Experts urge caution over NHS promises to secure its data in the cloud


Keumars Afifi-Sabet

7 Jun, 2018

Migrating from legacy infrastructure to the cloud is a mammoth task for any organisation, yet it’s particularly daunting for the National Health Service (NHS) – one UK’s most critical public services and its largest employer.

NHS Digital, the organisation underpinning the health service’s digital transformation, issued guidance in January outlining how Trusts should approach migration – marking the first time an authority has greenlit the use of public cloud in the health service.

Previously, cloud providers would approach Trusts to offer their services only to get knocked back, with many claiming NHS Digital prohibited the use of public cloud services. NHS Digital would then have to clarify to vendors individually, when subsequently approached with complaints, that there was no explicit ban on the use of cloud.

Because of this, NHS Digital commissioned a working group on the safe use of cloud with the National Cyber Security Centre (NCSC) in 2016, with policy at the time dictating any data stored overseas couldn’t contain sensitive information. The working group was set up to investigate how the policy could be changed to make use of cloud benefits, with a framework eventually agreed with ministers the following year.

«What the guidance is providing is a mechanism for organisations to do their own risk assessment as to whether or not cloud services can be used for their service or requirements,» Michael Flintoff, NHS Digital associate director for platforms and infrastructure, tells Cloud Pro.

«The main thing for me is clarity,» he adds, as Trusts have indicated a desire for guidance around data risk modelling and accessing services, something which traditionally hasn’t been there.

Sam Smith, coordinator at campaign group medConfidential, agrees the guidance is needed in principle, explaining «what it does – and the reason for the guidance – is it means hospitals can no longer say [to vendors] ‘NHS Digital told us not to’,» also claiming NHS Digital grew weary of having to repeatedly clear up the misunderstanding on an individual basis.

But Smith does not believe the guidance will make a difference, and, despite the clarity it provides, sees this as NHS Digital having «dumped [responsibility] back on the hospitals», while criticising the organisation for failing to introduce a set of minimum standards for the products available.

NHS ‘can be, and will be attacked’

Cloud transformation has been central to the digital transformation strategy of many organisations, including swathes of the public sector, with the government issuing its own cloud-first guidance last year.

NHS Digital says the benefits extend beyond cost-saving to being able to develop, test and deploy services quicker, without large initial capital expenditure, as well as a better scope for data interoperability.

Flintoff said a cloud-first strategy has led to greater efficiencies in his own «heavily technical, development-orientated» organisation; undergoing transformation on a service-by-service basis and pay-as-you-go type services, such as SQL-as-a-service, to ensure best value.

But for an organisation as large and fragmented as the NHS, an IT project of this scale poses huge challenges, with the health service keen to forget a string of failed efforts in the past; the most notable example being the care.data scheme abandoned in 2016.

Security, meanwhile, is an equally pressing concern. NHS Digital assured Trusts they could safely locate health data, including patient records, in the public cloud, but a string of reports have underlined security risks. For instance, 100GB of secret NSA data was found exposed on a misconfigured Amazon Web Services’ (AWS) S3 bucket in late 2017, among a host of other high-profile leaks including those at FedEx and Accenture.

«The days of blithely assuming that an IT system can be made totally secure are gone,» says Dr Paul Miller, senior analyst at Forrester.

«It is far more realistic to assume that any IT system can be attacked and will be attacked, and the emphasis should, therefore, be on detecting those attacks, defending against the vast majority of those attacks, and mitigating the impact of any attack that does get past the initial set of defences.»

medConfidential’s Smith adds that while the chances of suffering a breach aren’t necessarily higher in the cloud, the consequences of any breaches are likely to be far more severe in nature if they occur on public cloud infrastructure as opposed to within the NHS firewall – particularly if Trusts simply opt for the cheapest option.

In light of these «additional challenges,», the NHS is deploying tools like privileged access management and two-factor authentication to bolster security.

«The fundamentals of what we’ve done with IT for the last 20 years haven’t changed,» says NHS Digital’s Flintoff. «They don’t change because we go to the cloud, we might just have to approach them differently because we do that».

Third-party access to patient data

For others, meanwhile, one of the biggest concerns centres on privacy, and whether third-party organisations, such as large tech companies, may have access to sensitive patient data once it’s put into the cloud.

«These people are here to make money, if not today, tomorrow, and you need to understand very clearly what their business model is if you are going to be part of that,» said Javier Ruiz Diaz, a director at Open Rights Group. «For the NHS it would be highly irresponsible not to be asking those questions right now».

He cites arrangements with DeepMind in which hospitals, most notably the Royal Free in London, were slammed for granting Google access to patient data without consent.

Provided additional concerns around ensuring trusts do not become locked-in to one provider, and retaining ownership of public data, are dealt with, he believes the benefits could be substantial.

But these benefits, which include «better ICT, more innovative, and faster development», can only be reaped on the condition it’s «done properly and it’s not done with short-sightedness» or as a money saving exercise.

«If you say you need to do cloud just because you’re saving money – that in itself is very, very short-sighted, because there are costs,» adds Ruiz. «You are bringing risks, so to just say you are going to save money is a false economy, because in the long term you are going to lose a lot more.»

‘It makes no sense to train a new army of experts’

McAfee’s research also found a quarter of organisations cited a lack of staff with skills to manage security for cloud applications as a key challenge, with only 24% reporting they suffered no skills shortage. Significantly, 40% of IT leaders reported a skills shortage was slowing their organisation’s cloud adoption.

The NHS is suffering a staffing shortage in clinical areas, let alone in the technical skills required to maintain an IT project of this scale. NHS Digital itself only has «18 to 20 deeply technically skilled people», according to a House of Commons report into the WannaCry attack that crippled the health system last year.

The report highlighted the struggle faced by NHS organisations trying to recruit and retain skilled cyber security staff in the midst of a national shortage, in a landscape where the private sector can pay far more than the health service to attract talent.

«Teams within the NHS already have skills and experience in the relevant areas, but there aren’t enough of them,» says Dr Miller. «It doesn’t make sense for the NHS to train or hire a new army of cloud experts for the migration: there are systems integrators, consultancies, and other partners ready and willing to provide those services to the NHS. But, equally, the NHS should not outsource the whole problem to a third party.»

He called for an increase in the size and funding for internal IT and digital capabilities, given the NHS needs people with the skills and expertise to understand the migration, as well as continue to ask the right questions with regards to what its partners may be proposing. Above all, this transition must be designed, shaped, and led by NHS employees.

«The work must also be done within the broader umbrella of a digital strategy for the NHS. This isn’t just about moving from one server to another, or upgrading one application to its cloud-based equivalent,» he adds.

«The real opportunity here is to think about what a digital NHS should look like, how a digital NHS can help NHS staff be more efficient, informed, and empowered, and how a digital NHS can improve interaction with and care for patients.»

Image: Shutterstock