1. Telephony and UC/ Collaboration
a. Please confirm the manufacturer of your telephony system(s) that are currently in place Cisco Call Manager
b. When is your contract renewal date? 2024
c. Who maintains your telephony system(s)? Daisy Communications
d. Do you use Unified Communications or Collaboration tools , if so which ones? Unified Comms
2. Microsoft
a) What Microsoft 365 licence do you have across the business e.g. E3, E5
b) Which partner looks after your Microsoft tenant? ELHT operates the Microsoft Tenant.
c) Where do you host your applications? Do you have on-premise infrastructure or do you host your applications in
public or private cloud? Which?
3. Storage
a. Does your organisation use on-premise or cloud storage or both?
b. Please confirm the on-premise hardware manufacturer c. Please confirm your cloud storage provider d. What is
your annual spend on cloud storage?
e. How do you back up your data and with who e.g. Backup as a Service
Question 2 & 3
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These
are qualified exemptions and require a public interest test to be performed, as follows.
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption, and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe
and secure. This is especially important given that this infrastructure is maintained using public fund. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this
material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider
NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability
and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients. In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
