The Ministry of Health has updated the policy on cloud computing. Cloud computing includes the transmission, storage and processing of information at a location not owned or managed by the information's owner. This information can be accessed from anywhere at any time.
Previously, personally identifiable health information could not be stored or processed offshore by a public cloud service unless the Ministry had either first granted the health provider an exemption to do so, or had reviewed and accepted the services to be provided.
The policy has been revised because public cloud services are now better understood through more common use, and have good security measures in place. The policy allows all health providers wanting to store personal health information in a public cloud service to do so, provided they first undertake a formal risk assessment.
Where the risk assessment identifies areas of significant concern, the health provider may wish to discuss these matters with the Ministry before making a decision. Contact [email protected].
Particular areas that may generate concerns are summarised in section 18 of the Health Information Security Framework. They include sovereignty, governance, confidentiality, provider integrity, availability and incident response/management.
The outcome of the risk assessment must be signed off by the provider’s senior management, and public cloud services should be considered on a case-by-case basis.
For further information including detailed process advice, see Cloud computing and health information.