John Godwin on securely storing Patient Identifiable Data in the cloud

Here John Godwin, Director of Compliance and Information Assurance at Skyscape Cloud Services, reflects on how security has changed over his two decades in IT and whether the cloud is a responsible way to host Patient Identifiable Data (PID).

Skyscape will host a seminar on digital health in Leeds on Wednesday the 9th of March.

What are the biggest changes you’ve seen in terms of IT and IT security over the past 20 years?

One of the most noticeable things is simply the rate at which technology has evolved — to the point where, today, most of us engage with cloud-based services at work, at home, or both. In terms of IT security, the range of threats and vulnerabilities has developed at an equally rapid rate.

What do you think are the biggest misconceptions associated with cloud and cloud security?

There will always be some customers who believe that a cloud platform will be more expensive to use than in-house or dedicated infrastructure. In reality, most cloud platforms cost less, because they’re generally built as a multi-tenancy infrastructure.

Other customers may worry that with cloud, they’re no longer in control of how their data is managed and controlled. The multi-tenant nature of many cloud platforms means that the controls and security measures which are put in place are significantly more robust than those which typically exist on dedicated infrastructure or at in-house facilities. This means that customers should have more confidence in the security of their data within cloud environments.

You’ve worked with both commercial and public sector IT buyers – what are the main differences between them? 

Commercial buyers tend to be most focused on cost, convenience and time to deliver. Of course, they will care about data security, but it doesn’t always live right at the top of their agenda.

Public sector buyers, on the other hand, are incredibly aware of the sensitivity and value of the data they’re responsible for. They have to be sure they ask IT providers the right questions about their data security and protection arrangements. This is where UK Government frameworks and publications provide useful guidance.

How has take-up of cloud varied across the UK public sector?

The earliest adopters tended to be Central Government departments. When the G-Cloud framework was created, they were immediately able to realise the benefits of cloud. For example, they took advantage of service flexibility, instead of being tied to long-term contracts; the utility-style nature of cloud allows them to turn environments on and off as they need them, which delivers cost savings. This early adoption was driven to a large extent by government policies such as Digital by Default and Cloud First, and, as a result, those departments have successfully delivered a range of effective citizen-facing services based on cloud platforms.

More recently, we’ve noted that local government and healthcare organisations have started to increase their adoption of cloud. They’re seeing the advantages compared with keeping their servers in the basement, and the processing power of cloud is enabling them to do things that simply weren’t possible before.

What’s your experience of healthcare buyers and their information assurance and compliance requirements? 

Some healthcare buyers observe that they haven’t had to think about those requirements too deeply before, so they look to their suppliers to help them identify and understand the risks. That’s why it’s so important that they work with credible cloud service providers who really understand the security and compliance requirements in healthcare, and can provide the right level of protection for their valuable sensitive data.

Can you give us an example of a healthcare provider successfully using cloud?

One of our customers is Genomics England, who use our secure cloud platform to host the 100,000 Genomes Project. It takes a hugely powerful resource to process all of their information to help researchers make breakthroughs in the diagnosis and treatment of rare diseases.

What advice would you give to cloud providers wishing to serve the healthcare sector in terms of meeting security and compliance demands?

Cloud service providers need to develop a credible, verifiable body of evidence that clearly demonstrates how they meet the CESG 14 Cloud Security Principles. This lets potential customers understand how the provider manages key activities, and assess if their data will be kept safely.

Do you think Patient Identifiable Data (PID) can be kept securely in the cloud?

Yes, absolutely. This goes back to my earlier comment about the robust security that’s routinely associated with multi-tenant cloud infrastructures. Of course, a healthcare buyer should still assess a cloud service provider’s abilities against the CESG Cloud Security Principles, ensuring that their capabilities exceed the risk appetite for the data they’re putting into the cloud.

What advice would you give to healthcare buyers about assessing potential cloud providers?

Seek out providers who are open and willing to share information. As well as evidence of a provider’s capability against the CESG Cloud Security Principles, buyers will want to look for things like independent certification against ISO 27001 and other related standards, properly scoped technical tests, the use of security-cleared staff and robust physical data centre security.

They will also need to identify where the cloud service is delivered and supported from, and how that might affect data privacy and protection. The selection of a UK-sovereign cloud provider will remove a lot of complexity from these issues.

What developments do you expect to see over the next year in terms of security or compliance?

A new standard, ISO 27018, has been published, placing more focus on the protection of personal data in cloud environments. On the horizon, we also have the European General Data Protection Regulation (GDPR), which will enforce a significantly more comprehensive approach to the management of personal data, and will bring with it much stiffer financial penalties for data breaches.

We shouldn’t underestimate the role of the citizens themselves, and their ever-increasing awareness of data security and protection issues. They do care if their data gets breached and ends up in criminals’ hands, and they are — quite rightly — asking more questions about where and how their data is being processed and stored.

John Godwin has worked in IT security and compliance for 20 years. He’s spent the past five at Skyscape Cloud Services, where he’s the Director of Compliance and Information Assurance. John’s responsibilities range from helping customers understand how to classify data for the secure use of cloud services, to assessing and auditing healthcare organisations that want to connect to Skyscape via the N3 network.

You can learn more about keeping PID securely in the cloud at an upcoming seminar, hosted by Skyscape Cloud Services.
