Mission: Continuity

BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Stephanie Poe, DNP, RN-BC

CNIO, The Johns Hopkins Hospital and Health System


Discussion Topics

• The “Age of Acceleration”

• Cyber Risk and Cyber Resilience

• Cybersecurity Infrastructure and Nursing Informatics

• Building Cyber Resilience

• Resilience Training Content

SINI 2018, July 20, 2018


The Age of Acceleration

SETTING THE CONTEXT


The Age of Acceleration

Exponential Growth of Computing Power (Technology)

Compelling Evidence of Climate Change

Massive Globalization


Cyber Risk as defined by the Institute of Risk Management

• Any risk of financial loss, service disruption, or reputational damage to an organization from some sort of failure of its information technology systems.

Not a question of “if”, but “when”


An Emerging Lexicon

• Cyberattack

• Cyber Crime

• Cyber Ecosystem

• Cyber Event

• Cyber Exercise

• Cyber Health/Safety

• Cyber Hygiene

• Cyber Incident

• Cyber Infrastructure

• Cyber Literacy

• Cyber Operations

• Cyber Ops Planning

• Cyber Risk

• Cybersecurity

• Cyber Threat

• Cyber Resilience


Hacktivism

Phishing

Data Breach

Social Engineering

Massive Security Flaws

Ransomware


Cyber Risk Threatens

• HIPAA security

• Personal security

• Business continuity

• Service excellence

• Patient safety

• Financial stability


Cyber Resilience

CRITICAL CYBERSECURITY INFRASTRUCTURE AND THE ROLE OF NURSING INFORMATICS SPECIALISTS


Risk Resilience

Given the inevitability of cyber incidents, how can we best prepare?


Cybersecurity

Systemic challenge

Affects digital economy & society

Risk is loss of networks, data, services

Risk is reputational and existential

Urgency is “now”

World Economic Forum (2017). System Initiative on the Digital Economy and Society: Advancing Cyber Resilience: Principles and tools for Boards.


NIST Definitions

• Cybersecurity: process of protecting information by preventing, detecting, and responding to attacks

• Cyber Event: change that may have an impact on organizational operations

• Cyber Incident: event that has been determined to have an impact on the organization prompting the need for response and recovery


Critical Infrastructure Components

Identify

Asset management

Business environment

Governance

Risk assessment

Risk mitigation

Supply chain risk management


NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018


Partnership for Identify Function

Emergency Management

Clinical Informatics

Information Technology


Critical Infrastructure Components

NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018

Protect

Identity management

Authentication

Access control

Cybersecurity awareness and training

Data security

Information protection processes

Maintenance and repairs

Protective technology


Partnership for Protect Function

Access Security

Academic Trainees

Cybersecurity Training


Critical Infrastructure Components

Detect

Anomalies and events

Security continuum monitoring

Detection processes


NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018


Partnership for Detect Function

High Reliability

Situational Awareness

Vigilance

Training


Critical Infrastructure Components

Respond

Response planning

Communication

Analysis

Mitigation

Improvements


NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018


Partnership for Respond Function

Communication

Downtime Forms

Downtime Reports


Critical Infrastructure Components

Recover

Recovery planning

Communication


NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018


Partnership for Recovery Function

Recovery Procedures

Short-term Recovery

Long-term Recovery


Building Cyber Resilience

STOP – THINK – CONNECT


Cyber-Resilience

• A public good

• Information stewardship

• Strategy & culture versus tactics

• Accountability: Board and Executive Team

• Responsibility: All

World Economic Forum (2017). System Initiative on the Digital Economy and Society: Advancing Cyber Resilience: Principles and tools for Boards.


Cybersecurity Triad

People

Technology

Processes

Stop Think Connect

National Cybersecurity Awareness Month – every October: collaborative effort between government and industry


Staff Awareness

• Password Safety?

• Phishing?

• Reporting suspicious activity?

• Social media?

• BYOD?

• Connected medical devices?

• Removable data?

• Personal information?

• Information handling?

• Remote and mobile working?

• Web plug-ins?

• Shadow IT or free software?


Developing Cyber Resilience in Faculty and Employees

Engage

Educate

Execute

Evaluate

Endure

Extend

Johns Hopkins Research & Quality Group Translation Model, Pronovost et al., 2008


Developing Resilience

Engage

• Who are your stakeholders?

• Know where they stand – their knowledge, their skills

• Make personal connections with real world application

• Promote interest and curiosity


Developing Resilience

Educate

• Where are the knowledge gaps?

• Raise awareness

• Provide information and make it personal

• Encourage inquiry and exploration


Developing Resilience

Execute

• Assign personal responsibility

• Teach cyber hygiene best practices

• Test cyber hygiene competency

• Practice IT emergency management


Developing Resilience

Evaluate

• Monitor behaviors

• Review incident reports related to security breaches

• Debrief unplanned technology outages


Developing Resilience

Extend

• Share best practices across job roles

• Share lessons learned during unplanned outages

• Design for high reliability


Developing Resilience

Endure

• Plan for sustaining resilience over time

• Conduct refreshers

• Hold cyber hygiene campaigns

• Reward/recognize resilience behaviors


Sample Educational Content

HARDWIRING CYBER HYGIENE PRACTICES TO BUILD RESILIENCE


Teaching Principles of Good Cyber Hygiene

Password management

Situational awareness

Phishing detection


Cyber Hygiene Best Practices – for end users

Use $trOng3r passwords (use numbers, symbols, upper & lower case letters)


Change passwords regularly (every 45-90 days)


Don’t change your passwords or enter personal credentials over public Wi-Fi


Don’t share usernames, passwords, or access codes with anyone


Don’t open emails, links, or attachments from strangers


Disable Auto connect Wi-Fi or enable “Ask to Join Networks”


Use your cell network when security is important (4G, 5G, LTE)


Limit personally identifiable information on social media


Limit how often you “like” a status, follow a page, or allow an app to access your social media profile


Be wary of unsolicited calls asking you to break normal security features,


Update apps and computers within 24 hours of notification


Use the latest browsers; they have improved security


Enable privacy settings, increase default security settings, set up alerts


Before clicking on anything, stop, think, and check if it is expected, valid & trusted.


Managing The Age of Acceleration

Exponential Growth of Computing Power (Technology)

Compelling Evidence of Climate Change

Massive Globalization

Nursing Informatics Leadership is Critical to Developing Cyber Resilience


Questions?


Contact information:

[email protected]