Information Security Tips

National Cybersecurity Awareness Month Tip (Week Five)
Keep your personally owned devices, apps, browsers, and anti-virus/anti-malware software patched and up to date.

National Cybersecurity Awareness Month Tip (Week Four)
Protect your data. Encrypt your devices.

National Cybersecurity Awareness Month Tip (Week Three)
Back up critical files.

National Cybersecurity Awareness Month Tip (Week Two)
Protect your passwords.

National Cybersecurity Awareness Month Tip (Week One)
Always think twice before clicking on links or opening attachments.
It's National Cyber Security Awareness Month
Please help celebrate by watching the following short videos:

Beware of bogus computer support calls
Attackers pretending to be Computer Support are calling the Health Sciences! Don't invite them in to your computer, install their software or give them your passwords! These attackers want to steal personal financial information as well as confidential UCLA information from your computer and file shares.
Report suspicious activity to your local IT support group or contact [email protected].

Create your own custom Smartphone Security Checklist!
Mobile security threats are on the rise, so check how well your devices are secured by using the FCC tool:
Protect yourself from Malicious Advertising attacks!
Malicious advertising (malvertising) uses online advertising, often on reputable sites, to distribute malware, particularly ransomware, with little or no user interaction required. See the infographic to learn more: Malvertising and Ransomware, the Bonnie and Clyde of Advanced Threats Infographic. To protect yourself against malvertising:

Enabling Macros for Word can install Ransomware!
Online criminals are sending out phishing emails with attached Word documents that contain macros that install ransomware. If you open an attachment and get a message asking you to enable macros, close the file and forward the email with the attachment to Dangerous Email ([email protected]) so they can check if it is legitimate. Below is a phishing email with a Word attachment that was sent to UCLA Health Sciences recently. And here is the message that comes up when the Word file is opened. Enabling macros would install the Locky ransomware and encrypt all the files on the computer and any file shares.

Beware of Downloading or Distributing Copyrighted Material
For more information:
Attackers pretending to be Computer Support are calling the Health Sciences!
Don't invite them in to your computer or give them your passwords! These attackers want to steal personal financial information as well as confidential UCLA information from your computer and file shares.
Report suspicious activity to your local IT support group or contact [email protected].

Ransomware on the Rampage!
Ransomware is a form of malware that encrypts files on your computer and then demands payment in exchange for the password to access them. To prevent harm from ransomware:
If you see a message like this, or any message that says your files have been encrypted, contact IT support IMMEDIATELY! Learn more:
Forward Phishing or Suspicious Emails
Forward any phishing emails, or emails you suspect may be phishing, to [email protected]. You can also search for "Dangerous Email" in the Outlook Global Address List.

Protect yourself from Phishing - Know the red flags!

Wipe your old devices securely before disposal, recycling or resale.
Please be sure to delete any UCLA Restricted Information that may be on your device as the first step. Then follow the instructions in the YouTube video below to securely wipe iPhone and Android devices.

Visit an Encryption Fair in Your Neighborhood before January 15th
All mobile devices used for University Business must be encrypted.
Visit Device Security to find the fair near you.

Wipe your old devices securely before disposal, recycling or resale.
Please be sure to delete any UCLA Restricted Information that may be on your device as the first step. Then follow the instructions in the YouTube video below to securely wipe iPhone and Android devices.

Treat your mobile devices like cash – don't leave them unattended!
Don't let thieves shop for your mobile devices this holiday season:
No Restricted Information to non-Mednet or non-JSEI Addresses
People in the Global Address List with a globe next to their name do not have Mednet or JSEI addresses. You may not send Restricted Information to them.

Beware of tech support phone scams!
Scammers claiming they are from UCLA or Microsoft tech support may call you saying there are urgent issues that need fixing on your computer, and then trick you into providing passwords or compromising your system.

UCLA + Google ≠ Safe
UCLA is switching to Google Apps for Bruin-Online email storage. You may not use Bruin-Online email or other Google Apps to send, receive or store Restricted Information because we do not have the appropriate agreements with Google.

