University Hospital
Clifford Bridge Road
Walsgrave
Coventry
CV2 2DX

Direct Line: 024 76968771
www.uhcw.nhs.uk

Dear Requester

We acknowledge receipt of your email to UHCW:

Freedom of Information Request Form

If you have submitted a request under the Freedom of Information Act
(FOIA) your request will be considered and you will receive our response
within the statutory timescale of 20 working days.

The reference number for your email is FOI/1466.

Should you have any further inquiries concerning this matter, please reply
to this email leaving the subject line unchanged.

Yours sincerely,
UHCW

 
University Hospital
Clifford Bridge Road
Walsgrave
Coventry
CV2 2DX

Direct Line: 024 76968771
www.uhcw.nhs.uk

Our Ref: FOI/1466
Date: 4 January 2022

By email only

Dear Requester

We write further to your request for information under the Freedom of
Information Act received 30 November 2021.  We have set out your request,
together with our response below. 

1. Do you have a formal IT security strategy? (Please provide a link to
the strategy)

A) Yes
B) No

2. Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?

A) Yes
B) No
C) Don’t know

3. If yes to Question 2, how do you manage this identification process –
is it:

A) Totally automated – all configuration changes are identified and
flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration
changes are manual.

4. Have you ever encountered a situation where user services have been
disrupted due to an accidental/non malicious change that had been made to
a device configuration?

A) Yes
B) No
C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?

A) Immediately
B) Within days
C) Within weeks
D) Not sure

6. How many devices do you have attached to your network that require
monitoring?

A) Physical Servers: record number
B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you
weren’t previously aware of?

A) Yes
B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and
flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected
device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network
that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware
on a network attached device to help breach your security measures?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?

A) Never
B) Occasionally
C) Frequently
D) Always

The NHS Trust can neither confirm nor deny whether information is held
under section 31(3) of the FOIA. The full wording of section 31 can be
found here: [1]http://www.legislation.gov.uk/ukpga/2000...

S31(3) of the FOIA allows a public authority to neither confirm nor deny
whether it holds information where such confirmation would be likely to
prejudice any of the matters outlined in section 31(1). This includes
information the disclosure of which would or would be likely to prejudice
the prevention or detection of crime.

As section 31(3) is a qualified exemption, it is subject to a public
interest test for determining whether the public interest lies in
confirming whether the information is held or not.

Factors in favour of confirming or denying the information is held

The NHS Trust considers that to confirm or deny whether the requested
information is held would indicate the prevalence of cyber- attacks
against the NHS Trust’s ICT infrastructure and would reveal details about
the Trust’s information security systems. The NHS Trust recognises that
answering the request would promote openness and transparency with regards
to the NHS Trust’s ICT security.

Factors in favour of neither confirming nor denying the information is
held

Cyber-attacks, which may amount to criminal offences for example under the
Computer Misuse Act 1990 or the Data Protection Act 2018, are rated as a
Tier 1 threat by the UK Government. The NHS Trust, like any organisation,
may be subject to cyber-attacks and, since it holds large amounts of
sensitive, personal and confidential information, maintaining the security
of this information is extremely important.

In this context, the NHS Trust considers that confirming or denying
whether the requested information is held would provide information about
the NHS Trust’s information security systems and its resilience to
cyber-attacks. There is a very strong public interest in preventing the
NHS Trust’s information systems from being subject to cyber-attacks.
Confirming or denying the type of information requested would be likely to
prejudice the prevention of cybercrime, and this is not in the public
interest.

If the NHS Trust were ether to confirm or deny the existence of the
requested information, the disclosure would be likely to prejudice, the
effective conduct of public affairs for the Trust, the NHS or any other
government department(s) and as such conflicts with Section 36(2c) of the
FO IA. The full wording of section 36 can be found
here: [2]https://www.legislation.gov.uk/ukpga/200...

Balancing the public interest factors

The NHS Trust has considered that if it were to confirm or deny whether it
holds the requested information, it would enable potential cyber attackers
to ascertain how and to what extend the NHS Trust is able to detect and
deal with ICT security attacks. The NHS Trust’s position is that complying
with the duty to confirm or deny whether the information is held would be
likely to prejudice the prevention or detection of crime, as the
information would assist those who want to attack the NHS Trust’s ICT
systems. Disclosure of the information would assist a hacker in gaining
valuable information as to the nature of the NHS Trust’s systems, defences
and possible vulnerabilities. This information would enter the public
domain and set a precedent for other similar requests which would, in
principle, result in the NHS Trust being a position where it would be more
difficult to refuse information in similar requests. To confirm or deny
whether the information is held is likely to enable hackers to obtain
information in mosaic form combined with other information to enable
hackers to gain greater insight than they would ordinarily have, which
would facilitate the commissioning of crime such as hacking itself and
also fraud. This would impact on the NHS Trust’s operations including its
front line services. The prejudice in complying with section 1(1)(a) FOIA
is real and significant as to confirm or deny would allow valuable insight
into the perceived strengths and weaknesses of the NHS Trust’s ICT
systems.

As we have provided the information that we do hold your request is now
closed.  We trust that this is satisfactory but if you are dissatisfied
with the way that it has been handled you have the right to ask for an
internal review.  Internal review requests should be submitted within two
months of the date of receipt of the response to your original letter and
should be addressed to: David Walsh, Director of Corporate Affairs,
University Hospitals Coventry & Warwickshire NHS Trust, Clifford Bridge
Road, Coventry CV2 2DX.

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision.  The Information Commissioner can be contacted at: Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF.

Yours sincerely

Andrea Phillips
FOI & Access to Health Records Manager

References

Visible links
1. http://www.legislation.gov.uk/ukpga/2000...
2. https://www.legislation.gov.uk/ukpga/200...