NHS Dumfries and Galloway (Cyberattack)
To ask the Scottish Government what its response is to the reported cyberattack on NHS Dumfries and Galloway. (S6T-01869)
I wish to outline at the outset that the incident is the subject of a live police investigation, so colleagues will appreciate that I am limited in the detail I can share. However, I assure Colin Smyth and other colleagues that the Scottish Government continues to fully support NHS Dumfries and Galloway as it responds to the cyberattack.
Although I understand that the news will have been alarming for patients and staff, I assure Parliament that the board responded swiftly and in line with established protocol. I have spoken to the chief executive of NHS Dumfries and Galloway and I am assured that my officials are fully supporting the board as part of a multi-agency approach. In addition, I can advise that other national health service boards have been mobilised at the Government’s request to provide technical support to NHS Dumfries and Galloway.
So far, the attacks do not appear to have caused any major disruption to patient services, which is welcome. However, it is deeply worrying that there is a risk that hackers were able to acquire a significant amount of information, which could include identifying data on patients and staff. We know from past attacks on the NHS that the motive can often be related to extortion attempts on organisations or individuals.
What actions are being taken to protect staff and patients from extortion attempts? Will the cabinet secretary give a clear assurance that there will be clear, open and transparent communication with staff and patients about the possibility that they could be approached by someone claiming to be in possession of data relating to them, so that they know what to do in such circumstances? People are worried, and communication so far has been very limited.
NHS Dumfries and Galloway made the situation public last week and advised people that if they are concerned about anyone approaching them with information about their data, whether that be a patient or a member of staff, they should contact the police immediately by calling 101.
On Colin Smyth’s earlier point, I am pleased to say that there has been a minimal impact on patient services. However, it is important to note that we know that the incident has resulted in the need for some staff to change working practices in the short term. I am grateful to everyone who is working to ensure that people still receive the best possible care while we work at pace to ensure a return to normal working practices.
I am limited in what I can say because of the live police investigation, but I note that the difficulty is in how we can directly contact patients, given that we do not know exactly what data has been taken. We know the scale of the data loss and what the data will be used for, however, and, as NHS Dumfries and Galloway has suggested, the likelihood is that it might include patient and staff information.
Cyberattacks on the NHS are not new, obviously, but it is clear from this attack that they are becoming more common and more sophisticated. Of course, they are not unique to NHS Dumfries and Galloway. Following the attack, which has led to a breach of confidential data, and given that the security that is used by the health board will have been very similar to that which is used by the NHS across Scotland, will there now be a review of the cybersecurity protections that are used by the NHS?
Obviously, a breach of confidential data is an extremely serious matter, which is why there is a multi-agency response to it. I am confident in what I have been advised by NHS Dumfries and Galloway about its preparedness for such a cyberattack, and I am happy to share that confidence in a more private way with Colin Smyth or any other colleagues.
The attack demonstrates the clear need for continued investment in the cybercapability of our public sector, not just here in Scotland but across the United Kingdom. Recently, we have seen attacks in very similar circumstances that happened to the University of Manchester and NHS England, and Colin Smyth is right to point to there being a pattern that we need to be alive to.
The Scottish Government and NHS boards have continued to invest in the development of the Cyber Centre of Excellence in recent years. The centre has been delivered organically and is already the focal point of cyberdefence. The response to this incident allows for that work to be done on a national scale.
On Colin Smyth’s question, we will continue to monitor and keep under review the implications of the attack and ensure that our cyberresilience continues to be as strong as possible.
My question is in a similar vein to Colin Smyth’s.
The NHS board is working with the National Crime Agency, the UK National Cyber Security Centre, the Scottish Government and the Information Commissioner to mitigate and investigate the recent cyberattack. It was clear at yesterday’s NHS briefing that the board was not able to provide full information, as advised by those professional agencies, but one thing that is clear is that cyberattacks will become more commonplace. Will the cabinet secretary provide further information on how the lessons that are learned from the NHS D and G event, including the business continuity plan, will be shared with other public bodies in Scotland to ensure that they are prepared to prevent, as far as possible, a similar attack in the future?
I thank Emma Harper for her question. I am glad that she and colleagues from the Scottish Parliament and Westminster found yesterday’s briefing from NHS Dumfries and Galloway helpful, although it was caveated, as my replies have been, by the fact that this is a live police investigation.
I assure Emma Harper that my officials have already started a lessons-identified exercise, the learning from which will be shared at a suitable time. I want to be clear that, as detail about the incident becomes available, I will continue to share as much information as I can with other public bodies—through the multi-agency arrangements that Emma Harper mentioned in her question—so that they are able to take preventative steps to defend against similar attacks in the future.
My constituents have raised concerns about how the leaked personal and sensitive data might be used. Therefore, information, guidance and support from NHS Dumfries and Galloway will be crucial in the coming days and weeks. Will the cabinet secretary give details on what assistance the Scottish Government is giving the health board to ensure that patients and staff are aware of potential risks and the actions that they might need to take to protect themselves? Can he confirm whether he believes that NHS Dumfries and Galloway has abided by data protection legislation in the manner and timing in which it has informed patients and staff of those risks?
I thank Finlay Carson for the way that he approached that question. In line with the offer that I made to Colin Smyth and Emma Harper, I would be happy to write to Mr Carson about some of the preventative steps that were taken by NHS Dumfries and Galloway to try to prevent the attack happening in the first place and the steps that it has taken since.
He is absolutely right to say—and I reiterate—that the breach of confidential data is an extremely important and serious matter. I would be happy to set out for Finlay Carson the steps that were taken to provide public information at the earliest possible opportunity, to ensure that people could protect themselves against misuse of the data that was gathered.
