the programme had previously been brought up at an NHS Improvements board meeting, which was also attended by Smart.

Minutes from the meeting suggest that funds have already started to be reallocated, and that

“The Board discussed the Paperless 2020 programme,” it states.

“It was noted that there was not sufficient funding for the programme, and that this situation had been exacerbated by the requirement to fund cybersecurity investment from the Paperless 2020 programme budget.”

A previous report by the National Audit Office (NAO) revealed that simple measures could have been taken to protect the NHS from the global cyber-attack.