Part of Getting started with cloud adoption for NHS trusts
Security in the cloud
Healthcare cyberattacks are escalating globally, threatening patient safety and care delivery. As NHS organisations become increasingly digital, their attack surface widens. Adopting cloud can significantly strengthen cybersecurity defences.
Cloud service providers offer advanced, enterprise-grade security capabilities that exceed those of on-premises models. Their global security teams and technologies provide continuous protection at scale for cloud workloads.
Cloud also enables easier centralisation of identity, data and threat management. Automation ensures configurations and controls are consistently applied across dynamic environments.
The cloud shared responsibility model means NHS organisations retain obligations for securing workloads, data, and accounts per cloud provider policies. Understanding this split is key for risk management.
The NHS England shared responsibility model is a good example of this. It highlights how responsibility is divided between the cloud service provider, which is responsible for the cloud; the CCoE, which is responsible for the business as usual (BAU) tasks and governance for the NHS organisation in the cloud; and the application or programme team, which is responsible for the service and data running in the cloud.
Migrating to the cloud requires updating security strategies, processes, and staff skills. But done right, it can greatly reduce vulnerabilities from legacy IT issues like patching, legacy protocols and siloed defences.
Gaining a nuanced understanding of the trade-offs between control, flexibility, and management overhead with these different service models is key for NHS Trusts exploring cloud adoption. This allows informed decisions aligned to healthcare workloads and organisational maturity. A considered approach accounts for both the substantial benefits and the potential risks that cloud can introduce.
Last edited: 19 September 2024 11:04 am