NHS Digital has issued new national guidance for health and care organisations considering cloud services for storing patient information.

The document outlines a framework for assessing and managing risk around the use of public cloud technologies in the health and social care sectors in England, including legalities around how data should be stored and used and considerations to be made by organisations when choosing a supplier.

The guidance also contains best practice principles for handling customer data and highlights considerations to be made by trusts prior to the introduction of the General Data Protection Regulation (GDPR) on 25 May.

The cloud has been widely embraced in other UK industries under the government’s 2013 ‘cloud first’ policy for public sector IT.

While some parts of the NHS already make use of the cloud – such as NHS Choices and NHS England’s Code4Health initiative – the publication of the national guidelines marks the first time the technology has been approved for widespread adoption within Britain’s health service.

NHS Digital said the guidelines would “enable NHS organisations to benefit from the flexibility and cost savings associated with the use of cloud facilities.”

Central to the policy is that cloud suppliers used by NHS organisations must host their data in the UK, or European countries that provide an adequate level of protection as agreed by the European Commission.

Cloud suppliers covered by the Privacy Shield in the United States are also deemed safe for use.

All vendors are required to use cryptography to protect communications and undertake annual security assessments against recognised standards, such as the International Organisation for Standardisation (ISO) or the UK Government’s Cyber Essentials. Suppliers must undertake regular monitoring procedures and keep customers up-to-date with any changes to the service that could impact the security of the IT system and data.

Further, Local Senior Information Risk Owners (SIROs), in conjunction with Data Protection Officers and Caldicott Guardians, must be satisfied with the security arrangements the cloud service provider being considered, using National cyber security essentials as a guide.

Rob Shaw, Deputy Chief Executive at NHS Digital, said: “It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively.

“The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.”

NHS Digital’s guidelines have been published in partnership with the Department of Health, NHS England and NHS Improvement.

They come at a time when NHS trusts are increasingly look to cloud as their next big IT project, allured by the technology’s promise of enabling rapid scaling-up without the associated hardware costs.

In a recent report from Digital Health Intelligence, a third of NHS surveyed said they were already delivering part of their infrastructure through the cloud, while 39% of the organisations said they planned to introduce some element of cloud-based infrastructure within the next two years.

In addition to lowering hardware costs and improving the ability to recover data in the event of a local system failure, it is argued that cloud technology could take strain off of overstretched GPs by giving them more freedom to work remotely.

Digital Health’s Cloud Summit takes place on Wednesday 24 January 2018 at Chandos House in London. It will explore how to successfully deploy cloud-based services in UK healthcare – and consider what the benefits might be. It is free to register and attend.