NHS Dumfries and Galloway (Data Breach)
To ask the Scottish Government what its response is to reports that a large volume of data has been published on the dark web, following the recent cyberattack on NHS Dumfries and Galloway. (S6T-01965)
The Scottish Government is working with NHS Dumfries and Galloway, Police Scotland and other agencies, as we have done since we were first alerted to the cyberattack, to assess the level of the breach and the implications for the individuals concerned.
At my request, NHS Dumfries and Galloway has briefed local MSPs on the situation and issued a statement to staff and the public. A dedicated telephone helpline is now open to the public, and the Scottish Government continues to provide support to the board as it deals with the on-going situation and the live police investigation.
There is nothing more personal than someone’s medical data, so this serious development will be deeply worrying for patients and staff of NHS Dumfries and Galloway, who will all be asking whether the breach affects them and their loved ones.
NHS Dumfries and Galloway now knows what data files have been released, and that they include a substantial amount of data, including on children’s health. We also know, however, that it will take time for the board to work through its data to identify which individuals are affected. Given how important it is to identify any vulnerable people who might be impacted by the breach, what specific resources is the Scottish Government providing to NHS Dumfries and Galloway to ensure that the search of data is conducted as quickly as possible and that individuals are identified and supported?
I thank Colin Smyth for his question, and I concur with him that for patients and staff across NHS Dumfries and Galloway the incident is very personal and it is a very worrying time. I accept and acknowledge that.
As I mentioned, I am limited in what I can say. However, I can inform Colin Smyth that the Scottish cyber co-ordination centre within the Scottish Government has stood up the Scottish multi-agency cyber incident support arrangements. Those arrangements bring together national agencies, including the National Cyber Security Centre, Police Scotland, the National Crime Agency, the NHS Scotland cyber security centre of excellence and Scottish Government policy leads, to support NHS Dumfries and Galloway to respond to and recover from the incident.
In addition to providing practical advice and support, the Scottish Government has alerted the wider public sector to the incident and has shared relevant information. That will, I hope, enable public sector organisations to take preventative steps to defend themselves against similar attacks.
The ransom demands from the perpetrators of the cyberattack were never going to be met, so it was always highly likely that they would follow through on their threats to release the data and cause maximum disruption and distress. Now that the data is on the dark web, what assessment has the Government made of the likelihood of other criminals being able to access the information, notwithstanding how challenging that is, and then being able to use it to target individuals whose data has been released? That will be a concern for patients and staff in Dumfries and Galloway.
Again, I thank Colin Smyth for his question, because he is absolutely right. A breach of confidential data is an incredibly serious matter, and I reiterate NHS Dumfries and Galloway’s call for staff and the public to be on their guard for any attempt to access their systems, or for any approaches from anyone who claims to be in possession of data relating to them. If anyone finds themselves in that situation, they should contact Police Scotland immediately by calling 101.
The worrying attack comes at the worst possible time and is adding more pressure on already hard-pressed staff and on a health board that is struggling to meet huge funding cuts. In addition to making information technology support available, will the cabinet secretary explore what additional emergency funding can be put in place to ease the pressures on the board and ensure that the chief executive can focus, at this exact minute, on sorting out the issue of the breach rather than having to balance the books?
There has been minimal impact on patient care as a result of the breach. However, I know that the incident has resulted in the need for some staff to change working practices in the short term, so I am very grateful to everyone who is working to ensure that people still receive the best possible care while we work at pace to ensure a return to normal working practices.
The Government has made significant investments in all boards; we have seen a real-terms increase to NHS boards as a result of the most recent budget. Across the country, our teams continue to work with boards on their financial resilience. Should there be particular asks, I would be receptive to at least hearing them, even during the difficult financial situation that we are all facing across the public sector, although I might not be able to commit to being able to realise them fully.
The latest announcement about the cyberattack displays the very real implications for staff and the public of cyberattacks, with personal details now bring freely published on the dark web. We also saw just yesterday that China successfully hacked the United Kingdom Ministry of Defence. Such attacks will continue to happen and will have serious consequences. Can the cabinet secretary give a commitment that the Scottish Government is examining the cyber resilience of all our public institutions to protect the public and those who work in those vital services? Can the cabinet secretary also reconfirm that the Government is adequately supporting NHS Dumfries and Galloway to have the resources that are needed to assess and act on the cyberattack?
