For more than a decade, there’s been an expectation that all patient identifiable data stored by the NHS must be held within the UK. Although this hosting restriction has never been mandated by law – remember, the Data Protection Act makes no distinction between England, the UK and the rest of the European Union with regards to data residency – there’s been explicit national policy and a range of local decisions and directives that have enforced this situation.
Over the last two years, the three leading public cloud providers – Microsoft Azure, Amazon Web Services and Google Cloud Platform – have all opened or announced dedicated UK-based hosting zones within their public cloud provision.
And these cloud providers are directly accessible via the NHS N3 network.
These developments are great news for the NHS as they allow for more reliable, scalable and secure services – while significantly lowering costs. Take old IT systems as an example. They can be migrated to the cloud – improving reliability, simplifying services and avoiding serious failures that impact service delivery.
But it’s important to realise these new services throw up some challenges.
Costs can rise quickly and unexpectedly with these new pay as you go services
In our experience, we’ve found that organisations typically pay a 30% premium on their cloud provider spend as they haven’t fully considered the commercial challenges associated with cloud adoption. We recently helped an organisation to cut their public cloud spend by 52% in four months – creating a £250,000 annual saving. To maximise cost savings from a shift to public cloud, particularly at a time where there’s significant cost pressures, the NHS needs to invest in skills, experience, processes and tools. This will allow it to effectively manage its cloud provider spend – including accountability for all cloud resources and the ability to exploit the continually evolving and complex commercial models.
UK hosting alone is not enough to resolve all data and information security issues
The NHS is still responsible for information security, and cloud providers clearly state where their responsibility stops and the customer’s (the NHS) starts. Traditional security polices, controls and systems need to be refreshed to adapt to the range and nature of cloud services. This could include supporting more dynamic environments, micro service and/or server-less architectures, platform-as-a-service workloads and a new set of security constructs and services.
Some traditional architectural patterns are no longer the best option
To exploit the true value of a shift to public cloud, NHS trusts and organisations need to think beyond a ‘lift and shift’ of existing services to public cloud. They need to reimagine how applications and services are architected, developed and deployed using cloud native features to support the broader digital transformation agenda. The shift to cloud provides an opportunity to transform existing services to not only reduce cost, but take advantage to new technologies, ways of working and insights that can have a material positive impact of the services it offers to clinicians and the wider community. We recently developed a solution to make more use of platform-as-a-service to create a public facing web service for the NHS – one at half the price of a more traditional service, while using auto-scaling capabilities to increase capacity up to 1000% within a matter of seconds. And all of this came at a marginal increase in cost.
So it’s clear the NHS must handle these new services with care, but by taking the right approach it will be able to reap the benefits public cloud offers.