Meeting of the Parliament

Meeting date: Tuesday, May 16, 2017

Official Report 899KB pdf

---

Global Ransomware Incident

The next item of business is a statement by Shona Robison on the impact on and response by the national health service in Scotland to the global ransomware incident. The cabinet secretary will take questions at the end of her statement, so there should be no interventions or interruptions.

14:04  

Thank you, Presiding Officer, for giving me the opportunity to make a statement on the impact on and response by the national health service in Scotland to the recent global ransomware attack.

Members will have seen news reports about the global impact of Friday’s attack. In the United Kingdom, the main area affected has been the NHS. Across NHS England, 47 health organisations were infected with the malware, including 27 acute trusts. In Scotland, 13 health boards have experienced some impact from the attack, although they have been less severely affected than health service bodies in England.

I wanted to come to Parliament today to update members on the current situation. Members will be aware that a UK-wide criminal investigation is under way, which is being led by the national cybersecurity centre and supported by Police Scotland. Health boards will fully support those inquiries.

Yesterday afternoon, my Cabinet colleague Michael Matheson, the Cabinet Secretary for Justice, participated in a meeting of the Cabinet Office briefing room A—COBRA—committee, which was chaired by the Home Secretary, to consider the consequences of the cyberattack. Ensuring that services recover from the cyberattack as quickly as possible has been a priority for health boards. It is clear that, since Friday, health board staff, as well as staff within general practices, have been working extremely hard to ensure that the attack’s impact does not affect the quality of the care that is provided by vital NHS services. I thank them all for their efforts.

Of the 13 boards that have been affected, NHS Lanarkshire and NHS Borders have experienced the most significant impact. In response to that, contingency arrangements, including manual standby systems, were put in place—as they were in other health board areas—to ensure that appropriate patient information was still being captured and that patient services were being delivered across the NHS.

I would like to take the opportunity to reassure patients in Scotland that there have not been any reported breaches of patient data or personal details as a result of the attacks. Over the weekend, all boards have made good progress on recovery and mitigation. Most services, computer devices and systems were back on line and operational on Monday morning. Many boards’ information technology staff are working on a 24-hour basis to ensure that appropriate fixes—and the guidance that was issued by the national cyber security centre—are in place so that services are available to the public as quickly as possible. However, boards will continue to work to ensure that staff report any issues, so that they can be investigated.

I have written to health boards to record my thanks to all the staff who have been involved in responding to the attacks and to thank them for the additional work that they have carried out since Friday to ensure that the impact has been managed appropriately.

Although investigations and reviews are under way, initial assessment highlighted that, across health boards, less than 1 per cent of devices—around 1,500 in total—have been affected. NHS Lanarkshire and NHS Borders have reported that they have made considerable progress in restoring systems, and that patient services continue to be provided. NHS Lanarkshire has reported that fewer than 20 patients who are waiting for routine appointments have had to be rescheduled.

Although the response from health boards and their staff is to be commended, I am sure that, as I do, many members will want to understand why the cyberattack has affected the NHS. My officials are working closely with health boards to gain an understanding of why the situation arose in the first place. As part of that work, we will seek to understand whether health boards had appropriate patching regimes in place. Patching is the process of applying fixes from software and hardware suppliers on to IT systems to improve security. We can draw some comfort from the fact that less than 1 per cent of devices have been infected, but we must not be complacent. I should also make it clear that the adoption of any patch from a supplier requires a technical assessment to ensure that there are no unintended consequences on NHS systems.

My Cabinet colleagues are seeking assurances across the wider public, private and voluntary sectors in relation to cyberpreparedness, and the Scottish Government has contacted more than 120 public bodies to seek assurance that they have appropriate resilience in place. The Cabinet Secretary for Justice will today chair a meeting of the national cyberresilience leaders board, which draws together a range of partners, including partners from industry.

