How Does Johns Hopkins Help Protect Data?

A cyberattack occurs when a hacker targets computer networks, systems and infrastructures to maliciously gain access or damage them. Cyberattacks can cause a wide range of problems for an individual or organization, including financial loss, information theft or reputational harm. Darren Lacey, chief information security officer for The Johns Hopkins University and Health System, and his team try to prevent, detect and respond to such attacks. According to Lacey, Johns Hopkins receives thousands of potential security-related events per day. The network firewall blocks a majority of these attacks, and Lacey’s team closely investigates about 20 to 30 incidents weekly. 

“As health care providers, we are targeted because we have information or electronic business processes that hackers believe they could use to make money,” Lacey says. So what does Johns Hopkins do to protect its massive amounts of online records and data, such as employee and personal health information?

Some of the more familiar protections for the private information that employees of Johns Hopkins use or create every day are logins, passwords and multifactor authentication. For example, when you log on to your computer, you need a login and password to access information. When you are working remotely or want to retrieve your pay statement, you may need your phone to receive a secondary passcode via text or authenticator app. “We try to achieve a balance whereby there is a little bit of difficulty for the user in the same way that you may have difficulty from carrying around a key to get into your house,” Lacey says. “The idea is to create an experience that is ‘secure’ and predictable. ‘Secure’ means that the data are protected against most lines of attack.”

There are also many tasks Lacey’s team and Information Technology (IT) as a whole complete behind the scenes. At times, for many different reasons, users move around online data and information or forget it is stored in a certain place, which could lead to negative consequences. “We are interested in trying to identify areas where data resides in an unusual or risky place, such as on a web server,” Lacey says. “Identifying pockets of data that are in places that don’t really serve much of a purpose and thus creates potential risk of loss.”

The IT team also blocks many malicious or unwanted emails from getting into your inbox. Lacey says his team blocks 90 percent of the messages — or millions of messages each day — that come through the Johns Hopkins “gateway” as either spam or phishing attacks. His team will follow URLs in messages, or team members will download, or detonate, files to see if they are malicious. “If we blocked everything that we thought might possibly be phishing, and we really tightened the controls, many, many legitimate messages from external sources would be blocked,” Lacey says. “So we have to constantly gauge whether we’re blocking too much or not blocking enough.”  

Lacey’s group also tries to prevent cyberattacks through threat modeling. “We try to imagine what kinds of things an attacker is likely to do,” Lacey says. “We try to imagine the bad things that can happen, what’s the likelihood of those bad things and what’s the motivation of a potential attacker.” Lacey’s team then identifies security controls to help prevent such an attack, while balancing the concerns and needs of users to avoid frustration in their everyday use of computers and networks. “Our goal is to build trust in systems, legitimate levels of trust and to create a consistent environment for users, IT administrators and application developers and administrators that is a balance between annoying and secure.”

Still, Lacey warns that despite all the precautionary measures his team and the entire IT team take, hackers can still be successful. “The idea is that for most of us, we have to operate under the assumption that bad things will happen, and it’s really our responsibility as individuals to protect ourselves as best we can,” Lacey says.

Here are some ways you can protect yourself from being a victim of a cyberattack:

  • Make good choices about storing and distributing information. Regularly review and organize your computer and network files. Lacey asks users “to use common sense and use the amount of data that you think you will need for your job.”
  • Do your own threat modeling. Determine your own worst-case scenarios and think through them. “If you assume that a lot of information about you is going to get out, how do you reduce the likelihood of that information damaging you?” Lacey says.
  • Ensure important personal accounts, such as banking, retirement and email accounts, are set up with multifactor authentication, if available. Also, request notifications when a certain amount of money is withdrawn or other changes are made to your banking or retirement accounts.
  • Do not respond to online requests for personally identifiable information. Most organizations, including Johns Hopkins, will not ask for this information through the internet.
  • When in doubt, trust your instincts. If an offer looks too good to be true, you are probably right.

For additional tips, check out this Hopkins on Alert article.

Related articles:

Preparedness Spotlight: What You Need to Know About Cybersecurity