On this page:
In April 2017, the Ministry worked with the Department of Internal Affairs (DIA)’s Government Chief Information Office (GCIO) to update our approach to the use of cloud based services:
- Changes to the Ministry of Health’s policy on cloud computing (docx, 72 KB)
- Changes to the Ministry of Health’s policy on cloud computing (pdf, 255 KB)
Context
What is cloud computing?
Cloud computing is a phrase that covers the transmission, storage and processing of information at a location not owned or managed by the information's owner. This information can be accessed from anywhere at any time.
Subscription options
Cloud computing contracts can be established to allow health providers to use the chosen computing resources on a pay-per-use or subscription basis.
Who owns the infrastructure?
A hosted service provider owns and oversees the infrastructure, software and administrative tasks and makes the service available to clients. There is no need for the health provider to maintain additional hardware and software.
The three main levels required to operate the service are:
- software as a service (SaaS)
- platform as a service (PaaS)
- infrastructure as a service (IaaS).
Why use the cloud?
The use of cloud or hosted services is a viable option for funders and providers of health and disability support services (health agencies) because of its cost and convenience.
Responsibilities
Under the Health Information Privacy Code 1994 (the Code), each health agency has a legal responsibility to ensure everything within the power of the health agency is done to prevent unauthorised access, use, modification or disclosure of information for which they are custodians.
This responsibility may be meet by the health provider undertaking due diligence of the proposed cloud-based or hosted service using the GCIO questionnaire document:
DHBs and wholly owned DHB shared service organisations, are also subject to the Department of Internal Affairs (DIA)’s ICT functional leadership mandate – expressed through the role of the Government Chief Information Office (GCIO). This mandate includes a requirement that DHBs:
- use government Infrastructure-as-a-Service (IaaS) for 'computer and storage' services
- undertake their own cloud risk assessment using DIA's guidance on assessing the risks of cloud services.
Health providers are responsible for the security and integrity of personal health information that is stored or processed by public cloud services.
All health providers wanting to store personal health information in a public cloud service may do so provided:
- they first undertake a formal risk assessment
- the outcome of the risk assessment is signed-off by the health provider’s senior management prior to using the services.
The Ministry also requires DHBs to:
- satisfy themselves via the cloud risk assessment process that the product or service meets the requirements of HISO 10029:2015 Health Information Security Framework – Section 18 Cloud Computing and Outsourced Processing
- forward a copy of completed risk assessments to the GCIO. A copy is also to be provided to the Ministry of Health prior to the commencement of the cloud service use
- record each individual public cloud service utilised within its application portfolio management system.
Public cloud services should be considered on a case by case basis.
An expectation of the Health Information Security Framework and Government CIO cloud computing requirements is that all health agencies create an internal cloud computing policy to provide guidance to:
- the agencies on assessing the risks of cloud-based services, process maturity and compliance with regulation
- the purchasers when evaluating, procuring and contracting cloud-based services.
To help organisations create their own cloud computing policies, the Ministry of Health’s internal cloud computing policy is provided as an example.
- Ministry of Health internal cloud computing policy (docx, 53 KB)
- Ministry of Health internal cloud computing policy (pdf, 195 KB)
Cloud service risk assessment
The risks associated with a third party not subject to New Zealand jurisdiction inappropriately accessing or releasing health information, could impact negatively on all health agencies, beyond the particular health agency responsible for holding the health information. Maintaining clinician, patient and public trust depends on proactively managing these risks.
The Ministry considers the following are key risks for personally identifiable health information that is not retained within New Zealand:
- trust in data security and privacy laws overseas, loss of control, and uncertainty over hosted service providers’ (and their local jurisdiction’s) alignment with New Zealand’s health information security and privacy requirements
- uncertainty and unpredictability regarding performance, reliability and support
- unauthorised access or use of health information about New Zealanders by the hosted service provider or third parties.
Connected Health and the cloud
Any health agency or Connected Health application service provider wishing to use a cloud service to transmit, store or process health information may use an accredited Connected Health access supplier to provide a secure network link between their cloud environment and Connected Health.
Organisations not currently approved for access to Connected Health or wishing to provide a Connected Health application service may apply.
- Application to connect to Connected Health
- List of accredited Connected Health access suppliers and certified products
(The information above is adapted from Alex Mu-Hsing Kuo (2011) ‘Opportunities and Challenges of Cloud Computing to Improve Health Care Services’. Journal of Medical Internet Research, 13(3): e67)