Using AWS in the Context of NHS Cloud Security Guidance

Publication date: September 29, 2021 (Document history)

Guidance was issued in early 2018 on the use of hyperscale cloud services by UK public sector healthcare organisations and their business partners. The documents comprising the guidance include detailed risk management activities for such organisations to undertake, comprising mostly technical measures appropriate to the level of security required. This whitepaper provides advice corresponding specifically to the measures described, to accelerate organisational alignment with the guidance.

Introduction

The explicit guidance on the secure use of hyperscale cloud services was published in January 2018 by four key UK Public Sector Health bodies: NHS Digital, the Department of Health and Social Care, NHS England, and NHS Improvement. That guidance built on the foundation of the National Cyber-Security Centre’s 14 Cloud Security Principles, and adopts the NCSC’s philosophy of devolving risk management to Information Asset Owners, taking a risk-based approach to managing information security in the cloud.

The guidance also draws a clear delineation between the security of the cloud infrastructure and services delivered from it, and the workloads deployed to that infrastructure. The expectations on organisations using the guidance are that they:

Quantify the information security risks involved for their workloads.
Satisfy themselves that the cloud provider they use implements the required controls to manage those risks.
Adopt the appropriate customer-usable controls for that purpose.

This whitepaper explains how to achieve the latter when using Amazon Web Services (AWS) for cloud infrastructure.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Achieving compliance