Do you know what to do if your ECU computer is stolen? What if you actually respond to a phishing email? These two scenarios, and more, are security incidents, and it’s important to report them to the IT Help Desk.*
The term “security incident” refers to any computer, network or paper-based activity which could result in misuse, damage, denial of service, compromise of integrity or loss of confidentiality of the ECU network, your computer (which is connected to the ECU network) and data (paper or digital).
Threats, misrepresentations of identity or harassment of or by individuals using these resources can also result from a security incident.
It is important that all incidents, whether benign and accidental or malicious and deliberate, be reported so that appropriate resolution is undertaken with the least data loss or compromise.
Security incidents you are required to report include, but are not limited to, the following:
- Lost or stolen computer or smart device
- Lost or stolen files containing sensitive information
- Unauthorized access to sensitive information
- Unauthorized access to your computer
- Compromise of your ECU user account passphrase
- Compromise of your personal computer
- Unauthorized use of your user account
- Unauthorized access to your locked office or files
- Unusual activities on your computer or network
- Unauthorized scans of your computer or the network
- Accidental disclosure of personally identifiable or sensitive information in response to a phishing scheme
- Virus, worm or Trojan horse activity on your computer
- Disclosure of sensitive data, including paper disclosure, email release or inadvertent posting of data on a website
- Suspected information technology policy violation
To report any security incident, call the IT Help Desk at 252.328.9866 or 800.340.7081. If you’re unsure whether or not an activity is a security incident, call the IT Help Desk, which can help make a determination.
*Do not call the IT Help Desk if you receive a threat to yourself or others. Report any threats to yourself or others to the appropriate law enforcement agency.
What does your smartphone know about you?
More than you realize.
When you think about it, we use our smartphones for a lot of routine activities in our daily lives. We send email, keep up with family and friends, and even shop online. While these activities seem harmless, they can leave behind data footprints that reveal information about us we’d rather keep private. We certainly don’t want others to know about our personal conversations, our family activities, or anything related to our bank accounts and credit cards.
What does your smartphone know about your work?
Using your smartphone to access your ECU work email can expose sensitive university information to others. For example, using your work email to address sensitive personnel issues, confidential business decisions, legal matters, and patient treatments can leave sensitive details on your smartphone.
If your phone is lost or stolen and is not properly secured, the thief may now have unrestricted access to your email and other sensitive work information.
For more information see the ECU Smartphone Security Guidelines.
Keep your smartphone safe and secure
Smartphones are essentially pocket-size computers that are just as vulnerable to viruses and other attacks as your laptop or desktop. So it’s important that you protect your smartphone as you would any other computing device.
It’s important that you do:
- keep your smartphone operating system (OS) and apps updated
- password protect your smartphone
- enable data encryption on your smartphone
- use remote data wipe (removal) features on your smartphone
And that you don’t:
And be sure to report lost or stolen smartphones that have been used to access or store ECU sensitive information to the IT Help Desk at 328-9866.
See the Smartphone FAQ below for additional guidance.
In the coming months, ECU will test a Mobile Device Management (MDM) solution to assist with the management of personal and university-owned mobile devices, such as smartphones and tablets. This solution will enable us to provide a more secure computing environment for the university community.
The MDM solution includes such features as passcode protection, device encryption, remote data wipe and auto-configuration for accessing ECU resources.
Frequently Asked Questions
Why am I being instructed to avoid storing sensitive data on my smartphone? It’s very convenient and helps me be more efficient and effective in my work.
The availability, capability and ease of use of personally-owned smartphones have resulted in an explosion of use in business, education and patient care. The use has quite honestly out-paced the security and compliance framework needed to ensure secure access to and storage of sensitive information. The loss or theft of your smartphone could lead to a data security breach resulting in costly fines and reputational damage for the university.
What should I do if I am accessing or storing sensitive data on my personal smartphone?
Please delete any sensitive data from your smartphone. The university does not have appropriate policies and tools in place to safeguard sensitive data on smart devices. ECU will soon begin pilot-testing a mobile device management tool to assist in providing safeguards for mobile devices. You will see announcements soon on information forums to discuss the features of this tool and plans for the rollout.
I use my smartphone to access ECU email. What can I do to protect my email?
See the Smartphone Best Practice Guide for tips on securing your smartphone. A few simple steps can help protect your ECU email. Password protection, device encryption, deletion of emails from smartphones, enabling remote wipe, installing antivirus, and avoiding downloading games and applications from untrusted sources are examples of steps to take.
I don’t know how to implement the steps you suggest. How do I secure my smartphone?
Check with your phone manufacturer for the specific steps to secure your phone. You can also check the manufacturer’s website. Many providers offer free classes on using your smartphone. Check the Smartphone Security Best Practice Guide and Smartphone Encryption Guide for additional resources.
What is “jailbreaking”?
The term “jailbreaking” refers to changes made to an iPhone, iPad, or iPod that allow users to install software applications that are not available through the Apple Store. Hence, the device is liberated and free to load whatever apps the user desires.
“Rooting” is a similar activity for Android smartphones that provides users with privileged access to the phone’s internal settings and controls. This allows users to load applications that could not be installed otherwise, because they require root access to function.
There are stability and security concerns with jailbreaking/rooting smartphones; what’s more, jailbreaking/rooting your phone may negatively impact vendor support for your device.
HIPAA security regulations define Protected Health Information (PHI) as any oral or recorded information created or received by a health care provider, health plan, employer, insurer, school or university, health care clearing house or a business associate that relates to the past, present or future physical or mental health or condition, provision of health care or health care payment of an individual.
There are eighteen “HIPAA Identifiers” that can be used to identify an individual, an individual’s family, employers or household members. Examples include names, telephone numbers, email addresses, medical record numbers, photographic images and home address. To see all eighteen identifiers, visit the HIPAA Identifiers page.
Please note that it is a VIOLATION of HIPAA law to store PHI on any personal device, such as a USB drive, external hard drive, home computer, iPhone or iPad. Such violations can cost ECU a fine of up to $1.5 million, and you could be criminally liable for such a breach, including termination, fine and imprisonment.
Protected Health Information (PHI) must only be stored on university-approved and authorized devices. If you are unsure about your storage device, please contact the IT Security Team at ITSecurity@ecu.edu.
In the News
The State of Alaska announced in June 2012 that it is paying $1.7 million to the Federal Government for a 2009 security breach of patient data. A federal investigation following the breach found inferior security measures in place at Alaska’s Department of Health and Social Services. In October 2009, a portable hard drive was stolen from the car of an employee who worked for the State Health Department.