| Reference | FOI 2024-073 |
|---|---|
| Description | Clinical systems information request April 2024 |
| Date Requested | 25/04/24 |
| Date Replied | 15/07/24 |
| Category | Systems Cyber Security Exemption Applied Commercially Sensitive Exemption Applied |
Request
I am writing to make an open government request for all the information to which I am entitled under the FOI Act 2000.
Please proved information regarding the following systems:
1. Analytics (PLICS)
2. BI & Data Warehousing
3. Cardiology
4. E-Rostering (staffing)
5. Integration Platform
6. Oncology
7. Pathology
8. Patient Administration System*
9. Pharmacy
10. Scheduling*
11. Theatres
12. Secondary Care Electronic Prescription Service (EPS)
* If your acute trust offers community services, please provide details of the Patient Administration System (PAS) and Scheduling systems used in both the community and acute settings.
Please enter 'No System Installed' or ‘No Department’ under supplier name if your trust does not use the system or have the department:
a) System type –
b) Supplier name –
c) System name –
d) Date installed –
e) Contract expiration –
f) Is this contract annually renewed? - Yes/No
g) Do you currently have plans to replace this system? - Yes/No
h) Procurement framework –
i) Other systems it integrates with? –
j) Total value of contract (£) –
k) Notes - e.g. we are currently out to tender
Please provide your answer in the above format for each system.
System definitions:
Analytics (PLICS): A business intelligence tool that provides patient level costing information, systematically analysing electronic patient data to monitor patient level costing (may include healthcare resource groups).
BI & Data Warehousing: Integrates data and information collected from various sources, e.g. electronic patient/health records, enterprise resource planning systems, radiology and lab databases, wearables etc, into one comprehensive database.
Cardiology: A specialist clinical information system is used for cardiology
E-Rostering (staffing): An electronic staff management tool that enables trusts to plan staffing requirements, report on enhanced hours, overtime, sickness, TOIL and annual leave. Common suppliers include Allocate Software.
Integration Platform: Software that supports the integration and interoperability of various clinical and management IT systems and services.
Oncology: An Oncology Information Management solution supports the multidisciplinary teams involved in the care of patients with cancer.
Pathology: The ability to send structured pathology/radiology results to GPs electronically.
Patient Administration System: These are the core enterprise systems, containing a Master Patient Index, used by NHS trusts to enable them to know when a patient has arrived, who they are, who they were seen by, what treatment they received and what happened to them. This core functionality, needed by every trust, covers admission, discharge and transfer.
Pharmacy: Pharmacy orders and stock control is managed electronically
Scheduling: Enterprise level systems that are designed to effectively and efficiently allocate resources (staff, equipment, treatment and even data) to patients at the necessary time and place. Systems in this area range from appointment booking, typically for clinic slots, through to far more sophisticated SAP-style resource allocation and scheduling systems.
Theatres: A specialist theatres system is used to manage patients and surgical procedures in theatres.
Secondary Care Electronic Prescription Service (EPS): This is a digital system designed to enable medication prescribing for patients in secondary care outpatient settings (outpatient e-prescribing). Specifically tailored for FP10 prescriptions, this service enables healthcare providers to electronically send prescriptions directly to community pharmacies for fulfilment. In contrast to inpatient e-prescribing, where prescriptions are managed by the e-hospital dispensary, secondary care EPS streamlines the process by seamlessly sending prescriptions from secondary care outpatient departments to community pharmacies, eliminating the reliance on paper prescriptions. Common providers of this system include Cleo Systems, EMIS, TPP, and Advanced.
Response
Please proved information regarding the following systems:
1. Analytics (PLICS) – See below
2. BI & Data Warehousing - See below
3. Cardiology – See below
4. E-Rostering (staffing) – See below
5. Integration Platform – Cyber Security exemption – See below
6. Oncology – See below
7. Pathology – See below
8. Patient Administration System* – See below
9. Pharmacy - See below
10. Scheduling* - See below
11. Theatres - See below
12. Secondary Care Electronic Prescription Service (EPS) - See below
* If your acute trust offers community services, please provide details of the Patient Administration System (PAS) and Scheduling systems used in both the community and acute settings.
Please enter 'No System Installed' or ‘No Department’ under supplier name if your trust does not use the system or have the department:
a) System type –
b) Supplier name –
c) System name –
d) Date installed –
e) Contract expiration –
f) Is this contract annually renewed? - Yes/No
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
g) Do you currently have plans to replace this system? - Yes/No
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
h) Procurement framework –
i) Other systems it integrates with? –
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public fund. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.
Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.
However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
j) Total value of contract (£) –
k) Notes - e.g. we are currently out to tender – N/A
Please provide your answer in the above format for each system.
Trust Response:
a) System type – Civica CostMaster
b) Supplier name – Civica CostMaster
c) System name – Civica CostMaster
d) Date installed – 2022
e) Contract expiration – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – Unknown
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
2. BI & Data Warehousing
a) System type – Microsoft 365
b) Supplier name – Microsoft
c) System name – Microsoft 365
d) Date installed – Unsure
e) Contract expiration – 2025
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework - KCS Software Products and Associated Services Y20011
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – £4732621 for the total Microsoft contract
3. Cardiology
a) System type – Echo reporting/ Cath Lab reporting and image storage
b) Supplier name – Change Healthcare
c) System name – Change Cardiology
d) Date installed – +15 years
e) Contract expiration – 2/3 years
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – Unknown
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – + £200,000
a) System type – Holter and BP analysis
b) Supplier name – SpaceLabs
c) System name – Sentinel/ Pathfinder
d) Date installed – +15 years
e) Contract expiration – 3 years
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – Unknown
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – Unsure
a) System type – Exercise Treadmill
b) Supplier name – GE
c) System name – GE
d) Date installed – +15 years
e) Contract expiration – 12 months
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – Unknown
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – Unknown
4. E-Rostering (staffing)
a) System type – Electronic Rostering System
b) Supplier name – Allocate/RLDatix
c) System name – Optima/HealthRoster
d) Date installed – Approximately 2021
e) Contract expiration – 2026
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – HTE
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – £313,000
5. Integration Platform
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public fund. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.
Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.
However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
6. Oncology
a) System type – Cancer Register
b) Supplier name – Somerset NHS Foundation Trust
c) System name – Somerset Cancer Register
d) Date installed – Unknown
e) Contract expiration – 2022
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – Unknown
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
7. Pathology
a) System type – LIMS
b) Supplier name – Dedalus
c) System name – Telepath
d) Date installed – approx. 1990
e) Contract expiration - N/A
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – N/A
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
8. Patient Administration System*
a) System type – Cerner
b) Supplier name – Oracle
c) System name – Millennium
d) Date installed – 2023
e) Contract expiration – see above exemption
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – Clinical Digital Solutions framework from London Procurement Partnership
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
9. Pharmacy
a) System type – Pharmacy stock system and PMR
b) Supplier name – Ascribe Limited trading as EMIS Health
c) System name – ASCRIBE
d) Date installed – +10 years.
e) Contract expiration – 2025
f) Is this contract annually renewed? – see above exemption
g) Do you currently have plans to replace this system? – see above exemption
h) Procurement framework – NHSSC
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
10. Scheduling*
a) System type – No System
b) Supplier name – No System
c) System name – N/A
d) Date installed – N/A
e) Contract expiration – N/A
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – N/A
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – N/A
a) System type – Cerner
b) Supplier name – Oracle
c) System name – Millennium
d) Date installed – 2023
e) Contract expiration – Unknown
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – see above exemption
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – see exemption
The Trust is unable to provide the information requested as this information is commercial in confidence. This information is exempt under section 43 (commercial interests) of the Freedom of Information Act (FOIA), as the information would be likely to prejudice the commercial interests of those involved.
Section 43 (2) is a qualified exemption which means the Trust must undertake a public interest test. The Trust has considered the public interest in disclosing this information and while it is in the public interest to disclose information that informs the public of how we spend our money, especially where this relates to the provision of public services, we have determined that the prejudice arising from disclosure outweighs the benefit to the public in this instance.
12. Secondary Care Electronic Prescription Service (EPS)
a) System type – Secondary Care EPS
b) Supplier name – No System Installed
c) System name – N/A
d) Date installed – N/A
e) Contract expiration – N/A
f) Is this contract annually renewed? - Yes/No – see above exemption
g) Do you currently have plans to replace this system? - Yes/No – see above exemption
h) Procurement framework – N/A
i) Other systems it integrates with? – see above exemption
j) Total value of contract (£) – N/A
Requests for information must be made in writing. Telephone requests cannot be accepted. We accept requests in the form of:
- Letter
Send your request to:
Freedom of Information Requests
East Lancashire Hospitals NHS Trust
Information Governance
Corporate Offices Building
Royal Blackburn Teaching Hospital
Haslingden Road
Blackburn
BB2 3HH
Or email: foi@elht.nhs.uk
You must include your full contact details, stating in what format you would like to receive the information.