1. Do you have a mobile device management (MDM) system?
Yes
2. What is the name of the Mobile Device Management (MDM) system you use?
We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.
The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.
We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
Section 24(1) – National security
In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.
Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.
However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.
In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
3. Is your mobile device management system managed by an external contractor?
No
4. Who is the external contractor that manages your mobile device management system?
N/A
5. How many corporate mobile phones (Apple, Android) do you have deployed?
2442
6. How many Apple Mac Computers do you have deployed?
N/A
7. How many tablets/iPads do you have deployed?
2285
8. What is your allocated budget for mobile device management per year?
Unknown – there is no specific budget for this.
9. Please, could you provide a name, email and phone number of the IT director in the Trust?
The Trust does not supply details of members of staff unless they are already in the public domain. Contact details are also not provided unless these are public.
Structures for divisions are located on the Corporate Governance page of the Trust website:
https://elht.nhs.uk/about-us/corporate-publications-annual-reports-and-accounts
Information relating to the board, including email address, is on the Trust board page:
https://elht.nhs.uk/about-us/trust-board
The Trust does not supply contact details of staff, such as names, email addresses and telephone numbers, unless these are routinely published on our website or already in the public domain. Such information is classed as personal identifiable information and, therefore, is considered exempt from disclosure under Section 40 of the Freedom of Information Act. Direct email addresses are not disclosed in line with Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which states that:
“A person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
Should you wish to contact a member of staff, please contact the Trust switchboard on 01254 263555 and ask to be directed to them.