FOI 2024-287 :: East Lancashire Hospitals NHS Trust

Reference	FOI 2024-287
Description	Interest in supply chain cybersecurity
Date Requested	01/08/24
Date Replied	06/08/24
Category	Incidents Security Incidents Cyber Security Exemption Applied

Request

I am writing to submit a request for information under the Freedom of Information Act 2000 (FOIA). 

My request is as follows:

1. How many cyber incidents (threat and breach) occurred in the last two years (1st of July 2022-1st of July 2024)?

2. For each of the following cyber incident types, please indicate if your organisation experienced them in any month from the 1st of July 2022- 1st of July 2024. If yes, specify the month(s) in which they occurred:

· Phishing attacks: Yes/No. If yes, which month(s)?

· Ransomware attacks: Yes/No. If yes, which month(s)?

· Distributed Denial of Service (DDoS) attacks: Yes/No. If yes, which month(s)?

· Data breaches: Yes/No. If yes, which month(s)?

· Malware attacks: Yes/No. If yes, which month(s)?

· Insider attacks: Yes/No. If yes, which month(s)?

· Cloud security incidents: Yes/No. If yes, which month(s)?

· Social engineering attacks (excluding phishing): Yes/No. If yes, which month(s)?

· Zero-day exploits: Yes/No. If yes, which month(s)

3. For each of the following supplier types, please indicate if any cyber incidents related to them occurred between the 1st of July 2022-1st of July 2024. If yes, specify the volume of cyber incidents that occurred:

· IT service providers: Yes/No

· Medical equipment suppliers: Yes/No

· Software vendors: Yes/No

· Cloud service providers: Yes/No

· Data storage/management companies: Yes/No

· Telecommunications providers: Yes/No

· Security service providers: Yes/No

· Managed service providers (MSPs): Yes/No

· Third-party payment processors: Yes/No

4. During the period from 1st of July 2022 -1st of July 2024, did your organisation experience any of the following impacts due to cyber incidents?

· Were any appointments rescheduled due to cyber incidents? Yes/No

· Was there any system downtime lasting more than 1 hour? Yes/No

· Did any data breaches occur? Yes/No

· Were any patients affected by data breaches? Yes/No

5. What percentage of your cybersecurity budget is allocated to each of the following supply chain security technologies? Please indicate the percentage for each:

· Third-party risk assessment tools: ___%

· Vendor management systems: ___%

· Supply chain visibility and monitoring solutions: ___%

· Secure data sharing platforms: ___%

· Multi-factor authentication for supplier access: ___%

· Endpoint detection and response (EDR) for supplier systems: ___%

· API security solutions: ___%

Response

We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows.

The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore, this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public fund. However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

Section 24(1) – National security

In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, we consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

Requests for information must be made in writing. Telephone requests cannot be accepted. We accept requests in the form of:

Letter
Email

Send your request to:

Freedom of Information Requests
East Lancashire Hospitals NHS Trust
Information Governance
Corporate Offices Building
Royal Blackburn Teaching Hospital
Haslingden Road
Blackburn
BB2 3HH

Or email: foi@elht.nhs.uk

You must include your full contact details, stating in what format you would like to receive the information.

Return to FOI Requests

Was this page helpful?

FOI 2024-287

Request

Response

How to make a request

Accessibility tools