Cloud security guidance

Security of any NHS IT system, service, application, or function is priority zero for any NHS or healthcare organisation. A secure cloud and internet platform is the key to enable a trusted network of healthcare systems that interact and enable better workforce management, patient care, and operational efficiencies. Security does not stop at organisations' IT security and governance teams but is everyone's responsibility from the board level to the patient or citizen.

Cloud Centre of Excellence - NHS Cloud strategy

Let us know what you think about the Cloud Centre of Excellence (CCOE) strategy.

Cloud and internet first security guidance for the NHS

Following national guidance from the National Cyber Security Centre (NCSC) the NHS will adopt the 14 Cloud security principles as its core means of alignment of cloud and internet security throughout the NHS and healthcare providers.

These adopted Cloud and internet principles are.

ARTICLE

1. Data in transit protection

User data transitioning networks should be adequately protected against tampering and evesdropping.

ARTICLE

2. Asset protection and resilience

Your data (and the assets storing or processing it) should be adequately protected.

ARTICLE

3. Separation between users

Separation techniques ensure a customer's service can't access or affect the service (or data) of another.

ARTICLE

4. Governance framework

A governance framework is vital to co-ordinate and direct the management of the service.

ARTICLE

5. Operational security

Services must be operated and managed in a way to impede, detect or prevent attacks.

ARTICLE

6. Personnel security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

ARTICLE

7. Secure development

Cloud services should be designed, developed and deployed in a way that minimises and mitigates threats to their security.

ARTICLE

8. Supply chain security

Third party supply chains should support all of the security principles which the service claims to implement.

ARTICLE

9. Secure user management

Providers should make tools available to securely manage your use of their service.

ARTICLE

10. Identity and authentication

Access to service interfaces should be constrained to authenticated and authorised individuals.

ARTICLE

11. External interface protection

All external or less trusted interfaces to the service should be identified and defended.

ARTICLE

12. Secure service administration

Systems used for the administration of cloud services will have highly privileged access to that service. Their compromise would have a significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

ARTICLE

13. Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

ARTICLE

14. Secure use of the service

The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

Compliance with these security principles is paramount to providing services and will help to determine the confidence of how secure a system, service, application, and/or function is.

The NCSC has also produced the “Security benefits of good cloud service” white paper that evidences that adopting good cloud practices including automation, using infrastructure as code, and using commodity expertise provides security benefits for cloud platforms by default.

In addition to these principles, an NHS or healthcare organisation will be required to undertake continuous security compliance monitoring, testing, and alerting using national services provided by NHS England and NCSC, but also locally within NHS and healthcare organisations within their development pipelines, deployment processes, cloud hosting services, and information governance procedures.

All-access to public cloud-deployed platforms will be on the basis of least privilege, user access based on a federated understanding of the user, and system to system access based on roles defined as part of the platform deployment.

As a part of compliance with this policy it is instructed that an approved IT Health-check/Penetration Test is carried out on an annual basis on the NHS and healthcare organisations cloud services including edge connections to the internet or any other private network as a means to facilitate confidence or to highlight any vulnerabilities within the security of the system, service, application and/or function.

Any security vulnerability or breach will be required to be reported to the NHS or healthcare organisations Senior Responsible Owner (SRO) who will access the mitigation, be accountable for the security vulnerability being resolved or escalating.

References

1. NCSC 14 Cloud security Principles
2. CHECK - Penetration Testing

Last edited: 16 January 2025 11:09 am