The first instrument is the Mental Health Tribunal for Scotland Practice and Procedure Number 2 Amendment Rules 2017, SSI 2017-17-17. There has been no motion to annul and the Delegated Powers and Law Reform Committee has not made any comment on the instrument. Could I invite any comment from members? No, then that is agreed. Thank you very much. The second instrument is the Mental Health Patient Representation Person Scotland Regulations 2017, SSI 2017-17-17. Again, there has been no motion to annul and the Delegated Powers and Law Reform Committee has not made any comment on the instrument. Any comments from members? No, then that is agreed. The third instrument is the Mental Health Certificates for Medical Treatment Scotland Regulations 2017, SSI 2017-17-17. Again, no motion to annul and the Delegated Powers and Law Reform Committee has not made any comment on the instrument. Any comments from members? No, then that is agreed. The fourth instrument is the Mental Health Conflict of Interest Scotland Regulations 2017, SSI 2017-17-17. Again, there has been no motion to annul and the Delegated Powers and Law Reform Committee has not made any comment on the instrument. Is there any comment from members? No, then that is agreed. Thank you very much. Agenda item 2 is a session on information technology and security. We have two panels today, and our first panel includes Professor Bill Buchanan, the Cyber Academy, Edinburgh Napier University; Andy Robertson, director of IT, NHS National Services Scotland; and Andy Greer, acting assistant director of eHealth and information services, NHS Ayrshire and Arran.
We are going to move directly to questions. Clare, would you like to begin? Thank you very much, convener, and I would like to welcome the panel to the committee this morning. Can you tell us first off what happened, why it happened and perhaps explain that in layman's language for us? I am Andy Robertson, the director of IT at NHS National Services Scotland. Essentially, there was a release, and I do not think that anyone is quite sure yet where it originated, but a virus found its way into the network. When I say the network, we share a network and we are linked in with England. We also have linkages into the internet from our NHS network. It found its way on to computers and exposed a particular issue that we have in and around some of the software that runs on some machines. Once it infected those machines, the nature of the virus was such that it tried to connect to other machines with similar exposures. It found its way through—there were three layers of security that the virus found its way through. If it found a particular network port that was open, if it found a piece of software that is designed specifically around file sharing, and if the machine had not been patched to the latest level of the Microsoft operating system, then it was able to spread through our network. As has been advertised, the ransomware nature of the virus was such that it was encrypting files of different types on those machines, so it was effectively shutting down those machines as it travelled and moved through the network. Does that cover what actually happened? Yes. Are you telling me that? That is what happened. I guess, in terms of why it happened, it is the exposure that a number of organisations worldwide had in their computer systems and networks. So this was a virus that affected multiple systems internationally? Yes, and multiple organisations internationally, so it is a worldwide release.
Why did it then affect the health care computers in Scotland? The organisations that were impacted had a number of things in common, including the health service here. We were all using a particular piece of software that shares information among computers. Within the health service, that is fairly fundamental to how the health service operates on a daily basis. We are a very linked and networked organisation, and data moving around the health service is really what maintains our services on an on-going basis. We have some computers in the health service running that particular piece of software. We also make use of a particular network configuration in and around our firewalls, where, in some places, this particular virus picked on one route through firewalls. I guess that the perpetrators would understand that there would be an exposure across the world in a particular port that is used in our firewalls. It was really looking for machines that had not been patched up to the latest version of the Microsoft software releases for those machines. And this was common worldwide? So anyone who was impacted had the same set of circumstances across their environments. Okay. In terms of the patch that was not applied, what was that? Can you explain what that particular patch was that had not been applied? Andy, can you explain the patch? The patch was a Microsoft patch. What that did was close one of the loopholes that the virus used to attack with. It closed a specific network port. I am asking for those who are technologically challenged, and I include myself in that category. Systems or software systems inherently have these loopholes, is that what you are saying? Operating systems that run on our computers. Just to give you some context, the virus reached 1 per cent of the devices that run in the health service. For the most part, for the machines that it could have reached, we were protected in 99 per cent of those machines.
1 per cent, for varying reasons, had not been updated with that particular software patch from Microsoft. However, the other two layers of security that we would have in our environment would normally be enough to keep that secure. We receive patches all the time from Microsoft and other software vendors in terms of keeping our estate up to date and secure. However, each individual organisation that has responsibility for deploying that patch needs to make local decisions in and around how often it would run its patching regime. So there is no consistency across all of NHS Scotland? Well, across NHS Scotland, there are 22 different health boards, all with their own accountability for managing their IT estate. Now, we are all conforming to the same policy and indeed the same guidelines and the same best practice, but local decisions need to be made in and around when to apply patches and when not. Some of those decisions are tied to the particular circumstances in local boards. It might be peculiar to specific parts of local boards' estates, but that really needs to be managed locally based on local information. It also requires downtime and sometimes an interruption to normal IT service delivery to apply some of these patches. So again, decisions are made locally in terms of how often you apply these patches and what your regime sits in and around that. You said "varying reasons" for the 1 per cent that weren't covered. What are some of those various reasons? It could be that the regime was due to run the next week or the next month. It could be something that was in testing locally. There could be complications in and around the software that runs. When we receive patches, they need to be tested before we can deploy. Sometimes patches that come in on an operating system will have a knock-on effect on some of the applications that run on them. Medical devices come in many shapes and sizes and require operating system computers to be attached to them.
Sometimes that can provide reasons why it is difficult to keep patches up to date. Sorry, and what exactly was it that was affected? Was it a specific version of an operating system? The press would have you believe that it was mostly legacy operating systems such as Windows XP. However, evidence would suggest that it was Windows 7, so it wasn't restricted just to Windows XP. OK, Alison. Thank you very much, convener. Thank you, panel, for joining us this morning. Mr Robertson, you, in responding to Clare Haughey, suggested that the incident had exposed a particular issue that we have. I would like to direct my questions to Professor Buchanan, if I may. Thank you for your evidence. I found it fairly accessible, quite an interesting read. You suggest that the main lesson that we have to learn from this incident is a complete underinvestment in the delivery of IT infrastructure in the NHS. You go on to say that there is a lack of integration across different stakeholders, that, in general, we are lagging behind England when it comes to this infrastructure, that healthcare has the poorest track record for computer security, that medical records are incredibly valuable to criminals, and it paints quite a picture of concern, and it seems that the experts in the field who will enable us to protect ourselves in the future are in short supply. Was that avoidable? It was avoidable. The problem is to do with the file-sharing protocol that is used on the Windows operating system. It wasn't needed at all. In many industries, such as oil and gas and finance, and in Edinburgh, you will find one of the most advanced security operations centre infrastructures in the whole world. Many of our graduates go and work in the finance industry. They use a virtualised infrastructure. The days of computer systems with technicians walking around with disks to patch are gone. These days, you should have a dynamic infrastructure where machines are patched every evening. That was a critical patch.
Critical is the highest level. If you want to use something from Spinal Tap, this was an 11 out of 10 in terms of how much of a threat it is. It should have been patched and it was well known. It was a race for the industry to catch up with the patch before those with the skills to make something malicious turned their evil hands to it. We got out of this very well, but it could have been much more severe. We really need to look at the whole health and social care infrastructure in Scotland. We struggle to integrate between primary and secondary healthcare just now. In England, it has happened much more easily. In London, there is the open data sharing partnership, where they have managed to get all the health authorities to share information, what is allowed to be shared and what is not allowed to be shared. That includes dentists, community practice, GPs, hospitals and so on. Generally, it is a more citizen-focused approach. In Scotland, we really struggle with integration with social care. Our systems are legacy and we need to admit that. We are now in a data age and information age, where data is critical for the pre-emptive understanding of whether someone is at risk in their health. We need a massive increase in spending, not just on computers, but in looking at healthcare services and how we provide them to the citizen. Are you hopeful that this might be seen as a wake-up call and that we can take action so that this is avoided in future? Yes. There has generally been a resistance to IT in healthcare. It gets in the way. That is typically because services have been designed in a way that does not make it easy for GPs, clinicians and nurses—the most important people—to be able to use the systems. We need to create an ecosystem around innovation in Scotland. We need to support SMEs to be engaged with the NHS and to work with clinicians on how best to analyse the patient's pathway.
An outage of a day or a week, as we have seen with BT and Capita, could cause economic loss and the loss of lives in Scotland. A large-scale power outage would cause much more effect than a simple ransomware attack. Do you think that there is sufficient knowledge of the area within the NHS? It is difficult for them to recruit staff. The finance industry and energy will pick off the best graduates, and they will pick off the best professionals. It is extremely difficult, as we find in education, to be able to recruit the best security professionals. I think that we are getting there, but it is difficult on the resources. Because we have the 22 health boards, it is difficult to manage an incident. We have to corral all the different health boards, different systems and a lot of legacy. I think that this must be a 10 to 20-year journey that we must go on, but we are moving to the cloud, not the public cloud, but we are moving much more towards virtualised architectures that are much more robust and resilient. In the NHS, we should have warm sites. A warm site is where, if you have a power outage in one area, you can switch over to another area. We should definitely have a cold site, which is the data infrastructure of the NHS set up somewhere else in Scotland. It does not have to be in Scotland, but we can flip over to that site just in case there is a major outage. You say in your written submission that we need to build systems on a white list of trusted systems, where all other connections and systems are not trusted. This is about putting in place a structure that helps to prevent this occurring in the future. I think that people in security are now realising that, rather than having a black list, the things that you are not allowed to connect to, you have a white list, which is the things that you should connect to. The NHS is such a critical system that it should be in lockdown, so that the least privilege is given to every service and every role.
