 The next item of business is consideration of business motion 5.626, in the name of Joe Fitzpatrick, on behalf of the parliamentary bureau, setting out a revised business programme for today. I would ask any member who wishes to speak against the motion to press their request-to-sweet button now, and I call on Joe Fitzpatrick to move motion 5.626. Firmly moved. Thank you very much, and no member has asked to speak against the motion. Therefore, the question is that motion 5.626, in the name of Joe Fitzpatrick, be agreed. Are we all agreed? We are agreed. The next item of business is a statement by Shona Robison on the impact on and response by the NHS in Scotland to the global ransomware incident. The cabinet secretary will take questions at the end of her statement so that there should be no interventions or interruptions. I call on Shona Robison. Thank you, Presiding Officer, for the opportunity to make a statement on the impact and response of the NHS in Scotland to the recent global ransomware attack. Members will have seen news reports about the global impact of Friday's attack. In the UK, the main area affected has been the NHS. Across NHS England, 47 health organisations were infected with the malware, including 27 acute trusts. While in Scotland, 13 health boards have experienced some impact from the attack, although less severely than in England. I wanted to come to Parliament today to update members on the current situation. Members will be aware that a UK-wide criminal investigation is under way, led by the National Cyber Security Centre and supported by Police Scotland. Health boards will fully support those inquiries. My Cabinet colleague Michael Matheson, Cabinet Secretary for Justice, participated in a meeting of the Cobra Committee yesterday afternoon, which was chaired by the Home Secretary to consider the consequences of the cyber attack. Ensuring services recovery from the cyber attack as quickly as possible has been a priority for health boards. Since Friday, health board staff, as well as staff within GP practices, have been working extremely hard to ensure that the impact of the attack does not affect the quality and the care provided by vital NHS services. I want to take the opportunity to thank them all for their efforts. Of the 13 boards affected, NHS Lanarkshire and NHS Borders have had the most significant impact. In response to this, as with other health boards, contingency arrangements were put in place, including manual standby systems, to ensure that appropriate patient information was still being captured and that patient services were being delivered across the NHS. I would like to take this opportunity today to reassure patients in Scotland that there has not been any reported breaches of patient data or personal details as a result of the attacks. Good progress has been made by all boards over the weekend in terms of recovery and mitigation. Most services, computer devices and systems are back online and operational on Monday morning. Many boards' IT staff are working on a 24-hour basis to ensure that appropriate fixes and the guidance that is issued by the National Cyber Security Centre are in place so that services are available to the public as quickly as possible. There will, however, still remain on-going work by boards to ensure that staff report any issues so that those can be investigated. I have written to health boards to record my thanks to all staff involved in responding to those attacks and thanking them for the additional work that they have carried out since Friday to ensure that the impact has been managed appropriately. While investigations and reviews are under way, initial assessment highlighted that across health boards less than 1 per cent of devices have been affected. That is around 1,500 devices in total. NHS Lanarkshire and NHS Borders have now reported that they have made considerable progress in restoring systems and that patient services continue to be provided. NHS Lanarkshire has reported that less than 20 patients waiting for routine appointments have had to be rescheduled. While the response from health boards and their staff is to be commended, I am sure that, like me, many members will want to understand why the impact from the cyberattack has affected the NHS. My officials are working closely with health boards to gain an understanding of why the situation arose in the first place. Issues that will be considered through this work will be to understand whether health boards had appropriate patching regimes in place. This is the process of applying fixes from software and hardware suppliers on to IT systems to improve security. With less than 1 per cent of devices infected, I think that we can draw some comfort from that position. However, we must not be complacent. I should also make clear that the adoption of any patch from a supplier requires a technical assessment to ensure that there are no unintended consequences on NHS systems. My cabinet colleagues are also seeking assurance across the wider public, private and voluntary sectors in relation to cyber preparedness. The Scottish Government has contacted over 120 public bodies to seek assurance that they have appropriate resilience in place. The Cabinet Secretary for Justice will today chair a meeting of the National Cyber Resilience Leaders Board, which draws together a range of partners, including industry. The board will consider the circumstances that led to the attack, the multi-agency response and the steps that can be taken to enhance the future resilience across sectors. This is not a threat that Government can combat alone. This is about all of us across all sectors working, sharing and learning together to reduce the impacts that those criminal attacks have on our organisations and the public. There continues to be substantial investment in IT across NHS Scotland. The Scottish Government provides funding of around £100 million per