Question reference: S6W-26702

  • Asked by: Jackie Baillie, MSP for Dumbarton, Scottish Labour
  • Date lodged: 5 April 2024
  • Current status: Answered by Neil Gray on 23 April 2024

Question

To ask the Scottish Government what tests of IT systems regarding their vulnerability to cyber attacks are undertaken (a) by individual NHS boards and (b) on an NHS Scotland-wide basis.


Answer

The Network and Information System Regulations set out standards which NHS Scotland Health Boards must comply with. Boards must test themselves against these standards which cover managing security risk, defending systems against cyber-attack, detecting cyber security events, and minimising the impact of cyber security incidents. This is in addition to mandatory information security and data protection risk/impact assessments and routine penetration testing on all major IT systems.

The NHS Scotland Cyber Centre of Excellence (CCoE) works nationally across health boards to prioritise the security capabilities of existing technologies and deployment of new tooling. This allows real-time discovery of vulnerabilities and potential issues across a national view.