Davey Winder: NHS cybersecurity needs to be less Captain Picard, more Locutus of Borg
- 22 November 2018
On the same day the health and social care secretary addressed the annual meeting of the International Association of National Public Health Institutes (IANPHI), his vision for putting prevention at the heart of the nation’s health was published.
I couldn’t help but wish Matt Hancock was talking about NHS cybersecurity, and my mind raced with thoughts of Star Trek when Captain Picard was transformed into Locutus of Borg. I’ll explain why in due course.
Both the publication date of 5 November and the document subtitle – ‘Our vision to help you live well for longer’ – made me want to light up the night sky with the message that breach protection is better than post-breach cure. Not that there ever seems to be an actual cure post-breach; just the application of a plaster or two and a quick slurp of whatever security medicine is available and affordable to take away the pain until the next attack.
In that IANPHI speech, Hancock spoke about the use of AI in ‘predictive prevention’ for improving health outcomes.
The next frontier of prevention
“The next frontier of prevention is using the data at our disposal to predict who will be ill with what, and to get in there early,” were the exact words that caught my attention. Substitute ‘ill’ with ‘at risk’, and Hancock could have been revealing my fantasy policy for the future of cybersecurity within the NHS.
I say fantasy not because such predictive cyber-AI technology doesn’t exist in some form, but rather because both my gut and historical evidence suggest a reactive security posture will continue to be the NHS reality for some years to come.
Yet in my never-humble opinion, an intelligent predictive approach to security would both reduce the healthcare attack surface and improve security posture. It would also tick all the boxes that Hancock demands from the NHS across the board – a transformational change that can save money, eliminate waste and get the best return on investment.
A good slogan… shame about the reality
The UK government has a national cybersecurity strategy of defend, deter and develop, which is as it should be. If only the reality were as good as the slogan.
The European Security of Network and Information Systems (NIS) Directive, regardless of where Brexit does or doesn’t leave us, requires that essential services’ data and networks are both secured and cyber resilient. Everyone would agree, I hope, that this must apply to the NHS. Managing risk is a tricky business; that’s something else that is hard to argue with.
Yet, as the WannaCry incident revealed, the cyber risk to the NHS has not, frankly, been managed as well as it could be. An injection of cash is welcome, but it’s not the answer in isolation; how that cash is spent, on processes and technology, will determine if it’s a wise investment or not. It must be spent with a proactive approach in mind.
That means policies that provide better visibility of systems, so that risk blackspots can be identified, and advanced technologies that can offer predictive resilience against threats that are yet to emerge. I know: this all sounds complex and costly, and it will be. Yet only by building a real-time and exhaustive picture of the network landscape can the kind of zero-trust model that is required to let applications exchange data securely be created.
Applying machine learning to User and Entity Behaviour Analytics (UEBA) is just one more way of being more proactive – more predictive – regarding network breach attempts. This kind of scenario modelling, where deviations from an account’s or device’s normal behaviour are identified automatically, is both intelligent and effective. Effective not just against external threat actors, but against malicious or accidental insider threats as well.
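As an added illustration of the behavioural-baseline idea behind UEBA (this is not code from the article or from any NHS system; the log format, host names and sample lines are all constructed), the following builds a per-account profile from a training window and flags later events that break it, covering both the insider case and the unknown-account case mentioned above:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (not a real NHS or vendor format): "<ISO ts> user=<id> host=<system> action=<verb>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) action=(\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, user, host, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "action": action}

def build_baseline(events):
    """Per user, record the hosts and hours of day seen in the training window."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        base[e["user"]]["hosts"].add(e["host"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return dict(base)

def score(event, baseline):
    """Reasons an event deviates from its user's baseline; empty list means normal."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["account never seen in baseline window"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append(f"first access to host {event['host']}")
    if event["ts"].hour not in profile["hours"]:  # crude; real UEBA fits a distribution
        reasons.append(f"activity at unusual hour {event['ts'].hour:02d}")
    return reasons

def detect(training_lines, live_lines):
    """Return (user, host, reasons) for each live event that deviates from baseline."""
    baseline = build_baseline(parse(l) for l in training_lines)
    return [(e["user"], e["host"], r) for e in map(parse, live_lines) if (r := score(e, baseline))]

# Constructed sample: routine daytime PACS/RIS use by one account, then an
# out-of-hours payroll export by that account and a login by an unknown account.
TRAINING = [
    "2018-11-05T09:12:00 user=rad01 host=pacs-01 action=view",
    "2018-11-05T14:40:00 user=rad01 host=pacs-01 action=view",
    "2018-11-06T10:05:00 user=rad01 host=ris-02 action=update",
]
LIVE = [
    "2018-11-07T09:30:00 user=rad01 host=pacs-01 action=view",
    "2018-11-07T02:17:00 user=rad01 host=payroll-db action=export",
    "2018-11-07T03:02:00 user=tmp-admin host=pacs-01 action=login",
]
```

Calling `detect(TRAINING, LIVE)` returns only the two deviating events with their reasons; a real deployment would replace the hour set with a fitted distribution and add peer-group comparison.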
Some Star Trek nerding
It’s not a matter of the machines taking over either, but rather working with security teams to make their workloads manageable and dynamic. Think of it as Security Information and Event Management (SIEM): The Next Generation if you like, with less Captain Picard and more Locutus of Borg.
My Star Trek nerd is strong today, but if yours isn’t let me explain. The captain of the Enterprise was assimilated into the Borg collective (an army of bots if you like) but eventually rescued by his crew. That he was forever ‘part Borg’ would help humanity defeat that enemy in a later episode. What I’m trying to say is that AI and man working together is the best way to defeat the attacking hordes.
Looking back to that IANPHI address, something else Hancock said was that “the NHS must go from being the world’s biggest buyer of fax machines to the tech pioneers of the future” before adding “and I know we can do it, because we’ve done it before”. So, let’s keep the momentum going and do it with security as well.
6 Comments
Good article. I support MH because he is vocal and H&SC leaders should be vocal and share their thoughts. Far too many NHS leaders are now playing it safe. In my mind a man will risk it and go where no man has gone before. In my personal and honest opinion the NHS needs technical people as much as it needs clinical people right NOW.
Unfortunately MH knows nothing about medicine and even less about the correct employment of information technology. It is like giving a loaded gun to a 5 year old. I’m afraid risk taking and people’s lives do not make easy bedfellows. There have been deaths attributed to ‘computers’ but the causes are due to poor processes. To modify an old phrase, ‘poor process in, adverse consequences out’ and the computer is doing exactly as it was told.
Push for security on the next list of Hancock’s principles.
1. Shift left on security, take it out of locked off floors and get developers building it into products.
2. Shift left on patient consent. Take it out of the endless series of meetings which just result in spreadsheets, build it around patients not practitioners/organisations and let developers start building it into products.
3. OAuth2 openid plus authorisation. Admittedly this is one protocol many standards but better than the free for all we currently have.
I have already tried. After Wannacry and the presence of the NCSC I thought this would be rolling along nicely and then they quietly gave IBM a £30m contract to do security work, of which I have heard zilch. I repeat: technology is not the issue in the NHS. The communications processes are, and throwing tech at them won’t solve anything, just make them fail faster.
Unfortunately, whilst some IT suppliers continue to ‘Klingon’ to old technologies there will always be certain vulnerabilities; at least there are some ‘Enterprising’ startups offering network behaviour analytics to try and mitigate these legacy devices and the ‘warped’ hackers trying to exploit them, but cyber-security will always be part of the ‘trials and tribulations’ of working in IT.
Davey used the word PROCESS!! I’ll henceforth read everything he writes, even cheques or notes for the milkman. Welcome to Colditz Davey, just the two of us here at present.