annum to health boards for IT investment and for maintaining cyber security resilience. Health boards spend at least the same amount per annum. However, we know that, in 2016-17, the total spend was around £257 million. Although the attack was unprecedented in its scope with hundreds of organisations affected across the globe, it was not an isolated incident. In fact, NHS Scotland, along with other organisations, face similar attacks every day, most of which are thwarted by the controls and protections that are in place. All health boards have IT security frameworks and policies in place. The IT environment across health boards is complex, with a mixture of legacy and new systems in technology. There is a continuing work programme in place to ensure that all systems are updated as soon as possible as developments in technology move on. I can assure Parliament that the NHS in Scotland remains at the forefront of using digital technology to support the quality of patient services that we provide. There will be a number of lessons arising from the ransomware attacks that we must learn from. Reviews are already under way to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future. The Scottish Government will also be arranging a lessons-learned exercise to help health boards and other agencies to mitigate the risks from further ransomware and other cyberattacks. However, due to the criminal activities, the NHS and all other parts of the public sector need to be vigilant and keep their systems up-to-date and fully protected at all times. That is a lesson that all parts of society can learn from. In conclusion, I want to reiterate that, while the impact of those attacks has affected NHS boards, there has been no reported breaches of patient data or loss of personal details or any reported impact on patient safety. In addition, I commend the response event of health board staff who have worked tirelessly to ensure that the impact has been kept to a minimum. However, we cannot be complacent and we must ensure that the lessons identified are adopted by all health boards going forward so that we can minimise as far as we can the impact such attacks have on systems that we use to deliver not just health but our public services in Scotland. The cabinet secretary will now take questions on the contents of her statement. We will have about 20 minutes. I would ask any member who wishes to ask a question to press their request to sweet button now. I call on Donald Cameron. I refer to my register of interest in the fact that I am on the board of two companies that invest in health technology. I thank the cabinet secretary for an advanced view of her statement. The incident is unjustifiable and indiscriminate. I, too, would like to begin by thanking the IT staff across Scotland who have worked tirelessly to get the NHS back online and the medical staff who have continued to provide care in the face of adversity. I would add my thanks to the words of the cabinet secretary. I welcome too that there has been no breach of patient data reported. We must also bear in mind that this is not just about infrastructure but that patients in our hospitals and health centres have been affected. Operations were cancelled and people were not able to get to their scheduled appointments. It may be the case that, across the NHS, one of the reasons that IT systems have failed is because out-of-date software is still being used. I therefore ask the cabinet secretary how will the continuing work programme that she refers to in her statement ensure that systems are not only upgraded now but will continue to be kept up to date in the future. I thank Donald Cameron for his questions and comments about the efforts of staff. The IT systems across the NHS are complex and, of course, some of them are different because they serve different purposes. The NHS systems that will be used in an acute hospital will be different from those used by special boards, for example. Having the same system in all of our NHS boards is not the issue—they will be different because they serve different purposes. At the moment, we understand that, mainly, Windows 2007 and Windows 2003 devices were affected and that only a small number of Windows XP devices were affected. No Windows XP has been an issue that has been raised within the media. I can say that there are approximately 6,500 XP devices out of around 150,000 total devices, which is less than 5 per cent. What I am saying is that it is not straightforward that it is about one piece of software compared to another. We need to understand that, across the different softwares that were affected, why were some affected and not others. That is the piece of work that will now be undertaken. Obviously, I am sure that Donald Cameron will appreciate all of the efforts that have been about getting the systems back up and running and sorting problems so that the patient impact can be minimised. The next phase is now to understand more about the software, what went wrong in those areas that it went wrong, and, more importantly, what can we do to make sure that we improve the resilience of those systems. I reiterate that the system was less than 1 per cent of devices that were affected, which meant that 99 per cent of devices were not affected by the malware. Although that provides some context, Donald Cameron can be assured that I am in no way complacent about that. I thank the cabinet secretary for prior sight of the statement and I also join the cabinet secretary in thanking all those IT and NHS staff who have worked around the clock to get the situation under control. In December, following freedom of information requests that showed that almost every health board in Scotland had been targeted by a ransomware attack, Scottish Labour called for a review into cyber security. In February that just passed, we exposed a security breach that involved NHS staff whose details were