Cloud security one page overview
Follow these steps to safely use public cloud in the health and social care system.
It is always appropriate to consider the use of public cloud when designing and implementing any kind of information system. This guidance supports you in your role as Data Controller, ensuring that all uses of public cloud are well-executed: known, safe, secure and effective. The Health and Social Care Cloud Security Good Practice Guide provides detailed guidance.
Understand the data you are handling
Get a list of all the data types/attributes that will be stored/processed by the system.
How much data is under consideration?
How long will it be held in the system?
What is the Service Classification of the system (Bronze | Silver | Gold | Platinum)?
Carefully assess the data types/attributes and decide which of the Risk Model's data types they correspond to. Use the Risk Model to obtain a Risk Classification.
Refer to:
- Health and Social Care Cloud Security Good Practice Guide
- Health and Social Care Cloud Risk Framework
- Health and Social Care Data Risk Model
Document:
- the list of data types/attributes
- the rationale for selecting the data type(s)
- the completed risk model
Assess the risks associated with the data
Does the calculated risk classification align with your organisation’s risk appetite? Undertake appropriate governance to ratify.
You should consider:
- breaking down complex systems and using the public cloud for specific subsystems
- the as-is situation – an existing ‘high-risk’ implementation may be better in the cloud than how it is currently hosted
- public perception – you must be comfortable with any challenge that comes from the public and the media
- lock-in and migration – using vendor-specific components will make it harder to migrate to another provider
- requirements – are there any technical limitations or specific requirements that may preclude the use of public cloud?
- impact of breach – consider the impact and subsequent management of any unintended breach
Refer to:
- Health and Social Care Cloud Risk Framework
Document:
- the governance decision to use the cloud (such as meeting minutes)
- responses to all other considerations
Implement proportionate controls
Apply proportionate controls:
- Select a cloud provider that meets the required security standards – those that match the security and service classification.
- Apply the security controls that are under your responsibility – those that match the security and service classification.
Refer to:
- Health and Social Care Cloud Security Good Practice Guide
Document:
- evidence that the supplier meets the standard
- evidence that you have implemented the controls
Monitor
Ensure that your vendor keeps you informed of any changes that may detrimentally affect the security of your system and data.
The security controls that you have implemented must be reviewed and audited on a regular basis.
Document:
- waivers/residual risk
- revised certifications and assessments
Last edited: 6 January 2022 9:49 am