UK government cloud health: setting the standard for delivery

By Darren James, Office of the CISO, EMEA, ServiceNow 

As a government entity with its own public sector ministry and related agency framework, the UK National Health Service (NHS) is in the throes of going digitally cloud-enabled under approved government guidelines.

But as the ‘playbook’ now starts to get written for service deployment best practices, how should the NHS prescribe its own IT treatment programme and where do suppliers to the NHS fit into this cloud regime?

The UK government public sector ‘cloud first’ policy was published in 2013, but different sub-sectors of the UK public sector have moved at different paces to implement the opportunities for flexibility and IT agility that the cloud model offers. In the case of the NHS, the use of cloud services was endorsed in the National Information Board’s Personalised Health and Care 2020 framework in November 2014.

In January 2018, a paper jointly published by the Department of Health and Social Care, NHS England, NHS Digital and NHS Improvement stated that NHS and social care organisations can safely locate data in the public cloud, including services located outside of the UK, provided appropriate safeguards are in place. The paper also provides advice and guidance on those safeguards.

A systematic process for cloud migration

NHS Digital has expanded upon this advice and guidance and developed detailed materials designed to enable a systematic approach to evaluate risk and apply proportionate controls. The guide provides a four-step evaluation method and separates the responsibilities between the service user and cloud service provider.

The steps advocate a clear process for any digital project to:

  • Understand, qualify and quantify the data and application workflows that are to move to the cloud.
  • Assess and evaluate the risk associated with the data itself in terms of who or what it relates to and its corresponding levels of personal privacy and enterprise criticality.
  • Provide a route to implementing the appropriate controls on that data.
  • Pave a way forward for the data to be monitored and continually assessed for ongoing risks.

Yet these are guidelines that ServiceNow has been complying with for many years already, as we strive to set standards before they are issued. We’re already working closely with NHS organisations across the UK and this detailed approach is an accelerator for both new and existing engagements, raising the bar for cloud security best practice globally.

The NHS Digital advice is based on the ISO/IEC 27001:2013 standard, to which ServiceNow is certified, and the Cloud Security Alliance Cloud Controls Matrix v3.0, which ServiceNow has completed.

ServiceNow is active in global cloud security initiatives and has a delegate from the ServiceNow Office of the CISO on the board of the UK & Ireland Cloud Security Alliance specifically driving UK public sector cloud security and trust initiatives.

Best practices, first steps

Digital transformation to cloud computing platforms, with the automation efficiencies and flexibility that services-based computing offers, is not a plug-and-play affair. This holds as true for UK public sector IT as it does for commercial enterprise.

Strategic planning, precise audits and stringent controls that ensure ongoing assessment and monitoring are essential from day zero. Added to this complexity, there will also be a need for education and training, alongside networking and collaboration tools that offer access to knowledge on how to implement proven solutions.

ServiceNow’s advice to NHS and public health customers is to use the NHS Digital Health and Social Care Cloud Security Good Practice Guide to bring cloud instances into productive deployment using what is also a four-step approach:

  1. Apply the cloud evaluation method to assess which applications and data will be migrated.
  2. Understand each instance of data and its use before also considering the data lifecycle and privacy-by-design.
  3. Determine appropriate controls required from the choice of Cloud Services Provider and those that must be employed as the Service User.
  4. Evaluate the capabilities of the Cloud Service Provider against this guide and against the controls required.

The path to cloud for NHS Digital may at first appear too long and circuitous, but the momentum for change is already here – and inevitable progress is ultimately a good thing.