Is it OK to backup NHS patient data in the cloud?

If you’ve ever wondered what the official line is, from the UK’s NHS (National Health Service), on whether the NHS and its business partners can back up patient identifiable data with third-party cloud computing providers over the Internet, then this Save9 article might be of use to you.

NHS Cloud Backups

In summary, it is permissible to back up PID (Patient Identifiable Data) in the cloud, but there are stringent technical, information security management and information governance requirements that must be met; most of them are briefly outlined below.

Background
One of Save9’s major customers is an NHS Business Partner, and we were recently tasked by their Information Governance team to find out whether cloud backups of PID (Patient Identifiable Data) are permitted by the NHS from a technical, information security and information governance compliance perspective.

If this article is not detailed enough for a specific project you have in mind or you would like some assistance in specifying and deploying a cloud backup solution that meets (or exceeds) your data security and information governance compliance needs then please contact Steve Bromham at Save9 via our contact form or phone number below.

Department of Health – view on using Cloud services
The statement below was made by a representative of the Department of Health in reply to a similar query that Save9 made to the NHS – relating to the use of cloud computing: “At this point there is no DH [Department of Health] prohibition on local Trusts processing their data via Cloud services or offshore. However, there is an expectation that information assets are understood, comprehensive/rigorous risk assessment and management is documented and undertaken by the local organisation, that NHS IG [Information Governance] policies and standards are applied, that legal obligations are satisfied, and that the data involved does not originate from DHID [Department of Health Informatics Directorate] /CFH [Connecting for Health] /HSCIC [Health and Social Care Information Centre] provisioned services – as would contravene our CFH policy. It is the responsibility of the local SIRO [Senior Information Risk Owner] to accept any risks in consultation with their Board, Caldicott Guardian, assigned information asset owners and supporting IG teams.”

Note: A ‘Caldicott Guardian’ (named after Dame Fiona Caldicott, the UK’s National Data Guardian) is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Every NHS organisation is required to appoint one.

Note: NHS Connecting for Health ceased to exist at the end of March 2013 and HSCIC was renamed NHS Digital in July 2016.

Department of Health – Information Security and Risk Policy – view on Cloud Computing
Here is a copy of a response received from the Infrastructure Security Team and the Department of Health – Information Security and Risk Policy Lead: “Locally, Senior Information Risk Owners and Information Asset Owners are responsible for ensuring security assessment, approvals including risk acceptance, and that there is an expectation generally for compliance with NHS IG [Information Governance] policies and good practice. This essentially means perform a local risk assessment, stay within the law and the IG Assurance Framework, don’t commit to anything that is not fully understood, and/or that you do not have appropriate confidence in.”

Storing PID (Patient Identifiable Data) outside of England is not permitted
A recent response from the Infrastructure Security Team made reference to the Department of Health – Information Security and Risk Policy Lead; commenting on the offshoring of data; “…a specific area to be mindful of in relation to ‘cloud computing’ is the potential for ‘offshoring’ of sensitive data to occur. This could happen for example, if utilising a ‘public cloud’ provider which has data centre facilities all over the world. There is the possibility that sensitive information could end up outside of England due to the way that some public providers manage data ‘in the cloud’.”

For further information on ‘offshoring’, the Operational Security Team (OST) of NHS Digital helped Save9 clarify current NHS data storage and transmission restrictions in place – by signposting us to a specific NHS Offshore Support Requirement document.

It is quite specific:
Patient Identifiable Data should not be recorded outside of the England boundary in any format for any reason without the prior explicit written permission of the NHS.
N3 and Cloud Backups

The N3 is the NHS private WAN (Wide Area Network) used by NHS hospitals, organisations and their partners with connections strictly limited to authorised endpoints. All organisations wishing to make a new connection to N3 are responsible for ensuring that their connection to the WAN does not compromise the security measures already in place.

There are quite a few N3-approved data centres across the UK but there is no specific NHS requirement that backups must only be performed over an N3 WAN connection to an N3 data centre or other N3 connected site.

NHS Digital freely acknowledges that information is transmitted unencrypted over the N3 network (unless the VPN N3-12-4 Catalogue service is used, which encrypts traffic across the Internet and the N3 network to a specific site); N3 is a private network, not an encrypted one, so the confidentiality of sensitive information within N3 is not assured. N3 also faces numerous threats to its security as a result of incompletely protected partner networks and connections to uncontrolled external networks such as the Internet.

Use of Cryptographic Algorithms to encrypt NHS Cloud Backups over an Internet VPN (Virtual Private Network)
According to the Infrastructure Security Team at NHS Digital, any Cloud Backup service should encrypt data traffic over a VPN using the IPsec protocol and, in doing so, may only use certain encryption algorithms: specifically those with an ‘Approved’ status in the Good Practice Guidelines (GPG).
Therefore do not use Message Digest 5 (MD5) or Secure Hash Algorithm version 1 (SHA-1) for digital signature generation/verification, owing to their known collision weaknesses. (Collision attacks undermine signatures and certificates; the HMAC constructions used for IPsec integrity are not broken by them in the same way, but the guidance still prefers stronger algorithms, so treat MD5 and SHA-1 as deprecated throughout the VPN configuration.) Notably, the UK Communications Electronics Security Group (UK CESG) and the US National Institute of Standards and Technology (US NIST) also do not recommend the use of MD5.
NHS Informatics made it very clear that they do not endorse or recommend any specific encryption products for use within the NHS. A variety of encryption products is available on the open market, and it is for NHS organisations to determine for themselves which products best suit their needs in their particular circumstances.

3DES (with a 168-bit key only), AES-128 and Blowfish (with a 256-bit key minimum) are all acceptable standards on existing systems currently in use within the NHS. For all new system deployments it is recommended that AES-256 or Twofish (with a 256-bit key minimum) is used.

In terms of deploying a network-layer VPN protocol, IPsec is approved by the NHS. IPsec uses cryptographic algorithms to maintain confidentiality and integrity; however, the NHS stipulates which algorithms are approved for use within IPsec VPNs (typically a proposal setting you apply in the VPN configuration), such as AES-XCBC-MAC-96 for Authentication Header (AH) and ESP integrity, plus AES-CBC for Encapsulating Security Payload (ESP) confidentiality. A few other IPsec algorithms are permitted but are not the preferred ones, as detailed in the Good Practice Guidelines.
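As an added illustration (not taken from the article or from NHS Digital’s GPG), the two strongSwan ipsec.conf connection definitions below place a proposal set that contravenes the guidance beside one aligned with it. The hostnames, subnets, certificate file name, the SHA-256 choice for IKE and the modp2048 Diffie-Hellman group are assumptions made for this example; the page names the ESP algorithms but no DH group, IKE integrity algorithm or addresses.

```ini
# /etc/ipsec.conf (strongSwan) -- added example, not the article's or NHS
# Digital's configuration. Hostnames, subnets and certificate names are
# constructed for illustration.

config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    authby=pubkey
    left=%defaultroute
    leftcert=backup-client.pem           # assumed certificate file name
    leftid=@backup-client.trust.example  # constructed identities
    leftsubnet=192.0.2.0/24              # on-site backup server network (RFC 5737 range)
    right=backup-gw.provider.example     # assumed cloud backup gateway
    rightid=@backup-gw.provider.example
    rightsubnet=198.51.100.0/24          # provider-side landing network (RFC 5737 range)
    dpdaction=restart

# Weak: 3DES, MD5/SHA-1 integrity and a 1024-bit DH group. MD5 and SHA-1, and
# 3DES for a new deployment, are exactly what the guidance above says not to
# use. Kept only for contrast; auto=ignore means it is never brought up.
conn nhs-backup-weak
    ike=3des-md5-modp1024,3des-sha1-modp1024
    esp=3des-sha1
    auto=ignore

# Aligned with the guidance: AES-256 in CBC mode (RFC 3602) for ESP
# confidentiality and AES-XCBC-MAC-96 (RFC 3566) for ESP integrity, which
# strongSwan names "aes256" and "aesxcbc". SHA-256 integrity/PRF for IKE and
# the modp2048 group for key exchange and PFS are this example's choices, not
# algorithms the page lists. The trailing "!" makes the proposal strict, so a
# peer cannot negotiate down to anything not listed.
conn nhs-backup
    ike=aes256-sha256-modp2048!
    esp=aes256-aesxcbc-modp2048!
    auto=start
```

After `ipsec up nhs-backup`, `ipsec statusall` prints the IKE and ESP algorithms actually negotiated for the established security associations; check that output rather than trusting the configuration file, since a peer without aesxcbc support will simply fail to negotiate under the strict proposal. Encrypting the tunnel addresses transmission only: it does not change where the backup is stored, so the England-boundary restriction on PID described above still has to be satisfied by the location of the provider’s data centre.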

NHS IG (Information Governance) Toolkit – applying it to Cloud Computing backup services
The IG Toolkit is an online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards.
Requirement No. 11-308 applies to almost every type of NHS organisation or partner: “All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers”. Any online backup service that transmits and stores person identifiable and sensitive information will therefore need to comply.
Similarly, IG Toolkit requirement No. 11-313 requires that ‘Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely’; the previous section, which introduced the Health and Social Care Information Centre’s Good Practice Guidelines (GPG), will certainly help here (see: http://systems.digital.nhs.uk/infogov/security/infrasec/gpg).
When it comes to restoring data from a Cloud backup, IG Toolkit requirement No. 11-206 is likely to apply (“There are appropriate confidentiality audit procedures to monitor access to confidential personal information”), specifically where personal information is contained within any backup file stored at a Cloud Computing provider’s data centre (this of course applies to on-site backup restores too).

Information Commissioner’s Office
When considering ‘cloud services’ (especially where personal or sensitive personal data is to be stored), NHS Digital advises NHS organisations and their partners to review the Information Commissioner’s Office (ICO) guidance on the use of cloud computing. Although not NHS specific, it sets out the considerations to take into account when deciding whether to store or process personal or sensitive personal data ‘in the cloud’, together with the legal obligations that apply.

See: http://www.ico.org.uk/for_organisations/data_protection/topic_guides/online/cloud_computing

Conclusion
The cost-benefit of Cloud Computing backup services vs. traditional on-site backups (specifically for NHS organisations and partners) is compelling. The peace of mind of knowing your data is safely stored off-site, should disaster strike, is an attractive proposition. After all, local backups (i.e. on the same geographical site) can easily be damaged alongside your original data and files by fire, flooding, theft, accidental deletion, malware or Internet attacks, meaning all your data could potentially be lost forever.

Ultimately, NHS organisations and partners have a duty to record, store and transmit patients’ medical record data and sensitive information in confidence, so any deployed cloud computing backup service should come under technical scrutiny (from security, scalability and reliability perspectives) whilst adhering to established information governance principles.

Compliance with NHS guidelines, the Information Governance Toolkit, internal audit processes and information security standards (e.g. ISO/IEC 27001 and 27002) puts extra pressure on already busy IT personnel, making the process of moving backups to the cloud seem onerous and perhaps less of a priority.

However, success can be achieved by following the NHS guidelines and principles described in this article. Ensuring your backups are automatically transmitted off-site for added data security (via a Cloud provider or even a private link) in our view reflects a duty of care to patients and their data. In our opinion, preserving an on-site-only backup regime without exploring the risk-reduction benefits that NHS-compliant cloud backups can bring is a blinkered view, because new cloud computing technologies and services designed to lower operating costs, reduce risk and improve service delivery are always emerging.