Action plan for cyber resilience in Scotland to be accelerated following cyber attacks on NHS

Cyber security - Image credit: Fotolia

An action plan to help defend the public sector in Scotland against cyber attacks is to be accelerated after the attacks on the NHS on Friday.

This follows an urgently convened meeting of the National Cyber Resilience Leaders' Board, chaired by Justice Secretary Michael Matheson.

On Friday the NHS across the UK, as well as high profile organisations across the world, including FedEx and Telefónica, were hit by the Wannacry ransomware program in the biggest cyber attack in internet history.

RELATED CONTENT

National Cyber Security Centre tells public sector domain owners to improve email security

Philip Hammond tells business to ‘sharpen its approach’ to preventing cyber attacks, as Queen opens new cyber security centre

Cyber security is no longer just about financial and reputational loss

At the meeting the Justice Secretary discussed the impact of the global cyber attack on Scotland, the multi-agency response and the steps that can be taken to boost cyber resilience across all sectors. 

He also committed to take forward the public sector action plan, which includes developing a set of preventative guidelines and standards for all Scottish public sector bodies to achieve by 2018, support for all 121 public sector organisations to achieve accreditation to the Cyber Essentials standard as a minimum requirement and production of a public awareness strategy for public sector organisations.

Chair of the board CBI chief executive Hugh Aitken, said the board aimed to have its proposals on taking the action plan forward to ministers for their approval by June.

Matheson said: “What is evident from this week’s events is that this was a global attack on an unprecedented scale and, whilst we are now seeing systems returning to normal, we cannot be complacent.

“Today I chaired a meeting of the National Cyber Resilience Leaders’ Board which discussed what lessons we can learn from this incident and how we can take forward the publication of an action plan to ensure we are as prepared as possible for future incidents.

“We need to be clear that combatting threats of this nature isn’t something government can achieve alone.

“Cyber security is everyone’s business and we need to ensure that all organisations have appropriate safeguards in place.

“I would like to thank all NHS staff who have been working hard to make sure the impact of this attack has been effectively managed.”

In Scotland 13 health boards were hit by the attacks, although they were less badly affected than NHS trusts in England.

Police Scotland is supporting the UK-wide criminal investigation into the attacks led out by the National Cyber Security Centre in London and Michael Matheson attended a meeting of the COBRA committee, chaired by the Home Secretary, to consider the consequences of the cyber attack.

In a statement to the Scottish Parliament today Health Secretary Shona Robison said that initial investigations suggested that less than one per cent of NHS devices were affected and there had been no reported breaches of patient data as a result of the attack.

She added that the Scottish Government would be looking into whether health boards had appropriate patching regimes in place, which are the application of hardware and software fixes to improve security.

Robison highlighted that around £257m was spent by health boards on IT systems and cyber resilience, with £100m of that contributed by the Scottish Government.

She said: “Although the attack was unprecedented in its scope, with hundreds of organisations affected across the globe, it was not an isolated incident.

“In fact, NHS Scotland, along with other organisations, faces similar attacks every day, most of which are thwarted by the controls and protections that are in place.

“All health boards have IT security frameworks and policies in place, but the IT environment across health boards is complex, with a mixture of legacy and new systems and technology.

“There is a continuing work programme in place to ensure that all systems are updated as soon as possible as developments in technology move on.

“I can assure parliament that the NHS in Scotland remains at the forefront of using digital technology to support the quality of the patient services that we provide.

“There will be a number of lessons arising from the ransomware attacks that we must learn from.

“Reviews are already under way to capture what can be improved, to ensure that we reduce the chances of a similar attack happening in the future.

“The Scottish Government will also be arranging a lessons-learned exercise to help health boards and other agencies to mitigate the risks from further ransomware and other cyberattacks.

“However, due to those criminal activities, the NHS and all other parts of the public sector need to be vigilant and keep their systems up to date and fully protected at all times, which is a lesson that all parts of society can learn from.”

The Lib Dems have suggested that the cyber attack on the NHS backs up their opposition to a centralised national ID database.