Mission: ContinuityB U I L DI NG R E S I L IEN CE AG A I N S T U N P L A NNE D S E R VI CE I N T E R R UPTI ON S
Stephanie Poe, DNP, RN-BCCNIO, The Johns Hopkins Hospital and Health System
Discussion Topics
• The “Age of Acceleration”
• Cyber Risk and Cyber Resilience
• Cybersecurity Infrastructure and Nursing Informatics
• Building Cyber Resilience
• Resilience Training Content
July 20, 2018SINI 2018 2
The Age of AccelerationS E T T I NG T HE CO N T E XT
July 20, 2018SINI 2018 3
The Age of Acceleration
Exponential Growth of Computing
Power (Technology)
Compelling Evidence of Climate
Change
Massive Globalization
July 20, 2018SINI 2018 4
Cyber Risk as defined by the Institute of Risk Management
• Any risk of financial loss, service disruption, or reputational damage to an organization from some sort of failure of its information technology systems.
Not a question of “if”, but “when”
July 20, 2018SINI 2018 5
An Emerging Lexicon
• Cyberattack
• Cyber Crime
• Cyber Ecosystem
• Cyber Event
• Cyber Exercise
• Cyber Health/Safety
• Cyber Hygiene
• Cyber Incident
• Cyber Infrastructure
• Cyber Literacy
• Cyber Operations
• Cyber Ops Planning
• Cyber Risk
• Cybersecurity
• Cyber Threat
• Cyber Resilience July 20, 2018SINI 2018 6
Hacktivism PhishingData
BreachSocial
EngineeringMassive Security
Flaws
July 20, 2018SINI 2018 7
Ransomware
Cyber Risk Threatens• HIPAA security
• Personal security
• Business continuity
• Service excellence
• Patient safety
• Financial stability
July 20, 2018SINI 2018 8
Cyber ResilienceCR I T I CA L CY B E R S E CUR IT Y I N F R A S T R UCTUR E A N D T HE R O L E O F N U R S I NG I N F O R M ATI CS S P E CI A L IST S
July 20, 2018SINI 2018 9
Risk Resilience
Given the inevitability of cyber incidents, how can we best prepare?
July 20, 2018SINI 2018 10
Cybersecurity
Systemic challenge
Affects digital economy &
society
Risk is loss of networks, data,
services
Risk is reputational and
existential
Urgency is “now”
World Economic Forum (2017). System Initiative on the Digital Economy and Society: Advancing Cyber Resilience: Principles and tools for Boards.
July 20, 2018SINI 2018 11
NIST Definitions
• Cybersecurity: process of protecting information by preventing, detecting, and responding to attacks
• Cyber Event: change that may have an impact on organizational operations
• Cyber Incident: event that has been determined to have an impact on the organization prompting the need for response and recovery
July 20, 2018SINI 2018 12
Critical Infrastructure Components
Identify Asset management
Business environment
Governance
Risk assessment
Risk mitigation
Supply chain risk management
July 20, 2018SINI 2018 13
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018
Partnership for Identify Function
Emergency Management
Clinical Informatics
Information
Technology
July 20, 2018SINI 2018 14
Critical Infrastructure Components
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018
Protect Identity management
Authentication
Access control
Cybersecurity awareness and training
Data security
Information protection processes
Maintenance and repairs
Protective technology
July 20, 2018SINI 2018 15
Partnership for Protect Function
Access Security
Academic Trainees
Cybersecurity
Training
July 20, 2018SINI 2018 16
Critical Infrastructure Components
Detect Anomalies and events
Security continuum monitoring
Detection processes
July 20, 2018SINI 2018 17
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018
Partnership for Detect Function
High Reliability
Situational Awareness
Vigilance
Training
July 20, 2018SINI 2018 18
Critical Infrastructure Components
Respond Response planning
Communication
Analysis
Mitigation
Improvements
July 20, 2018SINI 2018 19
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018
Partnership for Respond Function
Communication DowntimeForms
Downtime Reports
July 20, 2018SINI 2018 20
Critical Infrastructure Components
Recover Recovery planning
Communication
July 20, 2018SINI 2018 21
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018
Partnership for Recovery Function
Recovery Procedures
Short-term Recovery
Long-term Recovery
July 20, 2018SINI 2018 22
Building Cyber ResilienceS TO P – T HI N K - CO N N E CT
July 20, 2018SINI 2018 23
Cyber-Resilience• A public good
• Information stewardship
• Strategy & culture versus tactics
• Accountability: Board and Executive Team
• Responsibility: All
World Economic Forum (2017). System Initiative on the Digital Economy and Society: Advancing Cyber Resilience: Principles and tools for Boards.
