NHS Gives Thumbs Up To Cloud For Medical Record Storage

The NHS has published guidance on how health and care organisations can make use of cloud computing or data offshoring facilities for the storage of patient information, in a policy shift that has seen most bodies continue to use on-site IT centres until now.

In this respect the NHS has lagged behind many parts of the UK government, for which cloud services have been prioritised since 2013 under the “cloud first” policy for public-sector IT.

Organisations including NHS Choices and NHS England’s Code4Health already use the cloud, but this marks the first time the technology has been given the green light for broad adoption.

The new national guidance requires data to be stored within the UK-European Economic Area, a country that meets the European Commission’s standards for data protection or US services covered by the Privacy Shield data-transfer agreement.

Security standards

But medical privacy campaign group MedConfidential pointed out the Privacy Shield agreement between the EU and the US has been criticised by many, including some European data protection regulators. European officials found the arrangement “adequate” on its first annual review last year.

MedConfidential pointed out the MoD has stricter rules, requiring cloud data to be stored within the UK – a limitation that has encouraged providers such as Amazon, Google, IBM, Microsoft and Oracle to build its first cloud data centres in Britain.

NHS Digital said those responsible for data privacy at a local level should review security arrangements in conjunction with data proteciton officers and Caldicott Guardians, who are responsible for ensuring the confidentiality of medical records.

The guidance provides bodies with a framework for assessing and managing risk around the use of the cloud, including legal guidelines and considerations in choosing suppliers, as well as best practice principles for handling customer data and dealing with the approaching General Data Protection Regulation (GDPR), to be introduced on 25 May.

Suppliers are required to encrypt communications and undertake annual security assessments against standards such as the ISO or the UK government’s Cyber Essentials, as well as informing customers of any changes that could affect security or data privacy.

Cloud benefits

NHS Digital, which produced the guidelines in conjunction with NHS England, the Department of Health and Social Care and NHS Improvement, said the cloud’s benefits can include improved security and disaster-recovery and reduced operating costs.

“It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so,” stated NHS Digital deputy chief executive Rob Shaw. “The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.”

NHS Digital said many health and care organisations have already adopted the cloud based on individual risk management assessments.

Risks in using the cloud include the reliance on internet connectivity, the necessity of changing budgeting arrangements and the requirement to bring in external experts to implement cloud systems, the guidance says.

MedConfidential said the broad guidance essentially shifts decision-making about cloud services risks to individual organisations, and could lead to some bodies looking to reduce costs making poor choices that could endanger medical privacy.

“A press release from (the Department of Health) doesn’t breach the law; although whether you would be compliant with the law if you followed what it suggests is an entirely different issue,” said MedConfidential coordinator Sam Smith in a Twitter post.

Microsoft, which already provides cloud services to the NHS and the Ministry of Defence, stated that the cloud would allow the NHS to “innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way”.

How well do you know the cloud? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • This is a fantastic article and I am very happy to hear we are doing more to protect are health service.

    Protecting the cloud is great but we need to do more implementation of quality standards such as Cyber essentials.

    Cyber essentials should be mandatory in the NHS as it is in Scotland. With tools like cybersmart.co.uk this should be easy for organisations of any size.

Recent Posts

Sphere Chat App Acquired By Twitter

Second startup purchase by a big name tech firm for young British entrepreneur Nick D'Aloisio,…

16 hours ago

Boeing Delays Starliner Launch Until 2022

Glitch with vehicle's propulsion system discovered in August still to be resolved, and crucial uncrewed…

18 hours ago

Oversight Board: Facebook ‘Not Forthcoming’ On VIP Cross-check System

Facebook’s own oversight board has slammed the platform for withholding relevant information about its VIP…

19 hours ago

Samsung Barred From Importing Smartphones Into Russia

Russian court bans Samsung Electronics from importing and selling 61 models of smartphones in Russia…

20 hours ago

Vodafone To Hire 7,000 In Digital Services Push

British mobile giant Vodafone to hire thousands of software engineers to assist in its digital…

23 hours ago

Donald Trump To Launch ‘TRUTH Social’ Media Platform

Third time the charm? After indefinite ban on Twitter, and closure of short-lived website, Donald…

24 hours ago