Showing results for 
Search instead for 
Did you mean: 
Create Post

Healthcare: How Safe Is the Public Cloud for UK NHS Organizations? Part I

Level 11

By Paul Parker, SolarWinds Federal & National Government Chief Technologist

Here’s an interesting article from SolarWinds associate, David Trossell, where he dives into cloud security concerns at National Health Service (NHS).

Moving to the cloud is not a be-all-end-all security solution for NHS organisations.

Several press reports claim that NHS Digital now recognizes public cloud services as a safe way of storing health and social care patient data. In January 2018, the UK’s National Health Service Digital press statement cited Rob Shaw, Deputy Chief Executive at NHS Digital.

It’s hoped that the standards created by the new national guidance document will enable NHS organizations to benefit from the flexibility and cost savings associated with the use of cloud facilities. However, Shaw says: "It is for individual organisations to decide if they wish to use cloud and data offshoring and there are a huge range of benefits in doing so. These include greater data security protection and reduced running costs, when implemented effectively.” 

With compliance to the EU’s General Data Protection Regulations (GDPR) in mind, which came into force in May 2018, the guidance offers greater clarity on how use to cloud technologies. With a specific focus on how confidential patient data can be safely managed, NHS Digital explains that the national guidance document “highlights the benefits for organisations choosing to use cloud facilities.”

These benefits can include “cost savings associated with not having to buy and maintain hardware and software, and comprehensive backup and fast recovery of systems.” Based on this, NHS Digital states it believes that these “features cut the risk of health information not being available due to local hardware failure.” However, at this juncture, it should be noted that the cloud is not a one-size-fits-all solution, and so each NHS Trust and body should examine the expressed benefits based on their own business, operational, and technical audits of the cloud.

ROI concerns

A report by Digital Health magazine suggests that everything is still not rosy with the public cloud. Owen Hughes headlines that, “Only 17% of NHS trusts expect financial return from public cloud adoption.” This figure emerged from a Freedom of Information request that was sent to over 200 NHS trusts and foundation trusts by the Ireland office of SolarWinds, an IT management software provider. The purpose of this FOI request, which received a response from 160 trusts, was to assess NHS organisation’s plans for public cloud adoption.

“The gloomy outlook appears to stem from a variety of concerns surrounding the security and management of the cloud: 61% of trusts surveyed cited security and compliance as the biggest barrier to adoption, followed by budget worries (55%) and legacy tech and vendor lock-in, which scored 53% respectively,” writes Hughes.

Key challenges

The research also found that the key challenges faced by the trusts in managing cloud services were caused by determining suitable workloads (49%), and 47% expressed a concern that they might have a lack of control of performance. The primary concern expressed by 45% of the respondents was about how to protect and secure the cloud.

To be continued…

Find the full article on ITProPortal.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates.  All other trademarks are the property of their respective owners.

Level 14

Thanks for the article!

Level 13

Good Article - thanks

I like that organizations and leaders and "thinkersof deep thoughts" are considering this topic.

I'm disappointed they're only taking a narrow view that includes availability and profit.  Yes, those are very important.  But there are a few problems not sitting in the bright light of day, which ought to be spotlighted for consideration:

  • Security.
    • The cloud is a vague place to keep your data, and if you don't own physical control of the physical space, you don't know who is physically accessing it.  And we know physical access trumps most everything if you want to take something from someone else.
    • Similarly, prove cloud providers do NOT have logical security vulnerabilities that allow unauthorized people access to your private data.  Yes, "prove a negative."  I have to do it daily when managing and monitoring a network.  "No, it's not the network.  And here's how I know: . . . ."
  • Prevention.
    • Spending incredible amounts of money and time to provide highly available data that is secure is  . . .  expensive and time consuming.  What parallel and equally-funded actions are being taken for "prevention"?  We know "An ounce of prevention is worth a pound of cure."  So why don't businesses, governments, organizations and entities take some time and work towards preventing hacking?
    • For every dollar spent on MFA and encryption and VPN access and security certificates and high availability and diverse multiple backups, a matching dollar should be spent towards reaching a future that doesn't need those things.  A future where every nation, every business, every group, and every individual understands and willingly follows ethical and moral behavior.  In essence:  Prevent the conditions that cause hacking and theft and malware writing, etc.

The return on investment will be ridiculously enormous.


  • Not needing to protect data from unauthorized access.
  • Not having to worry about identity theft.
  • Not having to to protect against cyber attacks, no matter from hostile nations or script kiddies or anything in between.
  • No one writing viruses, Trojans, Wyrms, etc.
  • No more unavailable resources due to malicious intentions

Will it be easy?  Will it be expensive?  Will it even be possible or practical?  Is there any hope?