Only by escalating that privilege can you move up and get higher privileges. The NHS needs to work on what is allowed, and everything else is barred. Connection to Tor, the dark web and so on should be barred automatically. There needs to be much more responsiveness to attacks and there needs to be an incident response team. However, that is not something that is just happening in Scotland. In the US, cybersecurity and health are rated in a critical condition at the current time. Thank you very much. We are going to run a jargonometer in this session. That was not the term that I used, but you will get the inference. We have got virtualised architecture, Tor and other such terminology. Can you help us with virtualised architecture? Virtualised means that, rather than being dependent upon a piece of hardware, a computer, a processor, your desktop is now running in the cloud. It is a piece of software that does not run on the hardware of the computer. You are using the computer as a portal. You can have the simplest of computers and access the most complex of infrastructures inside the cloud. That is the way that most companies and most businesses work now. You can go anywhere in the world, you can sit in Starbucks. I hate to bring up a bit of tech here, but you have a VPN, a virtual private network connection, between you and your infrastructure, and then you run your desktop virtually on your machine. That means that none of the files, none of the ransomware, the malware, can run on your computer. The cloud infrastructure, the virtualisation infrastructure, can make checks all the time and can update patches at any given time. Typically, overnight, your desktop will be patched. The concept of taking six weeks to patch, I cannot understand at all, especially for a critical patch. The problem with the NHS is that it has so many disparate computers distributed around the network that are still allowed to connect.
These days, they should be given a certain amount of time to update themselves to the latest systems, or else they are off the network completely. I will be dropping virtualised architecture into conversation. Jenny. For Tor and for the dark web, the ransomware connected straight to the dark web, so it did not go to any normal website, it did not go to any bank or PayPal or anything like that. It downloaded what is called the Tor browser, which is the dark web. It encrypts all its traffic. You cannot see what it is doing. Even though you are watching what it is doing, you cannot see it. It connected straight into the dark web and into a Bitcoin infrastructure. The NHS needs to understand that any connection into the dark web is malicious. It could be that someone is trying to hide something or downloading a whole lot of patient records, so it just needs to understand that it should bar anything that tries to hide its path. Good morning to the panel. I would like to go back to my colleague Clare Haughey's point at the start. She asked how that all began. I would like to ask a question about how the virus transferred. Was it via email in the first instance? I suppose that Andy Robertson was speaking about this. No, it did not. We are fairly sure that it did not come in through email and it did not come in through anyone connecting to a compromised website. There are a number of different places that we look when our defences are breached. We are fairly sure that it did not come in through an email and it did not come in through anyone clicking on a website link that they perhaps received through an email. We are fairly sure that it came in through our connection into the N3 network. We run the SWAN network in Scotland, the Scottish Wide Area Network, which is used by the health service. We have a gateway to the English health service through something called the N3 gateway. The virus reached us either through that connection or through the internet, perhaps both.
I understand that, once the computer becomes infected, it locks the files and encrypts them so that you cannot access them. It sometimes demands payment via Bitcoin. Are you aware of anybody in Scotland making payment via that system? From what I have read, it was demanding payment and, if people did not pay within a set number of days, the payment could increase. That is the nature of how it shows itself to the user of a device. No one in the health service has ever paid any ransom. It is a policy not to ever pay that. I do not know if anyone in Scotland from other organisations that were impacted paid that. It does try to encourage you to pay quickly. If you do not pay quickly, then the price goes up. Essentially, what we do in those circumstances is that we give up on that machine in terms of its current state and we restore it to the last good position that we would have in terms of our restoration policy. We would restore the machine to a point prior to its infected state. That is what we were able to do in just about every circumstance, for the 1 per cent of machines that were impacted. You can guarantee that there will be continued attacks on the NHS and other organisations. Cybercrime is a huge industry now and the stakes are being raised every day. We know that. We are going to have to spend more money on our defences. I agree with Professor Buchanan on that. I do not think that our picture of where the NHS is at is quite as dark as perhaps was painted. We are taking all those types of steps that Professor Buchanan laid out in his paper. We certainly are in a position where we were able to recover the health service. The vast majority of services were up on the Monday morning. That happened at three or four o'clock on a Friday afternoon. We were able to recover all of our key services by the Monday morning. There were one or two subsequent issues, just based on having had a major incident over the weekend, that took us a few days into the new week.
However, we think that our defences worked fairly well in terms of the impact that it had on the health service. We think that, where we were breached, we were able to recover as per our recovery plans and our disaster recovery regimes. Not all health boards were affected in the same way. NHS Lanarkshire and the Borders were the worst affected in Scotland. In comparison, Lothian, Orkney and Shetland were not affected at all. Do you know why that might be the case? I appreciate that you said that that does not relate to the varying operating systems. I am not necessarily sure whether it relates to the fact that those boards were perhaps directly connected to the N3 network that you spoke about. We are all connected to the N3 network. If I can go back to the same set of three circumstances, you needed to be using a particular file-sharing software that Professor Buchanan referred to earlier on. You needed to have a certain set of rules in and around your firewall, and you needed to be in a certain position in and around your patching regime for this to impact you. As much as that is the reason why it reached the health service at all, those were the same reasons why some boards were impacted more than others. On a scale of 1 to 10, with 1 being the least sophisticated and 10 being the most sophisticated, where would you place the WannaCry virus? I think that this was probably a one or two. There is a kill switch. The developers who make those malware systems will put in a kill switch. The kill switch is that the first thing that it does is that it checks something. What it did was that it checked a certain domain name. There were two domain names that it checked to see if they were actually registered on the internet. Someone in England found out that it was making this call and registered those two domains, and that stopped it. It killed it. It would have been much worse if that hadn't actually been in there, but that was the core of it.
It didn't really have a great defence. It probably wasn't created by someone with large-scale investment in creating malicious infrastructures. If you look at the energy infrastructure in Ukraine, which has been attacked, a fairly complex piece of malware that attacks the control systems for the energy infrastructure has quite a large investment in it. In terms of WannaCry, it was fairly easy to detect when it was connecting to the dark web and to stop the connection then. It really wasn't a complex piece of malware, and it could have been much, much worse. Could you perhaps sketch out for the committee what an attack at the 7, 8, 9 or 10 end of the scale would look like? Further to that comment, do you think that we have the resilience within the IT system in NHS Scotland to deal with such an attack at that level? I would say that it splits into four key risks. Distributed denial of service, which is very difficult to protect against. That is where malicious agents across the internet will target certain systems and consume all the resources, which means that they fall over and that they fail. Then you can get a domino effect where other systems will fail. A good example is, I am sorry to talk technical here, but it is DNS, the domain name system. It happened in the US recently, where there was a Facebook outage, and what was happening is that web cameras, half a million web cameras across the world, were infected by malware, all had the same username and password, and these cameras directed themselves on to the DNS infrastructure, which resolves the IP address for Facebook, and brought down that infrastructure. That meant that nobody could connect to Facebook. It might seem trivial, but imagine if it was NHS systems that could not resolve the names to the IP addresses of the systems that they actually connect to. That brought down Facebook for four hours because of that attack. Denial of service can do that.
The second is a serious malware infection, which could go to the core of NHS systems and start to switch off or corrupt databases. We have legacy databases, and it is possible for malware to take over a database and encrypt it. Luckily, the computers in this case were at the periphery of the network, but a piece of malware that was targeted on the NHS in Scotland could target key data elements and bring down the data infrastructure. The next threat is a large-scale data loss. That is where patient records could be compromised in some way and migrated off the network to be sold on the dark web. I think that the last and scariest one for us is a large-scale power outage. Like it or not, planes will fall from the sky, traffic lights will fail in London and cause chaos. We are highly dependent upon our IT infrastructure. A large-scale power outage, if somebody was to trip the power supply for a key resource in the NHS, could cause the whole of the infrastructure to fail. Hopefully, that will not happen and we have things in place. However, looking at Scotland and the way that Scotland is organised for its key critical network connections, we use London a lot. You will find that, if I communicate with you, the data packet will probably go all the way down to London and come back up again. If we were to lose critical connections to the internet, typically to London, we would bring down all our industry, education, health, finance and so on. The economic effect of that would be devastating for a country like Scotland. Hopefully, there are lots of things in place, but having failover backup routes for network connections and power is a core part of what we need to look at. That was your own opinion, Professor Buchanan. What about the other panel members? My opinion is that those are all threats, but they are all threats that we are well aware of.