Do not use Siri to dictate Restricted Information (RI)!
Per the Apple software license agreement, when you use Siri / Dictation your voice is recorded and sent to Apple servers. If you use Siri for dictation you are agreeing to these terms. You may not use Siri with RI, including PHI, since we do not have the appropriate agreements in place with Apple.

Beware of Phone Spear Phishing!
Recently, users have received phone calls from a scammer claiming to be with UCLA IT who asks for remote access to the users' workstations. Always beware of callers asking for your password or remote access to your workstation, especially if you have not requested help. If in doubt, hang up and call your IT Support Group.

Protect your computer against viruses and malware!
If you are a current UCLA student, staff or faculty member, you can download Sophos Anti-Virus for Mac or Windows for free at the link below:
Note: if your computer is managed by an IT Support group, Anti-Virus should already be installed and an additional Anti-Virus program is not necessary.

Check first before using Cloud Services with UCLA data!
Would you open this attachment?
Spear phishing is legitimate-looking email that appears to be from people or organizations that you trust, but it is sent by hackers who want to steal your information and credentials.
To learn more about spear phishing, watch this informative University of Michigan video.

Protect Our Patients - Secure Your Computer
Secure your computer when walking away or log off when finished.
These measures help protect our sensitive information and keep patients' information private and secure! In addition, they protect you from someone misusing your account.

Disable AutoFill on the iPhone Safari browser
The iPhone Safari browser can remember certain information entered on forms so it can fill in forms for you. To avoid caching of sensitive information such as your contact information, passwords, and credit cards, you can disable the AutoFill feature:
Never save passwords to websites that allow access to UCLA Restricted Information.

Never store Protected Health Information (PHI) on unencrypted mobile devices!
Storing Protected Health Information (PHI) on unencrypted mobile devices can lead to a breach if the mobile devices are lost or stolen. In a recent case, an unencrypted laptop was stolen from one of Concentra Health Services (Concentra)'s facilities. As a result, Concentra has agreed to pay the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,725,220. Whenever possible, store PHI on a network file share or remove PHI from files before storing them on mobile devices. Contact your IT support group for help with encryption.

Windows XP Put Out to Pasture
Microsoft ended support for Windows XP on April 8th, which means Microsoft will not fix any new security bugs found in the operating system. Computers still running Windows XP will become soft targets for compromise and will be out of compliance with our Minimum Security Standards. Ask your IT Support group when your Windows XP computers will be upgraded. Please consider upgrading your home computers running Windows XP too. Here is a ZDNet article with more information.

How to encrypt Microsoft Office Documents
Using password protection for Microsoft Word, Excel, and PowerPoint documents can provide HIPAA-compliant encryption when using MS Office 2007 or later.
See tutorials on how to enable encryption.

Beware of Downloading or Distributing Copyrighted Material
For more information:
Report lost/stolen computers/mobile devices/removable media immediately!
Email the Office of Compliance Services – Privacy and Information Security or call (310) 794-8638 as soon as you learn that any computing device or removable media has been lost or stolen.

Check Your Laptop's Encryption
If there is any chance Restricted Information could be stored on your UCLA-owned laptop, the laptop must be encrypted.
If you store Restricted Information on your UCLA laptop but it is not encrypted, please contact your IT Support Group immediately.

Disclosures of PHI for research under an IRB Waiver of Authorization should be reported to HIMS!
Patients have the right to receive a list of certain disclosures of their PHI, including disclosures provided for research under an IRB Waiver of Authorization.

Splashdata's Worst Passwords of 2013
Never use bad passwords like the top 10 worst below for any accounts!
To view the top 25 worst passwords, visit the link below:

Backup your data and avoid disaster
Electronic devices can call it quits and take your precious data with them at any time. Performing regular backups can save you lots of time and headache in trying to recover that data.
Stormy Weather Advisory on Restricted Information with iCloud Backup
iCloud allows you to back up Apps and settings from your iPhone or iPad to Apple's servers. Do not enable iCloud with any Apps that might contain Restricted Information.

Flooded by spam? Here are hints on how to slow the flow!

Intro allows LinkedIn to access all your emails!
Intro, the new LinkedIn app for iOS Mail, adds LinkedIn contact information to your emails. However, it does this by redirecting all your emails so they go through LinkedIn's servers.

