FOI 4024 2023/24
No. of cyber-attack and budget spent on cyber support for the Trust
Published 29 May 2024
Questions
- How many times has your organisation experienced an attempted cyber-attack in the last two financial years?
- Have you ever reported any cyber-related incidents to the NCSC and if so, how many in the last two financial years?
- Thinking about cyber-attacks where the criminal was able to obtain data or disable systems, how much have these cost the organisation?
- How much of the organisation’s total annual budget is spent on cyber support, protection and computer systems?
- How many people are employed by the organisation to oversee cyber support and programmes?
Response
The Trust can neither confirm nor deny whether we hold the information you have requested for the following reasons:
Section 31(1)(a) Law enforcement - the prevention or detection of crime:
Disclosure of this information would be likely to prejudice the prevention or detection of crime.
Section 31(3) of the Act recognises the need to exclude the duty to confirm or deny if any information is held where to do so would, or would be likely to, prejudice any of the matters mentioned in 31(1).
It is our view that to confirm or deny the extent to which University Hospitals Birmingham NHS Foundation Trust has been subject to cyber security breaches, and the nature of such attacks, would provide information that is contrary to taking appropriate measures to manage these risks.
There is significant public interest in understanding more about cyber-crime and its potential effect on public organisations, however there is also substantial public interest in not prejudicing any public organisation’s ability to protect itself from cyber-crime.
Providing any information could reveal facts about an organisation’s cyber security stance, for example, even to reveal the total number of incidents could give an indication to the world at large of the strength of an organisation’s cyber defences.
There is also a danger that by revealing any information to the world at large it may alert attackers that organisations are aware of their activity and they could then modify their behaviour accordingly, for example by destroying evidence pertinent to a future prosecution.
Therefore S31(1)(a) of the FOIA is engaged as disclosure of the information requested would be likely to prejudice the prevention or detection of crime.
The public interest test:
Factors in favour of maintaining the exemption
There is a strong general public interest in supporting public bodies to effectively protect the data they hold and to make efficient use of public funds to prevent costly attacks of this type.
In relation to health care organisations this public interest is magnified as the data held are sensitive medical records and a malicious attack on IT infrastructure could affect the delivery of medical treatment, leading in the worst case scenario to the loss of lives.
Factors in favour of disclosure
The public have a right to know how public funds are spent.
There is also always a favourable public interest in disclosure arising from requests made under the Freedom of Information Act, in the spirit of transparency and openness.
The public may benefit from knowing how well resourced cyber-security is in a particular public organisation.
Conclusion
In this instance the Trust considers that the balance of public interest clearly lies in maintaining the exemption, in the interest of the effectiveness of law enforcement and the prevention of crime.
1. We experience cyber-attacks on a regular basis, but none have been successful.
2. Over the last two financial years, we never had to report a cyber-attack to NCSC.
3. There has been zero cost.
4. Exempt under S31(1) of the FOIA.
5. Exempt under S31(1) of the FOIA.