A new survey suggests many NHS trusts are failing to invest enough in protecting their computer systems and data. The NHS must ensure data protection and backup provisions are fit for purpose, otherwise, patients’ lives may be at risk. 

Plymouth’s Derriford Hospital was hit by a ransomware attack earlier this year that shut its systems down, it was revealed recently. Rather than pay the hackers off, the hospital restored its systems from a back-up.

Unfortunately, judging by a recent story on Sky News, many other UK hospitals simply wouldn’t be able to rely on back-ups, because their parent NHS Trusts have spent nothing on cyber-security.

Sky collected information from 97 NHS trusts about their spend on computer security and whether they had been the target of any cyber attacks recently. Seven NHS trusts, covering 2 million patients, admitted that they spent nothing on cyber-security in 2015. Another 45 NHS trusts were unable to specify their cybersecurity budget at all, Sky says.

Sky’s investigation also revealed that trusts are suffering an increasing amount of personal data breaches, from 3,133 in 2014 to 4,177 last year, and that cyber incidents are accounting for more breaches, from eight in 2014 to 60 in 2015.

In the face of an increase in malicious attacks by hackers and criminals, the NHS has been slowly moving towards using the Cloud to protect its data. However, given the nature of patient data, there are massive challenges for any NHS trust and Cloud services provider to address.

Indeed, when the NHS started exploring using the Cloud a few years back, it had to take legal advice about whether it would be able to do so. The answer was yes, but only if the data was actually being stored somewhere in England.

The question of whether the NHS should be using Public or Private Cloud services has also been raised. There is no legal reason why the NHS cannot use the Public Cloud, but trusts may prefer the apparent extra security of having their own Private Cloud.

Whether public or private, though, NHS trusts need a suitable and reliable cloud service provider. The highest priority here is to ensure that the provider’s data centre resources are based in England, because Patient Identifiable Data (PID) must not leave the country. Furthermore, the provider’s internal data backup must also only be to English data centres – in other words, if the data centre itself suffered some kind of catastrophic failure, where are its back-ups stored? If sensitive data is mirrored outside England, then it would be illegal for the NHS to use them.

Service level agreements concerning how, where and when data is stored and under what conditions it is transferred back should also be key considerations when selecting a cloud data protection services provider. The end user should also take into account the provider’s level of encryption to prevent any accidental or targeted misuse of data. There are legal requirements for the level of encryption that must be used for NHS data, particularly PID.

Building a private cloud solution for NHS trusts is admittedly somewhat more complex than using the Public Cloud, but it would give NHS bodies increased control over critical patient data and digital information.

While the NHS trust will have more resources to manage, a private cloud solution has a comprehensive range of options with regard to the provisioning of services, access rights, selection of applications and device support. That, in turn, gives employees greater flexibility, the tools they need for their job, and the ability to deliver the same user experience as they would get with a public cloud. The safety of data and devices would have to be guaranteed according to internal standards specified by the NHS, of course.

For an increasingly cash-strapped NHS, the potential cost savings and efficiency benefits offered by using the Cloud to back up vital data are obvious. However, as you would expect, the overriding concern must be the integrity and safety of patient data.

Originally posted on Compare the cloud January 11th 2017