Ministers have been urged to release details of a cybersecurity audit that took place three months before a Scottish NHS health board was targeted by hackers.
Inspectors undertook a statutory review of online security at NHS Dumfries & Galloway in December 2023, it can be revealed.
The audit was part of a Scotland-wide programme of checks on NHS and public health bodies – to ensure that they are meeting expected data security and management standards.
Under the law, NHS health boards are assessed on a range of cybersecurity ‘controls’ that must be either achieved or partially achieved to ensure compliance.
Despite repeated requests NHS Dumfries and Galloway – which had over three terabytes of its data leaked onto the dark web last month – has refused to release details of the external audit.
The health board has insisted that the document is ‘extremely confidential’ and cannot be shared – because it may harm the organisation’s security.
Similarly, the Scottish Government, which commissioned the external audit, and is the ‘competent authority’ overseeing NHS cybersecurity, also refused to disclose the findings.
However, opposition politicians today called for full transparency over whether the health board was complying with expected cybersecurity standards.
Scottish Labour Health spokesperson Jackie Baillie said: “Health boards being vulnerable to cyberattacks is an incredibly serious matter.
“In recent cases we’ve seen the disruption cyberattacks cause and the risk they pose to the confidentiality of patient data.
“If health boards and the Scottish Government are aware of any vulnerabilities in our NHS’s cybersecurity, they must inform Parliament and the public and rectify any weakness in the system quickly.”
Scottish Conservative deputy health spokesperson Tess White MSP added: “This recent cyberattack resulted in confidential medical records being made public and left patients understandably alarmed.
“The SNP Government and NHS Dumfries & Galloway must be fully transparent about any audits that were carried out before this attack took place and given the scale of this breach, it’s crucial that they give a full and open account that restores public trust.”
Millions of files belonging to the regional health board were uploaded to the dark web last month, following what the health board described as a ‘focused and ongoing’ cyberattack which it announced on March 5.
Ransomware gang INC Ransom claimed responsibility for the attack, and published evidence of the hack on its dark web blog site on March 27 – and threatened more was to follow unless various unspecified demands were met.
Finally, on May 6, over three terabytes of data was published on the gang’s dark web site, including confidential patient and staff information.
Those files contained sensitive patient data, NHS personnel records, lab results, administrative, strategic and corporate governance data.
They also included children’s mental health records, with full names and dates of birth, and details of patients being treated for various conditions.
In a further development, National Records of Scotland confirmed two weeks ago that it was affected by the hack – with a ‘large volume’ of its data accessed and published by the cybercriminals.
The health board has insisted that the hackers did not access the primary records system for patients’ health information – the system used by GPs, containing people’s entire medical history in one location.
However, it has initiated an investigation, calling in the police, experts from the National Cyber Security Centre and advising the privacy watchdog, the Information Commissioner.
Health board officials contacted people most at risk from the hack and issued a warning about identify theft. Teams are also working to secure systems in the aftermath of the attack.
Organisations deemed to be ‘operators of essential services’ such as the NHS or critical national infrastructure – like water or energy providers – are bound by law to have the highest cybersecurity standards.
Under the EU Network and Information Systems Regulations 2018 (NIS Regulations), their systems must be highly secure in order to prevent data compromise.
According to the regulations, organisations must establish and maintain policies and processes ‘concerning systems assessment, inspection and verification’.
The health board confirmed that it was audited in December last year by the Thurso-based not-for-profit consultancy Cyber Security Scotland, which specialises in cyber defence policies, procedures and technology.
It is led by Dr Keith Nicholson, former joint chair of the National Cyber Resilience leaders’ board’s public sector steering group, and contributing author to the Scottish Government’s Cyber Resilience Framework.
His organisation was appointed by the Scottish Health Competent Authority – a Scottish Government body – to review the cybersecurity provisions of every health board.
All NHS and related health bodies are subjected to this audit process and must adhere to certain ‘controls’, against which they are rated as having ‘achieved’, ‘partially achieved’ or ‘not achieved’. Cyber Security Scotland is then required to produce a final report assessing overall compliance to Scottish government ministers.
A spokesman for NHS Dumfries and Galloway said: “NHS Dumfries and Galloway’s last NIS Audit took place in December 2023 and was carried out by Cyber Security Scotland who currently have the contract for Health NIS Audits appointed by the Health CA (Scottish Government).”
The Scottish Government said it would not publish the audit outcomes as they were classified as ‘official sensitive’ and may “highlight cyber resilience strengths and weaknesses”.
Health secretary Neil Gray said in parliament on May 7, however, that the Scottish Health Competent Authority “noted that auditors found that NHS Dumfries and Galloway had demonstrated clear commitment to the audit process.”
