Report highlights public concerns over NHS cloud data storage

A new report has revealed that the benefits of cloud computing for the NHS are significant but public awareness of its use is low.

The latest Corsham Institute (Ci) report, The Adoption of Public Cloud Services in the NHS: trust, security and public opinion, tested levels of public understanding of data storage options within the NHS and confidence or otherwise in their security, and on interviews with a range of health and care professionals and experts.

The survey found:

• High levels of trust that the NHS is storing patient data securely: 70% of British adults say they are confident that their NHS data is stored securely, while 25% say they are not confident.
• Low levels of understanding as to how patient data is currently stored in the NHS, with nearly half of respondents thinking that is stored on a national NHS computer server and only 28% thinking that it is stored on a cloud.
• A difference in people’s views between the prospect of their patient data being held by clouds managed by British companies who store data only within the UK (49% of people were comfortable with this) as opposed to being held on clouds manage by global companies (69% of people were uncomfortable with this).
• A desire for more information on data storage in the NHS, with 88% of adults saying it was important to know where and how data is stored and 80% saying it is important to know if data is kept outside of the UK.

“Patients have a limited understanding of how the NHS stores or processes data. Indeed, the public and healthcare professionals rightly focus more on patient experience and outcomes,” commented Louisa Simons, COO of the Corsham Institute.

“Cloud computing has the potential to enhance collaboration, increase efficiency and improve security across the NHS. However, progress in migrating workloads to the cloud varies dramatically between different trusts and other bodies within the NHS. Many organisations are still reliant on the kind of fragmented and dated infrastructure that was impacted by the Wannacry attack and are also reliant on out-dated and inefficient technologies such as fax machines – which are surprisingly still in widespread use across the NHS.”

Simons continued: “There is a risk that a significant incident, either another attack like Wannacry, or a significant data breach, as recently occurred in Singapore, could shatter confidence in the way that the NHS stores and processes data.

“Lack of confidence in the NHS to store patient data securely could limit patient’s willingness to share their data for research, which is essential to help improve outcomes. The introduction of GDPR and the publicity resulting from the Cambridge Analytica/Facebook scandal have already increased privacy awareness and shaken public trust in data security more widely. The research shows that there is little public appetite for NHS data to be kept outside of the UK or held on clouds managed by global companies, concerns that will likely be exposed and exacerbated in the aftermath of any further significant incidents.”

The Corsham Institute report accompanying the research findings included expert testimony and opinion from a range of professionals and organisations. It looked in detail at recent NHS data handling stories and the current policy and data governance landscape, including the impact of the Cambridge Analytica/Facebook scandal on public trust in data security more widely. The report’s authors drew out a number of important themes from the research and interviews, including:

• The importance of emphasising the benefits from the adoption of public cloud in the NHS, including: lower costs (freeing up more money for frontline care); greater safety and security of the data; and the opportunity for better care and innovation.
• The need to address some significant challenges for the NHS, including: low levels of digital literacy and technical skills; barriers to maximising the potential of cloud computing, including financial impacts if there are long-term contractual tie-ins to big cloud providers; and the risks from the gulf between the low levels of public understanding of the use of cloud computing, particularly when provided by major global tech companies, and the potential impact should a data security breach occur that is linked to a cloud provider.

Taking the polling and the research together, the report’s authors concluded that there should be better engagement with the public to make them aware of the use and benefits of cloud computing in the NHS, and to build their understanding and trust in a way that pre-empts risk, rather than waiting to respond to a security breach or other data handling controversy.

They also flagged the considerations and trade-offs to be made between choosing a UK-based or global public cloud provider, particularly in relation to data protection and procurement.

The report can be read in full here.