UKCloud Health and Corsham Institute announce new findings on adoption of public cloud services in the NHS

Public confidence in the NHS is currently high, but with privacy awareness increasing significantly, there’s a risk that incidents could expose weaknesses in sovereignty, efficiency and data security

UKCloud Health, the easy to adopt, easy to use and easy to leave assured cloud services company, and the Corsham Institute, a charity dedicated to research and learning to help people adapt and thrive in a digital world, today announced the findings from the latest Corsham Institute research report: “The Adoption of Public Cloud Services in the NHS: trust, security and public opinion”. Based on exclusive polling from ComRes, the research tested levels of public understanding of patient data storage options within the NHS and the public’s confidence or otherwise in the security of that data. In addition to the public polling conducted by ComRes, the report also features expert testimony from interviews conducted by Corsham Institute with a range of health and care professionals and experts, including input from UKCloud Health.

The survey found:

• High levels of confidence in trust that the NHS is storing patient data securely: 70% of British adults say they are confident that the patient data the NHS holds on them is stored securely, while 25% say they are not confident.
• Low levels of understanding as to how patient data is currently stored in the NHS, with half of respondents thinking that patient data is stored on a national NHS computer server and only 28% thinking that it is stored on a cloud.
• People are twice as likely to be comfortable storing their information on clouds managed by British companies (49%) than on clouds managed by global companies (23%).
• A desire for more information on data storage in the NHS, with 88% of adults saying it’s important to know where and how their patient data is stored and 80% saying it is important to know whether patient data is hosted by companies whose headquarters are outside of the UK.

“Patients have a limited understanding of how the NHS stores or processes data. Indeed, the public and healthcare professionals rightly focus more on patient experience and outcomes,” commented Louisa Simons, COO of the Corsham Institute. “Cloud computing has the potential to enhance collaboration, increase efficiency and improve security across the NHS. However, progress in migrating workloads to the cloud varies dramatically between different trusts and other bodies within the NHS. Many organizations are still reliant on the kind of fragmented and dated infrastructure that was impacted by the Wannacry attack and are also reliant on out-dated and inefficient technologies such as fax machines – which are surprisingly still in widespread use across the NHS.”

Simons continued:

There is a risk that a significant incident, either another attack like Wannacry, or a significant data breach, as recently occurred in Singapore, could shatter confidence in the way that the NHS stores and processes data. Lack of confidence in the NHS to store patient data securely could limit patient’s willingness to share their data for research, which is essential to help improve outcomes. The introduction of GDPR and the publicity resulting from the Cambridge Analytica/Facebook scandal have already increased privacy awareness and shaken public trust in data security more widely. The research shows that there is little public appetite for NHS data to be kept outside of the UK or held on clouds managed by global companies, concerns that will likely be exposed and exacerbated in the aftermath of any further significant incidents."

Even before the Wannacry attack, a previous ComRes poll sponsored by UKCloud Health in early 2017 found that the British public were concerned about the protection of their personally identifiable data, and that 65 percent also stated that they were concerned about whether their health records, such as medical history or social care records, are adequately protected by companies and public services.

“Capturing the undoubted advantages of cloud does not mean that NHS data needs to ever move outside of the UK or be held on clouds managed by global companies,” added Nicky Stewart, Commercial Director at UKCloud Health and one of the expert witnesses interviewed for the report. “Government-grade, secure facilities with connectivity to NHS networks like N3 and HSCN exist within the Crown Campus. Use of such secure, UK-sovereign facilities would not only help minimize the risk of further incidents, but would also eliminate the risk of public backlash over moving data outside of the UK or holding it on clouds managed by global companies, in the event of any such incident.”

Crown Campus is a secure government-grade hosting environment specifically for public sector framework service providers. It enables collaboration between public sector organizations and the community of service providers that support them, including UKCloud Health, the main cloud provider within the Crown Campus.

UKCloud’s many government and NHS customers benefit not only from the enhanced efficiency and security provided by its secure, UK-sovereign cloud services, but also from being hosted in close proximity to many other key data sets within the Crown Campus. For example, Genomics England, the largest single health data set in the UK, is hosted by UKCloud Health along with a number of key hospital trusts. UKCloud Health also hosts a growing ecosystem of health-oriented service providers. Being in close proximity to each other, allows for secure, low-latency connectivity and increased scope for collaboration not only between Trusts, but also with key health solution providers like Docman, Egton and Mayden, all hosted on UKCloud Health’s multi-cloud infrastructure.

UKCloud Health also provides a range of multi-cloud options for optimal workload placement, providing a path for healthcare organizations wanting to the modernizing legacy IT that was vulnerable to the Wannacry attack. There is no one-size-fits-all cloud approach though, and Trusts need a secure, compliant, and cost-appropriate solution that meet the demands of their organization and provides a best fit for each workload. For Trusts with an array of legacy and cloud-native applications, a multi-cloud approach provides the most comprehensive and effective solution and with UKCloud Health it can be provided from totally UK-sovereign facilities that are directly connected to both N3 and HSCN.

The Corsham Institute report accompanying the research findings included expert testimony and opinion from a range of professionals and organizations, including UKCloud Health. It looked in detail at recent NHS data handling stories and the current policy and data governance landscape, including the impact of the Cambridge Analytica/Facebook scandal on public trust in data security more widely. The report’s authors drew out a number of important themes from the research and interviews, including:

• The importance of emphasizing the benefits from the adoption of public cloud in the NHS, including: lower costs (freeing up more money for frontline care); greater safety and security of the data; and the opportunity for better care and innovation.
• The need to address some significant challenges for the NHS, including: low levels of digital literacy and technical skills; barriers to maximizing the potential of cloud computing, including financial impacts if there are long-term contractual tie-ins to big cloud providers; and the risks from the gulf between the low levels of public understanding of the use of cloud computing, particularly when provided by major global tech companies, and the potential impact should a data security breach occur that is linked to a cloud provider.

Taking the polling and the research together, the report’s authors concluded that that there should be better engagement with the public to make them aware of the use and benefits of cloud computing in the NHS, and to build their understanding and trust in a way that pre-empts risk, rather than waiting to respond to a security breach or other data handling controversy. They also flagged the considerations and trade-offs to be made between choosing a UK-based or global public cloud provider, particularly in relation to data protection and procurement.