We have had the distributed… Professor Buchanan called it the DDoS attack, which is a very different nature of cyber threat, where people are trying to maliciously bring down your websites and internet-facing services. We know about that and the power outage, just to give the committee some assurance. We have a very resilient data centre based in Livingston, so not in London but in Livingston, where we manage most of our large-scale national infrastructure out of. We have a contract with Atos. Atos runs a large data centre for us. It is almost a tier 4 data centre that runs in Livingston. It has two different power cables into it. It is resilient in terms of its power supply. It has UPS battery backup and it has generators, should we run into that. There are a number of other measures that we would take, so just to give the committee some assurance, we are aware of those types of threats. There are steps that we have taken. The work that we do to cover all threats to the systems that we run in the health service is quite wide-ranging. That was a particular attack. I think that you asked about the nature of the attack and how sophisticated it was. It was almost sophisticated in its simplicity, in terms of how it breached the networks and the way in which it compromised that particular exposure. You can see from the reach of that that it was worldwide. It was not just the health service that had that exposure. In terms of the other more malicious types of attack that we might come under, we do have measures in place to protect ourselves against just about every item there. The framework that we use covers a broad range of security and safety measures that we would have in place that would cover that range of different ways in which you may well be attacked. We move on to something else. As we move seemingly inexorably towards the internet of things, it is going to have an impact on how we deliver healthcare.
I think that we are aware of some of the opportunities that this presents us with. What about the challenges and particularly the vulnerabilities that this will engender? Who would like to address that question? The internet of things within the NHS is already here. Most significant medical devices in hospitals these days are computers in their own right and are connected to the network. One area of mitigation that we use within NHS Ayrshire and Arran to combat any threat against this internet of things is that we have a separate network for medical devices. Anything that isn't a desktop PC or a server sits on a separate network and only has the appropriate ports open to allow access to that device. Whether that be an MRI scanner or a syringe driver or a pump, they all sit on a separate network so that we can monitor and control that network separately and provide a degree of assurance of the network services. You feel quite confident that you will not be vulnerable to the types of attack that we have been discussing? I would never give a 100 per cent guarantee, but we were largely unaffected during this recent incident. Given the sensitivity of a separate network for the internet of things, I presume that there are special measures in place, in addition to existing measures, to deal with any such attack, given the impact that can have on patient wellbeing and potentially life? Yes, absolutely. If we think about some of the radiology devices in particular, should they start to compromise our corporate network, we can disconnect them from the network. They still tend to operate as normal. It's just that the images wouldn't be available across the network. It would require the clinicians to actually go to the devices rather than have the images made available. I just want to go back and explore a bit more about the cause of this particular attack and the application of patches.
Professor Buchanan, just to clarify, if I heard you right, you were saying that, certainly on our own machines at home, when you get a patch update, the kind of thing comes up that says do you want to update to the latest version, you click yes and it goes and does it. I had assumed that that's what was happening, but you were indicating that we're in a situation where that doesn't happen and you get technicians wandering about with discs updating machines. Is that an accurate portrayal of where we are? I couldn't say exactly. I did hear some people say that there were people walking around patching machines, but these days what should happen is an orderly patching system, as was identified earlier. Companies will have a patching system where in the evening you will patch all the machines automatically. The concept of somebody having to go to a machine and update it really is an archaic 1970s type of role. The NHS should have a general policy of watching the analytics and knowing what needs to be patched. What are the top 10 things that need to be patched at this given time? I don't think that there was any excuse for missing this one. Probably the core infrastructure was well protected and patched, but it's probably the computers at the periphery of the network. They shouldn't have been allowed to connect into the infrastructure and propagate the ransomware. I understand that. Thank you very much. Maybe either of the Andys would like to comment on that, just in terms of where we are specifically on that, how we update. If I could take that one. Certainly, speaking for NHS Ayrshire and Arran, I don't recognise the comments made by Professor Buchanan. We automate our patch delivery, and for our core infrastructure that happens overnight and for our desktop PCs, our peripheral PCs, that happens during the day, and it happens certainly within one week of patches being released.
I think that that's evidenced by the minimal impact that this WannaCry exploit had for NHS Ayrshire and Arran. Speaking for NHS Ayrshire and Arran? I can only speak for Ayrshire and Arran. Right, okay. For the NHS more broadly, we in National Services Scotland have responsibility for guidelines across the other 21 health boards, as well as looking after our own estate. The vast majority, and when I say vast majority, again I want to put this in context, 99 per cent of the NHS's estate here was unaffected by this virus. For the vast majority of cases, all of that is automated. We don't run around doing this with discs. We will have complex environments where the consideration, and I mentioned this right up front, the consideration of when to apply patches is a judgment call based on service delivery, the level of risk and the other layers of security that you would consider to have in place to keep yourself safe in that environment. Again, we realise that it's difficult for us to sit here and say, now that we have been breached by this particular virus, that we had all of that covered; obviously we didn't, but I don't think that we were the only organisation to have that particular exposure. Now, we have automated this as far as we can under the circumstances, but we have 150,000 devices connected to the NHS network in Scotland. We have three and a half thousand sites to cover. We have GPs, pharmacists and optometrists, who essentially operate on their own sites with varying levels of connection into our network. It would be ideal if we could take people off the network if they were not entirely compliant with last night's patch, but that's an impractical consideration for an enterprise such as the NHS in Scotland, just with our sheer scale, complexity and reach. So, just to be clear, you're saying that there are some, it may only be 1 per cent, but there are some machines that need somebody to go around and manually update the patches?
There's very little, Andy, I would guess, and I'll bow to Andy, who knows the technical detail better than I. It's not so much whether you have to physically visit the site, it's making the decision to take the services down to apply the patches and to live without the service whilst you do that maintenance on a less than regular nightly basis. Next question is, is there some kind of measure, or how much visibility do you have, on where we are with patch updates? You may comment on it, but Professor, we can't say that this is one that was an absolute must, absolutely should have been done, the patch absolutely should have happened as soon as possible, and clearly there will be degrees of how critical it is to implement certain patches, but across the piece, across the NHS, is there visibility of where we are with patch updates, or do we not really have that? Certainly we would have that at the health board level; whether we would have that nationally, I wouldn't have visibility at the national level, but each health board is accountable for its own IT security, so people in positions such as myself and Andy would understand our areas of responsibility, and we'd understand exactly where we are with patch versions across our estate. Last question is, has anybody done any estimate of what the cost to the health service was of this attack, the downtime that it caused and the recovery processes that we had to go through to bring things back up? We don't have a number to hand right now. Most of the IT resources that went into that are sunk cost. We used our own resources, we used our own staff to recover, and we didn't have to go and spend any real significant amount of money outside what we already spend in terms of the people, the resources, the expertise, the tools and the other resources that we would use to protect and recover our network. 
I would just say that the recovery side of things is important now; the best practice and the advice that we get around the piece is that you can protect yourself, but you should also assume that the level of sophistication of these types of attacks is going to increase and you need to be able to recover. We have already invested in that ability to recover in terms of the backups and the tools and the staff that we need to be able to recover. It's a bit of a race, though, in that that requirement is going to increase as we go forward as these types of attacks get more sophisticated. Will that figure exist at some point in the future, or are you just saying that it was absorbed internally? I don't think that we have it; we could certainly pull that figure together based on the amount of time and money that was spent, though most of what was done was on the goodwill of IT staff who are already in our employ, I would say, but that's certainly a figure that could be calculated. That's going to be an issue in itself, that we rely on the goodwill of the staff in such circumstances, but anyway, you could provide us with that information if you have it. Mr Robertson, you seem to be saying basically that you provide central guidance, central examples of best practice, but that the problem really lies in the fact that our 21 health boards all do their own thing, basically. Are you saying that if all the health boards had followed specifically the guidance that you had issued, that problem wouldn't have happened? The way in which health service IT governance works is based on a coalition of the willing. We are not in a position to issue—indeed, we don't audit—what happens in local health boards. We do try to collect best practice. I think that boards try to apply that to their own circumstances as best they can. I think that there are some boards who were unimpacted by the virus and by the incident. 
I think that it's fair to say that if all boards were at the same level as those that were unimpacted, there would have been significantly less impact, but that impact was limited in its reach as it was. You are saying that you don't have enforcement, if you like, but are you saying specifically that the reason why those boards were unimpacted is because they followed your guidance, and that had all the boards followed specifically what you were saying this wouldn't have happened, or is it just something that they did off their own backs? I mean, I'm just trying to get to the bottom of it. If we were all at the same stage as the best practice that reaches across the country, so different boards are better at different things across the country, there is a picture, and we were already there in terms of understanding what that picture looks like, but if everyone was at that same high level, at the high-water mark across the country of the different boards, then yes, there would have been zero impact. Just looking at this specific example, Professor Buchanan said that this patch was a must, effectively, so you would have known that this patch was a must, so did you issue guidance that said, effectively, that you really, as a matter of urgency, should update your systems with this patch? 
