3. Topical Questions – in the Senedd at 3:14 pm on 17 May 2017.
What assurances can the Cabinet Secretary give that the IT infrastructure in Wales is protected, to ensure the continuity of care for Welsh patients following the cyber-attacks in the NHS in England? TAQ(5)0173(HWS)
I thank the Member for the question. As you know, the First Minister issued a written statement yesterday regarding the ransomware attack that affected organisations globally last week in the UK, primarily NHS England and NHS Scotland being the focus of attention. Whilst we have been unaffected on this occasion, we must continue to be vigilant to ensure that our systems are as resilient as possible against future attacks on the network, which are, sadly, inevitable.
Thank you, Cabinet Secretary. I think the incident last week has raised many questions, most importantly how we are going to protect our patients in the NHS. As you say, the reports have suggested that 47 trusts in England have been affected, and 13 in Scotland, because they’d failed to apply recent security updates that might have protected them. Now, I think it’s worth noting that the impact is not just one of disruption and inconvenience; this actually, potentially, has life-changing and life-threatening consequences. If you think about the impact on individuals waiting for scans for cancer treatments, I think the impact could be incalculable and such an attack by cyber terrorists is morally, I think, indefensible.
Now, the joined-up nature of the NHS in Wales and the £11 million computer investment meant that there were fewer vulnerabilities in Wales. I think of course we’ve got to point out that there’s no room for complacency, but I think it would be remiss of us not to acknowledge the efforts of the NHS Wales Informatics Service and the IT teams across the whole of the NHS in Wales for protecting us from this latest attack. That’s not to say that we should be complacent—it may happen again—but they protected us on this occasion and I think we should salute them.
I quite agree. I’m very happy to publicly acknowledge and thank staff in the NHS Wales Informatics Service, not only for the way in which they have made the case for, and then applied, the additional cyber security measures that we’ve provided across the service, and not only for the fact that they did actually uptake the security updates that apparently did not take place in NHS England, but the fact that over the course of the weekend and into the start of this week, they looked for vulnerability within the system, they detected areas where the virus had been intercepted by the measures we’ve put in place, and were able to actually resolve some of the risks that existed. That, for example, included closing off parts of the NHS to external e-mails: the right thing to do to make sure that our system was not compromised. But that professionalism is there to be vigilant constantly, because this is not an issue that will go away this week. We certainly can’t skip away and say, ‘There won’t be a problem next week, the week after or next year as well.’ There’s a challenge here about making capital investment decisions as well. It’s not always very popular investing in areas like this, but it is essential, it makes a real difference to patient care. So, we can thank our good fortune and the sense that we have made in being one step ahead by making investment choices in cyber security.
We welcome the First Minister’s written statement yesterday concerning the impact of the recent global cyber attacks on the NHS in England. It is positive to learn that the NHS in Wales was not significantly affected and services were largely uninterrupted. However, we note that 40 cancer patients had treatment interrupted at Velindre hospital in Cardiff, which, for them, must have been quite traumatic. It is clear from repeated events of this nature that we are living in a world where data held electronically are vulnerable and services can be brought to a halt within seconds of an attack. It is clearly unacceptable that the users of Wales’s public services should be affected in this way, but we also note that we do not want to overreact and throw the teddy out of the pram. Electronic data storage is, largely speaking, more efficient and more secure than paper-based systems. So, it is important we continue to develop our information infrastructure across Wales to maintain pace with technology. In light of this, would the First Minister give an undertaking to ask the new cyber security centre based at GCHQ to review cyber security across the public sector in Wales? Thank you.
Thank you for the question. As you know, I’m not the First Minister but I’m sure he’ll consider your request. There is already a review, as you’d expect, to take place within the service here to learn lessons from what worked and why and what more we need to do in the future, and it’s important that we do that—to understand the level of risk that we carry, to understand what we do within the system, and how we minimise the risk progressively in the future. That’s the right thing to do and that’s what we’re already doing of, and for, ourselves, as we should do. We’re lucky to have national architecture with the NHS Wales Informatics Service, where people are committed—committed to the once-for-Wales approach we’re trying to take on taking advantage of the developments in using digital technology to improve health care—not just the process but the experience and the outcomes for people as well—as well as understanding the risks that are attached to that. There is a meeting of the national informatics board—a nice snappy title within the healthcare world—and they’ll again be looking back at what’s happened as well as looking to the future as well. So, a properly balanced approach—not complacent, but not forgetting, as you say, the real advantages and the real potential for improving healthcare by unlocking the great digital potential that does exist.
Thank you, Cabinet Secretary.
The next topical question is from Simon Thomas.