leaked. Again, we repeated that call for a review on cyber security. It follows seven years of questions from my colleague Richard Simpson, who is no longer in this Parliament. Can I then ask the cabinet secretary if we now will have a review into cyber security right across the NHS? Secondly, given that we have had a history of ransomware attacks, can she confirm if we have ever had to pay out to any ransomware attacks? Thirdly, if she can give an indication on pressures that exist on NHS boards in terms of savings, they have to make that that will be impacted on the budgets that NHS boards have for cyber security. I am sure that all of us want right across this chamber is for our NHS staff to be focused on patient care rather than having to worry about this hacking scandal, which I am sure all of us find unjustifiable and abhorrent. I thank Anas Sarwar for his questions. What I can say to him that, back in February of this year, the chief operating officer of the NHS wrote to boards reminding them of the need to make sure that they had the best resilience in place and were following the best advice to make sure that their systems were as good as they could be. I would reiterate what I said to Donald Cameron, and that is that there are regular attacks on our NHS systems. The fact that, to date, those have been very limited in their impact up until the situation on Friday says something about the strength of that resilience. Indeed, even though there has been an impact from the attack on Friday, it was on less than 1 per cent of the devices. Over 150,000 devices across the NHS affected less than 1,500 of them. However, Anas Sarwar is quite right to say about lessons being learned. Of course, in terms of the review of what has happened and what needs to happen in the light of the attack, any recommendations flowing out of that will be taken forward. In terms of pay-outs, no, there have been no pay-outs. It is not the policy of the NHS to pay out against those attacks. I think that that would send out completely the wrong message. Finally, on budgets, as I said in my statement, the NHS puts a lot of resources into IT, of which, of course, cybersecurity is a key element. The Scottish Government invests around £100 million each year. That is matched by health board funding. As I said in 1617, that was over £250 million, and this year is set to be at least £200 million. In fact, over the last two years, the investment in IT has actually gone up, so hopefully that will provide some reassurance to Anas Sarwar on the issues that he raised. Stuart Stevenson, to be followed by Miles Briggs. Given that the opportunity for the cyberattack lay in a vulnerability in obsolete software and, critically, the publicising of that vulnerability, can the cabinet secretary consider whether it might be appropriate to have a database that gives us knowledge of the use of obsolete software in public services and, therefore, enables us to target news of potential vulnerabilities of which become aware to the appropriate people before attacks may happen in future? I think that Stuart Stevenson makes an important point, although, in response to Donald Cameron, I made the point that this was not about one software. It appears to have affected a number of different softwares and, particularly, has impacted on GP practices, rather than on the acute hospital with NHS Lanarkshire being the exception to that. We need to understand a bit more around what lies underneath those areas that were, where more vulnerable, because there appears to be a different pattern in different places. We need to understand all of that more readily before we decide what action we are taking. What I can assure Stuart Stevenson is that the experts that are meeting today in the leaders board, which is being chaired by my colleague Michael Matheson, has the expertise there, along with the other expertise that we will draw from, to make sure that the recommendations that we take forward into how we can make our systems more resilient will be based on the best available advice that we can find. Miles Briggs, before by Jen Gilruth. I would like to echo my colleagues thanks to all IT and NHS staff who have worked so hard over the weekend to restore key IT systems and deliver care to patients. Is the cabinet secretary confident that sufficient resilience planning is in place to cope with larger-scale incidents should they ever occur? When did the Scottish Government last undertake an order of these IT systems? I say to Miles Briggs that we are confident about the systems that we have in place, given that, as I have said already, that less than 1 per cent of devices were affected but in no way complacent. That is a wake-up call not just to the NHS but not just to the public sector but industry as well. If you look globally at the type of organisations that have been impacted here, it is a wide, wide range of organisations. We need to look at what more we can do around resilience planning. As I said, we did write to all boards back in February reminding them of the need to implement best practice and to get assurance from boards that they were doing so. We are looking today at the establishment of an extraordinary meeting of the IT leaders board. It is expertise across not just the public sector but industry as well to bring that together to look at whether there is more that we can do in response to this attack but also on an on-going basis to build that resilience. I am very happy to keep Parliament updated about that as that works taken forward. In light of the continuing threat, can the cabinet secretary provide detail on what measures are in place to monitor the safety of patient data? In response to Jenny Gilruth, let me reiterate the important point that no patient data has been compromised. I know that this is very important because I know that, on Friday, the news was breaking that patients were concerned that their personal