While our cybersecurity columnist Davey Winder has no problem with his data being held in the cloud, he is worried about this recent push to off-shored cloud services and the possibility of NHS patient data being stored outside the UK.

The debate surrounding security and the cloud has, for the most part, long since been settled: it’s not insecure by design. Of course, that doesn’t mean there aren’t security issues as far as cloud-based storage is concerned – just that they tend to be like the threats that are prevalent across the enterprise storage space.

But that didn’t stop 61% of NHS trusts responding to a freedom of information request earlier in the year citing security and compliance as being the biggest barriers to cloud adoption.

Practically speaking, the security concerns surrounding the cloud tend to be issues such as vulnerabilities in web applications. According to Alert Logic there has been a 300% increase in such attacks since 2014 and 75% of all ‘events’ logged by the cloud security specialists during the last 18 months involve them in one way or another.

Data sovereignty and geo-fencing

Then there is the misconfiguration problem, with poor implementation of available access controls – or poorly communicated configuration options – leaving applications and data exposed.

The potential impact of the highly publicised Spectre and Meltdown vulnerabilities that particularly affect cloud service CPUs is still being flagged by many security consultants, though we are yet to see any evidence of that threat actually being exploited in the real world.

Perhaps the biggest question mark, and certainly the most pressing what with the general data protection regulation (GDPR) becoming a legal reality before the end of May, hangs over the issue of compliance –compliance and data privacy to be precise.

Data sovereignty and geo-fencing may not be trendy buzzwords, but they should be front and centre in the minds of every NHS trust looking to use public cloud services to store patient data.

This despite NHS Digital declaring such services, including those based in the US, as being a safe place for confidential patient data to be stored. Of course, the NHS Digital guidance does come with a caveat or 20, but that this offshoring of patient data has been given the thumbs up has left my thumb (and index finger) permanently attached to my chin.

Contemplating the privacy practicalities of off-shored cloud data storage opens a very complex can of worms indeed. So complex that the NHS Digital guidance says any decision to make use of such resources must be the responsibility of the local data controller within a healthcare organisation and the senior information risk owner (SIRO) responsible for data and cybersecurity. (Assuming trusts are following the recommendations of the national data guardian and have one, of course).

It is also recommended Caldicott Guardians are involved as this clearly is a risk-based decision process.

Understanding risks and implications  

 As Shaun Fletcher, the chief technical architect at NHS Digital, says  “You’re still responsible for your own data. You still need to understand what controls you’ve got in place, and that may become a little bit harder as you go to the cloud. Make sure that as part of your security cartography, you understand what the risks are, what protection the providers are giving you, and what you’re doing on top of that.”

Disregard those words at your peril.

Understanding where your data sits, and the implications of that, is equally important yet something often overlooked in the rush to cloud adoption.

Data sovereignty is a relatively easy thing to deal with if you are offshoring within the European Economic Area (EEA) or to Canada, New Zealand or Switzerland, all of which have an ‘adequacy decision’ in place with the European Commission; they are all deemed compliant with EU data protection regulations.

Offshoring to the US is way more complicated though, even if the cloud provider has signed up to the EU and US agreement known as Privacy Shield which replaced the highly controversial Safe Harbor principle that was eventually declared invalid by the European Court of Justice.

That President Trump signed an Executive Order in January that specifically excludes non-US citizens from US agency privacy policies regarding personally identifiable information doesn’t exactly add clarity or confidence to the situation.

Problem with off-shore cloud services

Many would argue that the lack of prudent legislation concerning privacy protection within the US, especially with regards to intelligence agency and law enforcement access, leave data stored there open to legal challenge, Privacy Shield or not.

Surely anything that has the potential to impact upon confidentiality of patient data, including access to data for surveillance purposes, must be questioned?

Let’s not forget that the Privacy Shield agreement allows for companies to self-certify, and the EU’s data protection agencies have as recently as December expressed significant concern about the system as it stands.

As a patient I have no problems with my data being held in the cloud, but this push to off-shored cloud services worries me.

Geo-fencing your data is a good start, and advisable for any organisation considering putting confidential data into the cloud.

I feel that NHS data should be kept within the UK whatever the NHS Digital guidance says. After all, knowing where your data is physically stored is one thing, but knowing who has access to it (off-shored tech support staff for example) and what jurisdictions apply (a non-UK parent company can add jurisdictional complexity) another entirely.

The Ministry of Defence isn’t allowing cloud data to be stored outside the UK, so why is it ok for NHS patient data?