NHS England has outlined its NHS cloud strategy, recognising the need for cloud to support modernisation, enable innovation and provide strong foundations. The guidance details an approach to the cloud, exploring the current NHS cloud strategy and adoption plan, guidance on migration and exit strategies, policies, and best practice.
NHSE starts out by highlighting cloud computing and on-demand delivery models to meet the government’s Digital by Default Agenda and tackling “increasingly costly infrastructure proliferation” which it states has “hindered the NHS’s ability to modernise and fully exploit” developments in IT and to keep up with the expectations of the workforce and citizens.
In particular, NHSE points to Cloud Centres of Excellence within each organisation as helping to drive successful cloud adoption, and to central support from NHSE’s own Cloud Centre of Excellence as helping to “provide guidance, training, and support to organisations throughout their cloud journey”.
On NHS cloud policies and guidance, NHSE states the benefits of using public cloud and taking an internet first approach, such as increasing efficiency and sustainability, remaining responsive to demands like winter pressures, reducing risks associated with ageing hardware, allowing “high availability” of data and information where and when needed, and allowing NHS products to be “built securely on a maintainable cyber secure focused platform”.
NHS cloud principles
Here the guidance notes NHS cloud principles including cloud-first design to sharing learning. On “design for cloud first”, NHSE sets out that services should be designed to fit with cloud deployment type (IaaS, PaaS. FaaS, or SaaS), and that attempts should not be made to “heavily modify the cloud infrastructure to fit the needs that an on-premise infrastructure requires” since this could lead to a “sub-standard and inefficient platform”.
For connecting to the internet, the principles highlight that whilst connecting services using an internet connection offers “more accessibility and operability”, this will require a security perimeter and firewall “with a default of implicit deny on all ports unless opened to gained access to service”, as well as ongoing monitoring of inbound and outbound connections and audit logging of access to the platform.
Services within the cloud should be “secure from day zero”, the principles go on to say, with specialist skills from security architects and a clearly defined security architecture, as well as automated security testing built in to the software release cycle “using secure DevOps practices”.
The remaining principles include: automate everywhere; decouple and connected to many; optimise, then observe, then optimise some more; people make cloud happen; be open, share and learn from others; tag, know what it’s for; evolve to survive; and use what’s right not just because you need to.
Strategy and adoption
Beginning with a primer offering a high-level overview of the characteristics of public clouds, anticipated changes when moving to the cloud, and the security of public clouds; NHSE moves on to present its cloud strategy adoption plan, aiming to help healthcare organisations bolster their understanding of how to adopt cloud and what impacts to expect on things like servers, infrastructure, and applications.
As part of this, NHSE presents 13 objectives to help inform decisions around cloud journeys: adopting NHS cloud implementation principles into thinking around cloud; carrying out a hardware licensing audit; carrying out a workload assessment; and understanding security requirements and best practices for cloud hosting. It continues to add: understanding data storage and processing within the cloud; understanding cloud service offerings and where applications are “best placed”; creating a Cloud Centre of Excellence; understanding “hyper-scale cloud provider offerings” and selecting the right one; and understanding “lock-in” and the safe utilisation of services. The remaining objectives include: developing a cloud provider exit strategy; migrating applications to cloud; re-factoring applications to become cloud native; and understanding when to use multi-cloud technologies “effectively and efficiently”.
Understanding of an organisation’s hardware and software estate, according to the strategy, should cover the full software stack, including hypervisor operating system, middleware, and application components; whilst an understanding of licensing needs should take into account the software products in use and the model used to license them, as well as any vendor restrictions which may affect their use in cloud environments. An application workload assessment is recommended to offer a initial view of efficiency savings, which the strategy states should be performed by “a mixed team consisting of cloud professionals and members of the existing application support/management teams”. This process, it goes on to say, should inform knowledge of potential migration pathways for applications, and on an organisation’s dependency on them.