I thank Emma Harper for her question. I can give those assurances. We continually review and regularly audit all health boards’ cyber resilience. I know that Emma Harper will understand that, for security reasons, I cannot go into detail on that. Health boards take part in an annual audit process that assesses their effectiveness against the public sector cyber resilience framework. It allows them to be as resilient as possible in reducing the likelihood and impact of cyberattacks. That has aided their ability to respond promptly when an attack is discovered, thereby minimising the impact on staff and the public.
In the most recent round of audits, the Scottish Health Competent Authority noted that auditors found that NHS Dumfries and Galloway had demonstrated clear commitment to the audit process.
We know that 91 folders have been published on the dark web, including highly sensitive information from patients’ confidential records and staff details. I appreciate that there will be details of the attack that cannot be discussed and that the cabinet secretary will be taking advice from the National Cyber Security Centre, but does he know whether the network was exploited because of a weakness in the security system or because someone’s credentials were used? Furthermore, can he set out exactly how NHS Dumfries and Galloway is being technically supported to ensure that all systems are back online and to help to address the anxiety and concerns of patients and staff?
I reiterate what I said in response to Emma Harper, which is that NHS boards go through regular annual audits of their cybersecurity. The authority that conducted that audit noted NHS Dumfries and Galloway’s clear commitment to that audit process. Finlay Carson will understand that I cannot go into significant detail on that, for obvious security reasons.
In answer to his follow-up question, I note that there has been minimal impact on patient services, which have continued as normal: patients should have noticed very little change. However, I am conscious that there is the possibility of further impact, which is why we are continuing to support the health board and ensuring that it recovers as quickly as possible.
A major cyberattack on NHS Scotland in 2022 crippled NHS systems and disrupted services. What steps were implemented to prevent a major breach like that from happening again and why did they fail?
As I have said in response to previous questions, the audit process for reviewing cybersecurity across all areas of the health service is kept under constant review. It is an annual audit process and, as I have already said, the Scottish Health Competent Authority has confirmed that NHS Dumfries and Galloway co-operated with the process and has done everything possible to stop the attack.
As we have seen from cyberattacks elsewhere, this is an incredibly difficult time to defend against increasingly sophisticated actors that are looking to infiltrate our systems, including that of the Ministry of Defence most recently. All we can do is continue to offer support, learn from the situations that have passed and ensure that our resilience is as strong as possible. That is what the Government will continue to do—not just with NHS Dumfries and Galloway, but with other health boards and public sector organisations.
Grangemouth Refinery (Support)
To ask the Scottish Government, in light of recently reported developments, what plans are being made to support the continued operation of the Grangemouth refinery. (S6T-01964)
The Scottish Government continues to engage extensively with the owners of the Grangemouth refinery and is committed to securing a long-term sustainable future for the industrial cluster. The future configuration of the Grangemouth refinery is a commercial matter for the owners. However, we have a track record of supporting businesses at Grangemouth as they progress their low-carbon projects, and we are committed to working collaboratively with Petroineos to accelerate its own projects at the site.
I hope that the cabinet secretary will join me in paying tribute to the positive campaign that has been run by Unite the union, which is aptly called keep Grangemouth working. As a Conservative, I have no hesitation in backing that campaign to keep Grangemouth working, because the campaign asks for three things—an extension of the lifetime of the refinery, investment in new technology and support for greener and cleaner energy projects.
From her engagement with Petroineos, can the cabinet secretary confirm Martin Williams’s front-page story in The Herald this morning that the hydrocracker has been restarted? What impact does the return to sustained profitability mean for extending the life of the refinery?
I am very pleased to join Stephen Kerr in recognising the work of Unite the union. By extension, I again put on record my thanks to the highly skilled workers at Grangemouth, who contribute so much to that asset of strategic importance to Scotland.
I am of course aware of today’s media coverage, which explores the issue of the hydrocracker at the Grangemouth refinery. That is purely an operational matter for the company, and it is commercially sensitive. It is not appropriate for me to speculate or theorise on what is, in essence, media speculation at this point, but I can assure Stephen Kerr and members that ministers and officials engage regularly with all those with an interest in the cluster, including with the business, to understand the impact of current operations. We are interested in operations today and how that progresses into the future.
I thank the minister for her response, but I hope that she would agree that it is a matter of interest for her and her team to find out whether the hydrocracker has been restarted. We have it from multiple sources that it has been, and that is a significant development.
I cannot help but think that the window of opportunity that the restarting of the hydrocracker brings is not unrelated to the end of the Bute house agreement. I echo what Derek Thomson of Unite has said in the light of the return to healthy profits for Petroineos at Grangemouth. He said:
“The only sensible commercial decision to be made is to maintain the refinery’s operations and in doing so retain 500 highly-skilled jobs.”