data might have been compromised. It was very important that we checked out as quickly as we could to give that public reassurance and we were able to do so and I would want to reiterate that today. Going forward, what will be very important is the resilience of our systems, that we have that security around patient data. I understand very much the sensitivity and the personal nature of patient data that is held within NHS systems, so it is very important that we can give that security to patients and that reassurance to patients and that will be an absolute key priority going forward. Monica Lennon, to be followed by Ivan McKee. I would also like to put on the record my thanks to the NHS staff who have worked extremely hard and around the clock in response to the cyber attack. As has been mentioned, NHS Lanarkshire in the central Scotland region that I represent was one of the most significantly impacted health boards in Scotland, but the eHealth department worked tirelessly throughout the weekend to restore critical systems and NHS Lanarkshire staff have continued to provide care of the highest quality. However, concerns have been raised with me about the impact of cancelled operations and appointments at Hirmaiers hospital in East Kilbride. What assurances can the cabinet secretary give to my constituents about the timescale for when they can expect performance in Lanarkshire to fully recover? Can she provide further details on what action is being taken in partnership with NHS Lanarkshire to upgrade and develop their IT systems so that patients can have confidence that all possible actions are being taken to prevent similar attacks happening in the future? I thank Monica Lennon for the comments and I absolutely agree that staff in Lanarkshire, one of the most affected boards, really pulled at all the stops to avoid that impacting on patients as much as they possibly could. I think that their communication was very good as well in trying to get the message across to patients to avoid coming to A&E unless absolutely necessary and, indeed, to perhaps bring medication information with them because they were using manual systems. I should say that the manual systems that kicked in were manual systems that are there ready to use should an IT system fail and they were put in place very, very quickly indeed and were very successful in ensuring continuity of care over the Friday night and into the weekend, so I should put that on record. NHS Lanarkshire did experience what was a widespread attack on their PC environment with around 1,100 devices affected. That happened during a programme of PC replacement and we need to understand whether that was part of the issue and we are still working on information around that. Over 200 infected devices have now been replaced through a targeted prioritisation that focuses on keeping key clinical services running. It was really important to make sure that we could get those key clinical services back up and running as quickly as possible. As I said in my statement, it has reported that less than 20 patients waiting for routine appointments have had to be rescheduled, as I understand that they are being rescheduled as quickly as possible. I will certainly make sure that, in terms of communication with those patients, that is happening. That is my understanding of the situation. Certainly, in terms of what has happened in NHS Lanarkshire, that will be a key part of our learning. I think that we were very fortunate that those were the only acute hospitals that were impacted on, because I know that the impact on acute hospitals in England was very, very challenging indeed. Most of the impact in Scotland was around GP surgeries apart from NHS Lanarkshire. Again, Monica Lennon is quite right to pay tribute to the hard efforts of staff to minimise the impact on patients. Ivan McKee, to be followed by Alison Johnstone. I thank the cabinet secretary for his statement and can ask what steps NHS Scotland is taking to learn lessons from this attack and to minimise the impact of any disruption due to any future potential attacks. As I have said so far in my statement, I can say to Ivan McKee that health boards have obviously been focused, as he would appreciate, on recovering their systems and their computers. However, the next phase is now about the reviews that are under way to ensure that we learn all the lessons from this attack and make the necessary improvements where they have been identified that they need to be made. Health boards are working to implement patches and ensure that system security arrangements are updated. The lessons learned review with health boards will be getting under way. We have already got a lot of information. We need to make sure that we have a full investigation of all the detail of this. As I said in my opening remarks, the work with the National Cyber Security Centre is going to be very, very important because it has a lot of the expertise that is going to be important here. We will certainly be working with the National Centre in taking those matters forward. Finally, the National Cyber Resilience Leaders Board, which I mentioned earlier, the Cabinet Secretary for Justice's chairing, is drawing together a range of partners across the public and private sectors, and that will look at how we enhance the future resilience across all sectors, not just the NHS. I am happy to keep Parliament informed of that work. Alison Johnstone will be followed by Alex Cole-Hamilton. Clinicians and healthcare providers often have limited time to work with patients and any protocols that make patient data more secure should not impact front-line staff who need to be able to do their job without recalling and updating strings of long passwords, for example. Can the cabinet secretary give us assurances that any improvements made to the security of NHS IT systems will not have a negative impact on the workload of healthcare