Cybersecurity in Healthcare: Separating data location and IS

Focus on: Cybersecurity in Healthcare

Last week we highlighted how hyperscale cloud is increasingly seen as a positive for addressing cybersecurity in healthcare, where just a few years ago many healthcare organizations wondered whether the cloud could be as secure as their on-prem systems. Our contention is that security increasingly gets added to the “benefits” column, alongside issues like cost and agility, as organizations look to the cloud. New cloud policy guidance from the UK (jointly written by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement) echoes our comments about the cybersecurity benefits of hyperscale cloud in health, noting: “Cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure. This means cloud services can mitigate many common risks NHS and social care organizations often face.”

But the guidance, entitled “NHS and social care data: offshoring and the use of public cloud services”, confronts another issue, related to the location of cloud data centers (and thus where patient data can be stored), that has historically been a barrier for healthcare customers in Europe who wish to use hyperscale cloud. A 2017 report on barriers to cross-border data flows aptly sums up the belief as follows: “Many policymakers reflexively and mistakenly believe that data is more private and secure when it is stored within a country’s borders.” Is location necessarily a reliable proxy for the privacy and security of data, particularly in the EU, where there is a Union-wide Directive (soon to be Regulation) for data transfer within the European Economic Area (EEA)? More specifically, in the context of cybersecurity in healthcare, is the location of storage of patient data a dispositive factor?

In the UK, our healthcare partners and customers had long labored under the influence of a somewhat obscure NHS policy that held “NHS has a prohibition on storing patient identifiable data outside of England where there is any link to national systems or applications.” Many customers were confused due to contrary guidance from the UK Information Commissioner’s Office that “There are no restrictions on the transfer of personal data to EEA countries.” Although the former policy applied only to a small subset of patient health information (only information that came via links to national systems, and thus not “locally” created patient information generated at the local NHS Trust level), this requirement challenged healthcare organizations that sought to leverage the cloud in the UK. This data location restriction interfered with the cost, security, resiliency and reliability calculations that some organizations had made in the course of considering EU region hyperscale cloud services.

The new joint guidance issued in the UK is welcome on a number of fronts, including that it provides a clear endorsement of the cloud (“NHS and Social care providers may use cloud computing services for NHS data”) and a reference to the UK Government’s “Cloud First” policy (which dates back to 2013). More importantly, it puts to rest the former confusion around data location and makes it clear that “NHS and social care organizations are permitted to host data within the UK, EEA (countries deemed by the European Commission to have adequate protections for the rights of data subjects), or in the US where covered by Privacy Shield.”