I say, “Hear, hear”, to that.
Investing in cleaner and greener energy projects at Grangemouth is a major strategic issue for the whole of Britain. Both Governments must work together with local interests to secure the future of the site and the local economy. What discussions has the cabinet secretary had with UK ministers, and what have they agreed? In addition to the local council, Forth Valley College and Petroineos, which other local businesses have been recruited to the Grangemouth future industry board?
I will be glad to share with Stephen Kerr a copy of the cast list for the Grangemouth future industry board. It is quite extensive, so I will do that in writing.
Given the importance that Stephen Kerr places on the matter—as I do—I encourage him not to indulge in theories about political configuration on the one hand and, on the other, what are, in essence, commercial matters for Petroineos to consider. I restate the fact that it is not appropriate for me to comment on media speculation, but I reinforce the point that ministers and officials are very closely engaged in the development of these matters.
I close by highlighting that, given the strategic importance of Grangemouth, our objective is to maximise transition opportunities and minimise any gap between those emerging and transition happening, all with a view to securing as many jobs as possible.
We all agree about the need to secure the refinery and jobs in this important industrial cluster in my constituency. However, we also agree on the need for that to be done sustainably, so, to that end, will the cabinet secretary update Parliament on the calls for the United Kingdom Government to remove the regulatory barriers affecting sustainable aviation fuels and thus to allow the possibility that the site will have a future as a biorefinery?
Michelle Thomson is absolutely right to highlight biorefining as a potential transition opportunity for the cluster. Ministers have made several representations to the UK Government and have asked for engagement on issues regarding sustainable aviation fuel. Initial indications suggested that the UK’s post-Brexit SAF mandate would inhibit the use of hydrotreated esters and fatty acids and therefore the development of SAF, but more recent developments appear to present a more positive picture. We will continue pressing that issue. I am in on-going dialogue about the matter with UK ministers in both the Scotland Office and the Department for Energy Security and Net Zero and I will be glad to keep Michelle Thomson up to date about that, given my understanding of her concern about the issue.
Will the cabinet secretary confirm that the just transition plan for Grangemouth will be published this month? Does she acknowledge that staff working at Grangemouth need assurance that their skills, knowledge and experience will be key to a just transition to the cleaner, greener energy projects that can make Grangemouth and Scotland successful leaders in renewable energy and to meeting the aspirations that Unite says are in critical need of our support?
I agree with a great deal of what Sarah Boyack says. Our just transition plan for Grangemouth industrial cluster will be a truly first-of-its-kind vision for the site and will outline the long-term operations that we hope to see taking place by 2045. Beyond that vision, the plan will also set out and chart the series of actions required to secure that vision, focusing on securing long-term investment, developing technical and commercially viable solutions for manufacturing, and fostering the correct policy environment for all that. Work to finalise the just transition plan is under way and I expect it to be published very soon.
Having raised the need for urgent action, I welcome the news that Petroineos has invested in and restarted the hydrocracker and that the site is turning a profit. The save Grangemouth campaign, which is headed by my Westminster colleague Kenny MacAskill, aligns itself with the results of a recent survey by Unite the union, which strongly indicates that there has been a collective failure by both Governments to support Grangemouth. What substantive commitment will the Government now make to ensure a long-term sustainable future for this core asset for Scotland’s energy industry, so that there is no cliff edge for both workers and Scotland’s energy security?
The Government is absolutely clear about the strategic importance of the Grangemouth complex. That is why future proofing the complex is a priority for us. It is important to our economy and our energy mix and is vital to the workforce in Grangemouth and the surrounding communities. That is why, although decisions regarding the companies on the site are for the commercial entities that are in control there, we are working determinedly with all interested parties on a future plan. We are meeting all who have a stake and are investing, including in plans for future low-carbon opportunities. I end by restating our ambition to maximise transition opportunities, minimise gaps and secure as many jobs as possible.
In her answers so far, the cabinet secretary has stopped short of committing to publishing the just transition plan. Can she confirm that it will be published by the end of the month? Given that the Scottish Government’s web page for the Grangemouth future industry board states that it is updating its workstream priorities for 2023, and that we are five months into 2024, is she comfortable with the pace and volume and actions that have been taken to date?
Please answer in relation to the substantive question, cabinet secretary.
As I said in my response to Sarah Boyack, the work on the vision and actions that will be set out in the just transition plan for Grangemouth is nearing completion. I expect the plan to be published very soon indeed.
That concludes topical questions.
Air ais
Business MotionAir adhart
Personal Statement