Why it's cloud first at NHS Scotland

'Every penny we spend on hardware is a penny less to spend on patient outcomes,' says digital director and CISO Deryck Mitchelson

Deryck Mitchelson, director of digital and CISO at NHS Scotland, talks about making the most of changes forced by the pandemic to push through lasting improvements in support of health outcomes.

"Everything we're doing is cloud, there's nothing we're doing that's not cloud in some way," said Deryck Mitchelson, director of digital and chief information security officer at NHS Scotland.

"In my mind, every penny we spend on hardware is a penny less to spend on patient outcomes."

This is not a sentiment you'd have heard from a public sector IT leader just a few years back, when the approach to cloud was one of extreme caution. But barring "the occasional private data centre" it's very much the picture today, with the old security and compliance worries in retreat.

Indeed, Mitchelson is firmly of the view that the cloud providers now offer a resilience that's well beyond anything achievable in house.

"I trust Microsoft and Amazon implicitly more than I trust myself with security best practice, after all they've got much bigger budgets than I do," he said.

Mitchelson says the adoption of cloud has been fundamental to NHS Scotland's pandemic response, which, on a technical level, has required the rapid setting up of data sharing with other countries in the UK, secure storage and analytics, apps and portals, moving services online and facilitating remote working.

"We've adopted SaaS-based subscription services, we have deployed Office 365 and that has enabled the NHS to continue to work to do consultations and collaborate, no matter where people are," he said.

Staff from cloud companies have been on hand to assist directly with the response on a consultancy basis. For example, Microsoft assisted Mitchelson's team in building the Check-in Scotland app, which allows staff and visitors to check in and out of venues in support of the country's national contact tracing services.

"Microsoft actually worked as part of the team. They give us the resources and helped us make sure that we built things that were scalable, that were fully secure, and it's been a great way of working," Mitchelson said.

Scotland's test and trace capacity was developed in collaboration with another cloud vendor, ServiceNow, with a data platform deployed for collecting, storing and analysing test data. It was also used to create Scotland's test and trace app and an app for PPE procurement.

The latest phase of this particular collaboration is a Covid vaccination certification web portal, rolled out over a two-month period, where people can download a certificate as an interim measure as travel restrictions have eased. Asked about reports of security issues, Mitchelson insisted the portal is an interim measure.

"The goal is to shortly integrate vaccine certification into the existing NHS App providing citizens with a fast, easy and digitally signed certificate," he said.

The pandemic response has provided a golden opportunity to overhaul some ageing infrastructure, including mothballing the Fujitsu mainframe whose COBOL programs have been the backbone of winter flu scheduling for the last 25 years. NHS Scotland has moved to a ServiceNow-based system that's "enterprise ready and runs in the cloud and is always available. It's been hugely successful," said Mitchelson.

Multiple clouds, multiple opportunities

Keen to use best-of-breed services, Mitchelson favours a hybrid and multi-cloud approach. NHS Scotland uses multiple services from both of the biggest public cloud providers, Microsoft Azure and AWS, although not always as part of an overarching strategy.

"That's just the way things have landed," he said. "I think we'll probably always have a hybrid cloud with disparate cloud providers, and the reason is less about resilience, it's more around opportunities in these clouds that can benefit the NHS in Scotland. I don't want to say I can't use that Amazon service because we've deployed services into Microsoft or vice versa. I get great support from all my vendors and I want them all to work with me for the betterment of health outcomes in Scotland."

As a caveat, though, this approach requires careful management to avoid duplication, which can be a challenge even given the range of experience available among the team's 400 staff.

"If you're an organisation the size of NHS in Scotland you have the skills, but you still need to keep an eye on things like managing Direct Connects into AWS at the same time as you're managing ExpressRoutes into Azure," said Mitchelson. "You're managing firewall appliances to terminate these connections, and you need teams that can be managing both sides of that, and then of course there's monitoring of the environments."

That said, the task can be made easier by pursuing best practice and platform-agnostic approaches, he went on.

"If you're deploying services in the cloud, you could use the same CI/CD stack and where you're deploying to probably doesn't actually matter: you can deploy to this or that cloud - or to a third-party cloud. If you're managing your code and your pipelines appropriately you can reduce duplication, and that's what we're trying to do for the NHS."

Leaving a legacy

A complex public sector organisation like the NHS will never be operating at the cutting edge of IT, and nor should it be, but cloud services can help reduce the risk inherent in adopting newer services and eliminate the clutter and technical debt of legacy infrastructure. Mitchelson, who has been in post for just less than three years, says he's determined the pandemic response should leave a positive digital legacy, particularly in preparing for future pandemics.

"We've increased the deployment of our NHS Near Me technology, allowing us to move GP consultations to online GPs, so again that's all cloud-based technologies," he said.

"We are not yet in a place in Scotland where you can go to a single place and get appointments across different areas and different GPs, but we've got a GP programme that I manage as one of my responsibilities, and that's delivering a transformation to move all the GP systems and services into the cloud as well.

"And at that point, we can really start to join up all the systems, the data and the scheduling and deliver many new benefits."