The board will consider the circumstances that led to the attack, the multi-agency response and the steps that can be taken to enhance future resilience across sectors. It is not a threat that Government can combat alone; it is about all of us across all sectors working, sharing and learning together to reduce the impacts that such criminal attacks have on our organisations and the public. There continues to be substantial investment in IT across NHS Scotland. The Scottish Government provides funding of around £100 million per annum to health boards for IT investment and for maintaining cybersecurity resilience, and health boards spend at least the same amount per annum. We know that the total spend in 2016-17 was around £257 million.

Although the attack was unprecedented in its scope, with hundreds of organisations affected across the globe, it was not an isolated incident. In fact, NHS Scotland, along with other organisations, faces similar attacks every day, most of which are thwarted by the controls and protections that are in place. All health boards have IT security frameworks and policies in place, but the IT environment across health boards is complex, with a mixture of legacy and new systems and technology. There is a continuing work programme in place to ensure that all systems are updated as soon as possible as developments in technology move on. I can assure Parliament that the NHS in Scotland remains at the forefront of using digital technology to support the quality of the patient services that we provide.

There will be a number of lessons arising from the ransomware attacks that we must learn from. Reviews are already under way to capture what can be improved, to ensure that we reduce the chances of a similar attack happening in the future. The Scottish Government will also be arranging a lessons-learned exercise to help health boards and other agencies to mitigate the risks from further ransomware and other cyberattacks. However, due to those criminal activities, the NHS and all other parts of the public sector need to be vigilant and keep their systems up to date and fully protected at all times, which is a lesson that all parts of society can learn from.

I reiterate that, although the impact of the attacks has affected NHS boards, there have been no reported breaches of patient data or loss of personal details, or any reported impact on patient safety. In addition, I commend the response of health board staff, who have worked tirelessly to ensure that the impact has been kept to a minimum. However, we cannot be complacent. We must ensure that the lessons identified are adopted by all health boards so that we can minimise as far as we can the impact that such attacks have on the systems that we use to deliver not just health but our public services in Scotland.

The cabinet secretary will now take questions on the contents of her statement. We have about 20 minutes. I call Donald Cameron.

I refer members to my register of interests and to the fact that I am on the board of two companies that invest in health technology.

I thank the cabinet secretary for the advance view of her statement on an incident that is unjustifiable and indiscriminate. I, too, thank the IT staff across Scotland who have worked tirelessly to get the NHS back online and the medical staff who have continued to provide care in the face of adversity. I welcome the fact that no breach of patient data has been reported, but we must bear in mind the fact that it was not only infrastructure that was affected; patients in our hospitals and health centres were affected as well, with operations cancelled and people unable to get to their scheduled appointments.

One of the reasons why IT systems have failed might be that, across the NHS, out-of-date software is still being used. How will the continuing work programme that the cabinet secretary referred to in her statement ensure that systems not only are upgraded now but continue to be kept up to date in the future?

I thank Donald Cameron for his questions and his comments about the efforts of staff.

IT systems across the NHS are complex and are different because they serve different purposes. The NHS systems that will be used in an acute hospital will be different from those used by special boards, for example. Having the same system in all our NHS boards, therefore, is not the issue; the systems will be different because they serve different purposes.

At the moment, we understand that it was mainly Windows 2007 and Windows 2003 devices that were affected and that only a small number of Windows XP devices were affected. I know that Windows XP has been raised as an issue in the media. There are approximately 6,500 XP devices out of a total of about 150,000 devices, which is less than 5 per cent.

What I am saying is that it is not as straightforward as being about one piece of software compared with another. What we need to understand is why some pieces of software were affected and others were not, and that piece of work will now be undertaken.

I am sure that Donald Cameron will appreciate that all the efforts have been about getting the systems back up and running and sorting out problems, so that the patient impact can be minimised. The next phase is to understand more about what went wrong in those areas where things went wrong and, more important, about what we can do to make sure that we improve the resilience of those systems.

