NHS Gives Thumbs Up To Cloud For Medical Record Storage

The NHS has published guidance on how health and care organisations can make use of cloud computing or data offshoring facilities for the storage of patient information, in a policy shift that has seen most bodies continue to use on-site IT centres until now.

In this respect the NHS has lagged behind many parts of the UK government, for which cloud services have been prioritised since 2013 under the “cloud first” policy for public-sector IT.

Organisations including NHS Choices and NHS England’s Code4Health already use the cloud, but this marks the first time the technology has been given the green light for broad adoption.

The new national guidance requires data to be stored within the UK or European Economic Area, in a country that meets the European Commission’s standards for data protection, or in US services covered by the Privacy Shield data-transfer agreement.

Security standards

But medical privacy campaign group MedConfidential pointed out the Privacy Shield agreement between the EU and the US has been criticised by many, including some European data protection regulators. European officials found the arrangement “adequate” on its first annual review last year.

MedConfidential pointed out the MoD has stricter rules, requiring cloud data to be stored within the UK – a limitation that has encouraged providers such as Amazon, Google, IBM, Microsoft and Oracle to build their first cloud data centres in Britain.

NHS Digital said those responsible for data privacy at a local level should review security arrangements in conjunction with data protection officers and Caldicott Guardians, who are responsible for ensuring the confidentiality of medical records.

The guidance provides bodies with a framework for assessing and managing risk around the use of the cloud, including legal guidelines and considerations in choosing suppliers, as well as best practice principles for handling customer data and dealing with the approaching General Data Protection Regulation (GDPR), to be introduced on 25 May.

Suppliers are required to encrypt communications and undertake annual security assessments against standards such as the ISO or the UK government’s Cyber Essentials, as well as informing customers of any changes that could affect security or data privacy.

Cloud benefits

NHS Digital, which produced the guidelines in conjunction with NHS England, the Department of Health and Social Care and NHS Improvement, said the cloud’s benefits can include improved security and disaster-recovery and reduced operating costs.

“It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so,” stated NHS Digital deputy chief executive Rob Shaw. “The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.”

NHS Digital said many health and care organisations have already adopted the cloud based on individual risk management assessments.

Risks in using the cloud include the reliance on internet connectivity, the necessity of changing budgeting arrangements and the requirement to bring in external experts to implement cloud systems, the guidance says.

MedConfidential said the broad guidance essentially shifts decision-making about cloud services risks to individual organisations, and could lead to some bodies looking to reduce costs making poor choices that could endanger medical privacy.

“A press release from (the Department of Health) doesn’t breach the law; although whether you would be compliant with the law if you followed what it suggests is an entirely different issue,” said MedConfidential coordinator Sam Smith in a Twitter post.

Microsoft, which already provides cloud services to the NHS and the Ministry of Defence, stated that the cloud would allow the NHS to “innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way”.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.

View Comments

  • This is a fantastic article and I am very happy to hear we are doing more to protect our health service.

    Protecting the cloud is great but we need to do more implementation of quality standards such as Cyber essentials.

    Cyber essentials should be mandatory in the NHS as it is in Scotland. With tools like cybersmart.co.uk this should be easy for organisations of any size.
