Information Security Tips

National Cybersecurity Awareness Month Tip (Week Five)

Keep your personally owned devices, apps, browsers, and anti-virus/anti-malware software patched and up to date.

  • Enable automatic updates for operating system changes and application security patches.
  • Restart your devices periodically to make sure updates are applied.
  • If you do not have a current antivirus program installed, all UCLA faculty, students and staff are eligible to use UCLA-licensed Sophos.
  • Note: UCLA Health IT will keep the workstations and PCs they manage up to date. 


National Cybersecurity Awareness Month Tip (Week Four)

Protect your data. Encrypt your devices.

  • Be sure your Windows PC or Mac is encrypted to prevent data theft.
  • Ensure that your iOS or Android device is encrypted and enrolled in AirWatch.
  • Use only encrypted USBs or portable hard drives.


National Cybersecurity Awareness Month Tip (Week Three)

Back up critical files.

  • Back up critical data to UCLA Health IT-approved storage such as network file shares and UCLA Health Box.
  • Any external media or USB drives used for backups must be encrypted.
  • To protect against ransomware, make sure to have offline backups.
  • To protect against fires, floods and other disasters, be sure to have offsite backups.
  • Test your backup files periodically.
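Testing a backup means more than seeing that the files exist: a restored copy can be truncated, stale or missing pieces. The script below is an added example, not a UCLA Health IT tool or anything from this page; it records a SHA-256 manifest of a folder when the backup is made and later checks a restored copy against it. The folder names and file contents are made up for the demonstration.

```python
"""Verify that a backup actually restores.  Added example, not UCLA Health IT
tooling: record a SHA-256 manifest of a folder at backup time, then compare a
restored copy against it and report files that are missing, changed or unexpected."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.
    Paths use forward slashes so a manifest made on one OS verifies on another."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.  Returns
    {'missing': [...], 'corrupt': [...], 'extra': [...]}; all three empty means
    the restore is byte-for-byte what was backed up."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def demo():
    """Constructed scenario (sample files made up for this example): back up three
    files, then simulate a restore in which one file was truncated and one is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "grants"))
        samples = {
            "notes.txt": b"clinic schedule, no PHI\n",
            "grants/budget.csv": b"item,cost\nlaptop,1200\n",
            "grants/proposal.txt": b"specific aims ...\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)  # keep this alongside the backup itself

        restored = os.path.join(tmp, "restore")
        shutil.copytree(src, restored)
        with open(os.path.join(restored, "grants", "budget.csv"), "wb") as fh:
            fh.write(b"item,cost\n")  # partial copy / media error
        os.remove(os.path.join(restored, "grants", "proposal.txt"))
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the backup (and, for an offline copy, on the media itself), and run the verification against a real restore to a scratch location, not against the original files.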


National Cybersecurity Awareness Month Tip (Week Two)

Protect your passwords. 

  • Make them long and strong.
  • Never reveal your password to anyone.
  • Use different passwords for different accounts.
  • Use different passwords for work and non-work activities.
  • Click "no" when websites or apps ask to remember your password.
  • Use strong authentication where possible, such as multifactor authentication (Duo), fingerprints, and tokens.


National Cybersecurity Awareness Month Tip (Week One)

Always think twice before clicking on links or opening attachments.

  • Even if they look like they are from someone you know.
  • Whenever possible, go to web pages by searching for the topic or typing the address yourself instead of clicking on a link in a message.
  • If an attachment is unexpected, contact the sender by phone, or by e-mail to an address you already know, to confirm that they sent it. Do not simply reply to the message.


It's National Cyber Security Awareness Month

Please help celebrate by watching the following short videos:

  • How to create a strong password by Google (52 seconds)
  • Phishing & Email Security by SANS (3 minutes 54 seconds)
  • WIFI Phishing by Sophos (5 minutes 33 seconds)
  • Learn more about Cyber Security at the link below:

Beware of bogus computer support calls

Attackers pretending to be Computer Support are calling the Health Sciences!

Don’t invite them in to your computer, install their software or give them your passwords!

These attackers want to steal personal financial information as well as confidential UCLA information from your computer and file shares.

  • Be aware of all unsolicited computer support calls.
  • UCLA computer support will never ask you for your password.
  • If in doubt that a computer support call is real, hang up! Then call your local IT support team to verify.

Report suspicious activity to your local IT support group or contact [email protected].


Create your own custom Smartphone Security Checklist!

Mobile security threats are on the rise so check how well your devices are secured by using the FCC tool:

  • If you use your smartphones or tablets for UCLA Health Sciences Business, they must be encrypted and enrolled in ISS AirWatch.
  • Download apps only from trusted stores. Read the app’s privacy policy to see exactly what phone features it will have access to.
  • Maintain physical control of the devices in public or semi-public places.
  • Disable interfaces that are not currently in use, such as Bluetooth, infrared, or Wi-Fi. Set Bluetooth-enabled devices to non-discoverable.
  • Keep your smartphone OS and apps up-to-date on patches.
  • Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots.
  • Securely delete all information stored in a device prior to discarding it.
  • Report a stolen smartphone or tablet to [email protected].

Protect yourself from Malicious Advertising attacks!

Malicious advertising (Malvertising) uses online advertising, often on reputable sites, to distribute malware, particularly ransomware, with little or no user interaction required. See the Infographic to learn more.

Malvertising and Ransomware, the Bonnie and Clyde of Advanced Threats Infographic

To protect yourself against Malvertising:

  • Practice safe browsing and be selective about which sites you browse and which links you click. This won’t protect you against malvertising served on reputable sites, but it will decrease your odds of getting hit.
  • Make sure your operating system, browser, any browser add-ons and antivirus software are fully up to date.
  • Remove any software you don’t use, especially Flash or Java, and keep all third-party software up to date.
  • Enable the safety features available for your browser:
    • Turn on Enhanced Protected Mode in IE 11.
    • Recent Firefox versions set plugins to “Ask to Activate” by default, with the exception of Flash. Consider enabling “Ask to Activate” for Flash as well.
    • Enable “Let me choose when to run plugin content” in Chrome.

Enabling Macros for Word can install Ransomware!

Online criminals are sending phishing emails with attached Word documents whose macros install ransomware. If you open an attachment and get a message asking you to enable macros, do not enable them: close the file and forward the email with the attachment to Dangerous Email ([email protected]) so they can check whether it is legitimate.

Below is a phishing email with a Word attachment that was sent to UCLA Health Sciences recently.

[Image: the phishing email with its Word attachment]

And here is the message that comes up when the Word file is opened. Enabling macros would install the Locky ransomware and encrypt all the files on the computer and on any file shares the user can write to.

[Image: the “enable macros” prompt shown when the attachment is opened]


Beware of Downloading or Distributing Copyrighted Material

  • When you download or acquire unlicensed copies of copyrighted works, or upload or distribute copies of copyrighted works, you may be infringing upon the copyright holder’s rights.
  • If you violate a copyright owner’s exclusive rights, even unknowingly, you can be subject to University disciplinary actions, civil damages between $750 and $150,000 (per infringement) and/or jail time.
  • When reports are received of alleged copyright infringement on UCLA Health Sciences networks, the owner of the system responsible for the infringement will be identified and reported to the appropriate campus authorities.

For more information:

  • Copyright infringement facts
  • Digital Millennium Copyright Act at UCLA
  • Contact the Office of Compliance Services


Ransomware on the Rampage!

Ransomware is a form of malware that encrypts files on your computer and then demands payment in exchange for the key needed to decrypt them. To prevent harm from ransomware:

  • Back up essential files regularly. Be sure to encrypt when saving to external drives or removable media, and keep at least one copy disconnected from the computer so it cannot be encrypted too.
  • Be cautious about unsolicited attachments or suspicious links. Word documents are a current favorite for spreading ransomware.
  • Don’t enable macros in document attachments received via email.
  • Keep your system up to date on applications, operating system and antivirus.
  • Only use administrative credentials when necessary.

If you see a message like the one below, or any message that says your files have been encrypted, disconnect the computer from the network (unplug the cable or turn off Wi-Fi) so the ransomware cannot reach file shares, and contact IT support IMMEDIATELY!

[Image: ransomware message demanding payment]

Learn more:

  • Locky ransomware is trending now
  • Ransomware forced Hollywood Presbyterian Hospital to revert to using pen and paper
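To back the advice above (never enable macros in an emailed document) and the Word-macro tip earlier on this page (close the file and forward it for checking), here is an added example, not UCLA Health IT tooling or anything from this page, of checking an attachment for macros by its content rather than its file extension. It assumes only the Office file formats themselves: Office 2007 and later documents are ZIP archives in which a VBA project appears as a vbaProject.bin part, and legacy binary documents start with the OLE compound-file signature. The sample documents are constructed inside the script.

```python
"""Tell whether an Office attachment carries VBA macros before anyone clicks
"Enable Content".  Added example, not UCLA Health IT tooling.  Office 2007+ files
(.docx/.docm/.xlsx/.xlsm/.pptm) are ZIP archives; a macro-enabled one contains a
vbaProject.bin part.  Legacy .doc/.xls/.ppt files are OLE compound files, recognised
by an 8-byte signature, and can always carry macros, so they are flagged outright."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File signature


def classify_attachment(data: bytes) -> str:
    """Inspect the bytes, not the file extension (a .docm renamed to .docx still
    runs macros).  Returns one of:
      'macro'          OOXML file containing a VBA project
      'legacy-binary'  old OLE format; treat as if it had macros
      'clean'          OOXML file with no VBA project
      'unknown'        not an Office document this check understands"""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = [n.lower() for n in archive.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    if "[content_types].xml" in names:
        return "clean"
    return "unknown"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo: only the parts the check
    looks at, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("docm", build_sample(True)), ("docx", build_sample(False)),
                        ("doc", OLE_MAGIC + b"\x00" * 504), ("txt", b"just text")]:
        print(label, "->", classify_attachment(blob))
```

Anything other than 'clean' is a reason to stop and send the message to the Dangerous Email mailbox rather than open it; a 'clean' result only means no VBA project is present, not that the document is safe (it may still carry links or embedded objects).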

Forward Phishing or Suspicious Emails

Forward any phishing emails, or emails you suspect may be phishing, to [email protected]. You can also search for "Dangerous Email" in the Outlook Global Address List.


Protect yourself from Phishing - Know the red flags!

[Image: infographic of the red flags that identify a phishing email]


Wipe your old devices securely before disposal, recycling or resale.

Please be sure to delete any UCLA Restricted Information that may be on your device as the first step. Then follow the instructions in the YouTube video below to securely wipe iPhone and Android devices.

Visit an Encryption Fair in Your Neighborhood before January 15th

All mobile devices used for University Business must be encrypted.

  • Exchange one non-compliant USB flash drive for a 4GB encrypted drive.
  • Enroll your eligible smartphone and tablet in AirWatch.
  • Get your laptop and its external hard drive encrypted.

Visit Device Security to find the fair near you.



Treat your mobile devices like cash – don’t leave them unattended!

Don’t let thieves shop for your mobile devices this holiday season:

  • Never leave your mobile devices unattended — even for just a moment. And don’t leave mobile devices in your car! Be on guard in airports and hotels.
  • Call or email the Office of Compliance Services – Privacy and Information Security ([email protected], (310) 794-8638) immediately when a mobile device has been lost or stolen.

No Restricted Information to non-Mednet or non-JSEI Addresses

People in the Global Address List with a globe next to their name do not have Mednet or JSEI addresses. You may not send Restricted Information to them.


Beware of tech support phone scams!

Scammers claiming they are from UCLA or Microsoft tech support may call you saying there are urgent issues that need fixing on your computer, and then trick you into providing passwords or compromising your system.

  • Do not trust unsolicited calls asking you to provide passwords or other personal information, visit a website, or allow remote access to your workstation.
  • If in doubt, hang up and call your IT Support Group.

UCLA + Google ≠ Safe

UCLA is switching to Google Apps for Bruin OnLine email storage. You may not use Bruin OnLine email or other Google Apps to send, receive or store Restricted Information because we do not have the appropriate agreements with Google.


Do not use Siri to dictate Restricted Information (RI)!

Per the Apple software license agreement when you use Siri / Dictation, your voice is recorded and sent to Apple servers. If you use Siri for dictation you are agreeing to these terms. You may not use Siri with RI, including PHI since we do not have the appropriate agreements in place with Apple.


Beware of Phone Spear Phishing!

Recently, users have received phone calls from a scammer claiming to be with UCLA IT who asks for remote access to the users’ workstations. Always beware of callers asking for your password or remote access to your workstation, especially if you have not requested help. If in doubt, hang up and call your IT Support Group.


Protect your computer against viruses and malware!

If you are a current UCLA student, staff or faculty, you can download Sophos Anti-Virus for Mac or Windows for free at the link below:

Note, if your computer is managed by an IT Support group, Anti-Virus should already be installed and an additional Anti-Virus program is not necessary.


Check first before using Cloud Services with UCLA data!

  • The following Cloud services may not be used when Restricted Information is involved: Dropbox, OneDrive, Google Apps, iDrive, EverNote, SurveyMonkey, Siri/dictation, Apple Cloud backup, Skype.
  • HIPAA requires that any vendor who creates, receives, maintains, or transmits PHI on our behalf must first sign a HIPAA Business Associate Agreement (BAA). A signed UC Purchasing Agreement may also be necessary, even if the service is free.
  • Check with the Office of Compliance Services – Information Security ([email protected]) before storing Restricted Information in the Cloud.

Would you open this attachment?

[Image: sample spear-phishing email with an attachment]

Spear phishing is legitimate-looking email that appears to be from people or organizations that you trust, but it is sent by hackers who want to steal your information and credentials.

  • NEVER provide your passwords to anybody.
  • Think before clicking on any links or opening attachments. Beware of urgent emails that say your email is full or your account will be closed or emails you would not expect to receive.
  • If you are not sure if an email is legitimate, please ask your IT support group, open a ticket with the ISS Helpdesk, or contact Information Security, [email protected].

To learn more about spear phishing, watch this informative University of Michigan video.


Protect Our Patients - Secure Your Computer

Secure your computer when walking away or log off when finished.

  • For shared computers (ClinNet), close or secure all applications before you leave.
  • For Windows PCs, hold the Windows key and press L (for Lock). Alternatively, press Control, Alt and Delete together and then click “Lock Computer.”
  • For Macs, read our FAQ on configuring screen locking.
  • In addition, most systems should automatically lock after 15 minutes of inactivity; treat this as a backstop, not a substitute for locking the screen yourself.

These measures help protect our sensitive information and keep patients’ information private and secure. They also protect you from someone misusing your account.


Disable AutoFill on the iPhone Safari browser

The iPhone Safari browser can remember certain information entered on forms so it can fill in forms for you. To avoid caching of sensitive information such as your contact information, passwords, and credit cards, you can disable the AutoFill feature:

    Go to Settings > Safari > Passwords & AutoFill and toggle the settings to off.

Never save passwords to websites that allow access to UCLA Restricted Information.


Never store Protected Health Information (PHI) on unencrypted mobile devices!

Storing Protected Health Information (PHI) on unencrypted mobile devices can lead to a breach if the mobile devices are lost or stolen. In a recent case, an unencrypted laptop was stolen from a Concentra Health Services (Concentra) facility. As a result, Concentra has agreed to pay the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,725,220. Whenever possible, store PHI on a network file share or remove PHI from files before storing them on mobile devices. Contact your IT support group for help with encryption.


Windows XP Put Out to Pasture

Microsoft ended support for Windows XP on April 8th which means Microsoft will not fix any new security bugs found in the operating system. Computers still running Windows XP will become soft targets for compromise and will be out of compliance with our Minimum Security Standards. Ask your IT Support group when your Windows XP computers will be upgraded. Please consider upgrading your home computers running Windows XP too.

Here is a ZDNet article with more information


How to encrypt Microsoft Office Documents

Using password protection for Microsoft Word, Excel, and PowerPoint documents can provide HIPAA-compliant encryption when using MS Office 2007 or later, because these versions encrypt the file with AES. Do not rely on the password protection of the older .doc/.xls/.ppt formats from Office 2003 and earlier, whose encryption is weak and easily broken.

  • This can be useful for encrypting Restricted Information that must be sent to non-Mednet email addresses. Always use a long, strong password and provide it by phone or in another separate communication, never in the same email as the attachment.

See tutorials on how to enable encryption


Beware of Downloading or Distributing Copyrighted Material

  • When you download or acquire unlicensed copies of copyrighted works or when you upload or distribute copies you make of copyrighted works, you may be infringing someone else’s rights.
  • If you are infringing – even unwittingly – you can be subject to University discipline as well as civil damages of between $750 and $150,000 per infringement and even criminal jail time.
  • When reports are received of alleged copyright infringement on UCLA Health networks, the owner of the system responsible for the infringement will be identified and reported to the appropriate Campus Authorities.

For more information:

  • Copyright infringement facts
  • UCLA Policy 464
  • Contact the Office of Compliance Services

Report lost/stolen computers/mobile devices/removable media immediately!

Email the Office of Compliance Services – Privacy and Information Security or call (310) 794-8638 as soon as you learn that any computing device or removable media has been lost or stolen.

  • If you find a USB drive, don’t plug it in! The USB drive could be infected with malware. Call us and we will arrange to collect it.

Check Your Laptop’s Encryption

If there is any chance Restricted Information could be stored on your UCLA-owned laptop, the laptop must be encrypted.

  • Check Point encryption should be installed on all MITS-supported laptops. To verify, hold your mouse over the yellow lock icon at the bottom of your screen. (You may have to first click on the << button to “Show hidden icons.”)
  • PGP Whole Drive Encryption should be installed on all other UCLA-owned laptops that store RI, including Macs. If PGP encryption is used, the PGP BootGuard login screen will display at boot up.

If you store Restricted Information on your UCLA laptop but it is not encrypted, please contact your IT Support Group immediately.


Disclosures of PHI for research under an IRB Waiver of Authorization should be reported to HIMS!

Patients have the right to receive a list of certain disclosures of their PHI, including disclosures provided for research under an IRB Waiver of Authorization.

  • To allow centralized tracking, researchers should report PHI disclosed for research under a Waiver of Authorization to HIMS. Use the paper Report of Disclosure of PHI for Research form or contact [email protected] to learn how to submit the report electronically.
  • For questions on this requirement, contact [email protected].

Splashdata’s Worst Passwords of 2013

Never use bad passwords like the top 10 worst below for any accounts!

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123

To view the top 25 worst passwords, visit the link below:


Backup your data and avoid disaster

Electronic devices can call it quits and take your precious data with them at any time. Performing regular backups can save you lots of time and headache in trying to recover that data.

  • Back up to network shares maintained by your IT department.
  • Back up to UCLA-owned and encrypted mobile devices.
  • Before backing up to the Cloud, check with the Office of Compliance Services – Information Security ([email protected]) to ensure the right agreements are in place.

Stormy Weather Advisory on Restricted Information with iCloud Backup

iCloud allows you to back up apps and settings from your iPhone or iPad to Apple’s servers. Do not enable iCloud backup for any apps that might contain Restricted Information.

  • Learn more about iCloud before you enable it

Flooded by spam? Here are some hints on how to slow the flow!

  • Report spam emails to the Mednet Spam Quarantine to improve our spam filter.
  • Don’t click on unsubscribe links from questionable sources. Responding can confirm to spammers that your email is active, which may increase the amount of spam emails you get!
  • Limit the use of your Mednet email account for personal business.

Intro allows LinkedIn to access all your emails!

Intro, the new LinkedIn app for iOS Mail, adds LinkedIn contact information to your emails. However, it does this by redirecting all your emails so they go through LinkedIn’s servers.

  • Never use Intro with Mednet or JSEI email accounts.
  • Read up before you use Intro with your personal email accounts.
  • Learn more

Your data could be taken hostage.

Ransomware is a form of malware that encrypts files on your computer and then demands payment in exchange for the key needed to decrypt them. If you see a message like the one below on your computer, contact IT Support immediately. Multiple systems at UCLA have been infected by the CryptoLocker ransomware, and data files without backups were permanently lost.

[Image: CryptoLocker message demanding payment]

  • Keeping your antivirus up to date helps, but antivirus does not catch every new variant; current backups are the only reliable way to get your files back.
  • Be careful what you click on, and be sure to back up critical files on a regular basis.

For more information on CryptoLocker, click on the link below


Protect your device, use AirWatch

  • AirWatch is a Mobile Device Management system that ensures appropriate secure configurations are in place for your mobile devices like tablets and smartphones.
  • You may store Restricted Information, including PHI, in emails, contacts, calendars and in other apps on your (even personally owned) mobile devices if the devices are enrolled with AirWatch.
  • Visit the MITS AirWatch page for more information on AirWatch and how to enroll.

Securely Erase Your Android Phone or Tablet Before Disposal or Reuse

Before you sell, throw out or give away your old Android device, be sure to erase the internal storage to remove any confidential information.

  1. Open Settings.
  2. Select Privacy.
  3. Uncheck the boxes for Back up my data and Automatic restore.
  4. Click Factory Data Reset.
  5. If prompted, check Format USB storage, Erase internal storage, and Erase SD card or similar boxes.
  6. Click Reset phone.

Back-to-School Clean-up Time for Restricted Information

If RI is not there, it can’t be lost or stolen!

  • Regularly delete Restricted Information that you no longer need from your devices.
  • Make sure you securely wipe any electronic storage devices before you retire them.

Securely Erase Your iPhone/iPad/iPod Touch Before Disposal or Reuse

Before you sell, throw out or give away your old iOS device, be sure to erase the device’s memory and reset it back to factory condition to remove any confidential information.

  • Select the Settings app.
  • Click on General.
  • Click on Erase All Content and Settings.

For more information on how this works, please see Apple’s knowledge base article


Do you have $1.2 million to spare?

Most copiers and multifunction printers contain hard drives that must be securely erased or destroyed before retirement of the device.

  • Check with your local IT support group and/or the vendor on the best method for secure disposal.
  • A HIPAA Business Associate Agreement (BAA) must be in place before a vendor may take possession of any UCLA copier or multifunction printer that could contain PHI.
  • Recently, Affinity Health Plan was fined $1,215,780 for returning a leased photocopier containing PHI to the vendor which was then sold to another party. Read more here.

Delete Saved Web Site Data!

When you visit a website, your web browser saves information from the site in your computer’s cache. If you use sites that contain Restricted Information, be sure to clear the cache regularly.

Here’s how to do this in Internet Explorer.

  1. From the Tools menu in the Menu bar on the left, select “Delete Browsing History.”
  2. Uncheck all boxes except “Temporary Internet files” and then click “Delete.”

For more information and instructions for other browsers, check out Indiana University’s Knowledge Base article


Is your password tough enough?

An easy way to create a password is to think of a phrase and use the first letter of each word or parts of the words. Mix upper and lower case and add numbers. Longer is better. Special characters add complexity, but some systems don’t accept them. Examples (don’t use these):

  • “to heal humankind, one patient at a time” – 2HealHk1Paat
  • “When I was six, I lived at 38 Elm Drive” – WIw6Ila38ED
  • “Charles Vincent Craig, born 1937 in Chicago” – CVCb37inChi

For different systems, keep the same base password, but add additional characters that remind you of that system. Keep in mind that someone who learns one variant will try the obvious variations, so fully distinct passwords are safer wherever you can manage them, and avoid phrases built from your own name, address or dates, which someone who knows you can guess.

Test to see what makes a good password at the site below. Don’t test your real password!

  • How Secure is my password?

Don’t forward your Mednet or JSEI email to external email addresses!

  • Remember that only Mednet.ucla.edu and jsei.ucla.edu email accounts may be used for communicating Restricted Information, including PHI that is not otherwise secured, to colleagues and workforce members. Forwarding to an external mailbox moves that information outside UCLA’s control.
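As an added example (not UCLA Health IT code or anything from this page), the check below implements this rule for a list of recipients the way a mail add-in or data-loss-prevention rule would: it compares the exact domain of each real address, not the display name and not a substring, against the permitted Mednet and JSEI domains. The sample recipient list is constructed for the demonstration.

```python
"""Flag message recipients outside the Mednet/JSEI domains before Restricted
Information goes out.  Added example, not UCLA Health IT tooling.  The point is
exact domain matching: a naive "contains mednet.ucla.edu" test is fooled by
look-alike domains and by display names, both of which phishers use."""
import email.utils

PERMITTED_DOMAINS = frozenset({"mednet.ucla.edu", "jsei.ucla.edu"})


def recipient_domain(recipient: str) -> str:
    """Return the lower-cased domain of the real address in a recipient string such
    as 'Dr. Smith <jsmith@Mednet.UCLA.edu>', ignoring whatever the display name says.
    Anything unparsable yields '' and is therefore treated as external."""
    _display, address = email.utils.parseaddr(recipient)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def is_permitted_recipient(recipient: str) -> bool:
    """Exact match against the allowed domains; no suffix or substring matching."""
    return recipient_domain(recipient) in PERMITTED_DOMAINS


def external_recipients(recipients):
    """Return the recipients that may not receive Restricted Information."""
    return [r for r in recipients if not is_permitted_recipient(r)]


# Constructed sample To: list for the demo.
SAMPLE_TO = [
    "jsmith@mednet.ucla.edu",
    "Dr. Lee <dlee@JSEI.UCLA.EDU>",
    '"jsmith@mednet.ucla.edu" <jsmith@example.com>',  # display name mimics an internal address
    "rnurse@mednet.ucla.edu.example.net",              # look-alike domain
    "rnurse@notmednet.ucla.edu",                       # look-alike domain
    "jsmith@ucla.edu",                                 # campus, but not Mednet/JSEI
]

if __name__ == "__main__":
    for r in external_recipients(SAMPLE_TO):
        print("BLOCK:", r)
```

The third sample is the case that matters most: Outlook shows the display name, so a reader sees a Mednet address while the mail actually goes to example.com. Checking the parsed address, not the text on screen, is what catches it.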


Strong Passwords – Easy to Remember!

The folks over at Google created this under-a-minute video on how to create a strong password


Be a Control Freak!

Keep Restricted Information under physical control:

  • Store devices with Restricted Information (RI) out of sight in secure locations when not in use.
  • Keep mobile devices under your physical control at all times.
  • Leave display screens and desks clear of visible RI.
  • Track who has keys or access codes to your space and review periodically.

Will your password let the bad guys in?

Good passwords are:

  • Not based on dictionary words or names such as days of the week, seasons, colors, or UCLA. Never use 123456, abc123 or ucla123.
  • Long, at least 8 characters, but longer is better if the system supports it.
  • A mix of all supported character types: upper case letters (A-Z), lower case letters (a-z), numbers (0-9), and special characters (!@#$%^&*()_+`-={}|[]\:";'<>?,./).
  • Not used for any of your other accounts such as Gmail, Facebook, Yahoo!, Amazon.com, etc.

Do not store Restricted Information (RI) on personal USB drives!

  • Store Restricted Information (RI) on a network file share or remove RI from files before storing them on your personal mobile devices.
  • If RI must be stored on a USB drive, the USB drive must be UCLA owned and the RI must be encrypted.
  • Check out our recommendations for encrypted USB drives.
  • See the Mobile Device Policy, HS 9453-C.

Friends don’t let friends text Restricted Information (RI)

  • Unencrypted RI (patient names, MRNs, SSNs, research subject names and medical info, etc.) should not be sent in text messages.
  • Also, unencrypted RI in text messages may not be stored on personally owned phones.

Don’t use Siri for PHI!

Using Siri (including Siri dictation) that involves PHI will transmit confidential patient information to Apple servers, which would be a violation of HIPAA since we do not have a Business Associate Agreement with Apple.

  • When you use Siri / Dictation, your voice is recorded and sent to Apple servers where it is converted to text.
  • Per Apple’s end-user agreement, Apple can store and use your voice input and User Data to improve their product and services.

Do Not Store Patient Info in Your Phone’s Contacts or Calendar

The UCLA Health System mobile device policy only permits the storage of Restricted Information (RI) in email on a personally owned smart phone or cell phone.

  • Mednet Exchange Contacts or Calendars may not be synchronized with a personally owned phone if they contain any RI such as patient names and phone numbers.
  • Patient names, phone numbers and other RI may not be stored in a personally owned phone’s address book.

Our patient data is only as secure as your password!

A strong password should be long, complex, and random:

  • Long: Must be at least 8 characters
  • Complex: Must use at least 3 of the following character classes - uppercase, lowercase, numbers, and special characters
  • Random: Must not be based on any word in any dictionary in any language, or any name or date related to you

Don’t write your password down. DON’T share your password with others! Failure to protect your password or sharing it with others could result in disciplinary actions. Learn more about how to create strong passwords
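Putting this page’s password rules together (the eight-character minimum and three-of-four character classes above, the “not a dictionary word” and “never ucla123” rules in the earlier tip, and SplashData’s worst-passwords list), here is an added example, not UCLA Health IT code, of a policy check that also undoes common disguises such as P@ssw0rd1! and Summer2013! before looking for a dictionary word. The word list is a small constructed stand-in; a real check would load full dictionary and breached-password lists.

```python
"""Password policy check implementing the rules on this page: length, character
classes, not on a known-bad list, and not a disguised dictionary word.  Added
example, not UCLA Health IT tooling; the word list is a small constructed stand-in
for the dictionary and breached-password lists a real deployment would load."""
import re
import string

# SplashData's 2013 top ten as printed on this page, plus the UCLA-specific example
# the page names (ucla123).  Lower-cased for comparison.
DENYLIST = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "ucla123",
})
# Constructed stand-in for a dictionary of words, names, seasons, days and local terms.
WORDS = frozenset({
    "password", "welcome", "letmein", "january", "monday", "summer",
    "bruins", "ucla", "love", "blue",
})
# Common letter-for-symbol substitutions, undone before the dictionary check.
LEET = str.maketrans("@$0134!|", "asoieail")

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(pw: str):
    """Names of the character classes actually present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def base_word(pw: str) -> str:
    """Strip the usual disguises ('P@ssw0rd1!' -> 'passwordii') so that
    'Summer2013!' is recognised as the word 'summer'."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())


def dictionary_hit(pw: str):
    """Return the dictionary word the password is built on, or None."""
    base = base_word(pw)
    for word in sorted(WORDS, key=len, reverse=True):
        if len(word) >= 4 and (base == word or base.startswith(word) or base.endswith(word)):
            return word
    return None


def check_password(pw: str, min_length: int = 8, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(pw)) < min_classes:
        problems.append(f"uses fewer than {min_classes} of the 4 character classes")
    if pw.lower() in DENYLIST:
        problems.append("on the known-bad password list")
    word = dictionary_hit(pw)
    if word:
        problems.append(f"based on the dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["2HealHk1Paat", "P@ssw0rd1!", "Summer2013!", "ucla123", "123456"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that P@ssw0rd1! satisfies the length and all four character classes yet still fails: the class rule alone is what attackers’ wordlists are built to satisfy, so the de-leeted dictionary check is the part that does the real work.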


Dispose of Copiers, Printers and Fax machines securely

Most copiers, printers, and fax machines have hard drives that store the documents they process. These drives must be securely erased or destroyed before retirement of the device.

Before disposal, check with your local IT support group and/or the vendor on the best method for secure disposal.

Remember, a vendor must have a HIPAA Business Associate Agreement (BAA) before they take possession of any UCLA copier, printer, or fax machine that could contain PHI.


Don’t use SurveyMonkey to collect Patient Information!

SurveyMonkey will not sign HIPAA Business Associate Agreements which are required before PHI can be used or stored by a vendor. SurveyMonkey’s own Terms of Use prohibit users from using SurveyMonkey to collect PHI.

Always check with the Office of Compliance Services – Privacy & Information Security ([email protected]) before using any third party services to collect or store PHI.


Defend Against Dangerous Bugs, Enable Automatic Updates

Operating system updates are an important part of keeping your computer secure. Here is how to setup automatic updates on your Windows and Mac computers that are not managed by IT:

  • Windows: Right-click on my computer and select “Properties.” Click on the “Automatic Updates” tab. Ensure the “Automatic” button is selected.
  • Mac: Open System Preferences and select “Software Update.” Ensure “Check for updates” is checked and a reasonable time period is selected.

Be aware that some specialty software, such as PGP encryption on Macs, may need to be updated before updating your operating system. Also remember to back up your critical data often.


Don’t use Doktuz, Doximity, Evernote, DropBox, Google docs, Medigr.am, etc. with Restricted Information!

Even when vendors display the UCLA name or imply that UCLA is a partner, check with the Office of Compliance Services – Information Security ([email protected]) first to ensure the necessary agreements are in place before storing Restricted Information in the Cloud.


Free Anti-virus for UCLA Faculty, Staff, and Students

UCLA Faculty, Staff, and Students can use Sophos anti-virus, which is provided for free at Bruin OnLine, on computers where anti-virus is not supported by IT. See the links below for the installation instructions:

  • For Windows
  • For Mac

Please contact Bruin OnLine at (310) 267-HELP (4357) or [email protected] with any questions.


Work securely from home using Remote Desktop Connection

Remote Desktop allows you, with a VPN connection and supervisor approval, to take remote control of your work computer from home or other external locations and use it almost as if you were sitting in front of it. It is secure because any Restricted Information stays on your work computer, provided you do not copy files to the home computer, for example through Remote Desktop’s clipboard or local drive sharing.

  • For Windows
  • For Mac

Please see our FAQ on Remote Desktop or contact your IT support team for more information.


Keep Your Browsing to Yourself

When you visit an encrypted (https) website your web browser may store sensitive information from the site on your computer which could be accessed later. Here’s how to prevent your browser from doing this.

For Internet Explorer 8

  • Select Tools -> Internet Options
  • Select the Advanced tab.
  • Under security, ensure “Do not save encrypted pages to disk” is checked.

For other browsers such as Firefox, see our FAQ on this topic. Ask your local IT support group if you need help configuring your web browser.


Encrypt your Android devices!

Here’s how to encrypt Android devices running OS 3.0 (Honeycomb) and later:

  • Android phones: Touch the Settings icon from a Home or All Apps screen, then go to Personal > Security > Encryption > Encrypt phone. Select Encrypt phone, then enter your lock screen PIN or password and touch Continue. Select Encrypt phone again and the encryption process will start.
  • Android tablets: Go to Settings > Personal > Security > Encryption > Encrypt tablet. Select Encrypt tablet, then enter your lock screen PIN or password and touch Continue. Select Encrypt tablet again and the encryption process will start.

What must you do before storing UCLA business data, including research and patient data, in the Cloud?

  • You must have a signed UC Purchasing Agreement in effect before storing UCLA business data with any Cloud storage service, even if it is free.
  • Additionally, HIPAA prohibits the storage of PHI at any cloud storage service unless there is a HIPAA Business Associate Agreement (BAA) in place.
  • So far, DropBox has not agreed to a UC Purchasing Agreement or signed the HIPAA BAA. Please contact Purchasing for more information on how future Agreements with DropBox might be negotiated.

Always contact your Purchasing representative and the Office of Compliance Services – Information Security ([email protected]) before using any Cloud storage services.


You may not store Restricted Information on your personally owned Mobile Device

As was announced in the email from Drs. Feinberg and Kapur on 10/1, our policy on storing Restricted Information (RI) on mobile devices has been revised effective October 25, 2012.

  • Whenever possible, store RI on a network file share or remove RI from files before storing to mobile devices. RI may not be stored on a mobile device or removable media unless there is a compelling patient care, business or academic need.
  • Any RI on a UCLA-owned mobile device must be encrypted.
    • RI must not be stored on a personally owned device, except for email received on a cell phone or smart phone, provided that a passcode is set, the passcode is not shared, and the device is encrypted.
  • Unless specific approval is received from an authorized party, all UCLA RI must be returned to UCLA when you leave.

Please ensure that you have removed any Restricted Information from both unencrypted UCLA-owned and your personally owned mobile devices and removable media before October 25, 2012. Contact your IT support group for help with encryption.


Can I keep or buy my UCLA computer?

Faculty and Staff often ask if they can keep or buy their university-owned computer when it is replaced or when they separate from UCLA. The University of California has policies concerning the disposition of university property. You may not take or buy your

  • Old computer from the university when it is replaced.
  • Computer from the university when you leave.
    • In the case of a move by a faculty member to another institution, there is a process to transfer equipment to another university as outlined in the bulletin below.

For more information, read UCOP Business and Finance Bulletin, Number BUS-38.


Remote Wipe for Your Personal Device

Remote wipe allows you to securely delete files on your lost or stolen phone or tablet by sending a wipe command to the device. It is not a replacement for a strong password or encryption but can be a lifesaver if a device is lost or stolen. If you don’t have ActiveSync enabled on your device, Find My iPhone or several Android apps provide remote wipe functionality.

  • Apple users can set up Find My iPhone by selecting Settings > iCloud > Find My iPhone and moving the slider to On. You will need an Apple ID and iCloud account. (Remember, UCLA information should never be stored in iCloud.) In the event of a loss or theft, go to https://www.icloud.com/ to wipe the device.
  • For Android devices, you can download Mobile Defense for free or Where’s My Droid for $3.99. Both of these apps have a remote wipe feature.
  • If you use ActiveSync for your MedNet email, you can wipe your device with Outlook Web Access by following these instructions. (Here’s how to register with ActiveSync.)

In addition, please report all lost and stolen devices to Information Security and MITS IT Security by following these steps or call 310-794-8638.


Complex Passcode for your Apple Mobile Device

Many smart phones and tablets now store just as much or more information than computers do. A recent MIT Technology report notes that software used to "brute force" iPhone passcodes only takes about 13 minutes to try every possible four-digit combination! Safeguard your data by enabling a longer and complex passcode on your iPhone, iPad, or iPod touch device with iOS 4 or above:

  1. Go to “Settings” and select “General”.
  2. Scroll down and select “Passcode Lock”. Enter your current passcode if you have one.
  3. Look for “Simple Passcode” and switch that to “Off”. Enter your current passcode again if you have one.
  4. You can now set a longer passcode with numbers, mixed upper and lower case letters, and special characters.

Passcode Protect Your Apple Mobile Device

Set both features below to secure your Apple iPhone, iPad, or iPod:

  1. Auto-Lock: This setting turns off the display after a preset period of inactivity. Set this at Settings -> General -> Auto-Lock
  2. Passcode Lock: This setting requires a passcode to be entered whenever you unlock the screen. You can specify the amount of time the screen must be locked before requiring a passcode (should be 15 minutes or less). Set this at Settings -> General -> Passcode Lock

Did you know that 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000)? Avoid common passcodes such as 1234 or 0000, or your year of birth.


Lock When You Leave

Lock the screen when you walk away from your computer. (Note, if you are using a shared computer (ClinNet), don’t lock the screen, but do close all applications before you leave.)

  • For Windows PCs, hold the Windows key and press L (for Lock).
  • For Macs, read our FAQ on configuring screen locking.
  • In addition, most systems should automatically lock after 15 minutes of inactivity.

These measures help protect our sensitive information and keep patients’ information private and secure! They also protect you from someone misusing your account.


Plug and Prey

Don't plug in USB drives that you find lying around! Sophos conducted an analysis of 50 USB flash drives bought at a major transit authority's Lost Property auction, and found that 66% of lost USBs contained malware.

When a USB drive is plugged into a computer infected with malware, the malware can download malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer.

If you find a lost USB drive, report it to the Office of Compliance Services – Privacy and Information Security ([email protected], (310) 794-8638) and we will arrange to collect the drive.


According to the latest Symantec Internet Security Threat Report, 43% of all data breaches in 2011 were in the Healthcare sector. This was higher than Government (14%) and Financial (8%) combined.

Many of the report’s recommendations have been mentioned in our tips before:

  1. Do not open attachments unless they are expected and come from a trusted source.
  2. Think twice before running software downloaded from the Internet.
  3. Be suspicious of links in emails, even if the email comes from a trusted source.
  4. Remember that any personal information you post on social networking sites could be used to target you in an attack.

Get the full story


Dangers of Public Wi-Fi

Wi-Fi hotspots in coffee shops, airports, hotels, and other public places are convenient, but they're often not secure. Using public Wi-Fi is like shouting your data across the room. Anyone who wants to listen in can with the use of some pretty simple tools. Here are a few tips:

  • Only log in or send personal information to websites that are fully encrypted. To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure). Look for https on every page you visit, not just when you sign in.
  • Don't stay permanently signed in to websites. When you've finished using an account, log out.
  • Use VPN. VPNs encrypt traffic between your computer and the internet, even on unsecured networks. MITS offers VPN for remote access. Learn more about whether you are eligible for VPN access and how to obtain it.

Keep Your Personally Owned Systems Up To Date

Did you know the most commonly exploited software vulnerability in 2011 was four years old? That means the victims had not updated their systems since the Beijing Olympic Games!  Outdated software can allow your computer to be hacked by simply visiting a malicious website or opening an email.

  • Microsoft releases patches for Windows the third Tuesday of every month through its Windows Update program.
  • Mac OSX's Software Update program provides a similar service for Macs.
  • Applications such as Adobe Reader, Adobe Flash, Oracle Java, etc. need to be updated separately and usually will notify you when updates are available. These updates are just as critical as operating system updates.
  • Note, you will normally need administrative privileges to install updates.

Don't Get Hooked by Phishers

Many Mednet users recently received phishing emails which tried to trick them into giving up their usernames and passwords. Watch out for:

  • Requests for user IDs and passwords: NEVER email your User IDs and passwords to anybody. UCLA and other legitimate organizations will never ask you to do this. If you do respond, change your password immediately and contact us, [email protected].
  • Fake links: Check any links by mousing over them before clicking. For example, try mousing over this link: http://www.mednet.ucla.edu. The link is not what it appears to be!
  • Urgent wording: Hackers attempt to create a sense of urgency so that people immediately respond without thinking. "Verify your account info now or your account will be suspended!"

Check out examples of phishing attempts at UCLA's "Phish of the Day" site.
Not sure if emails are for real? Contact your IT support group or us, [email protected].
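The "mouse over the link" check above can also be done programmatically. The following is an added example, not part of the original tip or of any UCLA tool: it parses an HTML message body and flags anchors whose visible text names one domain while the href really goes to another, or whose host merely contains a trusted name (e.g. ucla.edu.something.example.net). The sample message is constructed, modelled on the bogus-email example further down this page, and the TRUSTED_DOMAINS list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: the domains a MedNet user expects a genuine link to point at.
TRUSTED_DOMAINS = ("mednet.ucla.edu", "ucla.edu")

# Constructed sample message (not a real e-mail), modelled on the bogus-email tip.
SAMPLE_EMAIL = """
<p>You've reached your UCLA email maximum data allowance for this month.</p>
<p>Re-confirm your account at
<a href="http://www.mednet.ucla.edu.account-check.example.net/login">http://www.mednet.ucla.edu</a>
or visit <a href="https://www.mednet.ucla.edu/">the MedNet portal</a>.</p>
<p>Questions? <a href="http://ucla.edu.verify.example.net/">Click here</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host a link really goes to: drops scheme, user@ prefix, port and path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def is_subdomain(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(html):
    """Return (href, text, reason) for each link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Rule 1: the visible text names a domain, but the link goes elsewhere.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and not (is_subdomain(target, shown.group(1)) or is_subdomain(shown.group(1), target)):
            findings.append((href, text, f"text shows {shown.group(1)} but link goes to {target}"))
            continue
        # Rule 2: a trusted name is embedded inside some other host (ucla.edu.verify...).
        for domain in TRUSTED_DOMAINS:
            if domain in target and not is_subdomain(target, domain):
                findings.append((href, text, f"{domain} appears inside untrusted host {target}"))
                break
    return findings
```

Running suspicious_links(SAMPLE_EMAIL) flags the first and third links and leaves the genuine MedNet link alone; host_of also handles the user@host trick, where everything before the @ is decoration.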


Protect your Mac with a Screen Saver

Enabling a password-protected screen saver is an easy way to ensure your computer is secure when you step away. This can be done in 3 easy steps. (These directions are for Mac OS 10.6. Other versions may vary.)

  1. Go to the Security pane in System Preferences. Select "Require password immediately after sleep or screen saver begins." This will also secure a laptop when you close the lid.
  2. Go to the Desktop & Screen Saver pane in System Preferences. Select the Screen Saver tab. Move the slider to start the screen saver after 15 minutes or less.
  3. Click "Hot Corners..." and select a corner to Start Screen Saver. This allows you to lock your computer by moving the mouse to the specified corner of the screen.

Learn more:
Protect the information on your Mac


Protect your Mac from Malware

Apple computers are becoming a target for hackers and those with malicious intent as they become more popular. Recently, over 600,000 Macs were infected with the malicious software program called Flashback.

  • Keep your anti-malware program active and updated.
    - If your IT Support group does not provide anti-malware, UCLA users can download Sophos
  • Don't click on any links or open any attachments in emails unless you know who sent it and what it is.
  • Download and install software only from websites you know and trust.
  • If you believe that your computer is infected with malware, contact your IT support group immediately.

There is an Apple Flashback Removal Tool


Watch Out for Invalid Certificates!

Web browsers use certificates to validate and secure Internet connections the same way physical signatures are used to identify the signer of a document. If you encounter a Certificate Error like the one below, it is possible someone is trying to forge a signature and steal your information.


If you see a message like this, proceed with caution!

  • If you're on an untrusted network (Starbucks, hotel Wi-Fi, etc.) assume someone is tampering with your connection. Close your browser and continue the activity when you are on a trusted network.
  • For UCLA sites, try viewing the certificate for more information. Minor changes in the address or recent expiration could be low risk problems.
  • When in doubt, check with your IT support group.

Learn more


BOGUS, BOGUS, BOGUS!

Below is an example of a phishing email sent recently to many Mednet users that tried to trick users into visiting a bogus site that would ask for their usernames and passwords.  Note the suspicious sender and link (changed for your protection - try mousing over it).  

From: [email protected] [mailto:[email protected]] On Behalf Of UCLA
Sent: Friday, March 09, 2012 7:02 AM
To: Bruin, Joe.
Subject: Update!!

You've reached your UCLA email maximum data allowance for this month, you may not be able to send or receive email with your email account again; you are to re-confirm your email account information to our admin panel for re-validation of your email account.

If you are ever in doubt about whether an email is for real or not, ask your IT support group or contact us, [email protected].


Contact Us IMMEDIATELY for any suspected Privacy or Security Breaches

  • Lost/stolen laptop, computer, USB/thumb drive, Smart Phone
  • Lost/stolen paper records and printouts
  • Mis-sent fax, email, paper mail
  • Inappropriate access to medical records
  • Compromised servers and workstations
  • Exposure of passwords

Phone (310) 794-8638 or email [email protected]

Also see HS 9459, "Privacy and Information Security Incident Reporting"


How to Spot Non-Mednet Email Addresses

  • The user icon in the Exchange Global Address List will include a little globe if the user has a non-Mednet email address (see circled examples below).
  • Check for non-mednet email addresses before sending PHI because unencrypted PHI should never be sent to non-Mednet email addresses.
  • One exception is that it is OK to send PHI to @jsei.ucla.edu addresses because emails between JSEI and Mednet travel through encrypted tunnels.

If you have any questions, please contact your IT support group or the Office of Compliance Services - Information Security ([email protected])


Securely dispose of hard drives, smart phones, USB drives!

Confidential information can remain on hard drives in computers, laptops and multifunction printers as well as on smart phones and other electronic drives after they are retired.

  • Don't throw them out!
  • Don't recycle them!
  • Don't risk exposure of PHI or other confidential information!

Contact your IT Support group to arrange for secure disposal


Is your Delete Complete?

After you delete a file and empty the Trash or Recycle Bin, you would think that the data would be no more, cease to exist and go to join the choir invisible!  But no, until overwritten by other data, it continues to live on the hard drive and can be retrieved easily enough.  

When you need to be sure that confidential data will be completely deleted from your hard drive, ask your IT Support group for help with secure deletion of files or secure disposal of your device.

Learn more:

  • Data that remains behind after deletion
  • Only for the technically inclined and at your own risk
    - Secure delete for Windows PCs, Apple Computers, systems with PGP Encryption

Protect your Android from Malware

Just like a desktop or laptop computer, your Android smart phone is vulnerable to malware (malicious software).  And the more mobile apps integrate into our lives, the more likely they will be targeted by cyber criminals.  To limit the potential for malware infection, install an anti-malware program today. 

FREE Android anti-malware apps are available through Android Market

  • Lookout Security - available through Android Market
  • Norton Mobile Security Lite
  • Webroot SecureAnywhere

Recommendations are courtesy of UCLA Health Information Services and Solutions

Learn more: Android platform vulnerable to malware


How to Encrypt MS Office Documents

Microsoft Word, Excel, and PowerPoint can encrypt and password protect any document with just a couple of clicks. Access databases can be encrypted too.

  • Use Office encryption to protect PHI or other confidential information, for example:
    • Storing confidential documents.
    • Sending confidential information to non-mednet email addresses. Never include the password in the same email as the encrypted document. Use an alternative means of sharing the password such as another email or ask the email recipient to call you for the password or vice versa.
  • Always use strong passwords. Remember the password because if you forget it, there is no way to recover the password or the information in the document. Do not store passwords near the encrypted documents.
  • See the links below for step-by-step tutorials on how to enable encryption.
    • MS Office 2007 - Word, Excel, PowerPoint
    • MS Office 2010 - Word, Excel, PowerPoint
    • Access 2007
    • Access 2010
  • Note, use MS Office 2007 or later to ensure HIPAA-compliant encryption (AES 128-bit).