I reiterate that less than 1 per cent of devices were affected, which means that over 99 per cent were not affected by the malware. That provides some context, but Donald Cameron can be assured that I am in no way complacent about that.

I thank the cabinet secretary for prior sight of the statement and I join her in thanking all those IT and NHS staff who worked round the clock to get the situation under control.

In December, following freedom of information requests that showed that almost every health board in Scotland had been targeted by a ransomware attack, Scottish Labour called for a review of cybersecurity. In February, we exposed a security breach that involved NHS staff details being leaked, and we repeated our call for a review. That follows seven years of questions from my colleague Richard Simpson, who is no longer in this Parliament.

Will we now have a review of cybersecurity right across the NHS? Secondly, given that we have a history of ransomware attacks, can the cabinet secretary confirm whether we have ever had to pay out any ransoms? Thirdly, can she give an indication of the pressures on NHS boards from savings that they have to make and confirm that they will not impact on their budgets for cybersecurity?

I am sure that all members in the chamber want our NHS staff to be focused on patient care rather than having to worry about the hacking scandal, which I am sure we all find unjustifiable and abhorrent.

I thank Anas Sarwar for his questions. Back in February, the chief operating officer of the NHS wrote to boards reminding them of the need to make sure that they had the best resilience in place and were following the best advice to ensure that their systems were as good as they could be. I reiterate what I said to Donald Cameron: there are regular attacks on our NHS systems and the fact that, until the situation on Friday, their impact has been very limited says something about the strength of that resilience. Indeed, even though there has been an impact from the attack on Friday, it was on less than 1 per cent of devices. We have over 150,000 devices across the NHS and the attack affected fewer than 1,500 of them.

However, Anas Sarwar is quite right to talk about lessons being learned. Any recommendations that flow from the review of what has happened and what needs to happen in the light of the attack will, of course, be taken forward.

There have been no pay-outs. It is not the policy of the NHS to pay out against such attacks. That would send out completely the wrong message.

Finally, on budgets, as I said in my statement, the NHS puts a lot of resources into IT, of which cybersecurity is a key element. The Scottish Government invests around £100 million each year and that is matched by health board funding. As I said, in 2016-17, the total was over £250 million, and this year it is set to be at least £200 million. In fact, over the past two years, investment in IT has gone up.

I hope that that provides some reassurance to Anas Sarwar on the issues that he raised.

Given that the opportunity for the cyberattack lay in a vulnerability in obsolete software and, critically, the publicising of that vulnerability, will the cabinet secretary consider whether it would be appropriate to have a database that gives us knowledge of the use of obsolete software in public services and, therefore, enables us to target news of potential vulnerabilities of which we become aware at the appropriate people before potential attacks?

Stewart Stevenson makes an important point. In response to Donald Cameron, I made the point that this is not about one type of software. The ransomware appears to have affected a number of different software and has particularly impacted on GP practices, rather than on acute hospitals, with NHS Lanarkshire being the exception.

We need to understand a bit more about what lies underneath the more vulnerable areas, because there appears to be a different pattern in different places—we need to understand all that more readily before we decide what action to take. The national cyberresilience leaders board, which is meeting today, chaired by my colleague, Michael Matheson, has the requisite experts and we will draw on further experts, so I can assure Stewart Stevenson that the recommendations that we take forward on how we make our systems more resilient will be based on the best available advice that we can find.

I echo my colleagues’ thanks to all IT and NHS staff who have worked so hard over the weekend to restore key IT systems and deliver care to patients. Is the cabinet secretary confident that sufficient resilience planning is in place to cope with larger-scale incidents, should they occur? When did the Scottish Government last undertake an audit of those IT systems?

We have confidence in the systems that we have in place, given that, as I have said, fewer than 1 per cent of devices were affected, but we are in no way complacent. The attack is a wake-up call for not only the NHS but the whole of the public sector and industry. Globally, a wide range of organisations were impacted.

We need to look at what more we can do on resilience planning. As I said, back in February, we wrote to all boards, reminding them of the need to implement best practice and getting their assurances that they were doing so.

