NHS response to global ransomware attack

Presiding officer, thank you for the opportunity to make a statement on the impact and response of the NHS in Scotland to the recent global ransomware attack.

Members will have seen news reports about the global impact of Friday's attack. In the UK the main area affected has been the NHS. Across NHS England, 47 health organisations were infected with the malware, including 27 acute trusts. In Scotland, 13 Health Boards have experienced some impact from this attack, although less severely than in England.

I wanted to come to Parliament today to update members on the current situation. Members will be aware that a UK-wide criminal investigation is underway, led by the National Cyber Security Centre, and supported by Police Scotland. Health Boards will fully support these enquiries.

My Cabinet colleague Michael Matheson, the Cabinet Secretary for Justice, participated in a meeting of the Cabinet Office Briefing Rooms (COBR) committee yesterday afternoon, which was chaired by the Home Secretary, to consider the consequences of this cyber-attack.

Ensuring services recover from the cyber-attack as quickly as possible has been a priority for Health Boards. What is clear is that, since Friday, Health Board staff, as well as staff within GP practices, have been working extremely hard to ensure that the impact of this attack does not affect the quality and the care provided by vital NHS services. I want to take the opportunity to thank them for their efforts.

Of the 13 Boards affected, NHS Lanarkshire and NHS Borders have experienced the most significant impact. In response to this, as with other Health Boards, contingency arrangements were put in place, including manual standby ‎systems, to ensure that appropriate patient information was still being captured and that patient services were being delivered across the NHS.

I would like to take this opportunity today to reassure patients in Scotland that there have not been any reported breaches of patient data or personal details as a result of the attacks.

Good progress has been made by all Boards over the weekend in terms of recovery and mitigation. Most services, computer devices and systems were back online and operational on Monday morning. Many Boards' IT staff are working on a 24-hour basis to ensure that appropriate fixes and the guidance issued by the National Cyber Security Centre are in place so that services are available to the public as quickly as possible. There will however still remain ongoing work by Boards to ensure that staff report any issues so that these can be investigated.

I have written to Health Boards to record my thanks to all staff involved in responding to these attacks, and thanking them for the additional work they have carried out since Friday to ensure the impact has been managed appropriately.

While investigations and reviews are underway, initial assessment highlighted that, across Health Boards, less than 1% of devices have been affected – this is around 1,500 devices. NHS Lanarkshire and NHS Borders have now reported that they have made considerable progress in restoring systems and that patient services continue to be provided. NHS Lanarkshire has reported that fewer than 20 patients waiting for routine appointments have had to be rescheduled.

While the response from Health Boards and their staff is to be commended, I am sure that, like me, many members will want to understand why the impact from this cyber-attack has affected the NHS.

My officials are working closely with Health Boards to gain an understanding of why this situation arose in the first place. Issues that will be considered through this work will be to understand whether Health Boards had appropriate patching regimes in place.

This is the process of applying fixes from software and hardware suppliers onto IT systems to improve security. With less than 1% of devices infected, I think we can draw some comfort from that position. However, we must not be complacent. I should also make clear that the adoption of any patch from a supplier requires a technical assessment to ensure that there are no unintended consequences on NHS systems.

My Cabinet colleagues are also seeking assurance across the wider public, private and voluntary sectors in relation to cyber-preparedness, and the Scottish Government have contacted over 120 public bodies to seek assurance that they have the appropriate resilience in place.

The Cabinet Secretary for Justice will today chair a meeting of the National Cyber Resilience Leaders Board – which draws together a range of partners, including industry. The Board will consider the circumstances that led to the attack, the multi-agency response, and the steps that can be taken to enhance the future resilience across sectors. This is not a threat that Government can combat alone. This is about all of us, across all sectors, working, sharing and learning together to reduce the impacts these criminal attacks have on our organisations and the public.

There continues to be substantial investment in IT across NHS Scotland. The Scottish Government provides funding of around £100 million per annum to Health Boards for IT investment and for maintaining cybersecurity resilience. Health Boards spend at least the same amount per annum; however we know that in 2016 to 2017, total spend was around £257 million.

Although the attack was unprecedented in its scope, with hundreds of organisations affected across the globe, it was not an isolated incident. In fact NHS Scotland along with other organisations face similar attacks every day, most of which are thwarted by the controls and protections that are in place.

All Health Boards have IT security frameworks and policies in place; the IT environment across Health Boards is complex, with a mixture of legacy and new systems and technology. There is a continuing work programme in place to ensure all systems are updated as soon as possible as developments in technology move on.

I can assure Parliament that the NHS in Scotland remains at the forefront of using digital technology to support the quality of the patient services we provide.

There will be a number of lessons arising from these ransomware attacks that we must learn from. Reviews are already underway to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future.

The Scottish Government will also be arranging a 'lessons learned' exercise to help Health Boards and other agencies to mitigate the risks from further ransomware and other cyber-attacks.

However, due to these criminal activities, the NHS and all other parts of the public sector need to be vigilant and keep their systems up-to-date and fully protected at all time. This is a lesson that all parts of society can learn from.

In conclusion, I want to reiterate that while the impact of these attacks has affected NHS Boards, there has been no reported breaches of patient data or loss of personal details, or any reported impact on patient safety. In addition, I commend the response of Health Board staff who have worked tirelessly to ensure the impact has been kept to a minimum.

However, we cannot be complacent and we must ensure that the lessons identified are adopted by all Health Boards going forward, so that we minimise as far as we can the impact such attacks have on systems we use to deliver not just health but our public services in Scotland.

Thank you.