The NHS has allowed trusts, hospitals and social care providers to store patient data on cloud computing platforms, provided such offshoring does not violate data transfer rules incorporated in the GDPR.
NHS and social care providers will be able to store patient data either within the UK, in a country deemed adequate by the European Commission or in a location in the U.S. which is covered by the Privacy Shield.
NHS' new ruling has now paved the way for trusts, hospitals and social care providers to store, maintain, and back up vast patient data on secure cloud platforms, thereby eliminating the need to maintain a vast storage capacity and also keeping sensitive patient data away from hackers.
However, NHS has placed restrictions on where such data can be stored or backed up. In a press release, the organisation said that NHS and Social care providers will only be allowed to store data within the UK, in a country deemed adequate by the European Commission or in a location in the U.S. which is covered by the Privacy Shield.
It also added that any decision to offshore patient data to cloud services must be taken once Senior Information Risk Owners (SIROs) are satisfied with appropriate security arrangements. NHS trusts and hospitals have also been urged to use National cyber security essentials as a guide while offshoring patient data.
It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively," said Rob Shaw, deputy chief executive at NHS Digital.
According to the NHS, by hosting data on cloud platforms, NHS and social care organisations will not only be able to save a lot of money on updating, maintaining, patching and securing their infrastructure but will also be able to take advantage of lower IT costs while developing, testing and deploying new services.
At the same time, it also warned organisations that to access data stored on cloud services, they will need to have reliable Internet connections and will also have to hire people with the capability to deliver and manage cloud services.
'Use of the cloud increases the portability of data, meaning data can be distributed across multiple devices both within and without the boundary of your organisation. The right cultural understanding and behaviours need to be in place to manage this portability appropriately mitigate any risks,' it added.
'It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively,' said Rob Shaw, deputy chief executive at NHS Digital.
Despite their obvious advantages, cloud storage services are not inherently secure and need to be patched regularly to maintain their secure profiles. Last year, a survey of CIOs from the UK and the United States revealed that 88% of them were not in favour of cloud adoption because of the long-term security risks it created.
A majority of them believed that the cloud was reducing their organisations’ control over IT as they did not apply the same comprehensive ITSM processes in the cloud as they did for their in-house IT services.
'CIOs should still be managing cloud services internally, rather than abdicating responsibility to the provider. Otherwise they risk losing control, and increasing both cost and risk to themselves and the business,' said Paul Cash, managing partner at Fruition Partners who conducted the survey.
'Technologies like the cloud now underpin much of the UK business infrastructure and there is a clear intent from companies to keep up with the pace of change. But with great digital opportunities comes an element of risk – companies must ensure cyber security is a boardroom priority and work closely with suppliers and customers to remain cyber resilient,” said Tom Thackray, Director of Innovation at CBI.
While NHS and social care organisations now have the option of migrating patient data to could servers, it remains to be seen how effectively they'll be able to retain control over such data and choose the right services based on their needs.