NHS Dumfries and Galloway (Cyberattack)

– in the Scottish Parliament on 19 March 2024.

Colin Smyth Labour

1. To ask the Scottish Government what its response is to the reported cyberattack on NHS Dumfries and Galloway. (S6T-01869)

Neil Gray Scottish National Party

I wish to outline at the outset that the incident is the subject of a live police investigation, so colleagues will appreciate that I am limited in the detail I can share. However, I assure Colin Smyth and other colleagues that the Scottish Government continues to fully support NHS Dumfries and Galloway as it responds to the cyberattack.

Although I understand that the news will have been alarming for patients and staff, I assure Parliament that the board responded swiftly and in line with established protocol. I have spoken to the chief executive of NHS Dumfries and Galloway and I am assured that my officials are fully supporting the board as part of a multi-agency approach. In addition, I can advise that other national health service boards have been mobilised at the Government’s request to provide technical support to NHS Dumfries and Galloway.

Colin Smyth Labour

So far, the attacks do not appear to have caused any major disruption to patient services, which is welcome. However, it is deeply worrying that there is a risk that hackers were able to acquire a significant amount of information, which could include identifying data on patients and staff. We know from past attacks on the NHS that the motive can often be related to extortion attempts on organisations or individuals.

What actions are being taken to protect staff and patients from extortion attempts? Will the cabinet secretary give a clear assurance that there will be clear, open and transparent communication with staff and patients about the possibility that they could be approached by someone claiming to be in possession of data relating to them, so that they know what to do in such circumstances? People are worried, and communication so far has been very limited.

Neil Gray Scottish National Party

NHS Dumfries and Galloway made the situation public last week and advised people that if they are concerned about anyone approaching them with information about their data, whether that be a patient or a member of staff, they should contact the police immediately by calling 101.

On Colin Smyth’s earlier point, I am pleased to say that there has been a minimal impact on patient services. However, it is important to note that we know that the incident has resulted in the need for some staff to change working practices in the short term. I am grateful to everyone who is working to ensure that people still receive the best possible care while we work at pace to ensure a return to normal working practices.

I am limited in what I can say because of the live police investigation, but I note that the difficulty is in how we can directly contact patients, given that we do not know exactly what data has been taken. We know the scale of the data loss and what the data will be used for, however, and, as NHS Dumfries and Galloway has suggested, the likelihood is that it might include patient and staff information.

Colin Smyth Labour

Cyberattacks on the NHS are not new, obviously, but it is clear from this attack that they are becoming more common and more sophisticated. Of course, they are not unique to NHS Dumfries and Galloway. Following the attack, which has led to a breach of confidential data, and given that the security that is used by the health board will have been very similar to that which is used by the NHS across Scotland, will there now be a review of the cybersecurity protections that are used by the NHS?

Neil Gray Scottish National Party

Obviously, a breach of confidential data is an extremely serious matter, which is why there is a multi-agency response to it. I am confident in what I have been advised by NHS Dumfries and Galloway about its preparedness for such a cyberattack, and I am happy to share that confidence in a more private way with Colin Smyth or any other colleagues.

The attack demonstrates the clear need for continued investment in the cybercapability of our public sector, not just here in Scotland but across the United Kingdom. Recently, we have seen attacks in very similar circumstances that happened to the University of Manchester and NHS England, and Colin Smyth is right to point to there being a pattern that we need to be alive to.

The Scottish Government and NHS boards have continued to invest in the development of the Cyber Centre of Excellence in recent years. The centre has been delivered organically and is already the focal point of cyberdefence. The response to this incident allows for that work to be done on a national scale.

On Colin Smyth’s question, we will continue to monitor and keep under review the implications of the attack and ensure that our cyberresilience continues to be as strong as possible.

Emma Harper Scottish National Party

My question is in a similar vein to Colin Smyth’s.

The NHS board is working with the National Crime Agency, the UK National Cyber Security Centre, the Scottish Government and the Information Commissioner to mitigate and investigate the recent cyberattack. It was clear at yesterday’s NHS briefing that the board was not able to provide full information, as advised by those professional agencies, but one thing that is clear is that cyberattacks will become more commonplace. Will the cabinet secretary provide further information on how the lessons that are learned from the NHS D and G event, including the business continuity plan, will be shared with other public bodies in Scotland to ensure that they are prepared to prevent, as far as possible, a similar attack in the future?

Neil Gray Scottish National Party

I thank Emma Harper for her question. I am glad that she and colleagues from the Scottish Parliament and Westminster found yesterday’s briefing from NHS Dumfries and Galloway helpful, although it was caveated, as my replies have been, by the fact that this is a live police investigation.

I assure Emma Harper that my officials have already started a lessons-identified exercise, the learning from which will be shared at a suitable time. I want to be clear that, as detail about the incident becomes available, I will continue to share as much information as I can with other public bodies—through the multi-agency arrangements that Emma Harper mentioned in her question—so that they are able to take preventative steps to defend against similar attacks in the future.

Finlay Carson Conservative

My constituents have raised concerns about how the leaked personal and sensitive data might be used. Therefore, information, guidance and support from NHS Dumfries and Galloway will be crucial in the coming days and weeks. Will the cabinet secretary give details on what assistance the Scottish Government is giving the health board to ensure that patients and staff are aware of potential risks and the actions that they might need to take to protect themselves? Can he confirm whether he believes that NHS Dumfries and Galloway has abided by data protection legislation in the manner and timing in which it has informed patients and staff of those risks?

Neil Gray Scottish National Party

I thank Finlay Carson for the way that he approached that question. In line with the offer that I made to Colin Smyth and Emma Harper, I would be happy to write to Mr Carson about some of the preventative steps that were taken by NHS Dumfries and Galloway to try to prevent the attack happening in the first place and the steps that it has taken since.

He is absolutely right to say—and I reiterate—that the breach of confidential data is an extremely important and serious matter. I would be happy to set out for Finlay Carson the steps that were taken to provide public information at the earliest possible opportunity, to ensure that people could protect themselves against misuse of the data that was gathered.

I reiterate NHS Dumfries and Galloway’s call for staff and the public to be on their guard against any attempt to access their systems and against approaches from anyone claiming to be in possession of their data. Anyone who finds themselves in that situation should contact Police Scotland immediately by calling 101.