An Interview with John Godwin

Meet John Godwin, UKCloud Health’s Director of Compliance & Information Assurance. With more than 25 years’ experience, John’s area of specialist expertise is information security and data protection, which is particularly important for the effective protection of sensitive medical data hosted within UKCloud Health by its customers.

What’s your role at UKCloud Health?

I’m responsible for all matters relating to information assurance and data protection, ensuring that UKCloud Health operates in a secure manner, and that we are always ready to be assessed by government, customer and certification body auditors. Internally, I support and guide my Compliance Team colleagues in delivering risk management and audit functions, but I also spend a considerable amount of time out of the office visiting and supporting our growing community of healthcare customers and partners. I’m passionate about sharing best practice with our growing network of innovative healthcare partners, helping them to strengthen and protect their propositions.

I’m also responsible for the UKCloud Foundation, the charitable focus of our business. The Foundation arranges volunteer days for all our colleagues to support a charity of their choice, provides for matched funding of their individual fundraising activities, and develops relationships with chosen charities on common themes, for example the promotion of STEM (science, technology, engineering and maths) which is an important consideration for future skills requirements at UKCloud Health. I believe that everyone should try to give something back to those less fortunate than themselves.

Have you always worked in information security?

Not intentionally, but in a strange, subliminal way it’s always been a consideration at the heart of all my roles over the years! I started life as a mainframe computer programmer for a local authority, writing programs in COBOL/JCL which helped to manage the council’s finances. Next up was a very specific role designing the numeric combinations for large, complex master-keyed systems (think large hotels, university accommodation, cruise liners etc.) and being very careful not to design accidental cross-keying! My next move saw my baptism into the world of formal business management systems, and the growth of my interest in all things security (physical, personnel and technical) with one of the UK’s largest IT distributors. At the turn of the Millennium I joined a Managed Services Provider, and spent eight years designing and strengthening their security posture – initially to the BS7799 standard which later became ISO27001. And in 2011, an option to join UKCloud was too much of an opportunity to let pass by!

So how did you get involved with UKCloud Health?

I joined UKCloud right back on day one in 2011, when we had lots of plans and ideas, and an infectious desire to support the UK Government’s emerging intention to harness the flexibility, security and cost savings associated with the public sector’s use of cloud services. Once the cloud platform and services had been designed, implemented and security tested, which took 18 months, I led the crucial process by which formal Pan Government Accreditation from CESG (now NCSC) was obtained: an important and credible independent validation which demonstrated our credibility to our public-sector customers.

UKCloud Health has always sought to maintain an effective portfolio of accreditations, certifications and validations. From experience I understand just how important these can be to potential customers who are looking to understand and minimise the risks associated with moving their data into the cloud. Just as important, however, is the extra reassurance that we gain at UKCloud Health from knowing that our platforms, systems and services are regularly subject to the most demanding of independent technical and operational checks, validating that we are a safe and trusted environment to host the most sensitive of datasets – including those arising from the activities of our healthcare customers.

Does the UK healthcare community embrace best practice?

In a word, yes! At UKCloud Health, we always endeavour to be accessible and transparent to our healthcare customers, whether by the communication of evidence packs or white papers, or by presenting at health-sector related events on emerging or challenging subjects, such as the forthcoming EU General Data Protection Regulation. We’re fortunate to be working alongside some very clever and innovative healthcare professionals who are making a real difference to patient care in the UK, but some of them are very small organisations who may have little or no previous experience in demonstrating the required levels of information security and data governance that their NHS customers require.

UKCloud Health is an “N3 Aggregator” (soon to become HSCN), and as I undertake the formal assessment process which is required to validate that a customer is sufficiently secure to have their service connected to the N3 healthcare network, it’s an excellent opportunity to suggest improvements and alignment with current best practice such that our healthcare partners can become more compliant and resilient as a result. I’m always very impressed by the range of next-generation healthcare solutions that I see during these assessments, which drives home the importance of the role that UKCloud Health is playing in supporting the NHS and improving the health and wellbeing of the nation.

As UKCloud Health’s Data Protection Officer for GDPR, I’m also supporting our healthcare partners and their data protection preparations ahead of the 25th May deadline. Healthcare data is one of the “Special Categories” of personal data noted in Article 9 of GDPR, and needs specific consideration for its processing and care. Combined with an increasing awareness by citizens of how their personal data is being used and protected, it’s essential that we work together to ensure that risks are identified and managed, such that the great benefits of cloud-based healthcare services which we’re collectively delivering are not challenged by a lack of trust from the general public.

Can using cloud benefit the UK healthcare community?

Cloud, done well, is proven to deliver a range of great benefits to the healthcare community – delivering significant cost savings from lower consumption costs, allowing innovation from the latest technologies and providing greater collaboration and associated efficiency opportunities from being better connected.

It’s this last point which I have grown to appreciate as I have undertaken dozens of N3-related assessments around the country. At its simplest, some providers I have worked with are realising the cost benefits and increased security controls which are associated with the replacement of legacy on-site assets from individual doctors’ surgeries to a centralised cloud-based environment, accessed via secure network links. There are other solutions which are improving the patient experience, for example by streamlining consultations, referrals, admissions and after-care activities. Others are focused on improving the access to medical services, for example by the provision of on-line consultations using smartphones. Traditionally, the NHS has operated a manual, paper-based approach to the management and sharing of patient data, and cloud is clearly demonstrating that there is a much better way.

And from the Patient’s Perspective?

As I noted earlier, the imminent launch of GDPR as the new data protection framework for the EU (including the UK) reflects just how much of our lives are now lived on-line via an internet connection and smartphone. GDPR will provide for greater protection of our personal data, visibility of how and why it is being processed, and will provide recourse and compensation when something goes wrong. As data subjects ourselves, this is a positive change which we should all be embracing.

Healthcare manages huge volumes of personal data. As patients, we can rightly expect that our medical records are being maintained securely and in a confidential manner, and that we will not be placed at risk if they are accidentally (or deliberately) disclosed. At UKCloud Health, we have an important part to play here, by ensuring the security and resilience of the cloud infrastructure upon which a growing number of the UK’s healthcare interactions now depend. Whilst we exercise the same care and thoroughness on all our cloud platforms, knowing that our own personal medical information is being safely processed and stored on UKCloud Health’s infrastructure is reassuring.

How do you unwind away from UKCloud Health?

Many of the tasks of UKCloud Health’s Compliance Team are complex and require focus, concentration and an eye for detail. I also spend a lot of time out of the office travelling to meet customers and partners, or to present at events and conferences throughout the UK. Away from UKCloud Health, I value spending time with my wife and two grown-up children, and spending as much time as possible at our rural retreat in France.