I reiterate NHS Dumfries and Galloway’s call for staff and the public to be on their guard against any attempt to access their systems and against approaches from anyone claiming to be in possession of their data. Anyone who finds themselves in that situation should contact Police Scotland immediately by calling 101.
HMP Kilmarnock (Transfer to Public Ownership)
To ask the Scottish Government what its position is on the cost and impact of the transfer of HMP Kilmarnock into public ownership. (S6T-01878)
HMP Kilmarnock successfully transferred to Scottish Prison Service ownership and management on Sunday 17 March. The SPS and the private operator delivered a smooth transition, supporting staff and those in custody while maintaining the high standards already set within the prison. The SPS will continue delivering quality services at the prison, while benefiting from the skills and experience of the existing staff.
It has been Scottish Government policy since 2007 that prisons should be owned and managed by the public sector and that public safety and prisoner rehabilitation and wellbeing should not be driven by private profit.
The final overall cost of operations at HMP Kilmarnock will depend on a variety of factors but is currently estimated at £11.6 million for 2024-25. [Angela Constance has corrected this contribution. See end of report].
His Majesty’s chief inspector of prisons recently raised serious concerns about some prisons already in the estate. She said that HMP Greenock needs bulldozed and that HMP Barlinnie is close to catastrophic failure. Meanwhile, the replacement for HMP Barlinnie is already overdue and over budget, as is the HMP Highland project.
It is evident that the service is already struggling with significant financial constraints, although HMP Kilmarnock was praised for its successful performance under private control. A recently released report also raised a number of concerns about the HMP Kilmarnock transition. Can the cabinet secretary assure us that plans have been put in place to ensure that that prison will not fall into disrepute as others have done?
I am the last person to demur from the challenges that currently exist across the prison estate, which are not helped by having a very high prison population.
Of course, I do not necessarily accept the member’s characterisation of the current estate. There are well established plans in place to replace HMP Barlinnie with HMP Glasgow and there are similar plans for HMP Highland. I have answered a number of oral and written questions about Greenock, Highland and Glasgow prisons and recently made a statement about the pressures on the entire prison estate.
The member should be aware of the good performance of public sector prisons in Scotland, in comparison with those in the private sector, particularly regarding violence and drug use—I have referred to that in the chamber as well. She will also be aware that there are two stages. The first is the successful transition that we have seen and the second is the actions that will take place in the coming year.
I point out that that was not my characterisation of the prison service, it was that of His Majesty’s chief inspector of prisons.
The chief executive of the Scottish Prison Service has said that the service is committed to ensuring the transition of HMP Kilmarnock into public ownership while maintaining the high standards that the prison displays. However, during that transfer, staff have lost the security of 56 body-worn cameras. The prison now needs to recruit a further 70 staff and there is also the question of whether four drug-detection dogs, which have proved to be an important asset in preventing drugs worth around £1.2 million from entering HMP Kilmarnock, will be retained.
Can the cabinet secretary confirm that the existing level of safety and security will be maintained at HMP Kilmarnock despite the loss of those cameras? Can she provide us with an update on the drug-detection dogs? Can she also confirm that there will be no further overcrowding until all the staff are recruited?
It is important to acknowledge that, even with the transition arrangements and the transitional operating model, the number of staff in HMP Kilmarnock will increase so that staff who are working long shifts or back shifts on a weekend can have a break. That is a good example of why we have prisons operating for the public interest, as opposed to the private profiteering that exists across these islands in relation to private prisons.
It is important for Parliament to be aware that the current body-worn cameras in HMP Kilmarnock were not part of the contract and there is no agreement for those pieces of equipment to transfer. However, it is also worth recognising that a pilot operation will commence in April in three prisons in the estate and that, thereafter, body-worn cameras will be rolled out across the prison estate.
I have already corresponded with members on the drug-detection dogs and handlers. The two detection dogs and handlers have now transferred into the SPS following the transition, and they do indeed play a critical role in tackling the drug crisis.
The proposal to bring Kilmarnock prison into the public sector has been there for 17 years, so I wonder where the Tories have been hiding on the issue until now. Does the cabinet secretary agree that the Government has a great record on and commitment to delivering more and better public services, unlike the Tories, who would sell off anything and everything to bail themselves out of the financial mess that they have created?
Please answer in relation to the substantive question, cabinet secretary.
The member is right to point to the historical position of this Government. Indeed, our 2007 manifesto said:
“We are committed to a publicly owned and run ... service.”
That was because our assessment is that public services, be they hospitals or prisons, should be run for public good and not private profit. Private prisons are a legacy of previous Administrations, whether that is the Liberal-Labour coalition or the Conservative Government pre-devolution.
Can the cabinet secretary explain why the trade union Community has been de-recognised at Kilmarnock prison? Is she concerned that Community advises that the Scottish Prison Service is refusing to meet it and, as a result, the union is now issuing an indicative ballot for industrial action? Will the cabinet secretary intervene to ensure that that dispute is resolved?
I am about to reply to correspondence that I have received from Ms Clark and Ms McNeill on those issues. In relation to union recognition, the Scottish Prison Service indicated throughout the consultation process, which was intensive, its intention to maintain its existing trade union arrangements for all public sector prisons in Scotland, and the transferring staff group will be covered by those existing arrangements.
It is important to point out to Parliament that the arrangement that exists between Serco and the Community union was a voluntary agreement and not a legally binding one. It is my view that it does not place an obligation on the SPS, which has worked hard to maintain its current relationships with trade unions—mainly, but not exclusively, the Prison Officers Association.