NHS OKs offshoring patient data to cloud providers stateside

The UK's National Health Service has said that Brits' patient data can be stored in the cloud – and has given US data centres party to Privacy Shield the thumbs-up.

In a major policy shift, NHS Digital has given care providers the go-ahead to store patient information outside Blighty in a bid to hurry them into the cloud to save cash.

Data can now be hosted in "countries that provide an adequate level of protection for personal data", said the guidance, which was developed with the Department of Health, NHS England and NHS Improvement.

This is defined as being "within the UK, the European Economic Area, in countries deemed adequate by the EU, or in the US where it is covered by the Privacy Shield", which governs transatlantic data flows.

The intention is to encourage NHS bodies to sign up to cloud services, with a chunk of the guidance set aside to promote the benefits of the fluffy stuff.

"It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively," said Rob Shaw, deputy chief executive at NHS Digital.

The touted benefits include cost savings through not having to buy and maintain hardware and software, and "comprehensive backup and fast recovery of systems".

Care providers should weigh these against the potential downsides, the guidance said. These include that critical services will depend on reliable internet access, that existing staff might not have the technical expertise, and that tech budgets may need to switch from capital expenditure to pay-as-you-go.

"Use of the cloud increases the portability of data, meaning data can be distributed across multiple devices both within and without the boundary of your organisation. The right cultural understanding and behaviours need to be in place to manage this portability appropriately and mitigate any risks," the document added.

NHS Digital emphasised the importance of risk assessment, issuing a one-page cheat sheet on security and good practice.

Care providers must carry out risk assessments and implement the right data protection controls – with reference to various pieces of government guidance – and monitor the implementation, the guidance said.

But Sam Smith, coordinator of campaign group MedConfidential, said this amounted to "NHS England and NHS Digital shifting responsibility on to the care providers".

"The guidance recognises that there are risks involved in the cloud, but it doesn't go into details on how to solve them," he told The Register.

"It puts the burden of risk assessments on to the care providers, right down to the IT manager of a small community hospital. The nervous ones will probably be OK, but the ones who aren't as cautious might not be – and patients will pay the price."

Bigger providers like Microsoft and Amazon already have a fair foothold in the health service, but Smith argued that giving NHS organisations the green light to use a wider range of cloud providers might give smaller companies too much wiggle room.

"This isn't about a hospital sticking all its data in a small cloud provider in the US; it's about subcontractors. Would a company that a clinic uses for a custom purpose use the cheapest hosting it can find? Yes. And the Information Commissioner's Office doesn't have jurisdiction over a small company in Idaho."

A further concern for privacy campaigners will be the guidance's assertion that any firm signed up to the Privacy Shield agreement offers adequate protection for NHS data.

That deal, which allows firms to sign up by self-certifying to the US Department of Commerce, has only been in place for about a year, and there remain a number of unresolved issues.

The EU's data protection agencies said in December that they still have "significant concerns" about it, and even the European Commission has admitted a number of improvements are needed.

This includes appointing a permanent ombudsman to oversee the deal on the US side and filling a number of vacant posts on the oversight board.

There are also question marks over the impact of the Trump administration's feeling towards security and privacy, and how compliance with the scheme will be monitored and firms making false claims will be weeded out.

Max Schrems' battle with Facebook over transatlantic data transfers, which ended up ruling the Safe Harbor agreement invalid, is ongoing, meaning the future of Privacy Shield is anything but guaranteed.

The NHS's move also comes after years of the government lobbying cloud vendors like Microsoft and Amazon to open up data centres in the UK. They did so, with the aim of wooing government customers that were being pushed to use public cloud services, but had to ensure the data remained in the UK.

"The MoD is keeping its position [that data has to be hosted in the UK] so the NHS medical records of every patient in the country are now treated with a lower level of protection than the menu in GCHQ's canteen," Smith said.

Microsoft has showered praise on the NHS's commitment to cloud. In a canned statement, Suzy Foster, director of health and life science, said: "By moving to the cloud, the NHS can begin to innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way."

But the gleeful welcome didn't go down quite so well on Twitter, with one user saying trusts would be better off with a private Linux server. ®