The Department of Health and Social Care, NHS Digital, NHS England and NHS Improvement have released guidance on the safeguards under which health and social care organisations can securely store and use their data, including confidential patient information, in the public cloud, including in solutions that make use of data off-shoring.
This move is a large step forward and has removed one of the last impediments to the use of the public cloud by NHS bodies. According to the guidance, there are several key areas of clarification which together mean that far more NHS organisations can safely and securely adopt dedicated Cloud services, such as Microsoft Azure.
Key takeaways
- The most critical identified data types are still “OFFICIAL-SENSITIVE”; these can be stored in Azure or another certified public cloud.
“We cannot, through the Government Security Classification Policy, indicate the very highly sensitive NHS materials such as PKI secrets as needing any greater control than many other kinds of information” – Health and Social Care Cloud Risk Framework
- Using the NHS Digital risk analysis tool, an individual trust could put all its most sensitive Personal Confidential Data (PCD) and everything else in a secure public cloud with sign-off from its own CIO or Caldicott Guardian. A trust can decide to move all its data to a Microsoft Azure primary or secondary data centre as part of a coordinated programme of works, or begin to move some systems in line with its strategic needs.
- Larger NHS organisations can still put PCD and less sensitive data into Microsoft Azure but would meet risk statements like this one:
“At this level, it is likely to become more difficult to justify that the benefits of the use of public cloud outweigh the risks. However, this case may still be made, requiring approval by CIO / Caldicott Guardian, and would be required to be made visible to the organisation’s Board” – Health and Social Care Cloud Risk Framework.
This means that the creation of hybrid designs by a trusted and certified partner can allow even the largest NHS organisations to take advantage of Microsoft Azure capabilities, taking care to work within compliance and security best practices.
Microsoft Azure offers greater security and cost efficiencies by effectively replacing an organisation’s internal servers and the resource and infrastructure needed to operate and maintain them. Current Public Sector users of Microsoft Azure include police forces across London and the Ministry of Defence – which, according to Microsoft, said security and value for money were reasons for the move.
We know that security in the Cloud has often been cited as a big obstacle to migration. However, the Microsoft Azure platform is supported by a wide range of security tools that deliver confidentiality, integrity and availability of client data, while also providing transparent accountability.
Trustmarque designed the reference pattern used by Microsoft for central UK Government Azure. This puts us in an excellent position to offer guidance and support to NHS organisations that are looking to accelerate their use of the cloud. We help our customers achieve IT flexibility, improve the TCO of their NHS IT solutions and speed up responses to the changing needs of patients and government.
If your organisation wants to embrace the benefits of cloud and identify potential pitfalls but needs advice on your next steps or where to get started, we are here to help.