Your data could be taken hostage.
Ransomware is a form of malware that encrypts files on your computer and then demands payment in exchange for the password to access them. If you see a message like the one below on your computer, contact IT Support immediately. Multiple systems at UCLA have been infected by the CryptoLocker ransomware and data files without backups were permanently lost.
For more information on CryptoLocker, click on the link below.

Protect your device, use AirWatch
Securely Erase Your Android Phone or Tablet Before Disposal or Reuse
Before you sell, throw out or give away your old Android device, be sure to erase the internal storage to remove any confidential information.

Back-to-School Clean-up Time for Restricted Information
If RI is not there, it can't be lost or stolen!

Securely Erase Your iPhone/iPad/iPod Touch Before Disposal or Reuse
Before you sell, throw out or give away your old iOS device, be sure to erase the device's memory and reset it back to factory condition to remove any confidential information.
For more information on how this works, please see Apple's knowledge base article.

Do you have $1.2 million to spare?
Most copiers and multifunction printers contain hard drives that must be securely erased or destroyed before retirement of the device.

Delete Saved Web Site Data!
When you visit a website, your web browser saves information from the site in your computer's cache. If you use sites that contain Restricted Information, be sure to clear the cache regularly. Here's how to do this in Internet Explorer.
For more information and instructions for other browsers, check out Indiana University's Knowledge Base article.

Is your password tough enough?
An easy way to create a password is to think of a phrase and use the first letter of each word or parts of the words. Mix upper and lower case and add numbers. Longer is better. Special characters add complexity, but don't work with some systems. Examples (don't use these):
For different systems, keep the same base password, but add additional characters that remind you of that system. Test to see what makes a good password at the site below. Don't test your real password!
Don't forward your Mednet or JSEI email to external email addresses!
• Remember that only Mednet.ucla.edu and jsei.ucla.edu email accounts may be used for communicating Restricted Information, including PHI that is not otherwise secured, to colleagues and workforce members.

Strong Passwords – Easy to Remember!
The folks over at Google created this under-a-minute video on how to create a strong password.

Be a Control Freak!
Good passwords are:

Will your password let the bad guys in?
Good passwords are:

Do not store Restricted Information (RI) on personal USB drives!

Friends don't let friends text Restricted Information (RI)

Don't use Siri for PHI!
Using Siri (including Siri dictation) for anything that involves PHI will transmit confidential patient information to Apple servers, which would be a violation of HIPAA since we do not have a Business Associate Agreement with Apple.

Do Not Store Patient Info in Your Phone's Contacts or Calendar
The UCLA Health System mobile device policy only permits the storage of Restricted Information (RI) in email on a personally owned smart phone or cell phone.
Our patient data is only as secure as your password!
A strong password should be long, complex, and random:
Don't write your password down. DON'T share your password with others! Failure to protect your password or sharing it with others could result in disciplinary actions. Learn more about how to create strong passwords.

Dispose of Copiers, Printers and Fax machines securely
Most copiers, printers, and fax machines have hard drives that store the documents they process. These drives must be securely erased or destroyed before retirement of the device. Before disposal, check with your local IT support group and/or the vendor on the best method for secure disposal. Remember, a vendor must have a HIPAA Business Associate Agreement (BAA) before they take possession of any UCLA copier, printer, or fax machine that could contain PHI.

Don't use SurveyMonkey to collect Patient Information!
SurveyMonkey will not sign HIPAA Business Associate Agreements, which are required before PHI can be used or stored by a vendor. SurveyMonkey's own Terms of Use prohibit users from using SurveyMonkey to collect PHI. Always check with the Office of Compliance Services – Privacy & Information Security ([email protected]) before using any third party services to collect or store PHI.

Defend Against Dangerous Bugs, Enable Automatic Updates
Operating system updates are an important part of keeping your computer secure. Here is how to set up automatic updates on your Windows and Mac computers that are not managed by IT:
Be aware that some specialty software, such as PGP encryption on Macs, may need to be updated before updating your operating system. Also remember to back up your critical data often.

