Exclusive: Ministers urged to release details of cybersecurity audit at hacked NHS health board
Ministers have been urged to release details of a cybersecurity audit that took place three months before a Scottish NHS health board was targeted by hackers.
Inspectors undertook a statutory review of online security at NHS Dumfries & Galloway in December 2023, Futurescot can reveal.
The audit was part of a Scotland-wide programme of checks on NHS and public health bodies – to ensure that they are meeting expected data security and management standards.
Under the law, NHS health boards are assessed on a range of cybersecurity ‘controls’ that must be either achieved or partially achieved to ensure compliance.
Despite repeated requests, NHS Dumfries and Galloway – which had over three terabytes of its data leaked onto the dark web last month – has refused to release details of the external audit.
The health board has insisted that the document is ‘extremely confidential’ and cannot be shared – because it may harm the organisation’s security.
Similarly, the Scottish Government, which commissioned the external audit, and is the ‘competent authority’ overseeing NHS cybersecurity, also refused to disclose the findings.
However, opposition politicians today called for full transparency over whether the health board was complying with expected cybersecurity standards.
Scottish Labour Health spokesperson Jackie Baillie said: “Health boards being vulnerable to cyberattacks is an incredibly serious matter.
“In recent cases we’ve seen the disruption cyberattacks cause and the risk they pose to the confidentiality of patient data.
“If health boards and the Scottish Government are aware of any vulnerabilities in our NHS’s cybersecurity, they must inform Parliament and the public and rectify any weakness in the system quickly.”
Scottish Conservative deputy health spokesperson Tess White MSP added: “This recent cyberattack resulted in confidential medical records being made public and left patients understandably alarmed.
“The SNP Government and NHS Dumfries & Galloway must be fully transparent about any audits that were carried out before this attack took place and given the scale of this breach, it’s crucial that they give a full and open account that restores public trust.”
Millions of files belonging to the regional health board were uploaded to the dark web last month, following what the health board described as a ‘focused and ongoing’ cyberattack which it announced on March 5.
Ransomware gang INC Ransom claimed responsibility for the attack, and published evidence of the hack on its dark web blog site on March 27 – and threatened more was to follow unless various unspecified demands were met.
Finally, on May 6, over three terabytes of data was published on the gang’s dark web site, including confidential patient and staff information.
Those files – seen by Futurescot – contained sensitive patient data, NHS personnel records, lab results, administrative, strategic and corporate governance data.
They also include children’s mental health records, with full names and dates of birth, and details of patients being treated for various conditions.
In a further development, National Records of Scotland confirmed two weeks ago that it was also affected by the hack – with a ‘large volume’ of data accessed and published by the cybercriminals.
The health board has insisted that the hackers did not access the primary records system for patients’ health information – the system used by GPs, containing people’s entire medical history in one location.
However, it has initiated an investigation, calling in the police and experts from the National Cyber Security Centre, and notifying the privacy watchdog, the Information Commissioner.
Health board officials have contacted the people most at risk from the hack, issued a warning about identity theft and are also working to secure systems in the aftermath of the attack.
Organisations deemed to be ‘operators of essential services’ such as the NHS or critical national infrastructure – like water or energy providers – are bound by law to have the highest cybersecurity standards.
Under the EU Network and Information Systems Regulations 2018 (NIS Regulations), their systems must be highly secure in order to prevent data compromise.
According to the regulations, organisations must establish and maintain policies and processes ‘concerning systems assessment, inspection and verification’.
The health board confirmed that it was audited in December last year by the Thurso-based not-for-profit consultancy Cyber Security Scotland, which specialises in cyber defence policies, procedures and technology.
It is led by Dr Keith Nicholson, former joint chair of the National Cyber Resilience leaders’ board’s public sector steering group, and contributing author to the Scottish Government’s Cyber Resilience Framework.
His organisation was appointed by the Scottish Health Competent Authority – a Scottish Government body – to review the cybersecurity provisions of every health board.
All NHS and related health bodies are subjected to this audit process and must adhere to certain ‘controls’, against which they are scored according to whether they have been ‘achieved’, ‘partially achieved’ or ‘not achieved’. Cyber Security Scotland is then required to produce a final report assessing overall compliance to Scottish government ministers.
A spokesman for NHS Dumfries and Galloway said: “NHS Dumfries and Galloway’s last NIS Audit took place in December 2023 and was carried out by Cyber Security Scotland who currently have the contract for Health NIS Audits appointed by the Health CA (Scottish Government).”
A Scottish Government spokesperson said: “The audit outcomes are classified as Official Sensitive and due to the content, which may highlight cyber resilience strengths and weaknesses, they are not available for general release.”