Imagine all of your data ending up in someone else's control.  For fun, let's say Google's Cloud resources are redirected to China.  For an indefinite time.  Or, don't imagine it, read now it happened yesterday:  Internet Vulnerability Takes Down Google

Now imagine nations and groups and individuals have been working together towards a common good instead of to achieve power or money.

Getting to such a world will be a VERY long journey.  But you know what they say:

"A long journey begins with a single step."


Good article

Level 10

Unfortunately in the NHS the decision makers will largely be people who don't need to burden themselves with the security aspect. It's somebody else's job to do that. And neither of them is the IT team. A lot of the problem here is changing the culture and way of thinking to get into cloud, even when companies go out of the way to make it easy - e.g. Microsoft who saw that the regulation compliance would prohibit any cloud storage of PII & records, and promptly solved it by putting an entire Azure datacentre in England to make it remotely viable, pun not intentional.

On top of that, (not sure if you know about this so apologies if you do) the way that the NHS handles inventory is that if it's expensive enough (>£5,000) it's a Capital expenditure, and thus easier to push through because of how the system is set up. I've seen quotes come back and people add on bits or ask to have it tip over £5k because of this. So buying a rack of servers is no big deal, but justifying the ongoing expense might be a lot harder.

The other problem is getting the programs to run in the cloud usefully. Chances are they'll just make VMs and remove the physical servers but everything else will stay the same - which isn't quite the point. And you know there's a lot of legacy apps in there...

Level 20

Yep and the govcloud 2.0 here in the USA is probably in a similar situation is my guess...  They're finding out not having control over the infrastructure has some real downside and that the "cloud" isn't performing the way it was promised.

I think you're correct on all points.

And yes, I have seen that same type of Capital-versus-Expense accounting going on.  It's fluctuated wildly where I've worked in the past.  At one time $2000 was the delineation, then later it dropped to $1000, and eventually down to $200.

In following years it went up to $10,000.  It seems to depend on who the head bean counter is, and what accounting practices they learned or prefer.

I can see benefit in consistency in this across all accounts in any industry, but . . . we'll let George Orwell's nightmares take care of that on their own.

Sometimes I think businesses, governments, organizations, and individuals may not realize how moving things to the cloud may simplify unauthorized and unknown access to their data by criminals.

Moving so much to the cloud, (well, moving ANYTHING to the cloud) makes the cloud that much more of a prize to compromise.

And when it's out of your control, when you have no physical or logical security that you can reach out and touch and point to and say "I control access HERE.  None shall pass without my permission AND my knowledge!", then you really don't have anything besides words on a paper from a cloud provider.

When I hold a dollar or a diary in my hand, I control its use and access.  When I put it in the cloud . . .   well, I didn't need that dollar, or I don't care if someone reads that diary anyway.

Level 13

The NHS also need to be wary of UK data protection laws and the European GDPR. Geolocation will need to be specified to keep the data within the UK and the data will easily identify an individual.

Level 14

We had Microsoft come in here and pitch for us to move servers and data to Azure.  I pointed out that some of the data had to stay in the UK and MUST not be stored outside.  They said that wouldn't be a problem as they could guarantee the data would stay in their Dublin data centre.  I quite naturally exploded.  Dublin is NOT in the UK.

The problem with the cloud is that you are just storing stuff on somebody else's tin.  You have no control over the underlying architecture.  We have a test / dev environment in the IBM Softlayer cloud in Amsterdam.  This week IBM made a config change on their network and our test / dev environment was unavailable for almost the whole day.  They couldn't fix the problem so we had to talk them through it after discovering what they had done.  That couldn't have happened internally because we have a change process.  IBM didn't include us in their change. 


As others have mentioned it seems that so many business decisions are made on trend and finances. There are so many other elements that must be considered for a wise decision. On the other hand, like so many things Tech, as businesses adopt new technologies the price comes down for the consumer. But again, the consumer often looks for things that are "cool" and jump on it when the price is "right." An example of that is the whole IoT arena. (insert long discussion here)

About the Author
Paul Parker, a 25-year information technology industry veteran, and expert in Government. He leads SolarWinds’ efforts to help public sector customers manage the security and performance of their systems by using technology. Parker most recently served as vice president of engineering at Infoblox‘s federal division. Before that, he served in C-level or senior management positions at Ward Solutions, Eagle Alliance and Dynamics Research Corp.