Cloud computing: Now hospitals can keep confidential patient records in the public cloud

Healthcare organisations get the green light to use cloud computing services to store sensitive information.
Written by Steve Ranger, Global News Director

Video: Digital transformation, data-led change: Technology leadership in the public sector

The NHS has given hospitals the go-ahead to store sensitive patient records in the cloud.

NHS Digital, which advises hospitals and doctors on tech issues, has issued guidance on the use of cloud services by healthcare and social care organisations.

The NHS holds vast amounts of extremely sensitive health data about nearly everyone in the UK; to allow that information to be stored in the cloud is a huge vote of confidence in the technology from one of the world's largest organisations.

NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery. "Together these features cut the risk of health information not being available due to local hardware failure," said the report.

See: Special report: The cloud v. data center decision (free PDF)

Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively."

The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud.

NHS doctors cloud computing

NHS records could soon be stored in the cloud.

Image: iStock

NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.

"NHS and social care organisations can safely put health and care data, including non-personal data and confidential patient information, into the public cloud. Many NHS organisations and government departments have already made this decision based on risk management assessments and having put appropriate safeguards in place," the report said.

Because cloud providers have significant budget to pay for updating, maintaining, patching, and securing their infrastructure, NHS Digital said, the use of cloud services can mitigate many common risks faced by NHS and social care organisations. For example, delays in patching well-known vulnerabilities saw the NHS hit hard by last year's WannaCry ransomware epidemic. The report also noted that as more services for patients and staff move to the internet and the need for better data interoperability increases, it's likely that use of cloud services will become more prevalent across the NHS and social care organisations.

However, the guidance -- NHS and social care data: off-shoring and the use of public cloud services -- also warned that moving critical services to the cloud will increase the importance of internet access to these organisations. "If your internet access is disrupted or is unreliable, you may lose access to your data and services," said NHS Digital.

The report also warns healthcare organisations that they may need to change the way they budget for technology, as cloud services usually operate on a pay-as-you-go model rather than being paid for from capital expenditure.

"Use of the cloud increases the portability of data, meaning data can be distributed across multiple devices both within and without the boundary of your organisation. The right cultural understanding and behaviours need to be in place to manage this portability appropriately mitigate any risks," it said.

NHS organisations are also urged to consider carefully the location of their cloud providers. "To benefit from additional resilience it is highly recommended that for the data you deem to be of the highest risk you consider taking a multi-region approach; where, for example the data is stored both in and outside of the UK."

But it's also possible to have numerous jurisdictions apply to data held in cloud services -- for example, if the cloud provider is non-UK, or has a non-UK parent company.

"Furthermore, service providers sometimes use offshore technical and support staff, who are able to access data from another location. Many global service providers have a global support model that does not limit where staff can operate. You will want to understand whether this has any impact for your risk-based decision," said NHS Digital.


Cloud computing: What it's like to make the move

Cloud computing customers on why they made the migration and what companies following in their footsteps should, and should not, do.

Cloud computing spending is growing even faster than expected

Most new features are being offered by vendors as cloud services only.

Cloud computing: How to build a business case

When planning a migration to the cloud, what do you need to take into account?


Editorial standards