FOI 2024-347 :: East Lancashire Hospitals NHS Trust

Reference	FOI 2024-347
Description	Access control system
Date Requested	13/09/24
Date Replied	11/09/24
Category	Systems

Request

Access Control System Overview: 

1. Current System(s):

* What electronic access control system(s) do you currently have in place? Please include manufacturer of control unit & model (e.g. SALTO, PAXTON, ASSA) 

2. Access-Controlled Doors:

* How many doors across all of your sites have access control systems installed? How many per each site?  

3. Access Control Types:

* Please provide a detailed breakdown of the different types of access control setups in place (e.g., magnetic lock doors, electric strike doors, battery-operated electronic handle sets, battery-operated electronic cylinders, etc.). 

4. System Age:

* When was your current access control system installed? Which company installed it?  

5. System Integration:

* Is your access control system integrated with your ID card production or other systems (e.g., time and attendance, building management/CCTV and/or fire/security alarm systems)? If so, which system(s) is it integrated with?  

6. Supplier Information:

* What are the names of the suppliers of your existing access control system?

* Who is your current supplier for access cards and fobs, and do you purchase these directly or through your access control installers/maintenance contractors? 

7. Manufacturer and Models:

* What manufacturer and model of cards and fobs do you use for your access control system? Please provide specific details of each of the exact manufacturer/model of card(s)/fob(s) that you use at each site (e.g. Paxton 692-052 Net2 Proximity ISO Cards Pack of 500 SKU: AC-PAX-692-052) together with the cost (including VAT) each month/year. 

8. Management Software:

* What software is used to manage the door controllers and readers in your access control system? (e.g. Paxton Net2 Pro) 

Usage and Distribution Details:

9. Consumable Usage:

* Please provide data on the monthly and annual usage/purchases of access control cards and fobs. This should include how many are issued, lost/replaced, and returned faulty/damaged each month/annum.  

10. User Information:

* How many individual users require access control cards/fobs across all sites? If possible, please provide a breakdown by site or building. 

Maintenance and Support:

11. Management and Contact Information:

* Who manages your site’s access control system? Please provide a name, direct email address and direct telephone number / extension for this contact. 

12. Support/Maintenance Contracts:

* Do you have a current support/maintenance contract for your access control system? If so, when does this contract expire? 

Future Plans:

13. Planned Changes:

* What are the organisations plans related to the installation, upgrade, or support/maintenance of access control systems over the next three to five years? 

Response

We believe that disclosing details would undermine the cyber security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-

attackers. We have therefore withheld this information in accordance with sections 31(1)(a) and (b) as well as

section 24(1) FOIA. These

are qualified exemptions and require a public interest test to be performed, as follows.

The NHS is aware of the increasing threat of cyber-crime to organisations, especially including high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice

the prevention

and detection of crime (including cyber-crime) and also the apprehension and prosecution of offenders. Therefore,

this information is exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public

interest test applies.

We accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS

safe

and secure. This is especially important given that this infrastructure is maintained using public fund. However,

this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release

of this

material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider

NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability

and capacity in this area. It could provide those groups or individuals with an indication of where to focus their

efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take

advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it

could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public

interest

in disclosing the information.

Section 24(1) – National security

In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To

limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, we accept there is a legitimate public interest in the effectiveness of measures being employed to keep the

NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, we consider that it is not in the wider public interest to disclose this information because, as well as the

risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this

area. It

could provide those groups or individuals with an indication of where to focus their efforts when targeting our

systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already

in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach

or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public

health

and emergency response and these security measures also protect the proper functioning of Category One

Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public

interest in disclosing the information.

Requests for information must be made in writing. Telephone requests cannot be accepted. We accept requests in the form of:

Letter
Email

Send your request to:

Freedom of Information Requests
East Lancashire Hospitals NHS Trust
Information Governance
Corporate Offices Building
Royal Blackburn Teaching Hospital
Haslingden Road
Blackburn
BB2 3HH

Or email: foi@elht.nhs.uk

You must include your full contact details, stating in what format you would like to receive the information.

Return to FOI Requests

Was this page helpful?

FOI 2024-347

Request

Response

How to make a request

Accessibility tools