On the same day the health and social care secretary addressed the annual meeting of the International Association of National Public Health Institutes (IANPHI), his vision for putting prevention at the heart of the nation’s health was published.

I couldn’t help but wish Matt Hancock was talking about NHS cybersecurity, and my mind raced with thoughts of Star Trek when Captain Picard was transformed into Locutus of Borg. I’ll explain why in due course.

Both the publication date of 5 November and the document subtitle – ‘Our vision to help you live well for longer’ – made me want to light up the night sky with the message that breach protection is better than post-breach cure. Not that there ever seems to be an actual cure post-breach; just the application of a plaster or two and a quick slurp of whatever security medicine is available and affordable to take away the pain until the next attack.

In that IANPHI speech, Hancock spoke about the use of AI in ‘predictive prevention’ for improving health outcomes.

The next frontier of prevention

“The next frontier of prevention is using the data at our disposal to predict who will be ill with what, and to get in there early,” were the exact words that caught my attention. Substitute ‘ill’ with ‘at risk’, and Hancock could have been revealing my fantasy policy for the future of cybersecurity within the NHS.

I say fantasy not because such predictive cyber-AI technology doesn’t exist in some form, but rather because both my gut and historical evidence suggest a reactive security posture will continue to be the NHS reality for some years to come.

Yet in my never-humble opinion, an intelligent predictive approach to security would both reduce the healthcare attack surface and improve security posture. It would also tick all the boxes that Hancock demands from the NHS across the board – a transformational change that can save money, eliminate waste and get the best return on investment.

A good slogan… shame about the reality

The UK government has a national cybersecurity strategy of defend, deter and develop, which is as it should be. If only the reality were as good as the slogan.

The European Security of Network and Information Systems (NIS) Directive, regardless of where Brexit does or doesn’t leave us, requires that essential services data and networks are both secured and cyber resilient. Everyone would argue, I hope, that this must apply to the NHS. Managing risk is a tricky business; that’s something else that is hard to argue with.

Yet, as the WannaCry incident revealed, the cyber risk to the NHS has not, frankly, been managed as well as it could be. An injection of cash is welcome, but it’s not the answer in isolation; how that cash is spent, on processes and technology, will determine if it’s a wise investment or not. It must be spent with a proactive approach in mind.

That means policies that provide better systems visibility, so that the risk blackspots can be identified, and advanced technologies that can offer predictive resilience against threats that are yet to emerge. I know: this all sounds complex and costly, and it will be. Yet only by building a real-time and exhaustive picture of the network landscape can the kind of zero-trust model that is required to enable applications to exchange data securely be created.

Applying machine learning to User and Entity Behaviour Analytics (UEBA) is just one more way of being more proactive – more predictive – regarding network breach attempts. This kind of scenario modelling, where anomalies are identified automatically, is both intelligent and effective. Effective not just against the external threat actor, but malicious or accidental insider threats as well.

Some Star Trek nerding

It’s not a matter of the machines taking over either, but rather of working with security teams to make their workloads manageable and dynamic. Think of it as Security Information and Event Management (SIEM): The Next Generation, if you like, with less Captain Picard and more Locutus of Borg.

My Star Trek nerd is strong today, but if yours isn’t, let me explain. The captain of the Enterprise was assimilated into the Borg collective (an army of bots, if you like) but eventually rescued by his crew. That he was forever ‘part Borg’ would help humanity defeat that enemy in a later episode. What I’m trying to say is that AI and man working together is the best way to defeat the attacking hordes.

Looking back to that IANPHI address, something else Hancock said was that “the NHS must go from being the world’s biggest buyer of fax machines to the tech pioneers of the future” before adding “and I know we can do it, because we’ve done it before”. So, let’s keep the momentum going and do it with security as well.