NHS needs to accelerate its move to the Cloud without neglecting Data Sovereignty
Written by Bill Mew, Cloud Strategist at UKCloud
Action needs to be taken to accelerate the NHS’s migration to the cloud in order to enhance collaboration, increase efficiency and improve security, while remaining sensitive to patients’ concerns about storing data abroad or with foreign service providers.
The recent dramatic fall in Facebook’s share price (when its stock price fell by 20% or $120bn — the biggest ever one-day drop in any company’s market value) and the uproar in Singapore (after hackers stole the personal profiles of some 1.5 million patients along with the details of prescriptions for 160,000 others) show that while the public often take their privacy for granted, there can be a massive backlash if it is ever compromised.
The NHS faced intense criticism last year when it’s IT security was found to be wanting and it was one of the organisations hit most severely by the global Wannacry malware attack. Thankfully its reputation and trusted status remained largely intact, but such trust should not be taken for granted.
The problem is that much of the NHS technology estate remains fragmented and vulnerable. Centrally it is recognised that cloud computing has the potential to enhance collaboration, increase efficiency and improve security across the NHS. Unfortunately progress in migrating workloads to the cloud varies dramatically between different Trusts and other bodies within the NHS. Many organisations are still reliant on the kind of fragmented and vulnerable infrastructure that was impacted by the Wannacry attack and are also reliant on out-dated and inefficient technologies such as fax machines — which are still in widespread use across the NHS.
In addition, for those workloads that have been migrated to the cloud, little consideration has been given to patients’ concerns about storing data abroad or with foreign service providers.
A recent report by Corsham Institute, a charity dedicated to research and learning to help people adapt and thrive in a digital world, entitled: “The Adoption of Public Cloud Services in the NHS: trust, security and public opinion”, sought to test levels of public understanding of data storage options within the NHS and confidence or otherwise in their security. The report features expert testimony from interviews conducted by Corsham Institute with a range of health and care professionals and experts, including input from UKCloud Health.
In addition, a Comres survey, commissioned by the Corsham Institute which interviewed 2,009 GB adults and is included in the report, found:
- High levels of trust that the NHS is storing patient data securely: 70% of British adults say they are confident that their patient data the NHS holds is stored securely, while 25% say they are not confident.
- Fairly low levels of understanding as to how patient data is currently stored in the NHS, with half of respondents thinking that it is stored on a national NHS computer server and only 28% thinking that it is stored on a cloud.
- People are twice as likely to be comfortable storing their information on clouds managed by British companies (49%) than on clouds managed by global companies (23%).
- A desire for more information on data storage in the NHS, with 88% of adults saying it is important to know where and how their patient data is stored and 80% saying it is important to know whether patient data is hosted by companies whose headquarters are outside of the UK.
It is clear from this research that patients have little real understanding of how the NHS stores or processes data. Indeed, the public, and healthcare professionals, rightly focus more on patient experience and outcomes. There is a risk, however, that a significant incident, either another attack, like Wannacry, or a significant data breach, like the recent one in Singapore, could shatter confidence in the way that the NHS stores and processes data. The introduction of GDPR and the publicity resulting from the Cambridge Analytica/Facebook scandal have already increased privacy awareness and shaken public trust in data security more widely.
The research also shows that there is little public appetite for NHS data to be kept outside of the UK or held on clouds managed by global companies, concerns that will be exposed and exacerbated in the aftermath of any further significant incidents.
Even before the Wannacry attack, a previous Comres poll sponsored by UKCloud Health in early 2017 found that the British public were concerned about the protection of their personally identifiable data, and that 65 percent also stated that they were concerned about whether their health records, such as medical history or social care records, are adequately protected by companies and public services.
Data Sovereignty: easy to achieve, risky to ignore
Capturing the undoubted advantages of cloud does not mean that NHS data needs to ever move outside of the UK or be held on clouds managed by global companies. Government-grade, secure facilities with connectivity to NHS networks like N3 and HSCN exist within the Crown Campus. Use of such secure, UK-sovereign facilities would not only help minimise the risk of further incidents but would also eliminate the risk of public backlash over moving data outside of the UK or holding it on clouds managed by global companies, in the event of any such incident.
Crown Campus is a secure government-grade hosting environment specifically for public sector framework service providers. It enables collaboration between public sector organisations and the community of service providers that support them, including UKCloud Health, the main cloud provider within the Crown Campus.
UKCloud’s many government and NHS customers benefit not only from the enhanced efficiency and security provided by its secure, UK-sovereign cloud services, but also from being hosted in close proximity to many other key data sets within the Crown Campus. For example Genomics England, the largest single health data set in the UK, is hosted by UKCloud Health along with a number of key hospital trusts. UKCloud Health also hosts a growing ecosystem of health-oriented service providers. Being in close proximity to each other, allows for secure, low-latency connectivity and increased scope for collaboration not only between Trusts, but also with key health solution providers like Docman, Egton and Mayden, all hosted on UKCloud Health’s multi-cloud infrastructure.
UKCloud Health also provides a range of multi-cloud options for optimal workload placement, providing a path for healthcare organisations wanting to the modernising legacy IT that was vulnerable to the Wannacry attack. There is no one-size-fits-all cloud approach though, and Trusts need a secure, compliant, and cost-appropriate solution that meet the demands of their organisation and provides a best fit for each workload. For Trusts with an array of legacy and cloud-native applications, a multi-cloud approach provides the most comprehensive and effective solution and with UKCloud Health it can be provided from totally UK-sovereign facilities that are directly connected to both N3 and HSCN.
The Corsham Institute report accompanying the research findings included expert testimony and opinion from a range of professionals and organisations, including UKCloud Health. It looked in detail at recent NHS data handling stories and the current policy and data governance landscape, including the impact of the Cambridge Analytica/Facebook scandal on public trust in data security more widely. The report’s authors drew out a number of important themes from the research and interviews, including:
- The importance of emphasising the benefits from the adoption of public cloud in the NHS, including: lower costs (freeing up more money for frontline care); greater safety and security of the data; and the opportunity for better care and innovation.
- The need to address some significant challenges for the NHS, including: low levels of digital literacy and technical skills; barriers to maximising the potential of cloud computing, including financial impacts if there are long-term contractual tie-ins to big cloud providers; and the risks from the gulf between the low levels of public understanding of the use of cloud computing, particularly when provided by major global tech companies, and the potential impact should a data security breach occur that is linked to a cloud provider.
Taking the polling and the research together, the report’s authors concluded that that there should be better engagement with the public to make them aware of the use and benefits of cloud computing in the NHS, and to build their understanding and trust in a way that pre-empts risk, rather than waiting to respond to a security breach or other data handling controversy. They also flagged the considerations and trade-offs to be made between choosing a UK-based or global public cloud provider, particularly in relation to data protection and procurement.
Originally published at digileaders.com on August 20, 2018.