I don't think we issued anything in particular on this patch; we receive patches on a very frequent basis across our estate, it's a very large estate, and it's a daily occurrence for us to get patches, I think, Andrew, that's fair to say, plus there are the different types of software that run, so this one didn't stick out to us as being anything special beyond the normal types of patching we receive from Microsoft, and as I mentioned earlier on, we have multiple layers of security in our environment in terms of protecting us, so the fact that we receive a patch one night and don't deploy it the next night, we have another two layers of security that should keep us in place, and there are different reasons why we would schedule that patch. Now, again, 99 per cent of the estate was patched to that level and was covered during the attack, but there was nothing unusual about this one and it's something that we would work through with our normal patching regime unless there was truly something that came out and said truly emergency, so there was nothing different about this one in terms of its urgency compared with that which we would normally receive. Professor Buchanan's written submission is quite comprehensive, and it was quite a dismantling of where we are in terms of the technology. It talks, for example, of there being no need for us to use the type of file sharing systems that you mentioned earlier; we could be using, I won't go into the technology, but we could be using a virtual system that would avoid using that type of system that we currently use, so why are we not moving to using that type of system at the moment? We are moving to using that type of system. An example I can give you is that the GP systems that are running in surgeries across the country, so 1,000 GP surgeries, have run on a locally hosted system for a fairly long time now, since we started running GP systems in local surgeries. 
We are very shortly going to market to look for the next generation of GP systems, which will run in the cloud, and when I say run in the cloud that means they will be remotely hosted and, as Professor Buchanan laid out, they will run in a secure data centre and be accessed across a network rather than being situated on computers within the GP surgery. We're also doing that with our PC estate; we are looking at how we move that to secure data centres. I don't disagree with anything that Professor Buchanan laid out, but it is a huge investment, and I mean a huge investment, to transfer our systems to a different, next generation of computing, as I think you would agree that this represents, so the world is moving there, we are moving there as well, but as I mentioned earlier on we have a very large estate and a very large number of stakeholders, let's say 150,000 devices, 165,000 users, three and a half thousand sites; it's going to take us time and money to get there. So what level of investment will be needed to get there? I would say we don't have that end number; I couldn't quote you a number right now in terms of where that would take us, but it would be a significant amount of money, so it would be tens if not hundreds of millions of pounds to do that. We spend around £260 million a year on IT services within the health service, so just to give you an idea of the scale in terms of how much money we would spend across the health service on IT as it stands. But are you looking at it? Given the fact that one of the roles of the committee is obviously to look at budgets and the Government will have to look at budgets as well, given the seriousness of this issue, are you looking at how much it would cost to get to where you need to be? Yes, we are working with the Government and with boards to look at our programme of work over the next few years. 
We would work through what was the eHealth strategy board in terms of putting forward here are our programmes of work across a number of different fronts with acute, with primary care, with our infrastructure, with our PCs, what we would do for GPs, what we would do with our master patient index, what we would do with our patient-facing systems. So we've got a programme of work laid out and we've laid out an amount of money, but that would require increased investment over coming years and it's not clear if that will be available or not. So you do know how much would be required to deliver this, then? In terms of the numbers, we are looking at increases in the region of about £15 million a year to ramp up our programmes to be able to move to this new environment. In terms of the spending, that's on national and nationalised projects. So currently we would be spending round about £100 million a year centrally for centrally managed programmes, and that's the type of thing that NSS gets involved in. So when we look at projections out, there would be an increase of around about £15 million a year that would be required to allow us to move a bit faster in terms of what we're doing just now, in terms of moving to new environments. Professor Buchanan, have you or your university or colleagues made an estimate of what they think needs to be spent in this regard? I think you need to add a zero and then maybe another zero. I mean, this is our core health and social care infrastructure. I think £15 million patches it, it keeps it going, it's a sticking plaster, but really we need to invest massively. It's good to see the DHI making inroads about innovation. 
I think there needs to be more openness to a certain extent with research and innovation to make sure that SMEs in Scotland have the opportunity to work with the NHS, and I know that it is happening, but if you really want things to go fast then you've got to support innovation, you've got to support the growing of companies, great little cloud companies, and not go with the old model of large faceless companies running legacy systems and keeping virtual monopolies on their infrastructure. I think you've got to have a much more open system for review, not to pick faults but to really look at how best you can share. The finance industry in Edinburgh has one of the best security infrastructures that you have, probably, in the world. There are a lot of professionals around who could give support about how you go from legacy systems towards this new health and social care environment, and it will grow a new economy, and I think from a citizen point of view I don't think our health and social care really integrates. Why did a company based in Skye have to go down to London with their e-red book, and now every child who's born in London has an e-red book? My grandson has a paper-based red book, which is great, but the natural extension on to that is an electronic health care record, so I know we've talked about the negative around this ransomware and things like that, but I think we really need to understand how we can really grow a new health care infrastructure and design it around the citizen rather than around the NHS and the workflow patterns that are there just now. Thank you, panel. I'm actually really excited by what you say there. 
I think it would be a huge advantage if data that is collected about the individual citizen belonged to the citizen and they decided who could look at it and who could share it, and I think it would overcome one of the massive barriers that we have in healthcare, which is data sharing, and yet, you know, I worked in psychiatry for 20 years; people tell the same story time and time again and get tired of and traumatised by having to tell the same story again because the data isn't shared. I wonder if you could tell me a little bit more about your vision and what is required to get there? Well, I think we've always found London a good role model as a city that really looks after its care. It's a similar size population, more in fact, but they've managed to really define a data sharing policy across London and how data is shared, because London has a demographic similar to Scotland. It goes, in areas like Chelsea and Westminster, from deprived areas to affluent areas, so I think we need to understand how the data should flow but also protect the rights of the individual to privacy. That's a really difficult balance to make, but it does involve the citizen understanding what information they should hold and what they should own, but I think a building block is definitely the e-red book. It just seems unnatural to go from a paper-based system. When we go into hospitals we still see the early warning score system for risk assessment still done as a pen and paper exercise, which means that you're not gathering information that you could use to be able to predict illnesses and so on. I think there's some good work going on in Scotland, but we've always found that London is the place where innovation thrives, so if there's some way that Scotland could foster new infrastructures, and especially around the health and social care integration, which seems to be the biggest barrier just now. 
How do we care in the home and how do we ensure that people aren't admitted into hospitals when they don't need to be? That's providing the information to the first responders, the ambulance staff, to have enough analytics that they're not spying on the person but know the prescriptions that they're actually on and the risks to that patient, and a lot of that isn't medical data; it can be socio-economic data that relates to the decision. I think that we could do things a lot smarter, but it does bring a whole lot of security problems, so I think if we were open as a nation then we could really create the best infrastructure possible. Moving on to the security issues, I'm also aware that we spent an awful long time talking about malicious attacks on our IT systems when in actual fact one of the largest security threats is just human error. What have we got in place to protect us against human error, people looking at stuff that they shouldn't or being able to look at stuff that they shouldn't, people sending emails to the wrong folk and not blind copying them, all of these standard security threats that happen on a day-to-day basis? Security is people, people and people, so I think you can put in the best infrastructure. You found that quite recently, didn't you? A lot of that is staff awareness, and most ransomware will come in through a phishing email and people clicking on a link that they're not meant to. Most data will be leaked from the infrastructure by a doctor sending an email back to their own email account and getting the email address wrong. So I think there needs to be a skilling up of all staff in the NHS and across the public sector about how they can cope, and to be continually probing. Most companies now will do some sort of assessment test against their employees, such as conducting a fake phishing attack and seeing who clicks on it, and then if they do they're sent on a training course. So I really couldn't go into detail about specifics, though. 
If I could just maybe add something there from NHS Ayrshire and Arran. We are just about to actually conduct our first phishing campaign, just to see how the staff react to that and see where there are flaws in terms of upskilling, that education and that awareness, and we've certainly tried to communicate, well, we do communicate with our staff at various levels around education on malware and the associated risks. It is always human nature, though, that sometimes errors do occur. In terms of clinicians looking at medical records inappropriately, we use a platform called Fair Warning, which is rolled out throughout Scotland in the NHS, that actually picks up on whether a clinician should be accessing their own record, a family member's record, somebody from around the corner. So that's quite comprehensive, and that is dealt with on an individual basis. That did happen with the emergency care summary, didn't it? It was inappropriately accessed by a medic. That was fairly quickly spotted, wasn't it? It was. Reports, I believe, are run certainly within a month on all of our key systems, and we monitor the key systems without staff knowing that we monitor. So it is quite comprehensive, and the emergency care summary is certainly available to our first responders, but I do take Professor Buchanan's point that there could be more social care information provided within the emergency care summary. Yeah, and it's not available across the board to every health professional who might benefit from using it, like my own profession, pharmacy. Thank you. Maree Todd mentioned the recent situation at British Airways. It appears there that it was a power surge that caused the problem, and some poor technicians carrying the can for something that happened across multiple sites, bringing that airline to a standstill across dozens if not hundreds of countries? 