Don't use Doktuz, Doximity, Evernote, DropBox, Google docs, Medigr.am, etc. with Restricted Information!
Even when vendors display the UCLA name or imply that UCLA is a partner, check with the Office of Compliance Services – Information Security ([email protected]) first to ensure the necessary agreements are in place before storing Restricted Information in the Cloud.

Free Anti-virus for UCLA Faculty, Staff, and Students
UCLA Faculty, Staff, and Students can use Sophos anti-virus, which is provided for free at Bruin OnLine, on computers where anti-virus is not supported by IT. See the links below for the installation instructions:
Please contact Bruin OnLine at (310) 267-HELP (4357) or [email protected] with any questions.

Work securely from home using Remote Desktop Connection
Remote Desktop allows you, with a VPN connection and supervisor approval, to take remote control of your work computer from home or other external locations and use it almost as if you were sitting in front of it. It's secure because any Restricted Information stays on your work computer.
Please see our FAQ on Remote Desktop or contact your IT support team for more information.

Keep Your Browsing to Yourself
When you visit an encrypted (https) website, your web browser may store sensitive information from the site on your computer which could be accessed later. Here's how to prevent your browser from doing this.
For Internet Explorer 8:
For other browsers such as Firefox, see our FAQ on this topic. Ask your local IT support group if you need help configuring your web browser.

Encrypt your Android devices!
Here's how to encrypt Android devices running OS 3.0 (Honeycomb) and later:
What must you do before storing UCLA business data, including research and patient data, in the Cloud?
Always contact your Purchasing representative and the Office of Compliance Services – Information Security ([email protected]) before using any Cloud storage services.

You may not store Restricted Information on your personally owned Mobile Device
As was announced in the email from Drs. Feinberg and Kapur on 10/1, our policy on storing Restricted Information (RI) on mobile devices has been revised effective October 25, 2012.
Please ensure that you have removed any Restricted Information from both unencrypted UCLA-owned and your personally owned mobile devices and removable media before October 25, 2012. Contact your IT support group for help with encryption.

Can I keep or buy my UCLA computer?
Faculty and Staff often ask if they can keep or buy their university-owned computer when it is replaced or when they separate from UCLA. The University of California has policies concerning the disposition of university property. You may not take or buy your
For more information, read UCOP Business and Finance Bulletin, Number BUS-38.

Remote Wipe for Your Personal Device
Remote wipe allows you to securely delete files on your lost or stolen phone or tablet by sending a wipe command to the device. It is not a replacement for a strong password or encryption, but it can be a lifesaver if a device is lost or stolen. If you don't have ActiveSync enabled on your device, Find My iPhone or several Android apps provide remote wipe functionality.
In addition, please report all lost and stolen devices to Information Security and MITS IT Security by following these steps or call 310-794-8638.

Complex Passcode for your Apple Mobile Device
Many smart phones and tablets now store just as much or more information than computers do. A recent MIT Technology report notes that software used to "brute force" iPhone passcodes only takes about 13 minutes to try every possible four digit combination! Safeguard your data by enabling a longer and complex passcode on your iPhone / iPad / or iPod touch device with iOS 4 or above:

Passcode Protect Your Apple Mobile Device
Set both features below to secure your Apple iPhone, iPad, or iPod:
Did you know that 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000)? Avoid common passcodes such as 1234 or 0000, or your year of birth.

Lock When You Leave
Lock the screen when you walk away from your computer. (Note: if you are using a shared computer (ClinNet), don't lock the screen, but do close all applications before you leave.)
These measures help protect our sensitive information and keep patients' information private and secure! In addition, they protect you from someone misusing your account.

Plug and Prey
Don't plug in USB drives that you find lying around! Sophos conducted an analysis of 50 USB flash drives bought at a major transit authority's Lost Property auction, and found that 66% of lost USBs contained malware. When a USB drive is plugged into a computer infected with malware, the malware can download malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer. If you find a lost USB drive, report it to the Office of Compliance Services – Privacy and Information Security ([email protected], (310) 794-8638) and we will arrange to collect the drive.

