Freedom of Information: HWHCT-042

Our ref: HWHCT-042

18 May 2022

FOI request:

Can I please make a request under the Freedom of Information Act and I would like to request the following information about the organisation’s Local Area Network (LAN) environment. You may have received the same request in the past and this information sent has now expired and I require an update as soon as possible.

Please can you send me the organisation’s Local Area Network (LAN) contract, which may include the following:

Support and Maintenance- e.g. switches, router, software etc

Managed- If this includes services than just LAN.

1. Contract Type: Managed or Maintenance

2. Existing Supplier: Who is the current supplier?

3. Annual Spend for each supplier: What is the annual average spending on the supplier above? If there is more than one supplier, please split the annual averages spent for each supplier.

4. Number of Users: Please can you provide me with the number of users this contract covers. Approximate number of users will also be acceptable.

5. Number of Sites: The number of sites, where equipment is supported by each contract.

6. Hardware Brand: What is the hardware brand of the LAN equipment?

7. Contract Description: Please provide me with a brief description of the overall contract.

8. Contract Duration: What is the duration of the contract and can you please also include any extensions this may include.

9. Contract Expiry Date: When does the contract expire?

10. Contract Review Date: When will the organisation be planning to review the contract?

11. Responsible Officer: Contact details including name, job title, contact number and email address?

If the LAN maintenance is included in-house, please include the following information:

1. Hardware Brand: What is the hardware brand of the LAN equipment?

2. Number of Users: Please can you provide me with the number of users this contract covers. Approximate number of users will also be acceptable.

3. Number of Sites: Estimated/Actual number of sites the LAN covers.

4. Responsible Officer: Who within the organisation is responsible for LAN please provide me with contact details including name, job title, contact number and email address?

If the contract is managed by a 3rd party e.g. Can you please provide me with

1. Existing Supplier: Who is the current supplier?

2. Number of Users: Please can you provide me with the number of users this contract covers. Approximate number of users will also be acceptable.

3. Number of Sites: Estimated/Actual number of sites the LAN covers.

4. Contract Type: Managed, Maintenance, Installation, Software

5. Hardware Brand: What is the hardware brand of the LAN equipment?

6. Contract Description: Please provide me with a brief description of the overall contract.

7. Contract Duration: What is the duration of the contract and can you please also include any extensions this may include.

8. Contract Expiry Date: When does the contract expire?

9. Contract Review Date: When will the organisation be planning to review the contract?

10. Responsible Officer: Who within the organisation is responsible for each of these contract(s) please provide me with contact details including name, job title, contact number and email address?

Trust response:

The LAN maintenance is in-house:

1. Herefordshire and Worcestershire Health and Care NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA. The full wording of section 31 can be found here: http://www.legislation.gov.uk/ukpga/2000/36/section/31

S31(3) of the FOIA allows a public authority to neither confirm nor deny whether it holds information where such confirmation would be likely to prejudice any of the matters outlined in section 31(1). This includes information the disclosure of which would or would be likely to prejudice the prevention or detection of crime.

As section 31(3) is a qualified exemption, it is subject to a public interest test for determining whether the public interest lies in confirming whether the information is held or not.

Factors in favour of confirming or denying the information is held

The Trust considers that to confirm or deny whether the requested information is held would indicate the prevalence of cyber-attacks against the Trust’s ICT infrastructure and would reveal details about the Trust’s information security systems. The Trust recognises that answering the request would promote openness and transparency with regards to the Trust’s ICT security.

Factors in favour of neither confirming nor denying the information is held

Cyber-attacks, which may amount to criminal offences, for example under the Computer Misuse Act 1990 or the Data Protection Act, are rated as a Tier 1 threat by the UK Government. The Trust, like any organisation, may be subject to cyber-attacks and, since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important.

In this context, the Trust considers that confirming or denying whether the requested information is held would provide information about the Trust’s information security systems and its resilience to cyber-attacks. There is a very strong public interest in preventing the Trust’s information systems from being subject to cyber-attacks. Confirming or denying the type of information requested would be likely to prejudice the prevention of cybercrime, and this is not in the public interest.

Balancing the public interest factors

The Trust has considered that if it were to confirm or deny whether it holds the requested information, it would enable potential cyber attackers to ascertain how and to what extent the Trust is able to detect and deal with ICT security attacks. The Trust’s position is that complying with the duty to confirm or deny whether the information is held would be likely to prejudice the prevention or detection of crime, as the information would assist those who want to attack the Trust’s ICT systems. Disclosure of the information would assist a hacker in gaining valuable information as to the nature of the Trust’s systems, defences and possible vulnerabilities. This information would enter the public domain and set a precedent for other similar requests which would, in principle, result in the Trust being in a position where it would be more difficult to refuse information in similar requests. To confirm or deny whether the information is held is likely to enable hackers to obtain information in mosaic form combined with other information to enable hackers to gain greater insight than they would ordinarily have, which would facilitate the commissioning of crime such as hacking itself and also fraud. This would impact on the Trust’s operations including its front line services. The prejudice in complying with section 1(1)(a) FOIA is real and significant as to confirm or deny would allow valuable insight into the perceived strengths and weaknesses of the Trust’s ICT systems.

2. c4500

3. Multiple LANs covering a total of 63 sites

4. Tim Windsor, Head of IT Infrastructure, 01905 681799, timwindsor@nhs.net

Please be aware that although this information is accurate at the time it is provided, it may not be in the future and should not be relied upon.