1. What was the total number of cyber-attack incidents that have been recorded in your trust in the past 24 months?
2. What is the classification of your policy regarding breach response?
3. Of the devices running Windows operating systems, what is the number and percentage of devices running Windows 11, Windows 10, Windows 7, Windows XP?
4. What are the top 20 cyber security risks in your Trust, and how are they managed?
5. Do you continue to use the Unified Cyber Risk Framework, is so how many risks are still identified/managed.
6. What is your Patch Management Cycle and how is it implemented on old Operating systems (e.g., for Windows, Windows XP)?
7. What is your current status on unpatched Operating Systems?
8. Of the devices running Windows Servers operating systems, what is the number and percentage of devices running Windows 2000, Windows 2003, Windows 2008, Windows 2012, Windows 2016, Windows 2019, Windows 2022?
9. Has your Trust signed up to and implemented the NHS Secure Boundary managed service to strengthen cyber resilience? If so, how many cyber security threats has the NHS Secure Boundary detected within your NHS Trust since its implementation?
10. Does your Trust hold a cyber insurance policy? If so:
a. What is the name of the provider;
b. How much does the service cost; and
c. By how much has the price of the service increased year-to-year over the last three years?
11. When did the current Board last receive a briefing on cybersecurity threats within healthcare, and when did they last participate in cyber security training? How frequently, if at all, do these briefings and trainings occur, and are they carried out by cyber security technology professionals?
12. Has your NHS Trust completed a Connection Agreement to use the Health and Social Care Network (HSCN)? If so, did you pass, and is there a copy of the code of connection?
13. Have there been any incidents of staff members or personnel within your Trust being let go due to issues surrounding cyber security governance?
14. How many open vacancies for cyber security positions are there within your Trust, and is their hour capacity affected by a shortage of qualified applicants?
15. Are there mandatory minimum training requirements for those transferred internally to work in cybersecurity within your Trust, and if so, how often is the training updated and revised to reflect the evolving nature of the industry?
16. How much money is spent by your Trust per year on public relations related to cyber-attacks? What percentage of your overall budget does this amount to?
17. Does your Trust have a Chief Information Risk Officer? If so, who do they report to?
18. When was the last time your Trust underwent a security audit? At what frequency do these audits occur?
19. What is your strategy to ensure security in cloud computing?
20. Do you purchase additional / enhanced support from a Supplier for end-of-life software (Operating Systems / Applications)? If so, what are the associated costs per year per Operating System /Application, and the total spend for enhanced support?
