The global cyber-attack penetrated 1,500 computers at NHS Scotland, the Scottish Government has said.
Shona Robison, the Health Secretary, pledged to launch a review of what lessons could be learned from last week’s ransomware assault – amid claims the operating systems being used were vulnerable to attack.
In a ministerial statement to Holyrood, she said there was no evidence of breaches of patient data or safety, but admitted there was some disruption with appointments having to be rescheduled.
Donald Cameron, the Scottish Conservatives’ shadow health secretary, demanded assurances that systems are upgraded given that out-of-date software has been raised as a possible reason for the attack’s success.
Ms Robison said most of those systems affected were not Windows XP, which some have said left PC users poorly protected.
She said computers using Windows 2003 and 2007 were mainly affected and “only a small number” were running XP.
“It’s not straightforward, that it’s about one piece of software compared to another,” Ms Robison told MSPs.
“What we need to understand is that across these different softwares that were affected, why were some affected and not others?
“And that’s the piece of work that will now be undertaken.”
She said the NHS computers systems are under “regular attack”, including those of a serious nature, and pointed to that as evidence of the effectiveness of the protections in place.
Anas Sarwar, Scottish Labour’s health spokesman, said his party have been calling for a full review of cyber security for years, which he said have been ignored.
Ms Robison said the NHS’ chief operating officer had written to health boards reminding them of the need to make sure they have “the best resilience in place” to “make sure their systems are as good as they could be”, as recently as February.
Ms Robison said the 1,500 devices affected amounts to less than 1% of the NHS Scotland total.
“There will be a number of lessons arising from these ransomware attacks that we must learn from,” she added.
“Reviews are already underway to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future.
“The Scottish Government will also be arranging a ‘lessons learned’ exercise to help health boards and other agencies to mitigate the risks from further ransomware and other cyber-attacks.”
The total spend by health boards in 2016/17 on IT investment and cyber-attack protection was £257m, the Scottish Government says.
The ransomware attack on NHS computer systems is being investigated by Police Scotland and the National Crime Agency.
Eleven Scottish health boards were affected by the attack, which was first detected on Friday.
NHS National Services and the Scottish Ambulance Service were also hit, as well as hospitals in Lanarkshire, GP surgeries and dental practices.