According to the latest Symantec Internet Security Threat Report, 43% of all data breaches in 2011 were in the Healthcare sector. This was higher than Government (14%) and Financial (8%) combined. Many of the report's recommendations have been mentioned in our tips before:
Get the full story

Dangers of Public Wi-Fi
Wi-Fi hotspots in coffee shops, airports, hotels, and other public places are convenient, but they're often not secure. Using public Wi-Fi is like shouting your data across the room. Anyone who wants to listen in can, with the use of some pretty simple tools. Here are a few tips:
Keep Your Personally Owned Systems Up To Date
Did you know the most commonly exploited software vulnerability in 2011 was four years old? That means the victims had not updated their systems since the Beijing Olympic Games! Outdated software can allow your computer to be hacked by simply visiting a malicious website or opening an email.

Don't Get Hooked by Phishers
Many Mednet users recently received phishing emails which tried to trick them into giving up their usernames and passwords. Watch out for:
Check out examples of phishing attempts at UCLA's "Phish of the Day" site.

Protect your Mac with a Screen Saver
Enabling a password-protected screen saver is an easy way to ensure your computer is secure when you step away. This can be done in 3 easy steps. (These directions are for Mac OS 10.6. Other versions may vary.)
Learn more:

Protect your Mac from Malware
Apple computers are becoming a target for hackers and those with malicious intent as they become more popular. Recently, over 600,000 Macs were infected with the malicious software program called Flashback.
There is an Apple Flashback Removal Tool.

Watch Out for Invalid Certificates!
Web browsers use certificates to validate and secure Internet connections the same way physical signatures are used to identify the signer of a document. If you encounter a Certificate Error like the one below, it is possible someone is trying to forge a signature and steal your information.
Learn more

BOGUS, BOGUS, BOGUS!
Below is an example of a phishing email sent recently to many Mednet users that tried to trick users into visiting a bogus site that would ask for their usernames and passwords. Note the suspicious sender and link (changed for your protection - try mousing over it).
From: [email protected] [mailto:[email protected]] On Behalf Of UCLA
You've reached your UCLA email maximum data allowance for this month, you may not be able to send or receive email with your email account again; you are to re-confirm your email account information to our admin panel for re-validation of your email account.
If you are ever in doubt about whether an email is for real or not, ask your IT support group or contact us, [email protected].

Contact Us IMMEDIATELY for any suspected Privacy or Security Breaches
Phone (310) 794-8638 or email [email protected]
Also see HS 9459, "Privacy and Information Security Incident Reporting"

How to Spot Non-Mednet Email Addresses
If you have any questions, please contact your IT support group or the Office of Compliance Services - Information Security ([email protected]).

Securely dispose of hard drives, smart phones, USB drives!
Confidential information can remain on hard drives in computers, laptops and multifunction printers, as well as on smart phones and other electronic drives, after they are retired.
Contact your IT Support group to arrange for secure disposal.

Is your Delete Complete?
After you delete a file and empty the Trash or Recycle Bin, you would think that the data would be no more, cease to exist and go to join the choir invisible! But no: until overwritten by other data, it continues to live on the hard drive and can be retrieved easily enough. When you need to be sure that confidential data will be completely deleted from your hard drive, ask your IT Support group for help with secure deletion of files or secure disposal of your device. Learn more:

Protect your Android from Malware
Just like a desktop or laptop computer, your Android smart phone is vulnerable to malware (malicious software). And the more mobile apps integrate into our lives, the more likely they will be targeted by cyber criminals. To limit the potential for malware infection, install an anti-malware program today. FREE Android anti-malware apps are available through Android Market.
Recommendations are courtesy of UCLA Health Information Services and Solutions.
Learn more: Android platform vulnerable to malware

How to Encrypt MS Office Documents
Microsoft Word, Excel, and PowerPoint can encrypt and password protect any document with just a couple of clicks. Access databases can be encrypted too.
Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?
There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.

Which of the following is the first step in the process of implementing training?
The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences.

What is the SETA program designed to do?
Security education, training and awareness (SETA) programs are designed to reduce the incidence of accidental security breaches.

Which of the following variables is the most influential in determining how to structure an information security program?
An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.