July 20, 2018SINI 2018 24
Cybersecurity Triad
People
Technology
Processes
Stop Think Connect
National Cybersecurity Awareness Month –
every October: collaborative effort
between government and industry
July 20, 2018SINI 2018 25
Staff Awareness • Password Safety?• Phishing?• Reporting suspicious
activity?• Social media?• BYOD?• Connected medical
devices?
• Removable data?• Personal information?• Information handling?• Remote and mobile
working?• Web plug-ins?• Shadow IT or free
software?
July 20, 2018SINI 2018 26
Developing Cyber Resilience in Faculty and Employees
Engage
Educate
Execute
Evaluate
Endure
Extend
Johns Hopkins Research & Quality Group Translation Model, Pronovost et. al., 2008 July 20, 2018SINI 2018 27
Developing Resilience
Engage
• Who are your stakeholders?
• Know where they stand –their knowledge, their skills
• Make personal connections with real world application
• Promote interest and curiosity
July 20, 2018SINI 2018 28
Developing Resilience
Educate
• Where are the knowledge gaps?
• Raise awareness
• Provide information and make it personal
• Encourage inquiry and exploration
July 20, 2018SINI 2018 29
Developing Resilience
Execute
• Assign personal responsibility
• Teach cyber hygiene best practices
• Test cyber hygiene competency
• Practice IT emergency management
July 20, 2018SINI 2018 30
Developing Resilience
Evaluate
• Monitor behaviors
• Review incident reports related to security breaches
• Debrief unplanned technology outages
July 20, 2018SINI 2018 31
Developing Resilience
Extend
• Share best practices across job roles
• Share lessons learned during unplanned outages
• Design for high reliability
July 20, 2018SINI 2018 32
Developing Resilience
Endure
• Plan for sustaining resilience over time
• Conduct refreshers
• Hold cyber hygiene campaigns
• Reward/recognize resilience behaviors
July 20, 2018SINI 2018 33
Sample Educational ContentHA R D W I R I NG CY B E R HYG I E N E P R ACT I CE S TO B U I L D R E S I LI ENCE
July 20, 2018SINI 2018 34
Teaching Principles of Good Cyber Hygiene
Password management
Situational awareness
Phishing detection
July 20, 2018SINI 2018 35
Cyber Hygiene Best Practices – for end users
Use $trOng3r passwords (use numbers, symbols, upper & lower case letters)
July 20, 2018SINI 2018 36
Cyber Hygiene Best Practices – for end users
Change passwords regularly (every 45-90 days)
July 20, 2018SINI 2018 37
Cyber Hygiene Best Practices – for end users
Don’t change your passwords or enter personal credentials over public Wi-Fi
July 20, 2018SINI 2018 38
Cyber Hygiene Best Practices – for end users
Don’t share usernames, passwords, or access codes with anyone
July 20, 2018SINI 2018 39
Cyber Hygiene Best Practices – for end users
Don’t open emails, links, or attachments from strangers
July 20, 2018SINI 2018 40
Cyber Hygiene Best Practices – for end users
Disable Auto connect Wi-Fi or enable “Ask to Join Networks”
July 20, 2018SINI 2018 41
Cyber Hygiene Best Practices – for end users
Use your cell network when security is important (4G, 5G, LTE)
July 20, 2018SINI 2018 42
Cyber Hygiene Best Practices – for end users
Limit personally identifiable information on social media
July 20, 2018SINI 2018 43
Cyber Hygiene Best Practices – for end users
Limit how often you “like” a status, follow a page, or allow an app to access your social media profile
July 20, 2018SINI 2018 44
Cyber Hygiene Best Practices – for end users
Be wary of unsolicited calls asking you to break normal security features,
July 20, 2018SINI 2018 45
Cyber Hygiene Best Practices – for end users
Update apps and computers within 24 hours of notification
July 20, 2018SINI 2018 46
Cyber Hygiene Best Practices – for end users
Use the latest browsers; they have improved security
July 20, 2018SINI 2018 47
Cyber Hygiene Best Practices – for end users
Enable privacy settings, increase default security settings, set up alerts
July 20, 2018SINI 2018 48
Cyber Hygiene Best Practices – for end users
Before clicking on anything, stop, think, and check if it is expected, valid & trusted.
July 20, 2018SINI 2018 49
Managing The Age of Acceleration
Exponential Growth of Computing
Power (Technology)
Compelling Evidence of Climate
Change
Massive Globalization
July 20, 2018SINI 2018 50
Nursing Informatics Leadership is Critical to Developing Cyber Resilience
Questions?
SINI 2018 July 20, 2018 51
Contact information: