David Trossell, Bridgeworks CEO speaks to IT Pro Portal about moving to the cloud is not a be-all end-all security solution for NHS organisations.
July 13, 2018
Several press reports claim that NHS Digital now recognises public cloud services to be a safe way of storing health and social care patient data. In January 2018, the UK’s National Health Service’s digital body press statement cited Rob Shaw, Deputy Chief Executive at NHS Digital.
It is hoped that the standards created by the new national guidance document will enable NHS organisations to benefit from the flexibility and cost savings associated with the use of cloud facilities. However, Shaw says: “It is for individual organisations to decide if they wish to use cloud and data offshoring and there are a huge range of benefits in doing so. These include greater data security protection and reduced running costs, when implemented effectively.
With compliance to the EU’s General Data Protection Regulations (GDPR) in mind, which came into force in May 2018, the guidance offers greater clarity on how use to cloud technologies. With a specific focus on how confidential patient data can be securely managed. NHS Digital explains that the national guidance document “highlights the benefits for organisations choosing to use cloud facilities”.
These benefits can include “cost savings associated with not having to buy and maintain hardware and software, and comprehensive back-up and fast recovery of systems.” Based on this, NHS Digital states it believes that these “features cut the risk of health information not being available due to local hardware failure.” However, at this juncture, it should be noted that the cloud is not a one-size-fits-all solution, and so each NHS Trust and body should examine the expressed benefits based on their own business, operational and technical audits of the cloud.
A report by Digital Health magazine suggests that everything is still not rosy with the public cloud. Owen Hughes headlines that “Only 17% of NHS trusts expect financial return from public cloud adoption.” This figure emerged from a Freedom of Information request that was sent to over 200 NHS trusts and foundation trusts by Ireland-based IT management software provider, SolarWinds. The purpose of this FOI request, which received a response from 160 trusts, was to assess NHS organisation’s plans for public cloud adoption.
“The gloomy outlook appears to stem from a variety of concerns surrounding the security and management of the cloud: 61% of trusts surveyed cited security and compliance as the biggest barrier to adoption, followed by budget worries (55%) and legacy tech and vendor lock-in, which scored 53% respectively”, writes Hughes.
The research also found that the key challenges faced by the trusts in managing cloud services were caused by determining suitable workloads (49%), and 47% expressed a concern that they might have a lack of control of performance. The primary concern expressed by 45% of the respondents was about how to protect and secure the cloud.
Paul Parker, chief technologist of the public sector at SolarWinds, told Hughes that the findings were not surprising because NHS organisations that must handle sensitive data “have yet to be convinced that the public cloud is an integral tool that can provide considerable ROI.” There also appears to be a lack of cloud and on-premise infrastructure management tools to manage legacy technology and to monitor performance, which are vital components for achieving the cost-efficiency and data fluidity that the government is aiming for with the Cloud First policy.
However, at a cloud summit, which was held at the beginning of 2018, Shaun Fletcher, NHS Digital’s chief technical architect, advised NHS organisations to migrate to the cloud – calling it a “sensible, risk-managed approach” that emphasises security.
However, previous advice about the cloud in recent years has emphasised the need to keep sensitive data in a private cloud environment. The reassurances of NHS Digital have raised some criticism from industry experts, and several reports have underlined the potential security risks of adopting the public cloud. For example, 100 GB of US classified National Security Agency data was discovered to have been exposed on a misconfigured Amazon Web Services (AWS) S3 bucket in late 2017.
The NHS has suffered data breaches too. One breach caused the details of 150,000 patients to be shared over a three-year period. The cause was found to be a coding error in one of the most common General Practice (GP) IT systems. This led to the patients’ data being accidentally used by NHS Digital for clinical auditing research – even though these patients had submitted type 2 objections.
NHS Digital explains what they are on its website: “A ‘Type 2’ objection is a request expressed by a registered patient lodged with a GP Practice, which indicates that personal identifiable information that relates to the patient must not be disseminated or published by NHS Digital.”
Following the data breach, NHS Digital stated it would write to the affected GPs and to their patients to ensure that they were aware of the issue. It would also provide patients with the necessary reassurance by explaining that their objections are being upheld. Fortunately, such an error as this was quickly resolved, and there were no risks to patient care. Some data breaches can have more damaging consequences though – from a financial, reputational and healthcare perspective.
As of May 2018, patients can opt out of sharing their data with third-party organisations. Once a patient has opted out, all the health and social care organisations are obligated to comply with their decision until 2020. Even so, concerns remained that the NHS is still vulnerable to more malicious cyber-attacks. So, NHS leaders, like many other organisations, can’t sit back and believe that the national guidelines offer an absolute path to data security.
The global WannaCry ransomware attacks of May 2017, which also infected 47 NHS England trusts, shows the danger of being complacent: This necessitates more than just having the right cyber-security solutions in place. Staff must be trained to avoid clicking on a malicious link within an email or document. They can be the weakest link of any organisation, and hackers are keen to exploit this.
While the new NHS Digital guidelines express that data should be kept within European Union and European Economic Area borders, such global attacks show that data sovereignty is no guarantee for data security. NHS and social care organisations should, therefore, develop plans to stay a step ahead of the cyber-attackers, and a key part of this strategy should involve backing up data in real-time to at least three datacentres and disaster recovery sites.
Prevention is better than a cure. Yet, having the ability to quickly restore data after a successful cyber-attack is crucial and much cheaper than the consequences of not having a service continuity and disaster recovery plan in place. On the flipside – particularly as GDPR compliance is a must – any data breach could prove financially expensive, as there is increased emphasis on data controllers to provide a duty of care to personal data. More than this, a breach could attract the wrath of the Information Commissioner’s Office – leading to a significant fine based on global revenues.
The hurdle that most health organisations must overcome to protect themselves from such an occurrence is the increasing size and volumes of data being created by the NHS and in social care organisations. Hospitals and GP surgeries are not immune to digital transformation, and so they must to have the ability to share several types of data: This can emanate from blood test results to X-rays and MRI scans. The need for data encryption, the impeding effects of data latency and packet loss therefore make rapidly backing up and restoring data constantly challenging.
Data – whether it is stored in the public or private cloud – can be safe, but there will also be a need to create some airgaps to protect sensitive data. However, traditional techniques for mitigating the effects of latency and packet loss can’t encrypt data in transit – and they have very little impact on data throughput compared to WAN data acceleration solutions such as PORTrockIT.
With WAN data acceleration solutions, large amounts of encrypted data can be rapidly transmitted and received over a wide area network (WAN), while mitigating the effects of latency. They can also reduce packet loss. This means that, even if a trust wishes to use a public cloud for storing patient data, it can rest assured that it will have the ability to secure sensitive data by backing it up regularly. This is regardless of how big the data volume is, where nothing but the limits of the speed of light will slow it down.