The strategy also highlights the importance of understanding security requirements and best practices around hosting in the cloud, noting the “dynamic environment” and changing nature of security threats, but also the potential for the cloud to be made “highly secure”. It shares guidance from the National Cyber Security Centre (NCSC) around understanding intended use and identifying risks; understanding the legal and regulatory implications of the processing, storage, or transportation of information; determining relevant security principles and understanding how those are implemented; getting assurance from service providers that relevant security principles have been implemented correctly; considering additional measures that could be taken to reduce risk; evaluating any residual risks; and monitoring and managing risks on an ongoing basis through periodic review.
On the creation of Cloud Centres of Excellence, the strategy outlines a “cross-functional product team” offering functions across the organisation including developing and maintaining organisational policies, offering consultation services on cloud best practice, and providing a clear process to support contribution to any assets from the wider organisation.
Role guidance on cloud
NHSE has produced a series of guides for key areas of healthcare organisations, outlining impact and why cloud is important to different roles. For those working in clinical areas, such as CCIOs and clinicians, it highlights the potential for cloud to improve security around clinical data, to improve operational efficiency, to help retain clinical staff, and to strengthen patient care and experience. It also points to examples of cloud tech becoming “the foundation of clinical systems around the world”, like EPR systems and clinical triage systems, before looking to the future of clinical services and new tech like robotics and wearables which will require cloud due to its “scale and reach”.
In terms of organisational leadership, the guidance focuses on the ways cloud technology is improving how leaders can “empower” their organisations, “using a cloud culture which includes being agile, having the ability to respond rapidly to business changes that are expected and unexpected, changes to customer requirements, and using cloud technologies to bridge silos within the organisation including the wider NHS ecosystem”. It recognises the opportunities unlocked by the use of the cloud for improving patient outcomes, including by overcoming former constraints around physical storage, compute, or memory.
The guidance also covers areas including financial risk management, information governance, organisational transformation and delivery, people management, and technical delivery and operations.
Cloud exit strategy
NHSE highlights the risks relating to service disruption caused by migration, which may be required as a result of changing organisational priorities, the need for more or different functionality, or a cloud vendor’s decision to exit the market. These events could lead to “substantial and immediate challenges”, it goes on to say, meaning that healthcare organisations should take steps to put in place a cloud exit plan “before the first application or data is hosted in the cloud”.
The guidance shares best practice in preparing an exit plan, including putting in place plans for “parallel hosting”, allowing current and new environments to run side by side; looking at the cost and time requirements for data migration; estimating project costs and the timeline to help triage teams make informed decisions about exit viability; including business continuity preparations to protect against the “inability to exit”; applying practical cutover methodology to include user acceptance tests and data quality checks, communication with users and stakeholders, and a rollback option; and determining the testing methodology for exit plans to be put through “at least an initial paper based dry run or test exercise”.
For data, the guidance notes potential challenges including the “sheer volume” of data to be moved, the format of data not being able to be directly read in its new location, and the potential for reporting systems needing to be recreated as part of moving data.
More on making the transition to the cloud
Last month, Digital Health and Care Wales published a future opportunity sharing ambitions to plan and deliver a cloud transition programme for national digital services in Wales, seeking “one or more suppliers” to support work to migrate “circa 90 services” across “approximately 1,600 servers”. DHCW seeks at this stage to understand suppliers’ capabilities, capacities, and approaches to providing cloud transition resources to support its aims.
Join HTN, NHS England and Hampshire & Isle of Wight Healthcare NHS Foundation Trust for a webinar sharing the journey migrating Hampshire & Isle of Wight’s cloud-based intelligence platform, scheduled for 26 February, 1:00-2:00. Zoe Pink (Head of Business Intelligence & Reporting) & Gareth Edwards (Senior Data Architect) from Hampshire & Isle of Wight Healthcare NHS Foundation Trust will present how the trust elected to move away from an on-premises data warehouse and static Excel-based reporting to a more flexible and responsive cloud-based business intelligence environment.
