FOI Request

Disclosure ID
FOI/06273
Request Date
September 11, 2023
Subject
Data breaches in the last year
Description
  • How many data breaches/security incidents have you suffered in the past year?
  • How many of these were as a direct result of accidental or deliberate misuse of access credentials?
  • How do you manage privileged access/privileged user accounts to maximise cyber resilience in line with best practice? (For example what software you use)
  • What measures do you take to protect endpoints from ransomware and other cyber threats?
  • Within your trust’s cyber security strategy, is managing privileged access a top priority?
  • Within your trust’s cyber security strategy, is managing privileged accounts on endpoints (i.e. laptops/workstations) a top priority?
  • What actions do you take to ensure DSP compliance?
Response

I’d like to request responses to the following questions surrounding your current cybersecurity and privileged access management strategy please:

– How many data breaches/security incidents have you suffered in the past year?

4

– How many of these were as a direct result of accidental or deliberate misuse of access credentials?

4

– How do you manage privileged access/privileged user accounts to maximise cyber resilience in line with best practice? (For example what software you use)

– What measures do you take to protect endpoints from ransomware and other cyber threats?

“The requested information relating to our Trust’s ICT systems and the security of these systems is exempt from disclosure under Section 24 (Safeguarding National Security) and Section 31 (Prevention and Detection of Crime) of the Freedom of Information Act (FOIA).

If disclosed, this information could be used to identify ways of breaching our Trust’s ICT security measures, which would thereby put us at increased risk of cyber-attack. This would potentially put invaluable patient and staff data at risk, which the Trust has a legal duty to protect under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018), and other confidential data which is essential to the running of Trust services.

The disclosure of information which may undermine the integrity of our ICT systems, and NHS ICT systems on a national scale, is exempt under Section 24. The disclosure of information which would make our Trust more vulnerable to crime is exempt under Section 31, as releasing the requested information may prejudice our ability to prevent cyber-crime targeting our systems.

These are qualified exemptions; the public interest in withholding information must outweigh the public interest in disclosure. It is the opinion of the Trust that the public interest in protecting the integrity of our information and ensuring our ability to provide healthcare services justifies the application of these exemptions.”

– Within your trust’s cyber security strategy, is managing privileged access a top priority?

Please see above response

– Within your trust’s cyber security strategy, is managing privileged accounts on endpoints (i.e. laptops/workstations) a top priority?

Yes

– What actions do you take to ensure DSP compliance?

The Trust completes an annual Data Security and Protection Toolkit and is currently ‘standards met’, with an independent audit confirming ‘substantial assurance’ in all 10 Data Security Standards.
