The following is the UF HSC guide for information security on personally managed computers. For more information, please visit http://security.health.ufl.edu
As a staff member, student or Resident at the UF HSC, you have responsibilities to protect confidential information. The stakes are higher and serious consequences apply.
These types of information are protected by Federal and State laws on privacy, and are classified by the UF HSC as Restricted. Whenever you have this information in your custody, you must protect it from accidental disclosure and you must not share it without authorization.
- Protected Health Information (PHI): Health information combined with name, or med record #, or address, or key dates, or family members, or any other information that would link a person to their health condition
- Personal Identification Information: Names combined with SSN, State ID #, Driver’s License #, Financial Account #’s, or any information that could be used to commit identity fraud
- Student Records: Name or UF ID combined with grades, demographics, or any information shared by faculty and staff about students
Federal, State, and University penalties and sanctions apply to inappropriate uses and disclosures. Make sure you know how to use these information types legally.
Never store Restricted information on removable media such as thumb disks, memory sticks, or CDs. UFHealth policy requires that any Restricted information be stored on encrypted media.
- Never put Restricted information in email or in an instant message
- Never leave laptops unattended and unlocked, not even for a minute. They’re highly desirable and very easy to steal.
- Use a strong password (minimum of 8 characters containing at least 1 letter, 1 number, 1 capital, 1 lower case, and 1 special character) on your computer so it cannot be easily guessed
- Ensure you have set an inactivity timeout on your computer so it automatically locks requiring a password to unlock
- Your computer activity and patient record accesses are tracked by HSC Information Systems. We know where you’ve been.
- Always wear your Gator 1 ID badge. It helps us determine when someone else is in a place they should not be.
- If you’re not sure about appropriate handling of Restricted information, ASK FOR HELP!
Anti-virus protection is needed to fend off viruses or worms that can cause your computer and software to fail and cause you to lose data. Your computer may have come with anti-virus software pre-loaded, but it may not stay current if you don’t pay a subscription fee. Anti-virus software that is not current is useless. Here’s what you can do to protect your computer from viruses at no additional cost to you:
- Download the free Microsoft Security Essentials software if you are running Vista or Windows 7; all newer Windows versions come with Windows Defender pre-installed.
- Follow all download and installation instructions carefully, even when downloading VPN software, which is safe
- Enable ‘AutoUpdate’ and schedule it for daily updates
- Enable ‘Scan All Fixed Disks’ and schedule for a scan at least weekly when you know the computer will be on
Email Attachments, HTML Pages, URLs
Opening attachments, displaying HTML pages and clicking on URLs sent to you in an email are the most common ways to contract viruses and worms.
- Delete email from unknown senders
- Call and verify if you receive an unexpected attachment, HTML page, or URL from someone you know before you open it
- Legitimate email can always be sent again
- Regardless of who sends it, do not open files that end in .exe, .bat, .vbs, .pif, or .com
- If it sounds too good to be true, it is
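As an added illustration (not part of the UF HSC guide), the extension rule above can be checked automatically: this Python sketch lists the attachments in a raw email whose final extension is one of the five named above. The function names and the sample message are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions this guide says never to open, regardless of sender.
BLOCKED = {".exe", ".bat", ".vbs", ".pif", ".com"}

def final_extension(filename):
    """Return the last extension of a file name, lower-cased.

    Only the final extension decides how Windows treats the file, so
    "Invoice.pdf.EXE" is an .exe. Windows also drops trailing dots and
    spaces from file names, so they are normalised before comparing.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    return PurePosixPath(name).suffix

def risky_attachments(raw_message):
    """List attachment names in a raw message that end in a blocked extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED:
            flagged.append(filename)
    return flagged

def build_sample():
    """Constructed sample message (not real mail) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Invoice.pdf.EXE", "photo.com.jpg", "update.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```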
1. Be Suspicious – The most important thing you can do is be suspicious of any email telling you that you must take an action, or follow a link, that you are not expecting. Phishing attacks attempt to coerce you into taking an action; frequently they will inform you that they are suspending your account unless you confirm it, or that they are sending you a bill / payment.
2. Enroll in 2FA – Dual Factor Authentication requires that you both KNOW A THING (password) and HAVE A THING (security token). The UF DUO Dual Factor system uses either your cell phone, your desk phone, or a unique key fob as your second factor (security token). That means if your password is compromised, the bad guy would not be able to login as you because they do not have your security token. To enroll in DUO please visit https://it.ufl.edu/2fa/
3. Check the IT Alerts Portal – When Phishing Attacks are caught at UF, they are frequently posted on the UF IT Alerts Portal. You can check the portal yourself for recent phishing emails, the URL is https://alerts.it.ufl.edu/
4. Alert UF IT – When in doubt, send the email to “firstname.lastname@example.org” and if it is a phishing email, they will record it.
5. Educate Yourself – Please read the “Identity Theft and Scams” page by the UF IT Security Team at https://security.ufl.edu/learn-information-security/protect-yourself/email/id-theft-scams/phishing-email/
6. Call the Help Desk – If you accidentally fall victim to a Phishing attack, please call the UF Help Desk immediately for assistance with changing your password and enrolling in Dual Factor Authentication. Their phone number is 352-392-HELP (4357).
Spyware and Adware
Spyware is software deposited on your computer that seeks to gather private information about you. There is a free and safe software utility called Spybot Search & Destroy that helps control spyware.
- Download Spybot S&D on your computer from http://www.safer-networking.org/en/download
- Use the advanced features of Spybot to enable Automatic Updates and Schedule Scans at least weekly to keep your include files and Spybot version up to date
Adware is software deposited on your computer that gathers information about what web sites you visit and your buying habits, and sends it to a company for marketing uses. It subsequently causes pop-up ads on your computer screen, which are annoying and somewhat invasive. There is a free and safe software utility called Ad-Aware SE Personal that helps control adware.
- Download Ad-Aware SE Personal on your computer from http://www.lavasoft.de/software/adaware
- Unfortunately, updates cannot be automated with the free version of Ad-Aware
- Check for and download ‘Definition’ files and program updates at least weekly and run an Ad-Aware system scan thereafter.
Back up your important files and folders regularly and consistently to protected file space that UF provides on network servers. We want you to be productive at the University of Florida. Don’t risk losing your data. Accidents WILL happen. Your hardware WILL eventually fail.
Safe web sites and trustworthy internet users are not easy to recognize. Exercise these internet use cautions:
- Be judicious about picking legitimate web sites to visit; stick to those that are widely known businesses or institutions, and those that you have visited before without security issues
- Make sure the controls listed in this reference guide are in place on your computer
- Never offer up private information that has been unexpectedly solicited from you, whether in email, in instant messaging or on a web site
- Email and instant messaging are no place for Restricted information in any event
- Again, if it sounds too good to be true, it is
System Patches (Windows PCs)
System patches are operating system software updates intended to fix bugs and weaknesses in the Windows operating system that have recently been discovered. It is easy to have them automatically installed on your computer so you don’t have to remember to do it yourself, and it is so important to the health of your computer.
- Go to this safe link to sign up: http://www.microsoft.com/microsoftupdates/
- Follow the download instructions carefully
- Set the updates to automatically check and install daily
Social engineering is best described as a con man who is trying to dupe you into doing something you wouldn’t ordinarily do. You might get official looking email asking you for your password or financial account number for “security” purposes. You might get an enticing email indicating you have won an extravagant vacation, telling you to click a URL and enter personal information to collect your prize. You might be downloading software and be prompted to accept the terms of a lengthy license agreement with language permitting the company to install spyware or adware on your computer with the software you want.
- Be wary of unsolicited offers and notifications asking for personal information. Never give up personal information on your computer due to an unsolicited email or notification
- If you think an unsolicited notification asking for personal information is legitimate, call the institution rather than conducting the exchange on your computer
- Be wary of license agreements that are discouraging to read, but contain language permitting the installation of spyware or adware programs on your computer. Of course it won’t be called spyware or adware in the license agreement.
- Finally, remember, if it sounds too good to be true, it is