As NHS Digital endorses placing health data in the public cloud, we ask what responsible cloud use looks like in the NHS.
For some time we have been calling on the NHS to move to the cloud as a cheaper, more secure alternative to on-premise and outsourced IT. We therefore warmly welcome NHS Digital’s recently issued guidance that endorses placing health data in the public cloud. The guidance encourages health and care organisations to harness the potential of cloud, thereby becoming more secure and providing better efficiencies, and allowing NHS Trusts to do ‘more for less’.
It is hoped that this official cloud endorsement will also unlock a wave of innovation in the NHS, especially in areas like IoT solutions. These solutions will generate a wealth of new and enriched data that can then inspire yet more specialist solutions, which will themselves deliver new insights and help reduce costs and improve outcomes. There are a number of factors that need to be considered here:
With cloud as the underlying enabler for so many other areas of innovation, the new guidance from NHS Digital is most welcome. It comes at a time though when there has been a growing trend towards multi-cloud strategies and a realisation not only that no single cloud is appropriate for all workloads, but also that cloud lock-in represents an increasing threat.
In addition, various organisations and publications (examples here and here) have expressed surprise that NHS Digital’s guidance on cloud should include off-shoring to US data centres, as long as the companies are covered by the Privacy Shield agreement. The Privacy Shield agreement allows firms to sign up by self-certifying to the US Department of Commerce. However, the EU’s data protection agencies said in December that they have “significant concerns” about it, and even the European Commission has admitted a number of improvements are needed. Issues on the US side include the lack of a permanent ombudsman to oversee the deal, how compliance with the scheme will be monitored and how firms making false claims will be weeded out. Indeed, Privacy Shield is being challenged from all sides and its future is anything but guaranteed.
As ever though, the NHS Digital guidance came with a number of caveats. Many of these emphasised that responsibility for things like security, privacy and compliance cannot be outsourced. Indeed, along with the new guidance, NHS Digital provided links for more details on its cloud security good practice guide, its cloud risk framework, its data risk model and its cloud security overview.
To help address the key challenges of adopting the global public cloud platforms and help outline what responsible cloud use looks like, we have drawn up the following golden rules that NHS Trusts would be wise to follow:
Consider using a government-grade provider for your most critical workloads and patient identifiable data sets – those providers with adequate assurance levels and with connectivity to HSCN. Caldicott principles mandate levels of protection for patient identifiable data. With HSCN providing secure connectivity, data transfer via the public internet should be avoided – especially given the heightened level of cyber activity, as we saw with WannaCry. Trusts also need to be prepared for the DoH 2017/18 data and security guidance, which the NHS will have to measure from this April (see here).
Adopt a multi-cloud approach to ensure that you get the right cloud for each of your workloads. Avoid cloud lock-in and maximise flexibility with multi-cloud and you’ll not only find the best fit for each workload in the cloud, but also be able to cater for applications that were never designed to run in the cloud.
Keep your data in the UK. Despite NHS Digital’s guidance mentioning Privacy Shield, the framework’s future is far from assured and you may need to repatriate your data if, like Safe Harbor, it is overturned. There are few scenarios in which you should need to take data offshore in the first place, so why take the risk?
Most organisations are going to have their work cut out preparing for GDPR, so avoid complications that could compromise your compliance. For example, the global cloud providers maintain the right to export your data anywhere in the world, without notice, irrespective of your choice of processing region, which is contrary to both GDPR and NHS Digital’s published guidance.
As we move towards a paperless, more integrated and more intelligent future, we will be expected to query ever larger data sets with ever greater speed and efficiency (potentially triggering egress charges and other hidden costs). Ensuring that your data sets and workloads are in close proximity to those of your peers, of your key application providers and of key third parties (such as Genomics England with the rise of genomic medicine) will become increasingly advantageous.
We see a bright, innovative future for the NHS, as well as a way not only of improving efficiency and partly alleviating its constant financial pressures, but also of improving patient outcomes. The cloud will have a big role to play in all of this and the new guidance from NHS Digital should be welcomed, as long as the five golden rules are kept in mind.