Assuming that British Airways, being a profitable large multinational company, had many of the backups in place that the NHS has, that leads me to the question: if it can happen there, can that happen here? I think it can happen with any organisation. As I said earlier, it is a very complex infrastructure that we have. Lots of systems are dependent upon other systems, typically outside Scotland, outside the UK. So a power failure on the east coast of the US would have devastating effects on the public sector in Scotland, because we are still running things inside the public cloud, and also there are services such as DNS that would actually be affected. So I think most of the risks that we see are probably external risks. The concept of the firewall as the main protection for a company is going, and in an IoT infrastructure the firewall does not really exist anymore. It has 3G connections to the internet, so the concept that you can corral devices around a little network and protect them has gone. So I think that we do need to understand where the data is, what is critical, when devices need to be patched. I think that it can take up to a year for a device to be recalled in the NHS, for it to be patched if there is an error on it. So I think that it is a really complex infrastructure, and probably we just need to be much more dynamic in understanding the internal risks and also the external risks to the infrastructure. Because rather than a loss of profit and a loss of face for BA, we would see a loss of lives, and that is much more important than the brand of a company. So we would be measuring a loss in terms of billions, really, if we had a large-scale power outage, and it is great to see that the NHS have things in place, but you know that when things happen you just do not predict exactly what is going to happen, and you might be well drilled in one area but something else happens that you just did not see. 
I think that more and more we need to do more scenario-based training. We need to set up what is defined as a security range, where you could actually simulate the NHS and what would happen if parts of it failed, and see if our responders could actually cope with that. It is very difficult for us to say that bad things will not happen. It is very difficult for us to say that. However, what we can say, and give some assurance on, is that we realise, and I worked in the private sector for many years before I joined the public sector, and the thing that strikes you when you work for the health service is realising that straight line between the job you do and the patient and keeping them safe, that the dependency that the health service now has on IT is enormous. It is very difficult for us to imagine the health service operating without the IT infrastructure that it has, but we take that extremely seriously, and the measures that we put in place are fairly broad in terms of trying to protect us against what the industry and what the best practices in and around security and resilience are telling us, and hopefully in some of the written evidence you see the connections that we have got into the UK's and Scotland's best minds on that. We try our best to cover the same as everyone else will. In 2013, my colleague Richard Simpson asked questions of the Scottish Government about, given the date for ending the provision of security support for earlier versions of the Windows operating system, moving to an open source operating system. At that point it was said that XP would be unsupported from 2014, and that 86 per cent of devices had been upgraded and the exercise would be completed in 2014. The answer goes on to say that no suitably mature, scalable and secure alternatives to the Microsoft Windows and Outlook products were available. Is that still the case? Are there no alternatives? To Microsoft products, that is for sure. 
I will take you back to the scale that I mentioned in terms of our install base. The install base that we have is enormous. The investment that we have in Microsoft products is enormous. We will continue to look at alternatives. When you say Microsoft, it depends whether we are talking about the operating systems or some of the software that runs on them. Largely, Microsoft is by far and away the dominant operating system that is used across industries and across Governments across the world. Everyone has the same issue as we have. You would like to think that there is an alternative to Microsoft from the point of view of competition and keeping your choices current. However, the cost of moving on from a Microsoft-based environment would be enormous. I am not entirely convinced that the benefits would outweigh the costs of moving. I think that the concept of an operating system is old, that is legacy. We now run with our mobile phone, our iPad; many of us are running Android and Mac OS. I think that the concept of a Windows operating system in a decade's time will seem as old-fashioned as the abacus. The server infrastructure around the NHS is more likely to be based on a Linux open source platform. Much of the services will be built around that. We need to understand that more clinicians and more nurses will probably be using portable devices that may well be Windows. I think that there are plans for Windows devices, but increasingly there will be a mobile environment. Those mobile environments have 3G connections that do not connect to this one network and the NHS infrastructure. Those are back doors. Those are the way that a clinician can check on the internet to be able to see the best prescriptions. I think that that day of everything being closed and you have a firewall, and as long as the firewall is protecting the whole infrastructure everything is fine, that is an old world. 
The question that Richard Simpson asked was a valid one at that time, typically around the cost of licences within the NHS. However, as we migrate, it will be a mobile device that we use, and we will be connecting more and more into a cloud. I think that we really need to understand the changing nature of IT. Just coming in, and certainly from an Ayrshire and Arran view as a territorial board, our server estate is probably around about 99 per cent Microsoft. That is purely because of our clinical system vendors. They specify Microsoft as an operating system and there are very few alternatives out there, with one notable exception in Scotland. Aside from that, they are all Windows. Certainly, going on to Professor Buchanan's point regarding mobile devices, we use a number of mobile devices that are certainly coming in over external networks, and we always use two-factor authentication to secure that link. I think that that is evidenced again in the lack of an outbreak within Ayrshire and Arran. However, we can only run at the pace of the clinical system vendors. In terms of the churn of hardware and software, what is the kind of timescale that you look at in terms of writing stuff off and replacing hardware and software? For desktop PCs within Ayrshire and Arran, we currently work to a five-year timescale; however, due to some financial constraints, that is likely to drift. For the server estate, in terms of drift, it will become a longer period than five years. Our server estate is almost exclusively virtualised and we replace the hosts on a five- to six-year basis, on a rolling basis. For most of our large-scale national applications, we are usually looking at contract terms of around about seven years for the large-scale software that runs on the infrastructure, but infrastructure refresh typically runs on a five-year cycle as a default. What would be the accepted IT standard, Professor Buchanan? Is there such a thing? 
I would hate to have the problem of moving away from legacy in the NHS. I could not imagine how that can happen in a relatively small time period. However, I do know that buying desktop PCs is not the way forward. The minute you put in a desktop PC, you automatically fix something in place. We need to be thinking much more of a mobile-type environment, an IoT environment, and much more about building systems around the citizen. That will take a lot of investment and a lot of time to do. I could not comment on the cost of replacing PCs. Okay, thank you very much. At several points during that, I was nodding along, pretending that I knew what you were talking about, and I am sure that some of my colleagues were doing so as well. But thank you very much. It was very helpful this morning and we will now suspend briefly. Can I welcome to the meeting Shona Robison, Cabinet Secretary for Health and Sport, Penny Rocks, head of eHealth, digital health and care, governance and technical strategy in Grimgall eHealth, all Scottish Government. Can I invite the Cabinet Secretary to make an opening statement? Thanks, convener, for inviting me to attend the committee today. I certainly welcome the committee's interest in what was a significant incident that affected a number of health boards in Scotland. This was a global ransomware attack, which, by its very nature, was aimed at causing the maximum disruption to a large number of organisations across the world, but I do think that it is worth acknowledging the extent of this incident across the UK and in particular the NHS. Across the NHS in England, some 47 health organisations were infected with the malware, including 27 of their acute trusts, while in Scotland 11 territorial health boards, two national health boards and a number of GP practices experienced some impact from this attack, although less severely than in England. 
As we have already learned from this attack, swift action, co-ordination and sharing information limited the impact on the NHS in Scotland. We must all therefore reflect on this incident, identify the lessons and, more importantly, share these lessons with partners so that we can help each other to put in place the appropriate and effective measures to combat cybercrime. I want again to acknowledge the tremendous efforts of NHS staff and the wider public sector in responding to the ransomware attack and providing assurances around the security of their networks. I can reassure everyone that there are no reported breaches of patient data or personal details as a result of the attacks. There remains a UK-wide criminal investigation under way, led by the National Cyber Security Centre and supported by Police Scotland. Health boards continue to fully support these inquiries. There will be a number of lessons arising from these attacks that we must learn from. Reviews are already under way to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future. The Scottish Government Cyber Resilience Unit will also be arranging a lessons-learned exercise to help health boards and other agencies to mitigate the risks from further ransomware and other cyber attacks. There was considerable collaboration across the NHS as well as cross-sector engagement during this time. Collaboration at this level is an essential element and helps to demonstrate confidence in the public sector's ability to respond to such events. Historically, there has been strong collaboration between all e-health leads, e-health infrastructure leads and IT security teams, both nationally and regionally, on IT security issues, with meetings held on a regular basis. 
NHS National Services Scotland hosts a quarterly meeting called the National Information Security Forum, which is attended by IT security representatives from each board, and they discuss current threats and vulnerabilities and exchange intelligence. This cohesiveness was particularly helpful during the attack, as security information was shared quickly and implemented immediately. Business continuity ideas were discussed and good practice shared across health boards, and unaffected boards provided their security expert resource to help those that had been impacted. Further ideas are already being discussed around a more national approach to managing IT security across the boards and providing systematic and regular intelligence briefings on potential attacks and vulnerabilities. Although we cannot prevent another cyber attack from happening, we will continue to minimise the risk and impact of future attacks. Initial assessment highlighted that across health boards around 1 per cent of devices were affected. This is around 1,500 devices; of this total, some 1,100 were in NHS Lanarkshire. That means that only 400 devices across the rest of NHS Scotland were actually affected by the attack. Of the 13 boards affected, NHS Lanarkshire was the most impacted. However, the board took appropriate precautionary action and, along with other affected health boards, put business continuity arrangements in place to ensure that patient services continued to be delivered across the NHS. While investigations are still under way in NHS Lanarkshire, early indications are that their estate and patching regime was appropriate, but they had not yet deployed the specific patch prior to the date of the attack, as they were in the process of an extensive replacement programme, hence why they were so badly affected. Lessons will be to improve the deployment time of critical patching, and that will be their focus going forward. 
