Every day and all night long, spammers, scammers, crooks, spies and robots jiggle the doorknobs on the Johns Hopkins Medicine computer network, trying to find a way in.
Darren Lacey, chief information security officer, leads a team working hard to stay one virtual deadbolt ahead in the high-stakes world of cybersecurity.
In a mild Oklahoma twang, he declares that Johns Hopkins is up to the task. Also responsible for protecting most of The Johns Hopkins University, Lacey packs a laptop that can monitor both Johns Hopkins networks in real time and instant-message staff members when something looks suspicious.
With the recent ransomware attacks on hospital networks around the nation, discussions of data security are never far away. Lacey recently paused his patrol to talk with Dome about the state of network security at Johns Hopkins.
Q: It seems as if hospitals increasingly are a target of hackers.
A: I believe attackers are going after hospitals because they see a lot of them with unpatched vulnerabilities. They seem to be coming after health care because we’re an easy target, or at least easier than banks. Whether compromising health care data is their purpose is an open question. In our analysis of attacks over the years, we see little to indicate patient data have been singled out.
Q: The recent attacks on hospitals across the nation seem to be motivated by money. Tell us about ransomware. How does it work?
A: It’s a form of malware that goes in, infects a machine and looks for every place where files may be stored. On an individual machine, it finds files, takes those folders—say, your documents folder—and encrypts it. Then, it also looks for connected file shares, like your H drive. It gathers every file on the H drive and encrypts it. Next, it sends a notice to the user, saying, “All your files are encrypted. If you want your files back, you have to send us a payment.”
One way people normally get attacked with ransomware is when someone on the network opens an email attachment that seems benign.
Q: How are we protecting ourselves?
A: We use dozens of different technical controls to combat attacks. One that users might see is when we email or text you a random numeric code to use after you enter a password. That’s called a multifactor authentication. This a big deal for both users and systems administrators, as it makes attacks like phishing for passwords less effective. Our attacks dropped off significantly after we had those protections.
Q: How many attempts a day are there to break into Johns Hopkins?
A: We generally block 3 to 5 million intrusion attempts a day—in addition to knocking down spam and things like that.
Ninety-nine percent of these attacks are automated. They are essentially scanning the internet, looking for vulnerabilities. They are not intelligent attacks, as a general matter. It’s knocking on doors and rattling doorknobs over and over and over. A substantial proportion of what we block is internal computers on the Johns Hopkins network calling out to sites that are used by attackers as “command and control” systems.
Q: How much happens that you actually worry about?
A: Generally, we investigate 20 or 30 things a day.
Q: How do you and your team keep the network safe?
A: We constantly test our environment. We’re constantly running scans and penetration tests to determine any types of vulnerabilities.
Q: Does this mean we employ our own hackers?
A: In the information security business, we call it red teaming and blue teaming. A red team attacks something in the system, and the blue team defends it. Penetration testing tries to find weaknesses that hackers might try to exploit. Once, the goal was to be as stealthy as possible so that no one would know that you were testing them. Now I try to be a little noisier. The goal is for departments to be able to monitor their own systems well enough to see whether they’re being attacked. We’re looking for someone to come back to us and say, “What the heck is going on with my server, or whatever?”
Q: How big is our cybersecurity staff?
A: About 15 or 20, depending on how you count them. The staff is about 30 percent larger than it was three years ago. And we’re still trying to develop it.
Q: Johns Hopkins Medicine has roughly 40,000 employees and thousands of guests using the network. What sort of daily traffic do those numbers generate?
A: Johns Hopkins Medicine has about 100,000 devices, including smartphones and home computers, on the network on any given workday.
Those devices generate not quite 1 billion sessions a day. Today, for instance, we have 830,376,000 successful sessions in the Johns Hopkins Medicine clinical network. That’s people at Johns Hopkins connecting with one another and with people on the outside. Every time you log on to a website, you’re going to create a session. And your conversation with someone may have multiple sessions in it.
Q: Do that many devices create vulnerabilities? It seems that if we were a building with one door and no windows, we’d be harder to break into.
A: Yes. That’s the right metaphor. We’re going to be asking people to do a lot of things differently over the next few years. For example, we’re going to see increasing restrictions on the kinds of devices that can get on our network. Those devices are going to have to prove that they have their anti-virus software up to date. They’re going to have to prove that they’re encrypted. And they’re not going to have to prove it to you or me; they’re going to have to prove it to the network itself.
We have to make sure we have more people using IT-issued and managed devices, especially laptops and workstations.
Q: What can employees do to protect patient privacy and to keep the network safe?
A: Patient privacy is as important as security, and it goes beyond the computer network. Follow the safeguards we have in place. Be mindful of privacy protection when it comes to copying, storing and sharing private information about patients. Don’t have private conversations about patients in public places like elevators. Clean your desk and be careful with documents that contain patient information.
As for the computer network, pay attention to things like opening suspicious emails. If one looks fishy, or you don’t recognize the sender, please don’t open the attachment.
Q: Is it just a 21st-century fact of life that we’ll all get hacked at one time or another?
A: There’s an element of truth in the notion that we’re all vulnerable and we’re all going to get attacked. But a lot depends on the culture of the organization. Our academic culture is different from, say, a bank, where there’s the expectation of complete privacy and airtight security. Our main objective is to tamp down the vulnerabilities and to be good enough at incident response that the bad guys don’t go after us as frequently.
Q: Are you worried that hackers will see Johns Hopkins as a challenge?
A: There’s this myth that if you work really hard at protection, the bad guys will see you as a challenge and they’ll really go after you. There is little evidence for that. They’re generally looking for easy pickings.
You know the one about the couple who encounters a bear in the woods? The woman takes off running. The man yells, “This bear can run 30 miles an hour! There’s no way you can outrun him!” And the woman yells back, “I don’t have to outrun the bear—I just have to outrun you!”
That is the information security world.
Q: Overall, how concerned should we be about cyber threats?
A: I’m quite optimistic about this. I actually think that not only can we get ahead of it, but we will get ahead of it. This is a difficult technical and organizational problem, and there are smart people working hard to address it.