Our Director of Cloud Solutions gives a guarded prognosis to storing patient data overseas.
Health and social care organisations stand to benefit greatly from using cloud services, particularly from a cost and efficiency standpoint.
That was the message from deputy chief executive at NHS Digital Rob Shaw in January when guidance on offshore data hosting for Britain’s health service was announced.
Having the option to store patient data offshore with third parties in Europe or with specific organisations in the US will certainly allow for a reduction in costs – sensible given how stretched NHS funds are and how urgently public sector organisations need to find and procure new services.
But such a move means that care providers, whether mental health services or sexual health clinics, may unknowingly be storing and sharing personal data with any given third party.
While any selected offshore US company must be part of the EU’s Privacy Shield programme to be considered, potential problems lie in multinational providers that use “follow the sun” models to support their own infrastructure.
So while organisations may be under the impression that their data is appropriately hosted – either in the US and operating within the Privacy Shield or in the EU within the boundaries of GDPR – that same data may be being transited anywhere outside the approved jurisdictions during certain hours to allow for that 24/7/365 operation.
Of course, data sharing in itself is not all bad. In healthcare, it’s vital to aid research into curing the cancers and diseases that exist today, but patient confidentiality must come first; there has to be complete transparency in an environment where data is accessed, handled or administered, as was proven in the recent Facebook-Cambridge Analytica data harvesting scandal.
What’s needed is a risk vs reward approach. Data owners must rate the risk surrounding their data as well as understand the costs needed. They must do the legwork to ensure they know every single element of their data and what their provider of choice may or may not be doing with it. But equally, they need to consider whether offshoring could be only a short-term solution.
The initial savings that offshoring data allows are undeniable, but patient data, for example, may be better kept as close to home as possible to ensure it won’t be affected by any future change in legislation and any consequent additional costs once the UK makes its exit from the EU.
The NHS needs a strong and stable infrastructure and organisations will fare just as well from working with national providers, like Daisy, who, through public cloud platforms such as Microsoft Azure, are able to retain control over data and applications, store them locally and remain compliant within specific frameworks where they need to demonstrate exactly where data is.