There continues to be substantial investment in IT across the NHS, and the Scottish Government provides funding of around £100 million per annum to health boards for IT investment and for maintaining cyber security resilience. Health boards spend at least the same amount per annum, although further analysis of health board spending estimates that over £350 million was spent in 2016-17, and a similar level of investment is expected this year. Although the attack was unprecedented in its scope, with hundreds of organisations affected across the globe, it was not an isolated incident, and the NHS, along with other organisations, faces similar attacks every day, most of which are thwarted by the controls and protections that are in place. All health boards have IT security frameworks and policies in place, but the IT environment across health boards is complex, with a mixture of legacy and new systems and technology. There is continuing work in place to ensure that legacy systems are updated as soon as possible as developments in technology move on. However, some specialist medical devices still need to run on old IT and there are challenges around updating those. Health boards also have appropriate patching regimes in place. This is the process of applying fixes from software and hardware suppliers on to IT systems to improve security. However, I want to make clear that the adoption of any patches received from a supplier requires a technical assessment to ensure that there are no unintended consequences on IT systems. Due to these criminal activities, the NHS and other parts of the public sector need to be vigilant and keep their systems up to date and fully protected at all times. 
Just finally, convener, in response to the attack, the national cyber resilience leaders board quickly convened an extraordinary meeting on 16 May to review the circumstances surrounding the attack, the multi-agency response to it and to identify the next steps to ensure cyber resilience across all sectors. At that meeting, the board agreed to accelerate delivery of a public sector action plan, which it had been working on previously, to help all Scottish public bodies to develop a shared understanding and approach to achieving cyber resilience. The board will present the action plan to ministers shortly for their consideration, following which we would expect to consult at pace with the wider Scottish public sector on implementation. The plan is expected to include a commitment to develop clear minimum standards of cybersecurity for all Scottish public bodies to implement during 2017-18 and proposals to help to provide assurance around higher standards of cyber resilience in key public bodies. In conclusion, I thank you for the opportunity to be here today and I look forward to your questions. Thanks very much. In any area of health, there is a tension between centralisation of services and different boards having their own systems in place. What we have heard from the previous panel is that this is life and death stuff and this is extremely important. Is there any movement or move towards having a more consistent system across Scotland? Yes, there is. I will let Graeme say a bit more about that. That has already been the direction of travel in terms of taking a once-for-Scotland approach around IT investment as well, making sure that our systems are more joined up. That has been the direction of travel, but we also want to ensure that the monitoring of our systems is improved.
I have laid out in my opening statement some of the resilience and oversight that there is, but I think that there is always room for improvement in the monitoring of systems, and making sure that we have that continuity is very important. Graeme, do you want to say a bit more about the direction of travel? Certainly. Most of the boards already participate on a very co-operative basis. The IT security officers for each health board participate on a regular basis, communicating with each other and the four home nations to get the best advice out to all parties at all times. We certainly are now looking at how we can, never mind the impacts for the security and standardisation of that, but even just the economy of scale on PINE product, which can be more standardised and deployed across all sites, across all health boards, and that is certainly a direction of travel that I will be looking into in the coming months. I suppose that the follow-on from that is that the words public sector IT procurement fill everyone with a chill. Are we bad at it or is that just a perception in the media? Is that just a portrayal in the media or are we really as poor as that would suggest? One of the things that we have not done is that we will be aware of the big IT project down south that became a bit of a legendary tale of something of its complexity, which was too complex and has run into severe difficulties. We have taken a different approach in Scotland, and that is recognising the need to move to more continuity and a once-for-Scotland approach, but not trying to overlay one big system across the NHS that would have brought the challenges that they had down south. I think that most importantly, security product is already purchased off national framework agreements, so all boards will be buying security products consistently from the same vendors. What we have to get better at doing is knowing and managing those products on the ground.
That is where the emphasis needs to be on standardisation and giving more guidance and advice from expertise, which we already have through NSS. We have security advisers who lead us through all that and who also take guidance and leadership when attacks do happen. When a procurement process is going through, why is it that it appears that the public purse carries the can for failure in public IT procurement, rather than the companies who are failing to provide what they want from them? I think that that has improved. I think that we are better. Particularly with NSS, their skills around procurement are able to drive a harder, better bargain on behalf of the public sector. Lessons have been learned from previous contracts where the balance was not right and those who were selling had all the information. There was an imbalance of power there. We are much better at that. NSS's expertise in this has been really helpful. At the end of the day, the economy of scale is what we are aiming for. What larger suppliers may tend to do is divide and conquer health boards across the nation, and what is important for us is that we keep together. Certainly across Scotland, a lot of the bigger contracts more recently on national frameworks have been a lot more cohesive and well managed. In the previous session, we had evidence from Professor Buchanan, if I understood him correctly, and I caveat my following remarks with that. It was a trajectory that is a move away from fixed desktop infrastructure towards, if I have this right, virtual architecture and greater use of mobile devices. Is this a view shared by the Government that this is where we are moving to? There is a move towards cloud-based solutions, but I am going to ask Graeme to talk about the more technical aspects of that, if that is okay. Virtualisation is the modern industry way of lowering costs, improving security and increasing reliability and availability of systems.
Most health boards, for their core components, their core infrastructure, are now virtualising all their environment, so that is pretty much in place. What we vary in is how we deliver that, how we manage that on an on-going basis and how we can improve that. What the most important component is, is that the staff training that goes behind that is new for people, so it is about making sure that staff are up to date. Infrastructure now across NHS in Scotland is pretty modern. That is why a lot of the issues and the impact of the attack were minimised. From the server point of view, the reporting is about the desktop, which is the end-users, where there were some deviances. It is worth mentioning that in terms of the upgrade and replacement of the IT systems used by GPs, there is a procurement underway with completion delivery for about 2019-20 on the new GP IT and community IT systems, which are cloud-based solutions. That is going to really be quite a big, big difference to the way GP practices' IT systems are configured and how they work. I believe that there is a need for significant investment of resources in the overall infrastructure. I think that we were given a number of £15 million, and they said to add a zero, and another zero, to it. Is that an amount of investment that you recognise as being necessary? If you take the figure that I used in my opening statement that when we looked at what boards actually spent in 2016-17, it was £350 million. If you look ahead to the next five years of that spend, that is about £1.5 billion, so it is a lot of zeros. What is important is how that money is spent. If you look at the list of companies and organisations that were impacted from this cyber attack, some of them are multi-million pound, billion pound organisations that spend huge amounts on cyber, security and IT.
What is important for the NHS is that we need to make sure that the resources are at an appropriate level, but it is also about what it is spent on that is important. You could spend billions of pounds, but if you spend them on the wrong thing, you are not going to get the systems that you need and you are not going to get the security that you need. It is as important about what it is spent on as much as how much is spent. I think that the ambitions of NHS Scotland are significant. We want to do the best job for the population in delivering efficient, good services. That is a never-ending challenge, so perhaps the reference of future investment will reflect the fact that we have an ambitious programme here, which we certainly want to invest in to ensure that it delivers for the population. You made reference to the NHS in England and the fact that you thought that we handled it or were not impacted as much as the recent cyber attack in Scotland was in England. In his evidence to the committee, Professor Bill Buchanan from the School of Computing at Edinburgh University stated, in a quote, that Scotland seems to be behind England in the creation of a robust, modern and dynamic healthcare infrastructure. He goes on to say that there is a general lack of citizen access with weaknesses around the integration of primary and secondary healthcare along with a general lack of integration with social care. Do you think that that is a fair criticism? I do not think that it is. First of all, I just say that all of our health systems were in one way or another impacted. I think that it is about us all learning lessons, and learning lessons from each other as well. There were aspects of cyber security that for England and Wales might have been better than us. It is about the four nations learning lessons from each other. There is a lot of work going on at a UK level to make sure that those lessons are learned and that there is a co-ordination there.
On the citizen access issue, there is a lot of work going on in Scotland. We have the GP-SPIA programme, for example. I think that that was a good example of taking the public with us when it was a big new data system. It was important that the public understood what the purpose of that was. There was a lot of work that went on around explaining that to the public. As I mentioned a few minutes ago, the investment in the IT systems, in the new GP IT and community IT systems, is very much about linking up primary and secondary care. It is going to be a cloud-based solution, so it is at the cutting edge of technology. That procurement is well under way. Also, if you look across NHS England, yes, there will be pockets of very good practice, but it is quite a disparate system. It is not one that is particularly joined up and trusts very much do their own thing. There are pockets of good practice that we would want to learn from, but I am not sure that I would make the comparison in the way that the professor has. Just to complement that comment, there are 22 health boards in Scotland. Every single month, we, as a group of professionals, meet in the same room sharing, working together, making sure that we are all bringing services to the fore and that nobody is falling behind. Any new technologies are well discussed, well embraced, and sometimes we do trials in one health board and then share that across others. We are a very cohesive group, and hopefully the committee can recognise that that brings a lot of strength and a lot of structure to how we deliver our services. Just on that point, though, it was clear from the evidence this morning, and just even clear from looking at the impact on health boards, that some health boards were impacted more than others. Quite clearly, whatever best practice and guidance we have, it was not rolled out universally at the same time by every health board.
