- FoI Number: 2023-392
- Subject: Cybersecurity
- Date Received: 02/10/2023
- Request and Response
- In 2023, what annual cybersecurity budget has been allocated to your NHS Trust?
No specific budget:
Cybersecurity digital technology is part of the overall Digital Budget.
Statutory/Mandatory staff training is part of the Organisational Development Budget.
- Can you also provide your Trust’s annual cybersecurity budget for the years:
- 2022
- 2021
- 2020
- 2019
- 2018
- 2017
In accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested as there is no specific cyber-security budget. See question 1 above.
- In 2023, how is your annual cybersecurity budget spent:
- What percentage goes towards cybersecurity training for employees?
In accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested as there is no specific cyber-security budget. See question 1 above.
In accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested as there is no specific cyber-security budget. See question 1 above.
We estimate that expenditure of IT on cybersecurity technology is approximately 5% of budget.
In accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested as there is no specific cyber-security budget. See question 1 above.
We estimate that cybersecurity is approximately 10% of digital team activity.
- How many employees work in your NHS Trust?
818
- How many employed, full-time members of staff make up your NHS Trust’s cyber/info security team?
See exemption justification below
- How many hours of cybersecurity training are employees of your NHS Trust required to undertake every year?
Approximately 1.5 hours of mandatory training.
- Has your NHS Trust paid any ransom demands to cybercriminals in the last five years?
See exemption justification below
- If yes, how much did you pay in total?
See exemption justification below
- Has your NHS Trust had any patient records compromised / stolen by cybercriminals in the last five years?
See exemption justification below
- If yes, how many records were compromised / stolen?
See exemption justification below
In accordance with FOISA s 16(1), NHS Shetland confirms that it holds the information requested but that it is exempt from disclosure under FOISA s 31(1) as the exemption is required to protect national security.
The Government has declared cyber-attacks a tier 1 national security threat, see below.
NHS Shetland as a Scottish Health Board is an operator of essential services under The Network and Information Systems Regulations 2018: Schedule 2, s 8 (2)(c)(ii).
In this context, providing the detail requested would provide information about the Health Board’s cyber strategy and potential vulnerabilities, allowing these to be mapped for weakness. Therefore the provision of details of this nature is likely to provide additional risk of cyber-attacks. There is a very strong public interest in preventing the Health Board’s information systems from being subject to cyber-attacks. Providing the type of information requested, and subsequent online publication, would very likely provide potential attackers with useful intelligence relating to the cyber security footprint of NHS Shetland, which is not in the public interest.
For all of the reasons provided above, the requested information would also be exempt from disclosure under FOISA s 35(1)(a) as disclosure would, or would be likely to, result in substantial prejudice to the prevention or detection of crime.