Health agency warns of cyber-attack risk

Public Health Scotland said a digital attack could lead to ‘significant and immediate disruption’

By Chris Green

Scotland’s key public health agency could be at risk of a cyber-attack due to a lack of investment in digital security and other safety measures, its board has been told.

Public Health Scotland (PHS) warned that such an attack could lead to “significant and immediate disruption to our ability to operate”, as well as financial losses.

The concerns about digital security were raised in a recent corporate risk paper presented to the health body’s board, which graded the risk as red on a traffic light scale.

Cyber security experts told 1919 that the warning highlights the “growing threat” posed by cyber-attacks to major Scottish organisations, and urged vigilance.

Formed in April 2020, PHS is Scotland’s national public health body and supports work in preventing disease, prolonging people’s lives and promoting healthy behaviours.

Warning of the risks of a cyber-attack on its systems, the PHS paper said there had been “insufficient investment in appropriate foundational data and digital infrastructure”.

It also raised concerns about the level of cyber security measures across the organisation, as well as staff development and “ambiguity about governance”.

The paper said this meant PHS “could be vulnerable to data loss and system failure caused by human error or intentional attack to our IT, digital systems, and/or data”.

It added that PHS might be left unable to rapidly respond to and recover from such an event, “which may result in a significant and immediate disruption to our ability to operate, financial loss, reputational damage, and loss in public confidence in PHS as a trustworthy data custodian”.

The paper gave the event a risk score of 16 out of 25, higher than the target score of 12. It also listed a series of ongoing mitigation measures, including mandatory cyber security and information governance training for all staff, and monthly cyber training modules.

Jude McCorry, CEO of the Cyber and Fraud Centre – Scotland, which provides cyber services, training and advice to businesses and other groups, said the report “underscores the growing threat posed by cyber-attacks to major Scottish organisations”.

She added: “Cyber-attacks can lead to significant operational and reputational implications for large organisations, therefore it is vital that measures are put in place to mitigate the risk.

“It is reassuring that Public Health Scotland has outlined planned mitigating actions and current cyber security measures including staff training and security upgrades.

“The evolving nature of cyber threats means that traditional defence mechanisms such as firewalls and antivirus software are no longer enough.

“We encourage all organisations to put in place a tried and tested incident response plan so they can effectively prepare for, respond to, and recover from a cyber-attack in a timely manner, particularly those that rely on confidence from the public as a safekeeper of their data.”

The warning from PHS follows the targeting of NHS Dumfries and Galloway, which revealed it had been the subject of a cyber-attack in February 2024.

Three months later, the criminals behind the attack released more than three terabytes of data on an area of the internet known as the dark web.

The health board said at the time that some of the information published had led to an “increased risk of identity theft” for its staff, warning them to be vigilant.

It added that the criminals had been able to access data such as letters from consultants to patients, letters between consultants, test results, and x-rays.

Scottish Liberal Democrat leader Alex Cole-Hamilton described the PHS warning as “troubling”.

“There have been several prominent cyber-attacks against health boards and local authorities in recent years, so taking steps to make these systems more robust would seem like a sensible step,” he added.

“Whether the threat comes from vandals, malicious actors aligned with foreign states, or simply those out to turn a profit by exploiting data, it’s important that our health service is as well prepared as it can be.”

In December 2022, NHS National Services Scotland launched a Cyber Centre of Excellence to enhance its capability to protect patients, data, and staff from the threat of cyber-attacks.

Further investment in the centre, which currently provides 24/7 coverage against cyber threats to the NHS as well as support and guidance for boards, is being planned.

A PHS spokesperson said the agency “must proactively identify, assess, and manage any potential risks to its IT security so that we are prepared to protect against potential threats, while also complying with regulatory requirements”.

They added: “It is therefore essential that IT security is considered as part of our corporate risk register. PHS’s corporate risk register incorporates strategic and corporate level risks that impact the whole organisation and includes plans and actions to mitigate potential risks and minimise threats.

“The ‘data loss and system failure: prevention and recovery’ risk, currently on the PHS corporate risk register, has been scored as a red risk due to the assessed likelihood and impact given the global threat to IT systems. By proactively identifying and assessing potential risks, we can ensure we are best placed to mitigate them.”