How to protect the NHS from hacking, forever and completely

This is possible, cheap and simple. You’ll need no prior technology knowledge and I’ll explain by example. You’ll have safe data and operational resilience if you follow this simple principle:

Separate your data from your tools.

Imagine you’re a master carpenter in Digital World. It’s a world like ours but with the following rules:

  • You can copy ANY object as many times as you want;
  • you can wrap any object in an impenetrable security box;
  • destroying security boxes obliterates everything within them;
  • the padlocks on the security boxes are so strong that All The Energy In The Universe 1 can’t break them open;
  • burglars are exceptional at breaking into Windows (especially old ones); and
  • you need Windows, or a similar workspace, to get any work done.

Let’s imagine, you’re a world renowned furniture maker. Your tools are the same as those used by millions across the globe but your work is unique, valuable and special.

One morning, you arrive to find your workshop burgled. Somebody broke through the Windows. The windows were installed in 2003 because they were “more secure than the Windows you installed in 1998”. 2003 seems like yesterday. The burglar has wrapped EVERYTHING inside your workshop in his own giant security box and put his All The Energy In The Universe defying padlock on it. A ransom note reads, “Send 1000 bitcoins to this address in the next 24 hours or I’ll blow it all up”. You ponder the note for a moment, smile, shrug and then proceed to set the whole thing on fire.

You can do this because your priceless masterpieces are securely stored elsewhere. You roll out an identical replica of your workshop that you made a copy of the last time one of your tools changed. You patch your 2003 Windows and immediately order an installation of the latest version. You bring your masterpiece from the adjacent secure storage into your workshop and resume operations.

“Experts” will tell you that nothing is 100% secure; probably at the same time they hand over their consultancy invoice. But that’s not quite true. No workspace is secure. Security boxes, like the ones the burglar used, could withstand Thor’s Hammer. It’s not practical to work within the security boxes because they don’t have Windows. The Windows in your workspace make them vulnerable. But don’t confuse the insecurity of a workspace with the robust and impenetrable protection of encryption.

Take homes:

  • Don’t store ANYTHING of value in your workspace.
  • The complete destruction of your workspace should be tolerable.
  • Patch windows and install latest versions
  • Securely store valuable items that it would be painful to reproduce.

If ransomware can stop operations then the security strategy is inherrently flawed. No Windows patch will save it. I was surprised to hear emergency departments were closing due to WannaCry ransomware. I have no delusions about NHS security. We still see users of our system on the 15 year old, Internet Explorer 6! I was only astounded because these archaic systems were storing data that’s critical for business continuity. They’re clearly a single point of failure to £X million organisations. This is not an inevitable consequence of system fallability. No organisation should ever store critical operational data in a workspace environment.

Just to be clear:

  • You need to secure your workspace as much as possible. Keep your Windows version patched and up to date.
  • This is an aspiration for future proofing NHS security. It will be impossible to separate the data from the tools in some legacy systems.

Other considerations about this Digital World:

  • It takes a little time to open the padlocks;
  • Copying, storage, padlocks and security boxes are so cheap you should consider it as free.
  • You can get some REALLY advanced and clever padlocks.

Lastly, encryption technology has a lot to offer the NHS. It’s not just for stopping bad people. It could be a real force for good. I hope to see digital cryptography and digital signatures being used in the patient record and prescription systems of the future. The possibilities are endless in this regard.

I’m always happy to discuss this approach with NHS leaders who are worried about future ransomeware attacks.

Keep safe! or more importantly, keep robust!

  1. This is not hyperbole. Some forms of encryption are so strong that whatever you’ve encrypted within them is protected by The Laws of Thermodynamics. All The Energy In The Universe couldn’t crack them; not even with a quantum computer. 


-->