NHS Scotland fights cyberattacks every day, Health Secretary Shona Robison has told MSPs, as she confirmed that 20 patients in one health board had operations rescheduled following Friday’s global ransomware attack.

Police Scotland and the National Crime Agency are investigating the attack, which hit 13 Scottish health boards including acute hospital sites in Lanarkshire, GP surgeries and dental practices, as well as the Scottish Ambulance Service.

In a statement at Holyrood, Robison praised NHS workers for their speedy response, saying no patient data had been compromised and there had been no impact on patient safety.

She said less than one per cent of devices were affected and systems were “back working normally by and large”, but she confirmed that NHS Borders and NHS Lanarkshire were worst hit, with 20 patients in the latter area having routine operations rescheduled.

“Although this attack was unprecedented in its scope, with hundreds of organisations affected across the globe, it was not an isolated incident,” said Robison. “In fact NHS Scotland, along with other organisations, face similar attacks every day, most of which are thwarted by the controls and protections that are in place.”

She urged the public sector to be “vigilant” and keep systems up-to-date and fully protected, adding: “There will be a number of lessons arising from these ransomware attacks that we must learn from. Reviews are already under way to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future.”

An action plan to help the public sector defend against cyberattacks, including preventative guidelines for all organisations, is being accelerated following an urgently convened key cyber-resilience meeting.

The National Cyber Resilience Leaders’ Board (NCRLB) was chaired by Justice Secretary Michael Matheson, while Robison gave her update to Parliament.

Matheson discussed the impact of the attack on Scotland, the multi-agency response and the steps that can be taken to boost cyber resilience across all sectors. He also committed to take forward the public-sector action plan, which includes developing guidelines and standards for all Scottish public-sector bodies to achieve by 2018 and an awareness strategy for public-sector organisations.

He said: “What is evident from this week’s events is that this was a global attack on an unprecedented scale and, whilst we are now seeing systems returning to normal, we cannot be complacent.

“We need to be clear that combatting threats of this nature isn’t something government can achieve alone. Cyber security is everyone’s business and we need to ensure that all organisations have appropriate safeguards in place.”

Hugh Aitken, chief executive of CBI Scotland and chair of the NCRLB, said: “The Scottish Government had the vision to put this board in place to design and execute a protection plan for Scotland, covering both public and private sector. We aim to have our proposals on taking forward this action plan in front of ministers for their approval by June.”

Meanwhile, security experts are examining a potential link in the computer code behind Friday’s attack with earlier ones that could suggest North Korea was responsible.

More than 300,000 computers in 150 countries were infected with the WannaCry ransomware virus.

Marcus Hutchins, a young British computer expert, was hailed a hero for helping to shut down the crippling virus after discovering a so-called “kill switch” that slowed its effects.

Experts are studying similarities between the code used in the WannaCry attack and malware distributed by Lazarus, a hacking group behind attacks on Sony Pictures in 2014 that was blamed on North Korea.

The potential link was highlighted by a researcher from Google who posted a message on Twitter showing a sample of the WannaCry malware that appeared online in February.

Researchers from cyber security company Kaspersky Lab identified clear code similarities between WannaCry and attacks by Lazarus in 2015. The company said: “The similarity of course could be a false flag operation. However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday.”

Researchers at US software company Symantec and South Korean antivirus software company Hauri have also noted the similarities. The National Security Agency (NSA) was accused by Microsoft of “stockpiling” information about software flaws for its own operational benefit, rather than working with companies to fix them.

The stockpile was later leaked online, allowing hackers to infiltrate secure systems.

Microsoft’s senior legal voice Brad Smith said it was equivalent to “the US military having some of its Tomahawk missiles stolen”.