Obviously, there were lessons that should be learned, so it is not a case that everything happened perfectly at every health board. No one is saying that in my opening remarks. I was very clear to say that we had challenges and lessons must be learnt and improvements needed to be made. There is absolutely no complacency whatsoever. However, if you look at the 1,500 devices that were impacted, and as I said earlier, 1,100 of those were within Lanarkshire. In my opening statement, I tried to give a bit of analysis now that we have more information about why that happened. Essentially, because they were upgrading their systems, the security around those systems, while they were being upgraded, was not as good as it should have been. That is why 1,100 of the 1,500 devices were within the one health board. The lesson from that is that when systems are being upgraded, the security around those systems needs to be better. That lesson will now be learned across the whole of the system. However, it gives some explanation about why NHS Lanarkshire was impacted more than other boards in the way it was. I think that everybody is in agreement that in order to upgrade our systems, moving to virtual systems, for example, is going to cost a significant sum of money at the moment. The Government provides £100 million, but as you said earlier, boards probably spend over £300 million in total. That comes from other parts of the health service budget. What assessment has the Government made specifically on how much it is going to cost over the next five years to get to where it wants to be around the use of virtual systems? I mean, presumably, the Government is setting budgets for the next few years, but what specific assessment of how much it is going to cost over the next five years? As I said earlier on in answer to Tom Arthur, the spend in 2016-17 was over £350 million and we could anticipate a similar level of spend in 2017-18. 
Even if you were to take at least that level of spend over five years, you are talking about over £1.5 billion, but what we will also be doing is part of the analysis of the lessons learned from the cyber attack, but also in terms of the IT investment going forward. We have the new digital health strategy that will be launching at the end of the year. We will keep under constant review any further resource requirements, whether that is in capital or resources, but it is fair to say that we are already—there is already a lot of resources going into the system. I will just make the point again. It is important about where those resources are spent as much as the level of those resources. That is why the priority with procurement that is on the go at the moment, with a completion timeframe of 2019-20, is in the new GP IT and community IT systems, because that interface with secondary care is so important and also the fact that the move and shift towards doing more in the community and more patients being treated in the community requires the IT infrastructure to support that. That is why the focus at the moment is on that, in terms of that being a key priority. I hear what is being said about the amount of money that is spent at the moment, but in this morning's session, Andy Robertson, obviously director of IT at NHS National Services Scotland, made the point that he believed that it would require an extra 50 per cent on top of the £100 million alone in order to deliver where he thought we needed to be. Professor Bill Buchanan said that we need to add a zero, and possibly another zero, to that, so I am just trying to get to the bottom of whether the Government has actually made an assessment as to how much you think is required over the next five years to get to where you want to be in terms of IT.
I know that assessments are done on an on-going basis, so there will be further work being done now in the light of the cyber attack, and that work is on-going to make sure that, in terms of the lessons learned and any additional resources, that is identified. So that work is on-going as part of the detailed analysis of how we ensure an improved level of resilience, not just in NHS but across the public sector. The digital health strategy going forward will obviously lay out the key priorities, and the resources will follow that. We will make sure that, in terms of what needs to be done and the prioritisation of that, the resources are sufficient to meet that need. I just make the point, though, that you could add zero after zero after zero on how much you spend on IT infrastructure and on cybersecurity measures, but if you are not spending them in the right way, then, as you can see from the global companies like Telefonica, FedEx and Deutsche Bahn, all of those organisations and companies were impacted by the cyber attack, and they spend huge amounts of money on cyber security. It is about making sure that we have the intelligence as much as we can to spend the money in the right way, however much we resource. We will keep those things under review. We are, as I said, in a big process of learning the lessons and a very detailed analysis of what more we need to do in the NHS and in the public sector, and the resource element of that is a key component. We are no different than any other business in that. If we are developing and evolving services for improved efficiency, yes, it will require further investment. The business case has to stack up without a question. We have to take informed decisions on what we invest in and how we invest it, but the ambition, as I said earlier, is very—we have great ambitions for engaging in digital services within the NHS in Scotland, and over time that will induce more demand on infrastructure.
It will put more demand on security requirements, but those components will be built into how we fund and how we deliver the case going forward. I do not think that anybody is saying that we should spend money on things that do not work, but what I am just trying to get to the bottom of is that we have great ambitions to do what we need to do. I am just not entirely sure why you do not know how much that will cost over the next few years. We have had to review, in the light of the cyber attack, the cyber resilience, and there may be additional costs out of that. That work is on-going at the moment, so you would expect us to do that in a very detailed and forensic way, and that is what we are doing. In terms of the IT infrastructure commitments that are already made, there is a prioritisation of those, so that is why we are prioritising the GP and community IT systems. That is all costed. The procurement is on-going at the moment with a delivery time frame of 2019-20. Within the whole IT infrastructure spend, there are a series of priorities, and those are laid out. There will be further detail of that going forward for the next five years and the digital health strategy that will be launched at the end of this year, which we can keep the committee informed about. You mentioned that there has been an IT assessment. I wonder if you can provide the committee with that assessment, and whether you can provide us with details of the global IT budget and what the figure is for IT security. If you could follow up with that information, that would be helpful. I wanted to follow up on the benchmarking of these IT projects. I was made aware of year one and year two medical students in Lothian all being given iPads when they first started working for NHS Lothian, but they report that there is no wi-fi across the Lothian estate, so they have not been much use.
I can see the opportunity there, but to what extent are we looking at infrastructure like wi-fi across the NHS estate, and when will that be in place? Again, with the decentralisation of funding, the Scottish Government provides health boards with investment. There is local choice, and you are correct to say that what health boards spend money on varies. Some health boards are fully compliant in most of the way across their acute services. Some health boards are not. Some health boards are currently victims of challenge on things such as pay-for TV, where they have long-established contracts and breaches of contracts by deploying wi-fi into their acute bed areas. There are lots of complexities, and I have just been saying, when can we get wi-fi across all our services? It is a complicated picture. Certainly from colleagues in e-health, their ambition is to mobilise the workforce, again for efficiency purposes, in the acute hospitals and also out into the community. That is certainly a focus of where our investment will be. It is fair to say that in Glasgow and Clyde particularly, the clinicians' use of mobile devices is very advanced, so they will use those regularly to be checking up on test results and for communication. We need, in terms of benchmarking, to get that as a standard and get all boards to the standard that we would expect. Mobile devices and the use of cloud-based systems is the way of the future. Obviously, the broadband connectivity is a key part of that, so it is pretty essential. Another area that has been my pet project is around GP appointments and text messaging. Could you give us an update on where that is across Scotland and improvements, given the fact that the latest figure showed that there were a million missed appointments? Two million pounds has been directly provided through primary care investments, to invest in online services such as booking appointments and other system enhancements.
The GP IT infrastructure that I talked about earlier is going to revolutionise the way GP services, certainly in terms of the digital element of them, are organised, and also the interface with secondary care. That will be in place, with a completion timeframe of 2019-20. Meantime, there is also work going on around improving the booking of appointments and other systems. I think people expect that level of IT literacy in terms of how they interact with services. We have got a bit of catch-up to do there in our primary care services, but that is a priority. To add to that, the funding that the cabinet secretary mentioned has been decentralised. All the services that are running in general practice in Scotland today have the ability to handle online appointment booking. There is a choice at practice level. Some practices go for things like that. Some practices are a little bit more resistant. There is a bit, but certainly now that there is positive funding being made available, we are hoping that things will pick up. Do you think that that will be a postcode situation with the 22 different boards, that some will say that this is what we want to do and others will say that it is not our priority? I think that it is part of the funding because we are putting in additional funding. That is a real carrot to go down that route. The investment in the IT infrastructure in general practice more broadly, the big project by 2019-20, will encourage the best use of the technology. The interface between primary and secondary care is going to be so critically important in terms of saving time, sharing information, and the patient should get a better and quicker experience because of that infrastructure. We did stray a bit from IT security there. Clare? Can I remind committee members of my register of interests and place on record my thanks to the NHS staff who worked through the cyber attack?
We have received written submissions and verbal submissions to the committee about staff working overtime during this. We heard of staff goodwill, and I am sure that, knowing the NHS staff, many of them worked above and beyond what was expected of them. With that in mind, can the panel please tell me what assessment the Scottish Government has made of the impact an attack like this has on staff wellbeing and what steps can be taken to ensure that staff wellbeing will not be compromised, should a similar situation arise? I think that there was a huge effort that went on over that weekend. I know that because I was involved in many calls early mornings, late at night, and staff were working right through the night in some cases, particularly in Lanarkshire, I have to say, and I would want to pay particular tribute to the staff. It was all hands on deck. That is quite often what tends to happen in the NHS. I have written to the boards to thank and ask for my thanks to be passed on to all staff, particularly those who went beyond the call of duty. We would expect boards to recognise those efforts. We have not had any information about the impact on staff wellbeing. I do not have any particular concerns in that direction, but we should recognise that those are unusual events that do not happen often. We have not had events such as this, thankfully, touch wood, happening every day of the week, but it is important that we make sure that staff are recognised for their efforts. The cabinet secretary is right that this attack was totally unprecedented. We were caught at 12.30 on 12 May, and it took most of the eHealth resource across the entire service to respond. That meant that they were not doing what they would normally do on a Friday afternoon. Without doubt, the sharing and the support were certainly co-ordinated through the Scottish Government and the NSS. I must mention that specifically. The fantastic resource showed that we were working as a team and working together.
