A – EPR (and whether notes are electronic or scanned) - see below
B – PAS - see below
C – Theatre – see below
D – Ophthalmology - see below
E – Endoscopy – see below
F – Chemotherapy - see below
G – Cardiac/Cardiology/Vascular - Cardiac – This service is not provided at the Trust; Cardiology – see below; Vascular - see below
H – Pathology – see below
I – Histology – see below
J – Radiology – see below
K – Radiotherapy – N/A This service is not provided at the Trust.
L – Maternity – see below
M – Paediatric – see below
N – ICU/Intensive Care/CCU – see below
O – Dialysis – N/A This service is not provided at the Trust.
P – Respiratory - see below
Q – Dental - see below
R – Dermatology - see below
S – Mental Health – East Lancashire Hospitals NHS Trust do not have adult mental health services within the Trust. Psychological interventions are provided within select specialities and systems are in line with service area (as noted above).
1. Name of the system used:
2. System provider name:
3. System version name/number:
4. Does the Trust anticipate changing the system provider at present? If so, which system will replace it?
5. If you have an EPR, are the records electronic or scanned?
6. Does the Trust currently have an integration engine to securely exchange data between software systems, both internally and externally? If so, what is the name and supplier of this system?
Trust Response:
1. Name of the system used:
See below for each area
2. System provider name:
See below for each area
3. System version name/number:
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.
Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.
However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
4. Does the Trust anticipate changing the system provider at present? If so, which system will replace it?
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
5. If you have an EPR, are the records electronic or scanned?
We implemented Cerner in June 2023 (EPR). This is currently being used as a paper light system and any paper still generated is filed in the paper case note. Records continue to be pulled for activity as required.
6. Does the Trust currently have an integration engine to securely exchange data between software systems, both internally and externally? If so, what is the name and supplier of this system?
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.
Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.
However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
A – EPR (and whether notes are electronic or scanned)
1. Name of the system used: Millennium EPR
2. System provider name: Oracle (Cerner)
Some manual casenotes are still in use across the organisation.
B – PAS
1. Name of the system used:
2. System provider name:
This is all part of EPR; we do not have a separate PAS system as we use the PAS module of Millennium.
C & N - Theatres and Critical Care -
1. Name of the system used:
Cerner EPR
2. System provider name:
Cerner
D – Ophthalmology -
1. Name of the system used: Cerner
2. System provider name: Oracle Health
E - Endoscopy -
1. Name of the system used:
Solus
2. System provider name:
Solus
F - Chemotherapy:
1. Name of the system used: iQemo
2. System provider name: iQ HealthTech
G - Cardiac – N/A
G - Cardiology
1. Name of the system used:
Change Healthcare still 14.1
NCAP NICOR (not sure there is a version)
Sentinel (SpaceLabs) v11.5.6.15633
Cerner Millennium
2. System provider name: as above
G - Vascular -
1. Name of the system used: Millennium EPR
2. System provider name: Oracle (Cerner)
H & I - Pathology and Histology -
1. Name of the system used:
Telepath
2. System provider name:
Dedalus
J - Radiology -
1. Name of the system used:
Sectra PACS, CRIS
2. System provider name:
Sectra PACS - supplied by Siemens Healthineers, CRIS - Magentus
K – Radiology – N/A
L - Maternity -
1. Name of the system used:
Badgernet
2. System provider name:
Clevermed
M – Paediatric –
1. Name of the system used:
Cerner Millennium (Main trust EPR system)
2. System provider name:
Oracle
O – Dialysis – N/A
P - Respiratory -
1. Name of the system used:
Solus
2. System provider name:
Solus
1. Name of the system used:
V-STATS
2. System provider name:
Sentec
1. Name of the system used:
Oasys
2. System provider name:
University of Birmingham or maybe Cedd Burge owns the copyright
1. Name of the system used:
AirView
2. System provider name:
ResMed
1. Name of the system used:
InfoSmart
2. System provider name:
Fisher and Paykel
1. Name of the system used:
EncoreAnywhere
2. System provider name:
Philips Respironics
1. Name of the system used:
IxTrak
2. System provider name:
Unknown
1. Name of the system used:
ResScan
2. System provider name:
ResMed
1. Name of the system used:
Noxturnal
2. System provider name:
Nox Medical
Q – Dental -
1. Name of the system used: predominantly Cerner Millennium EPR but we do also use ICE and Sectra PACS
2. System provider name: Cerner Millennium
R – Dermatology -
1. Name of the system used:
Cerner EPR
2. System provider name:
Cerner
S – Mental Health – N/A