1. Do the Trust’s clinical systems share username and password combinations? [Yes, all/Yes, some/No] some AD linked
2. For clinical systems, are users required to change their passwords at pre-defined regular intervals? [Yes, all/Yes, some/No]
3. For clinical systems, are minimum requirements set regarding users’ passwords’ composition e.g. mandating that they containing ‘special’ characters contain upper and lowercase letters or contain numbers and letters (please do not include rules regarding password length in this answer)? [Yes, all/Yes, some/No]
4. For clinical systems, are minimum length requirements set regarding users’ passwords e.g. that they must be more than a pre-specified number of characters? [Yes, all/Yes, some/No]
5. For clinical systems, are maximum length requirements set regarding users’ passwords e.g. that they must be less than a pre-specified number of characters? [Yes, all/Yes, some/No]
6. Are users provided with an indicator of password strength when they are choosing passwords for clinical systems? [Yes, all/Yes, some/No]
7. For clinical systems, are passwords checked against published databases of known compromised passwords e.g. those available at haveibeenpwned.com? [Yes, all/Yes, some/No]
8. For clinical systems, are passwords stored as plain text? [Yes, all/Yes, some/No]

The Trust does hold this information; however we are withholding it under Section 31 (3) of the Freedom of Information Act as the disclosure could prejudice the prevention or detection of (cyber) crime. There is therefore significant public interest in not providing this information.

9. For clinical systems where passwords are stored hashed, are password hashes salted? [Yes, all/Yes, some/No/Not applicable]

The Trust does hold this information; however we are withholding it under Section 31 (3) of the Freedom of Information Act as the disclosure could prejudice the prevention or detection of (cyber) crime. There is therefore significant public interest in not providing this information.

10. For clinical systems, when incorrect passwords are entered, do further attempts eventually result in either throttling of further access attempts or account lock-out? [Yes, all/Yes, some/No]
11. For clinical systems, when users log in successfully, are they shown details of recent logins to that account? [Yes, all/Yes, some/No]
12. For clinical systems with web browser based interfaces, is login compatible with password management software (for example 1Password or Last Pass)? [Yes, all/Yes, some/No]
13. For clinical systems, does the Trust employ two-factor authentication? [Yes, all/Yes, some/No]
14. Does the Trust provide access to clinical systems from outside Trust premises e.g. using virtual private network technology? [Yes/No]
15. Is access to clinical systems from outside the Trust premises restricted to Trust-owned devices? [Yes/No/Not applicable]
16. Does access to the Trust’s network from outside Trust premises require two-factor authentication? [Yes, all/Yes, some/No/Not applicable]
17. For devices with access to the Trust’s network, are manufacturers’ passwords changed from default on installation? [Yes, all/Yes, some/No]
18. Do users of the Trust’s clinical systems receive specific training on cyber security in general? [Yes, all/Yes, some/No] Notices & bulletins are sent via the IT Systems to all desktops
19. Do users of the Trust’s clinical systems receive specific training in choosing and maintaining appropriate passwords? [Yes, all/Yes, some/No]
20. Do users of the Trust’s clinical systems receive specific advice not to share passwords between clinical systems and other accounts? [Yes, all/Yes, some/No]