Reference | FOI 2022-701 |
---|---|
Description | how your organisation interfaces different systems within your organisation |
Date Requested | 07/03/23 |
Date Replied | 03/04/23 |
Category | Informatics Systems I.T. |
Request
- Do you use an Integration Engine (IE) within your IT Estate?
  - If the answer is, yes, please provide the name of the software product used.
  - What systems are integrated to the IE? Please provide the product name. For example, CareFlow Electronic Prescribing and Medicines Administration
- Please provide details of whether you use Internal or External resource for developing integrations.
  - If an external resource is used, please provide details of how new developments are priced within the contract. For example, number of days x day rate, fixed price, case by case.
  - If an external resource is used, what is the term of the contract and when does it end?
- Please provide details of whether you use Internal or External resources for managing and maintaining integrations.
  - If an external contract is used, please provide details of the contract provision (i.e. maintain, incident management, support etc) the term of the contract (start date & end date) and the contract value.
- How many new integrations have been commissioned with external resources over the last two Financial years (FY 21/22 & FY 22/23).
- How much did your organisation spend on integration developments by external resources in the last two Financial Years (FY 21/22 & FY 22/23)?
- For the quantum of integrations identified in question 4, please provide a sense of scale as to whether the development effort was Small, Medium or Large. As a rough guide, development effort is estimated as:

Small | < 12 days |
Medium | >=12 & < 25 days |
Large | >= 25 days |
Response
1. Do you use an Integration Engine (IE) within your IT Estate? YES
a. If the answer is, yes, please provide the name of the software product used. Rhapsody TIE
b. What systems are integrated to the IE? Please provide the product name. For example, CareFlow Electronic Prescribing and Medicines Administration
FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.

The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
2. Please provide details of whether you use Internal or External resource for developing integrations.
External Resource used
a. If an external resource is used, please provide details of how new developments are priced within the contract. For example, number of days x day rate, fixed price, case by case. No Information
b. If an external resource is used, what is the term of the contract and when does it end?
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.

The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
3. Please provide details of whether you use Internal or External resources for managing and maintaining integrations. External Resource used
a. If an external contract is used, please provide details of the contract provision (i.e. maintain, incident management, support etc) the term of the contract (start date & end date) and the contract value. No Information
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.

The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
4. How many new integrations have been commissioned with external resources over the last two Financial years (FY 21/22 & FY 22/23).
The Trust is unable to provide this as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
5. How much did your organisation spend on integration developments by external resources in the last two Financial Years (FY 21/22 & FY 22/23)?
The Trust is unable to provide this as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
6. For the quantum of integrations identified in question 4, please provide a sense of scale as to whether the development effort was Small, Medium or Large. As a rough guide, development effort is estimated as:

Small | < 12 days |
Medium | >=12 & < 25 days |
Large | >= 25 days |
Requests for information must be made in writing. Telephone requests cannot be accepted. We accept requests in the form of:
- Letter
Send your request to:
Freedom of Information Requests
East Lancashire Hospitals NHS Trust
Information Governance
Corporate Offices Building
Royal Blackburn Teaching Hospital
Haslingden Road
Blackburn
BB2 3HH
Or email: foi@elht.nhs.uk
You must include your full contact details, stating in what format you would like to receive the information.