See more in:
How Does Johns Hopkins Help Protect Data?
A cyberattack occurs when a hacker targets computer networks, systems and infrastructures to maliciously gain access or damage them. Cyberattacks can cause a wide range of problems for an individual or organization, including financial loss, information theft or reputational harm. Darren Lacey, chief information security officer for The Johns Hopkins University and Health System, and his team try to prevent, detect and respond to such attacks. According to Lacey, Johns Hopkins receives thousands of potential security-related events per day. The network firewall blocks a majority of these attacks, and Lacey’s team closely investigates about 20 to 30 incidents weekly.
As health care providers, we are targeted because we have information or electronic business processes that hackers believe they could use to make money, Lacey says. So what does Johns Hopkins do to protect its massive amounts of online records and data, such as employee and personal health information?
Some of the more familiar protections for the private information that employees of Johns Hopkins use or create every day are logins, passwords and multifactor authentication. For example, when you log on to your computer, you need a login and password to access information. When you are working remotely or want to retrieve your pay statement, you may need your phone to receive a secondary passcode via text or authenticator app. “We try to achieve a balance whereby there is a little bit of difficulty for the user in the same way that you may have difficulty from carrying around a key to get into your house,” Lacey says. “The idea is to create an experience that is ‘secure’ and predictable. ‘Secure’ means that the data are protected against most lines of attack.”
There are also many tasks Lacey’s team and Information Technology (IT) as a whole complete behind the scenes. At times, for many different reasons, users move around online data and information or forget it is stored in a certain place, which could lead to negative consequences. “We are interested in trying to identify areas where data resides in an unusual or risky place, such as on a web server,” Lacey says. “Identifying pockets of data that are in places that don’t really serve much of a purpose and thus creates potential risk of loss.”
The IT team also blocks many malicious or unwanted emails from getting into your inbox. Lacey says his team blocks 90 percent of the messages — or millions of messages each day — that come through the Johns Hopkins “gateway” as either spam or phishing attacks. His team will follow URLs in messages, or team members will download, or detonate, files to see if they are malicious. “If we blocked everything that we thought might possibly be phishing, and we really tightened the controls, many, many legitimate messages from external sources would be blocked,” Lacey says. “So we have to constantly gauge whether we’re blocking too much or not blocking enough.”
Lacey’s group also tries to prevent cyberattacks through threat modeling. “We try to imagine what kinds of things an attacker is likely to do,” Lacey says. “We try to imagine the bad things that can happen, what’s the likelihood of those bad things and what’s the motivation of a potential attacker.” Lacey’s team then identifies security controls to help prevent such an attack, while balancing the concerns and needs of users to avoid frustration in their everyday use of computers and networks. “Our goal is to build trust in systems, legitimate levels of trust and to create a consistent environment for users, IT administrators and application developers and administrators that is a balance between annoying and secure.”
Still, Lacey warns that despite all the precautionary measures his team and the entire IT team take, hackers can still be successful. “The idea is that for most of us, we have to operate under the assumption that bad things will happen, and it’s really our responsibility as individuals to protect ourselves as best we can,” Lacey says.
Here are some ways you can protect yourself from being a victim of a cyberattack:
For additional tips, check out this Hopkins on Alert article.