As more and more of us turn to cloud computing as a reliable and convenient way to manage our information, the Ministry of Health has overhauled its cloud computing policy and made it much easier for healthcare providers to use these services to store health information.
In the past, healthcare providers that relied on the Ministry for funding (like District Health Boards) could not store health information on cloud servers located overseas without first getting an exemption from the National Health IT Board. This policy enabled cautious use of cloud in the healthcare sector, but reflected the Ministry's concerns about the security, integrity and accessibility of sensitive health information.
The Ministry relaxed its policy slightly in early 2016 by pre-approving certain services, but the list of pre-approved services was quite short.
In 2017, to align with Cabinet's "Cloud First" policy, a major overhaul was implemented (read the policy here). The list of pre-approved services and the exemption regime have been removed. The National Health IT Board has been disbanded and replaced with a Digital Advisory Board that advises the Ministry.
Health providers are now permitted to store personal information using a public cloud service (whether in New Zealand or overseas) as long as they first undertake a formal risk assessment and have it signed off by senior management before use of the services.
Guidance on how to manage risk assessments is available on the Government Chief Information Officer's (GCIO's) website here. If the risk assessment gives rise to significant concern, the GCIO advises consulting with the Ministry before proceeding further.
DHBs are also subject to additional requirements, namely:
- Ensuring that the cloud service meets the requirements of HISO standard 10025:2015 - the Health Information Security Framework's Section 18, Cloud Computing and Outsourced Processing
- Forwarding a copy of completed risk assessments to the Government Chief Information Officer and the Ministry of Health prior to using the cloud services
- Recording each individual public cloud service utilised within its application portfolio management system.
Healthcare providers will welcome this freedom to choose services that suit them operationally. However, they also need to take care - the duty to check for risks is now their responsibility alone. Under the Health Information Privacy Code and the Privacy Act 1993, health providers have a legal duty to take reasonable steps to prevent unauthorised access, use, modification and disclosure of health information that they hold. The Ministry's new guidelines help healthcare providers to perform appropriate due diligence and make the necessary risk assessments and decisions on a case-by-case basis.