It got to the point that a lot of the teams were even willing to go to other health boards, and staff went down to Borders to help them to get through the blip of the challenge. Unprecedented attack. I think that going forward, obviously planning and more sharing of knowledge transfer is key to that. I thank the panel for that response. My constituency sits within NHS Lanarkshire, so I am well aware of some of the difficulties that the attack threw up. Professor Buchanan at the previous panel spoke about his thoughts about the way forward. He mentioned an incident response team. I was wondering if the panel had any thoughts on whether that could be a way forward to help to coordinate response across NHS Scotland. We have that already through our resilience arrangement. When something happens, the immediate response team, if you like, is a resilience team. It mobilises, depending on what the challenge is, the right people in the right places. In this case, eHealth leads were a critical part of that. Those arrangements have stood us in good stead when we have had previous challenges, whatever the nature of them, that we have had to respond to. Lessons will be learned in terms of whether we need to tighten up on any of that. I think that our way of responding to those very challenging circumstances probably works. It does work pretty effectively. What I would also add is that the levels of defence and the level of protection and ultimately monitoring that you can do on computer networks, we're certainly going to look into that a lot more. The standard of the banding goes that if you get into protecting your assets, which is probably where we are pitching at the moment, what's important is that we get much more into event management, because of knowing what attacks are happening when and then having much more control, being able to identify them in real time to do something about it.
That whole intelligence is certainly something that we're going to be focusing on in the coming months. Professor Buchanan made it clear in his evidence that he is concerned about a lack of investment. He said that the main lesson that we've learned from the ransomware attack is that there is a complete underinvestment in the delivery of an IT infrastructure in the NHS. One key resource is staff, and we've been speaking about them. Clare Haughey raised concerns about the impact on staff wellbeing when they're not only working overtime but working overtime in a pressurised, stressful situation where something's gone wrong and we're trying to contain it. Professor Buchanan spoke about the fact that experts in this field are in short supply generally, not just in healthcare, but particularly in healthcare. Obviously, there are challenges when you're up against huge financial organisations with larger budgets to attract the people with the necessary skills, the specialised skills. I'd quite like to understand what action the Scottish Government is taking to ensure that we are attracting people. I suppose that some of it might be that people are attracted to working in the NHS for all sorts of reasons, but are we doing enough to attract those with non-traditional medical skills, people with other skills? I think that we need to... it's worth re-emphasising again how unusual an event this was, so our staff are not working like this in normal peacetime, if you like. This was a huge cyberattack that required a response that was unusual in nature as well. You're absolutely right to recognise the pressure that put on people, but, as Graeme outlined earlier on, the response was absolutely fantastic and first class.
The expertise being in short supply, yes, I think that that's absolutely true, and sometimes we need to attract to the public sector generally, not just the NHS, people who are at the cutting edge, if you like, of understanding cyber security, and that means us competing with the private sector organisations to get the right people. There are programmes of work where people are brought in to test some of those systems, who have particular skills, and they are brought in, to be frank, to test whether the resilience is as good as it should be. Graeme, do you want to say a little bit about this personnel? I think that you've touched on a real point there of what we typically do, going back to the fact that we collaborate across all the health boards. Nobody finds themselves in a place where they're stuck or not knowing what to do. The security forums, the gatherings, the month-in-month meetings, the support that these guys give each other is significant, and it's really, really positive. I don't hear people saying that they can't get security officers. I think that we grow our own. I think that we've got a very unique environment, I think that we've got a very, very complicated IT environment, and I think that it's important that the model of sharing, and also, as the Cabinet Secretary says, a significant use of external professionals is used in this area, and there is certainly no apology for that on the basis that this industry is changing so fast. The experts, the technologies that we have to deploy, are changing so fast. It is very difficult to keep up to speed with things, and external penetration testing, or just testers, that's when we go out and hire ethical hackers to come in and try to penetrate our networks, and we learn so much from that and take their guidance and direction at that point in time. It's a great, big package of approach to solve what you've identified as a known real issue in the industry.
In Healthcare Improvement Scotland, you spoke of creating a centre of excellence. Is that something that's been looked at? Sorry, Cabinet Secretary. I feel that we're already well down that road. We have got experts in NSS who work for, as I mentioned, Andy Robertson, the director, and Andy coordinates his team in support of all health boards across the country. We have got expertise at our disposal on a daily basis, but, again, enhancing skills, training and awareness for the key staff is important. Final point. Did the resilience and contingency planning work as you expected it to? I think that this as a whole was a very major success story for NHS Scotland. I think that the impact that happened was, and most importantly, the recovery time was very, very short indeed. There was an impact, and there's no question about that in terms of patient care, but the impact and the recovery time to put services back to normal was very, very quick indeed. Did you prepare for such an event happening, and did the preparations you had put in for such an event fall through? I think that from the resilience arrangements kicking in with all of the, that goes with that in terms of the national response, the response locally. So, for example, the move on to paper backup systems in Lanarkshire, for example, that worked really well when the IT systems were down. The staff got into those backup systems really quickly to minimise the impact on patient care, and then the mutual aid, if you like, across the system, as you would expect. There are lessons to be learned around what could have been done better, but I think that if we had been laying out a theoretical attack and the response to it, I don't think that we would be far off in terms of what happened, how it was coped with, the recovery time and the analysis afterwards. I think that it would be pretty much in line with what the expectation would have been, but we are not complacent.
We absolutely want to make sure that we could work even better next time by learning some of the lessons from this.

Thank you very much for coming along this morning. We'll suspend briefly just to change the panel.

Agenda item 3 is subordinate legislation. It's a consideration of one affirmative instrument. As usual with affirmative instruments, we will have an evidence session with the Cabinet Secretary, who doesn't have her officials with her today, so we're going to do that ourselves. That will be followed by a formal debate on the motion. The instrument that we're looking at is the Carers (Scotland) Act 2016 (Agreements of a Specified Kind) Regulations 2017 [draft]. I welcome to the committee Shona Robison, the Cabinet Secretary for Health and Sport. I invite an opening statement from the Cabinet Secretary.

Thanks for the opportunity to speak about the regulation under the Carers (Scotland) Act 2016. It's always been our intention that kinship carers should not be excluded from support for carers under the act. This regulation is to clarify that kinship carers who have a formal agreement with a local authority can be seen as a carer under the act, where they also meet the other requirements of the definition. In particular, this ensures that they are on an equal footing with parents, who would only be seen as carers where the care required is over and above that which would normally be expected for a child of that age. Clarifying the definition of carer now will assist local authorities in developing their local eligibility criteria under the act from October. The meaning of carer in the Carers Act excludes people who are caring under or by virtue of a contract. This regulation will ensure that an agreement between a local authority and a kinship carer under regulation 12 of the Looked After Children (Scotland) Regulations 2009 is not a contract for the purposes of defining a carer under the act.
Without this regulation, these formal kinship carers may have been considered to have a contract to provide the care, excluding them from the definition of carer. Given that kinship carers who have no formal arrangement in place with a local authority cannot be legally considered to be caring under a contract, there is no similar potential barrier to them falling within the definition of carer under the act. To be clear, there is no suggestion that kinship carers who meet the definition of carer in the Carers Act will forfeit any other type of support that they might receive. Any new support under the Carers Act would be in addition to existing support. It has always been our intention that kinship carers are not excluded from the definition of carer in the act, for a number of reasons. Feedback from stakeholders has supported this approach. Kinship carers often find themselves undertaking a caring role after a family member has fallen into crisis, feeling that they have little choice in the matter, with the only alternative being that the child is taken into formal care arrangements, and no payment is received for the caring that they undertake. The kinship care allowance is not a fee paid for providing care, like foster carers receive, but for accommodation and maintenance of the child or young person in their care. Any support provided through the Carers Act will be aimed at supporting the needs of the carer. In conclusion, I am clear that kinship carers should not be excluded from the support that is available to carers under the Carers Act. We are therefore putting forward these regulations to ensure that kinship carers who have formal agreements with a local authority can fall within the definition of carer under the act.

Thank you very much. Any questions from members? Nope. We then move on to agenda item 4, which is the formal debate on the affirmative SSI on which we have just taken evidence.
Members should not put questions to the minister during the formal debate. Can I invite the minister to move motion S5M-06-069?

I move that the Health and Sport Committee recommends that the Carers (Scotland) Act 2016 (Agreements of a Specified Kind) Regulations 2017 [draft] be approved.

Okay. Do any members wish to contribute? Nope. The question is that motion S5M-06-069 be approved. Are we agreed? Yes. We're agreed. Thank you very much, and we will now move on to private session.