- FoI Number: 2022-640
- Subject: Cyber Attacks
- Date Received: 16/01/2023
- Request and Response:
1. What was the total number of cyber-attack incidents that have been recorded in your trust in the past 24 months?
There have been no cyber-attack incidents recorded by NHS Shetland in the past 24 months.
2. What is the classification of your policy regarding breach response?
Unclear what is being asked here.
3. Of the devices running Windows operating systems, what is the number and percentage of devices running Windows 11, Windows 10, Windows 7, and Windows XP?
Windows 11: 0
Windows 10: Approx. 1000
Windows 7: 0
Windows XP: 0
4. What are the top 20 cyber security risks in your Trust, and how are they managed?
All risks are managed through compliance with regulations, specifically GDPR and NISR.
NHS Shetland works with NHS Scotland, such as the Cybersecurity Centre of Excellence (CCoE), and monitors national intelligence.
NHS Shetland operates a number of technologies to detect and mitigate cyberattacks, including endpoint protection, malware detection, firewalls, intrusion detection, system access auditing and permissions auditing.
Incidents and risks are documented in our Risk Management System.
5. Do you continue to use the Unified Cyber Risk Framework? If so, how many risks are still identified/managed?
We work to the Network and Information Systems Regulations (NISR) to manage our cyber risks.
6. What is your Patch Management Cycle and how is it implemented on old Operating systems (e.g., for Windows, Windows XP)?
We have no Windows 7 or Windows XP endpoints. Endpoints are patched on a 4-week cycle for routine patches. Zero-day and critical security patches are deployed within 24 hours.
7. What is your current status on unpatched Operating Systems?
No unpatched endpoints.
For Windows Server we have an extended Microsoft patching contract, so patching continues, even on our end-of-life Windows Server 2008.
8. Of the devices running Windows Servers operating systems, what is the number and percentage of devices running Windows 2000, Windows 2003, Windows 2008, Windows 2012, Windows 2016, Windows 2019, and Windows 2022?
Windows 2008: 10
Windows 2012: 50
Windows 2016: 50
Windows 2019: 25
Windows 2022: 0
9. Has your Trust signed up to and implemented the NHS Secure Boundary managed service to strengthen cyber resilience? If so, how many cyber security threats has the NHS Secure Boundary detected within your NHS Trust since its implementation?
N/A. NHS Scotland does not use this managed service.
10. Does your Trust hold a cyber insurance policy?
No
If so:
What is the name of the provider?
How much does the service cost; and
By how much has the price of the service increased year-to-year over the last three years?
11. When did the current Board last receive a briefing on cybersecurity threats within healthcare, and when did they last participate in cyber security training?
Briefing provided in February 2023. This was during a development session, so it was both a briefing and a training event.
12. How frequently, if at all, do these briefings and trainings occur, and are they carried out by cyber security technology professionals?
Briefings are at least every 6 months and are carried out by the board DPO and ITSO.
13. Has your NHS Trust completed a Connection Agreement to use the Health and Social Care Network (HSCN)?
Not applicable in Scotland
If so, did you pass, and is there a copy of the code of connection?
N/A
14. Have there been any incidents of staff members or personnel within your Trust being let go due to issues surrounding cyber security governance?
No