Released 19 July 2023
Request:
1. For each year (2020 – 2022), please confirm how many cyberattacks your Trust has suffered?
2. For each year (2020 – 2022), please confirm how many cyberattacks have resulted in the halting of or delay in delivery of care or services to patients?
3. For each year (2020 – 2022), please confirm: the GBP (£) value of budget allocated to cybersecurity. What percentage of the Trust’s entire budget for the financial year was spent on cybersecurity?
4. How many times in the last 12 months have you audited your third-party suppliers’ cybersecurity measures?
Assistance provided under Section 16 on 19 June 2023:
Please note that University Hospitals Sussex NHS Foundation Trust has only been in operation since 1 April 2021, following the merger of Brighton and Sussex University Hospitals NHS Trust and Western Sussex Hospitals NHS Foundation Trust. On the basis that you are seeking information for periods of time both before and after the merger, can you please confirm if you require this information for all three Trusts (i.e. both legacy Trusts and University Hospitals Sussex NHS Foundation Trust) where applicable or if you just require information for University Hospitals Sussex NHS Foundation Trust?
Where information is required for the legacy Trusts and University Hospitals Sussex NHS Foundation Trust, we will only be able to report by financial year (i.e. April – March) due to the date of the merger, and not by calendar year as you have requested. Can you please confirm this is acceptable?
With regard to question 3, cyber security costs come out of the Trust’s capital budget. Please can you confirm if you wish us to provide a percentage in terms of this capital budget or as a percentage against the whole capital and revenue budget?
Response received 20 June 2023:
Yes, please can you send the information for all three trusts. Reporting by calendar year is fine.
In answer to the third enquiry, please provide the percentage in relation to the capital budget.
Response:
1 and 2. The disclosure of information relevant to data security measures used by the Trust would be inappropriate to release into the public domain. If disclosed, this information could be used to identify ways in which our security protocols or those of a supplier could be breached, putting patient data and other confidential information at risk. The Trust has a duty to protect confidential, personal information under Data Protection legislation, as well as a legal obligation to safeguard information relevant to the security of our networks under the Network and Information Systems Regulations Act 2018. On this basis we cannot disclose information about the security standards we work to, since in doing so we may put the security of these systems at increased risk which could impact on the provision or continuity of our essential services.
Further to this we consider the release of this information exempt under Section 31 [law enforcement] of the Freedom of Information Act.
3. In the financial year April 2020 to March 2021 the cyber security budget was £2,420k; this sum was equivalent to 6% of the operational capital budget. In the financial year April 2021 to March 2022 the cyber security budget was £2,430k; this sum was equivalent to 5% of the operational capital budget.
4. Section 31 [law enforcement] exemption is applicable, as outlined in questions 1 and 2 above.