UNMC Cyber Exercise Tabletop Exercise April 13, 2016
Agenda Welcome Introductions Objectives Background Scope of Exercise Rules of Engagement Exercise Scenario Hotwash Evaluation and Final Comments
Welcome!! Thank you to the exercise design team for help developing this exercise
Exercise Design Team Keith Hansen, UNMC Rick Boldt, UNMC Marc Ferguson, Nebraska Medicine Sharon Welna, UNMC Brian Madison, Center for Preparedness Education
Introductions Name Role in your institution
Objectives At the end of this exercise: Personnel will be able to demonstrate their knowledge and expertise in handling cyber security attacks Personnel will have a better understanding of how the whole facility is affected They will have a better understanding of how the event may affect the safety and welfare of staff/students They will also have a better understanding of business continuity/resilience operations are conducted during downtime procedures/services
Background Personnel rely on electronic records and computers for assistance in research and day-to-day operations with students and staff Computer issues demonstrate our susceptibility to computer disruptions Data attacks impact a wide range of people internally and externally Communication among personnel may enhance earlier detection and resolution of widespread computer issues
9
10
Overview -Cyber Attacks - Dose of Reality
12
13
14
15
17
18 Dr. Jeffrey Gold Vice President University of NE UNMC Chancellor Ne Med Chairman of the Board Deb Thomas Interim Vice Chancellor Business and Finance Yvette Holly Assistant Vice Chancellor Information Technology Services Sharon Welna Information Security Officer Rosanna Morris Interim CEO Brad Britigan, MD Dean UNMC COM Interim President Michael Ash, M.D. Chief Transformation Officer UNMC/NM Security Executive Council Brian Lancaster Executive Director Information Management Harris Frankel, M.D. Chief Medical Officer UNMC/NM Security Executive Council Privacy Office UNMC/NM Security Executive Council
19
20
Scope of Exercise Table Top exercise – no actual computing systems will be used Scenario will be presented Groups will discuss questions Groups will report highlights to entire assembly No particular electronic records system is assumed Each table will need a recorder (Planning Chiefs) and a reporter
Rules of Engagement No threat, no harm, no foul – open and candid discussions are crucial Discussions are not policy-building or policy recommendations Proprietary information need not be released Communication between groups is encouraged when appropriate Cell phones, calls, etc – please step out of the room if you take a call We are learning from each other
Module 1 An employee of your facility discovered that another employee had placed some confidential information on social media. He felt he had a responsibility to report the incident & contacted the Human Resource (HR) department. HR upon getting this report did their internal investigation & determined in fact that the confidential information had been compromised. HR discussed the situation with the IT Director and the Compliance and Information Security Officer for the Family Educational Rights and Privacy Act (FERPA). They made the determination based on the information that had been placed on social media & due to their internal facility policy that the employee was to be terminated.
Module 1 cont. They met with the employee on a Friday afternoon & he was terminated. At this time the employee’s accessibility has not been properly terminated. The employee had been working with the staff on issues as identified with electronic records for research and Blackboard. On the weekend after being terminated (which he felt had been unfair) he gained access to the facilities computer system. That weekend the staff that was on duty started having some computer issues – being extremely slow & having difficulty logging into the system. Students have started complaining to their professors that they are having issues logging in on Blackboard.
Module 1 cont. On Monday multiple departments/students are having computer issues & research staff has started noticing that computer access is very slow and there are errors on diagnostic test reports.
Module 1 Questions How is your day-to-day operations for faculty, staff, and students going to be affected? How is the system slow – down and glitches now communicated between departments? What is your process for reporting? Who is responsible for reporting? Who do they report to?
Module 2 At this time everything has increased in severity. All departments in the facility are now having computer issues & all research areas are getting abnormal & inaccurate diagnostic test results. Blackboard is now experiencing major issues as well. IT is being bombarded with and questions have come up as to how & when this will be resolved. At this time the decision has been made to shut the computer system down.
Module 2 Questions What policies/procedures are in place to allow students to continue coursework or get extensions from faculty? If downtime procedures are used, what are the issues involved? What are departments doing now with personnel? Have any legal/liability issues surfaced?
Module 3 Social media has picked up on the event & numerous tweets have been going out. Most are negative about the handling of the event. TV channels are contacting the PIO for interviews as well as the written news departments from the area & surrounding counties. Talk show hosts are getting people to call in – their comments have not been accurate on the handling of the issue.
Module 3 Questions What is your organization’s internal social media policy? What is the role of your PIO at this time? What is your facility’s procedure for handling news media personnel? What legal/liability issues can UNMC anticipate? What is your Business Continuity Plan & what issues do you anticipate?
Hotwash
Evaluation
Final Comments Thank You for your attendance and participation! Please leave your evaluation forms with the exercise design team. Have a great day!!