Today, with the extraordinary meeting of the leaders’ board, we are bringing together experts from across not just the public sector but industry to look at whether we can do more in response to the attack and to build on-going resilience. I am happy to keep Parliament updated as that work progresses.

In light of the continuing threat, will the cabinet secretary provide detail on what measures are in place to monitor the safety of patient data?

I reiterate the important point that no patient data has been compromised. Data security is an incredibly important issue for patients. I know that, on Friday, as the news was breaking, patients were concerned that their personal data might have been compromised. It was incredibly important that we checked out the situation as quickly as we could so that we could give that public reassurance. We were able to do so. I reiterate that point today.

It is important that our systems are resilient and that they provide security for patient data. I very much understand the sensitivity and the personal nature of the patient data that is held in NHS systems. It is important that we reassure patients about the security of their data. That security will be a key priority.

I, too, thank the NHS staff who have worked extremely hard around the clock in response to the cyberattack. As has been mentioned, NHS Lanarkshire—in Central Scotland, which I represent—was one of the most significantly impacted health boards in Scotland, but the e-health department worked tirelessly over the weekend to restore critical systems, and NHS Lanarkshire staff have continued to provide care of the highest quality.

However, concerns have been raised with me about the impact of cancelled operations and appointments at Hairmyres hospital in East Kilbride. What assurances can the cabinet secretary give to my constituents about the timescale in which they can expect performance in Lanarkshire to recover fully, and can she provide further details on what action is being taken, in partnership with NHS Lanarkshire, to upgrade and develop IT systems so that patients can have confidence that all possible actions are being taken to prevent similar attacks in the future?

I thank Monica Lennon for her comments. I agree that staff in NHS Lanarkshire—one of the worst-affected boards—pulled out all the stops to prevent the attack from impacting on patients. Their communication was also good, as they tried to get across to patients the message that they should avoid coming to accident and emergency unless it was absolutely necessary, and to bring medication information with them, because manual systems were being used. I should say that the manual systems that kicked in are there ready to use should an IT system fail. They were put in place very quickly indeed, and were successful in ensuring continuity of care over Friday night and into the weekend. I wanted to put that on the record.

NHS Lanarkshire experienced a widespread attack on its personal computer environment, with around 1,100 devices being affected. It happened during a programme of PC replacement, so we need to understand whether that was part of the issue. We are still working on information about that. More than 200 infected devices have been replaced through targeted prioritisation that has focused on keeping key clinical services running because it was important to ensure that we got those key clinical services back up and running as quickly as possible. As I said in my statement, it is reported that fewer than 20 patients who were waiting for routine appointments have had to have those appointments rescheduled. I understand that they are being rescheduled as quickly as possible; I will certainly ensure that there is communication with those patients.

What has happened in NHS Lanarkshire will be a key part of our learning. We were fortunate that NHS Lanarkshire hospitals were the only acute hospitals that were impacted on: I know that the impact on acute hospitals in England was very challenging. Most of the impact in Scotland was on general practice surgeries, apart from in NHS Lanarkshire. Monica Lennon was quite right to pay tribute to the hard work and efforts of staff there to minimise the impact on patients.

I thank the cabinet secretary for her statement. What steps is NHS Scotland taking to learn lessons from the attack and to minimise the impact of disruption from potential future attacks?

Ivan McKee will appreciate that health boards have been focused on recovering their systems and computers. The next phase is about the reviews to ensure that we learn all the lessons from the attack, and that we make the necessary improvements that are identified. Health boards are working to implement patches and to ensure that system security arrangements are updated. The lessons-learned review with health boards will be getting under way. We already have a lot of information, but we need to ensure that we have full investigation of all the details.

As I said in my opening remarks, my work with the national cybersecurity centre will be important, because the centre has a lot of the expertise that will be called for. We will work with it to take matters forward.

Finally, the national cyberresilience leaders board—which, as I mentioned, the Cabinet Secretary for Justice is chairing—is drawing together a range of partners from across the public and private sectors and will consider how we can enhance future resilience across all sectors, and not just the NHS. Again, I am happy to keep Parliament informed of that work.

Clinicians and healthcare providers often have limited time to work with patients, and protocols that make patient data more secure should not impact on front-line staff, who need to be able to do their jobs without recalling and updating strings of long passwords. Can the cabinet secretary give us assurances that improvements that will be made to the security of NHS IT systems will not have a negative impact on the workloads of healthcare professionals?

What further engagement will there be with patient groups and organisations that have concerns about the safety and privacy of patient data?

I reiterate that there was no breach of patient data security in the attack. It is important that patients and the public are reassured about that.

There should be engagement with patient groups and the public around everybody’s involvement in making sure that IT security is maintained at the highest level and in deciding what improvements we need.

I accept Alison Johnstone’s point about not adding to staff workload, but IT security is everybody’s responsibility. We do not want it to be onerous, but there is good practice—from individuals backing up and changing passwords, to collective responsibility for IT security systems and the patching that organisations should have in place. Security is everybody’s responsibility, although I take the point that that should not be onerous.

I thank the cabinet secretary for advance sight of her statement, and echo other members in praising NHS staff, many of whom are working on their days off to make good, following the audacious and cowardly attack.

The cabinet secretary mentioned that NHS Scotland faces similar attacks almost daily and explored some of that in her reply to Anas Sarwar. Can she give Parliament details of how many such attacks have taken place and whether each or any is the subject of criminal investigation? How successful have criminal investigations proved to be in bringing the perpetrators to justice?

There are regular attacks on the NHS and on other public services and organisations. Some are more serious than others: what we saw on Friday was a very serious global attack across many different countries and organisations.

Some attacks have led to the involvement of the criminal investigation agencies, and the cyberexperts in Police Scotland have bolstered their resources. Given the changing nature of cyberattacks, it is important that Police Scotland has the expertise to deal with them, so it has a number of cybersecurity experts who investigate crimes of that nature.

I will write to Alex Cole-Hamilton, following the statement and questions, on whether there are any current criminal investigations. I assure him that, in this instance, Police Scotland is working with the National Crime Agency and is treating the attack as serious. They will give their full attention to the attack in trying to bring the perpetrators to justice.

Does the cabinet secretary agree that, given the international scale of the attack, it is vital—now more than ever—that Scotland is represented at international discussions about security and international threats?

Yes. The attacks were global, so Scotland must be involved in any discussions about our international or national response to them. That is why Michael Matheson took part in the COBRA meeting that was chaired by the Home Secretary. It is important that we understand the threat collectively and that, whether in the criminal investigation, in the lessons learned or in ensuring resilience in our systems, we draw on the available expertise. That is why Michael Matheson has taken part in the COBRA discussions.

On international work that is being done, we want to make sure that the information from and impact on Scotland are recognised on the global stage, and that we can recognise and apply here relevant lessons from elsewhere on how the issue has been addressed by other countries and organisations.

Will the cabinet secretary tell Parliament how the backlog following the cyberattack will be managed?

It was important yesterday morning first to get organisations up and running again, as much as we could. In the case of general practices, I am pleased to say that none was closed—they were all open, although work needed to be done to retrieve data from back-up systems. That process is well under way. The situation is more complex in NHS Lanarkshire, where it has taken a little longer to get systems up and running again. The process has to be done in a safe way and the systems have to be tested.

However, we are now very much in the recovery stage, which is why we have, by and large, been able to get systems working normally. We can now turn our attention to the lessons-learned phase and what more we need to do to build resilience and to learn lessons for the future. We are making sure that the impact on patients is kept to a minimum. We need to make sure that the 20 NHS Lanarkshire patients’ appointments that have had to be rescheduled are rescheduled as quickly as possible. Every effort has been made to minimise the impact on patients.