In this respect the NHS has lagged behind many parts of the UK government, for which cloud services have been prioritised since 2013 under the “cloud first” policy for public-sector IT.
Organisations including NHS Choices and NHS England’s Code4Health already use the cloud, but this marks the first time the technology has been given the green light for broad adoption.
The new national guidance requires data to be stored within the UK-European Economic Area, a country that meets the European Commission’s standards for data protection or US services covered by the Privacy Shield data-transfer agreement.
But medical privacy campaign group MedConfidential pointed out the Privacy Shield agreement between the EU and the US has been criticised by many, including some European data protection regulators. European officials found the arrangement “adequate” on its first annual review last year.
MedConfidential pointed out the MoD has stricter rules, requiring cloud data to be stored within the UK – a limitation that has encouraged providers such as Amazon, Google, IBM, Microsoft and Oracle to build their first cloud data centres in Britain.
NHS Digital said those responsible for data privacy at a local level should review security arrangements in conjunction with data protection officers and Caldicott Guardians, who are responsible for ensuring the confidentiality of medical records.
The guidance provides bodies with a framework for assessing and managing risk around the use of the cloud, including legal guidelines and considerations in choosing suppliers, as well as best practice principles for handling customer data and dealing with the approaching General Data Protection Regulation (GDPR), to be introduced on 25 May.
Suppliers are required to encrypt communications and undertake annual security assessments against standards such as the ISO or the UK government’s Cyber Essentials, as well as informing customers of any changes that could affect security or data privacy.
NHS Digital, which produced the guidelines in conjunction with NHS England, the Department of Health and Social Care and NHS Improvement, said the cloud’s benefits can include improved security and disaster-recovery and reduced operating costs.
“It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so,” stated NHS Digital deputy chief executive Rob Shaw. “The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.”
NHS Digital said many health and care organisations have already adopted the cloud based on individual risk management assessments.
Risks in using the cloud include the reliance on internet connectivity, the necessity of changing budgeting arrangements and the requirement to bring in external experts to implement cloud systems, the guidance says.
MedConfidential said the broad guidance essentially shifts decision-making about cloud services risks to individual organisations, and could lead to some bodies looking to reduce costs making poor choices that could endanger medical privacy.
“A press release from (the Department of Health) doesn’t breach the law; although whether you would be compliant with the law if you followed what it suggests is an entirely different issue,” said MedConfidential coordinator Sam Smith in a Twitter post.
Microsoft, which already provides cloud services to the NHS and the Ministry of Defence, stated that the cloud would allow the NHS to “innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way”.