The digital department of the British national health service (NHS) has updated its code of conduct, advising healthcare providers to store patient data in the public cloud, both domestically and abroad.

The new guidelines, written jointly by NHS Digital, NHS England, NHS Improvement and the UK’s Department of Health and Social Care, aim to reduce the IT costs and improve interoperability between different NHS services by introducing the possibility of offshoring patient data and hosting it using public infrastructure.

The text is in line with the government’s “Cloud First” policy for all public sector IT, announced in 2013. It acknowledges the risks and warns of the complexity of cloud deployments, but assures NHS and social care providers that safe means of using cloud services exist, and can be implemented if processes are followed.

– NHS/Thinkstock

Here there and everywhere

As well as allowing patient data to be hosted in the UK, the new guidelines enable social care and NHS providers to store information anywhere in the European Economic Area (EEA).

Information can also be stored in countries which have been vetted and approved by the EU Commission, and in US facilities covered by the Privacy Shield scheme.

Developed by the US Department of Commerce and the EU Commission, and administered by the International Trade Administration, the Privacy Shield framework was created to encourage transatlantic trade between EU member states and the US whilst ensuring compliance with all data sovereignty requirements.

The code of practice preaches caution, advising that providers make “risk-based” decisions when looking to migrate data to the cloud. Factors to take into account include a greater reliance on Internet access, the requirement to switch from fixed capital expenditure to a pay-as-you-go model, and the potential need to recruit more staff or pay for internal cloud management services. Some systems could also be incompatible with cloud computing.

To help inform decisions related to security, providers are advised to refer to the Government Security Classification Policy, the Data Protection Act, the EU General Data Protection Regulation, the Information Governance Toolkit and the Data Security and Protection Toolkit. The guidelines state: “In general, these requirements are universal and large cloud service providers should have taken these into account when producing standard contractual terms.”

Safer up there

Privacy activists have voiced concerns that the new policy could leave sensitive data vulnerable to cyber attack.

Open Rights Group executive director Jim Killock told the BBC he thought the new guidelines represent “a dangerous move that could open up patient data for surveillance purposes, and that could have ramifications for patient health.” Some patients might even avoid getting care for fear of having their data misused.

”Patient confidentiality has to come first,” Killock added. 

The new guidelines state that “NHS and social care organizations can safely put health and care data, including non-personal data and confidential patient information, into the public cloud,” and that “many NHS organizations and government departments have already made this decision based on risk management assessments and having put appropriate safeguards in place.”

The text claims that using cloud services is, in fact, safer than relying on current practices: “Cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure. This means cloud services can mitigate many common risks NHS and social care organizations often face.”