Use of cloud or hosted services for managing health information

Guidance from the Ministry on the use of cloud or hosted services in the health sector for managing personal health information.

Purpose

To provide guidance on the use of cloud or hosted services for managing health information especially where personal health information is stored and managed outside New Zealand, and to support the National Health IT Board’s (the IT Board) position statement:

Unless an exemption is granted by the National Health IT Board, or the health care provider uses an Accepted overseas based cloud or hosting service, all personal health information held in an identifiable form and associated clinical or administrative data must be fully domiciled in New Zealand.

Context

Cloud computing or hosted services provide customers with access to computing resources over a network on a pay-as-you-go basis. "Cloud" comes from the use of a cloud-shaped symbol used to picture the combination of computers, applications, networks and support services required.  The hosted service maintains the customer’s data and application processing while the user interacts with their application through the screen of a network enabled device. Cloud computing or hosted services allows organisations to use computing resources on a pay-per-use or subscription basis without needing to maintain hardware and software locally.

A hosted service provider owns and oversees the infrastructure, software and administrative tasks and makes the service available to clients, usually over the Internet.

The three main levels required to operate the service are:

software as a service (SaaS),
platform as a service (PaaS) and;
infrastructure as a service (IaaS).
The use of cloud or hosted services is a viable option for funders and providers of health and disability support services (health agencies) because of its cost and convenience.

However, if personal health information is stored overseas using a cloud or hosted service there is no guarantee that the same privacy rights and security standards afforded to New Zealanders will be upheld outside the jurisdiction of New Zealand.

Risks

The risks associated with a third party not subject to New Zealand jurisdiction inappropriately accessing or releasing health information could impact negatively on all health agencies, rather than only the health agency responsible for holding the health information. Maintaining clinician, patient and public trust depends on proactively managing these risks.

The Ministry considered the following risks when making its decision that the default position is that personally identifiable health information should be retained within New Zealand:

trust in data security and privacy laws overseas, loss of control, and uncertainty over hosted service providers’ (and their local jurisdiction’s) alignment with New Zealand’s health information security and privacy requirements
uncertainty and unpredictability regarding performance, reliability and support
unauthorised access or use of health information about New Zealanders by the hosted service provider or third parties.
(This information above is adapted from Alex Mu-Hsing Kuo (2011) ‘Opportunities and Challenges of Cloud Computing to Improve Health Care Services’. Journal of Medical Internet Research, 13(3): e67)

As with health information stored in New Zealand, the paramount issue to consider in relation to transferring health information to an off-shore location is who has jurisdiction over or control of that information – control over how it is transmitted, stored and protected, who can access it, how it can be used and whether it can be modified or disclosed.

Legal/Policy Responsibilities

Under the Health Information Privacy Code 1994 (the Code), each health agency has a legal responsibility to ensure everything reasonably within the power of the health agency is done to prevent future unauthorised access, use, modification or disclosure of information they come into possession of.

Patients too though need to trust that their information is held securely.  They need to be able to find out where their information is being held and that they can access that information should they wish.

Options for health care providers wishing to store identifiable health information overseas

Health care providers wishing to store identifiable health information overseas can choose from one of two options.  They can either choose to use a product or service that has been Accepted by the Ministry as fit for purpose, or they can apply for an exemption.

Accepted overseas hosting or cloud based products or services

As the Ministry has gained more knowledge and confidence in suppliers hosting solutions, the Ministry has decided to identify certain overseas hosted or cloud based products or services that it Accepts are fit for purpose. Any health care provider who chooses to use a product of service that has been “Accepted” as fit for purpose can choose to use it without the need to go through the full exemption process.

Vendors seeking Accepted status will need to satisfy the IT Board that their cloud or hosted product or service meets government requirements.


List of Products and Services Accepted by the Ministry as fit for purpose

Oculo
Gallagher Bassett
Alternatively the healthcare provider can simply email cloudcomputing@moh.govt.nz for further information. 

In parallel, the Government Chief Information Officer (GCIO) is working to certify certain suppliers as having products or services that government agencies can have confidence in.  The Ministry and the GCIO are working together on this so that the two processes align

We have also developed guides for

vendors seeking to gain Accepted status for their overseas cloud or hosted product or service
health care providers looking to store identifiable health information overseas.

Seeking exemption

Any health agencies considering the use of cloud or hosted services where part or all of the infrastructure and services are located overseas will need to submit a proposal for consideration and approval by the IT Board on a case-by-case basis.

The application should be sent to cloudcomputing@moh.govt.nz.

Proposals will need to demonstrate that the health care provider has undertaken a due diligence of the proposed overseas cloud based or hosted service and plans to fulfil their responsibilities under the Health Information Privacy Code 1994. As part of that due diligence the IT Board will expect the applicant to complete the questions contained in the document "Cloud Computing: Information Security and Privacy Considerations", Government Chief Information Officer (GCIO), April 2014. This document can be found on the ict.govt.nz website:

Cloud computing risk and assurance framework - Background to Government’s approach
Any exemption granted will be subject to the following conditions:

The Chief Executive, director or other person with authority to bind the health agency will complete a statutory declaration stating that the information provided to the IT Board is correct to the best of their knowledge and belief;
The health agency will undertake an annual privacy and security audit of the hosted service and will forward a copy of the report to the IT Board;
The health agency will maintain a copy or back up domiciled in New Zealand, of all personal health information held in an identifiable form.

New Zealand domiciled cloud computing

If health agencies choose to use a cloud or hosted service solution with infrastructure and storage based in New Zealand then, prior to doing so they are expected to undertake due diligence of the solution offered. The IT Board expects due diligence to include confirming where the health information will be stored (including backups and standby facilities) and where the hosted service is provided in New Zealand.

Further information

For further information about cloud computing, read the:

New Zealand Cloud Computing Code of Practice (from the Institute of IT Professionals NZ)
Cloud Computing: A Guide to Making the Right Choice, Office of the Privacy Commissioner, February 2013
Using the cloud (from the Office of the Privacy Commissioner)

Share this post