NHS cyber security: How safe is your data with the nation's healthcare service?

The security of the NHS’ patient records has again been called into question following a cyber attack on a health board in the south of Scotland - so how safe is your confidential information with the NHS? And who is behind attacks on the UK’s digital infrastructure?

Earlier this month, NHS Dumfries and Galloway was the victim of a cyber attack, which may have compromised a “significant quantity” of data.

The health board announced the data includes information which could identify patients and staff, and has called in the Scottish Government, Police Scotland and the National Cyber Security Centre to deal with the issue.

In a statement posted to its website, the board said: “During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data.

“Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data.

“Breach of confidential data is an incredibly serious matter. We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.”

Health Secretary Neil Gray told the Scottish Parliament that the board does not know what data was taken during the attack or what it is going to be used for, only the “scale” of the data which was stolen.

Police Scotland declined to comment further on the investigation, saying only that inquiries remained ongoing.

The attack is not the first time the UK’s healthcare system, or indeed Europe’s, has been targeted by hackers.

Governments across the continent were spurred into action in May 2021, after the national and local IT systems of the Health Service Executive (HSE), Ireland’s equivalent of the NHS, were hit by a cyber attack.

According to NHS Digital, the perpetrators, suspected to be a Russian-based criminal gang, “had used one type of software to infiltrate the systems, which opened the door to the deployment and activation of another type of software – a ransomware package known as Conti”.

“It began to delete back-up functions, disable key security protocols and encrypt vital files,” a statement from NHS England’s technological wing reads.

“Hospitals across Ireland lost access to electronic records, services were disrupted, appointments were cancelled, and some medical equipment was disabled.

“Data had also been compromised. The gang claimed it had patient details, employee records and financial information, and reportedly demanded a ransom of €16.5m to prevent the release of the data and to decrypt the files.

“The job of restoring the affected systems has been gradual, with 95 per cent of servers and devices back up and running by September 2021.”

The incident led cyber security experts across the world to look more closely at ransomware - software which holds data to ransom on behalf of hackers - and how it can be used against healthcare systems.

Dimitrios Pezaros, a professor at the University of Glasgow’s School of Computing Science, said ransomware does not attack healthcare systems in particular, but scans the internet looking for weaknesses in systems.

Healthcare providers happen to have large, interconnected networks which contain older computer models and software.

“These attacks may not be targeting the NHS in particular, but happen to have infiltrated the NHS,” said Professor Pezaros.

“If data sits on interconnected systems then it can be compromised, and there is no way of protecting yourself 100 per cent from that.”

Ransomware works and propagates through programs that search the internet for other programs with a particular vulnerability to exploit.

“Some computer that is part of the NHS network, or some other network, that is connected to the internet and happens to be vulnerable can be exploited,” added Professor Pezaros.

Ransomware comes from a variety of organisations, he said, “from amateur hackers to gangs, to organised crimes, all the way to state actors”.

“These types of attacks, which happen to similar systems, large systems with large connections, with legacy components which haven’t been updated, we see increasing.”

On Monday, the UK Government said it has its “eyes wide open when it comes to China”, as it blamed Beijing for cyber attacks on other state systems, such as the Electoral Commission and systems used by parliamentarians.

The Prime Minister’s official spokesman said: “We have our eyes wide open when it comes to China.

“The Integrated Review Refresh set out that the UK regards China under the Chinese Communist Party as an epoch-defining challenge and as the biggest state-based threat to our economic security.”

He added: “In relation to specific examples, we’ve used our new national security investment powers to block investment from China into sensitive technology sectors like semiconductors.

“Our National Security Act and others means we can take any steps that we need to, for example removing Huawei from our telecoms network.”

Downing Street said the UK has worked “closely” with its allies to identify the state behind a 2021 cyber attack on the Electoral Commission.

Asked about the length of time between the attack, which came to light in 2022, the Prime Minister’s official spokesman said: “(The investigation) was obviously complex and sensitive and we have been working closely with international partners over a period of time to identify those responsible and hold them to account.”

Professor Pezaros added that while “anything that is connected is potentially remotely accessible”, organisations such as the NHS can protect themselves.

“Organisations can increase safety - mainly, strong data encryption helps.

“Strong authentication, and multi factor authentication before accessing systems holding sensitive data, and employing system and network segregation - ask, does this part of the system, holding this data, need to be connected to the larger network?”