professionals? What further engagement will be made with patient groups and organisations that have concerns about the safety and privacy of that patient data? Just to reiterate again to Alison Johnstone that there has been no breach of any patient data in this attack. It is really important that patients are reassured and the public is reassured on that matter. I think that there should be engagement with patient groups and the public around their involvement and everybody's involvement in making sure that we can have IT security maintained at the highest level and what improvements we need to see. I take Alison Johnstone's point about not adding to the workload of staff, but IT security is all of our responsibility. Obviously, we do not want that to be onerous, but there is good practice whether that is on an individual basis in terms of back-up and passwords through to a collective responsibility in terms of the IT security systems and the patching that organisations would expect to have in place. It is everybody's responsibility, but I take Alison Johnstone's point that we should not make that an onerous responsibility, but it should be everybody's responsibility. Alex Coulhoughton I thank the cabinet secretary for advance sight of her statement. I, too, would like to echo the praise of fellow members in praising the staff. Many of you have come in on their days off to make good on this audacious and cowardly attack. The cabinet secretary noted that NHS Scotland faces similar attacks to this on an almost daily basis and explored some of that in her response to Anna Sarwar. Can she give Parliament details as to how many such attacks have taken place and whether each or any of those are subject to criminal investigation and how successful those criminal investigations have proven in bringing perpetrators to justice? Alex Coulhoughton I can tell Alex Coulhoughton that there are regular attacks, not just on the NHS, but on public services and other organisations. Some of those are of a more serious nature than others, and what we saw on Friday was a very serious nature, a global attack across so many different countries and so many different organisations. There have been attacks that have led to the involvement of the criminal investigation agencies and of the cyber experts within Police Scotland. They have certainly been making sure and have bolstered their resources. If you look at the changing nature of cyber attacks, it is very important that Police Scotland has the expertise in order to deal with that, and they have certainly got a number of cyber security expertise within Police Scotland in terms of investigating crimes of this nature. On whether there are current criminal investigations, that is something that I will write to Alex Coulhoughton about as a follow-up to his statement. What I can assure him of is that, in this instance, Police Scotland, working with the national crime agency, is treating it as a very serious attack and will be giving it its full attention in trying to bring the perpetrators to justice. Clare Haughey To be followed by Brian Whittle Does the cabinet secretary agree with me that, given the international scale of this attack, it is vital now more than ever that Scotland is represented at international discussions regarding security and international threats? Yes, those are global attacks and we need to make sure that any discussion about our international or national response to that, that Scotland has an involvement in that, which is why it is very important that Michael Matheson was taking part in the Cobra meeting that was chaired by the Home Secretary. It is very important that we understand collectively what the threat was here and, importantly, whether it is a criminal investigation or, indeed, the lessons learned and the resilience of our systems that we draw on that expertise. Michael Matheson has taken part in those Cobra discussions in terms of international work that is on going around this. Yes, we would want to make sure that the information and the impact from Scotland is recognised on that global stage and, indeed, that any lessons learned that we can learn from elsewhere in terms of how it has been addressed by other countries and other organisations that might have relevance here, that we take those lessons learned and can apply them here in Scotland. Clearly what was important, first of all, was to get organisations back up and running as much as we could yesterday morning. I am pleased to say that, particularly in the case of GP practices, none were closed. They were all open but, obviously, there was some work needing to be done in terms of retrieval of data from backup systems and that is well under way. In terms of Lanarkshire, again, it was a more complex situation that has taken a little bit longer to get those systems back up and running because that has to be done in a safe way. They have to be tested and they have to be done in a safe way. However, we are very much through the recovery stage and that is why we are now able to have systems working normally by and large. We can now turn our attention to the lessons learned phase and what more we need to do in terms of building resilience and learning lessons from the future. We are making sure that the impact on patients is kept to a minimum. Any patient—less than 20—in NHS Lanarkshire to have their appointments rescheduled, we need to make sure that that is done as quickly as possible. However, the effort has been made to try to minimise the impact on patients. We will now move on to the next item of business, which is a statement by John Swinney on national bargaining in the further education sector. The cabinet secretary will take questions at the end of his statement, so there should be no interventions or interruptions. I would ask any members who wish to ask questions in this after the statement to press their request to speak buttons as soon as possible.