The health service’s adoption of cloud technology should be “as part of a sensible, risk-managed approach” with security at its heart, NHS Digital’s chief technical architect has argued.
Shaun Fletcher was speaking at Digital Health’s Cloud Summit, held on 24 January – shortly after NHS Digital issued new guidance suggesting cloud could offer significant benefits to healthcare, including improved data security.
But, as Fletcher emphasised to delegates: “You’re still responsible for your own data. You still need to understand what controls you’ve got in place, and that may become a little bit harder as you go to the cloud.
“Make sure that as part of your security cartography, you understand what the risks are, what protection the providers are giving you, and what you’re doing on top of that.”
Delegates at the Summit, which was held in central London, also heard suggestions that managed services could provide a means of reducing pressure on IT departments as cloud is introduced.
Adam Donnelly, head of cloud services at software company Kainos, argued that cloud programming was an undertaking best left to seasoned professionals.
“Cloud engineering is hard,” he said.
“It involves infrastructure as code: an entirely new discipline. If you try to fire your existing IT team at it, you’re really not being fair to them.
“If they don’t know how to talk to the IT security teams in a language they understand, and don’t have the skills to programme that code, it puts a risk on what you’re trying to achieve.”
Joanna Smith, CIO of Royal Brompton & Harefield NHS Foundation Trust, reported that managed services had been useful in controlling costs.
She explained how the trust had experimented with an infrastructure-as-a-service model before asking cloud service provider ANS to review its consumption.
After doing so, ANS identified that Royal Brompton & Harefield was paying between a third and two-thirds more than it required, Smith said.
She explained: “[Cloud providers] are constantly changing their cost models and how they manage their environments. If your teams don’t understand how to manage this, you’re paying well over the odds. If you’re not monitoring the usage of the applications that are running, you’re paying for stuff you don’t need.”
Meanwhile Fletcher noted that opting for end-to-end cloud platforms from established vendors meant organisations could benefit from more feature-rich infrastructure.
“Some of the other things we’re interested in are the features that have been developed and introduced at great pace by some of the cloud platform providers, that we would not ordinarily have looked into.
“[For example] if you want to introduce the Internet of Things, remote sensors, big data and possibly some machine learning, you can tap into some of those features and capabilities as a service.”
Yet before going after more advanced features, Fletcher suggested organisations target “low-hanging fruit and quick wins” to help win over the hearts and minds of corporate decision-makers.
He also pointed out that the recent guidance from NHS Digital on cloud services was “not a blanket permission to throw data into the cloud”, and called on regional and national organisations to put forward good practice guidance on the topic.
“NHS Digital won’t be able to give all the answers…even within our own internal organisation, we’ve got to understand that balance of the right levels of controls being put in place, against allowing people to go in and innovate. I think that’s a really tricky balance to strike.”
31 January 2018 @ 15:38
Would it not be appropriate at this stage to suggest introducing BLOCKCHAIN in order to provide the essential DATA security across the entire NHS platform? as it is, GP’s work with basic email to patients verifying ID, DOB, etc for repeat prescriptions which is completely vulnerable towards interception of personal information and medical records. BLOCKCHAIN has proved to be a viable proposition in finance as it offers exceptional security in terms of access with extra layers of protection.