Doctors and other healthcare providers in the UK have official guidance from the NHS on how to properly use public cloud services for storing confidential patient information. This guidance includes offshoring, which puts this patient data in foreign public cloud servers, including those located in the United States.
NHS Digital, the national information and technology partner of the health and care system in the UK, published the new guidance, which applies to health and social care organizations throughout the UK.
Using the new outline, NHS and social care providers can now begin moving patient data to the public cloud, a move that is becoming increasingly popular around the world. In the United States, more patient data is finding its way to the cloud as a cost-saving alternative to private IT infrastructure.
The NHS said, “The standards will enable NHS organizations to benefit from the flexibility and cost savings associated with the use of cloud facilities.”
Applicable Public Cloud Providers
Not every public cloud provider is allowed to host NHS data. According to the guidelines, data must only be hosted within the European Economic Area (EEA) or a country deemed adequate by the European Commission.
US-based public cloud services, including those offered by Amazon, Google, and Microsoft, are now permitted to host this sensitive data as long as they are actively registered in the International Trade Administration (ITA)’s Privacy Shield List. These companies and their respective services have been vetted and found to have adequate security to host sensitive data.
UK Government Cloud First Policy
The UK government has been operating under what it calls a “Cloud First” policy for public sector IT since 2013. This policy mandates that government services consider cloud solutions before alternatives. The Cloud First policy specifically outlines a preference for public cloud offerings ahead of private, hybrid, or community-based models.
Individual organizations continue to have the option to opt for a different method of patient record storage.
Rob Shaw, Deputy Chief Executive at NHS Digital, said: “It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively.”
This latest initiative is just another step forward for the UK’s ongoing move towards a cloud-based IT infrastructure.
Noting cost savings and the ability of managed cloud-based services to scale, the new guidance offers organizations a four-step migration plan.
As for any security concerns, the report states: “NHS and social care organizations can safely put health and care data, including non-personal data and confidential patient information, into the public cloud. Many NHS organizations and government departments have already made this decision based on risk management assessments and having put appropriate safeguards in place.”
While the guidance does state where an organization can and can’t place NHS data, it also emphasizes that doing so is not without risk. The outline cites numerous points of concern including loss of data due to breach, compatibility issues with existing systems, and other issues that arise when data is maintained by an entity outside of an organization’s control.