Archive for the ‘Security Bulletin’ Category
What does your smartphone know about you?
More than you realize.
When you think about it, we use our smartphones for a lot of routine activities in our daily lives. We send email, keep up with family and friends, and even shop online. While these activities seem harmless, they can leave behind data footprints that reveal information about us we’d rather keep private. We certainly don’t want others to know about our personal conversations, our family activities, or anything related to our bank accounts and credit cards.
What does your smartphone know about your work?
Using your smartphone to access your ECU work email can expose sensitive university information to others. For example, using your work email to address sensitive personnel issues, confidential business decisions, legal matters, and patient treatments can leave sensitive details on your smartphone.
If your phone is lost or stolen and is not properly secured, the thief may now have unrestricted access to your email and other sensitive work information.
For more information see the ECU Smartphone Security Guidelines.
Keep your smartphone safe and secure
Smartphones are essentially pocket-size computers that are just as vulnerable to viruses and other attacks as your laptop or desktop. So it’s important that you protect your smartphone as you would any other computing device.
It’s important that you do:
- keep your smartphone operating system (OS) and apps updated
- password protect your smartphone
- enable data encryption on your smartphone
- use remote data wipe (removal) features on your smartphone
And that you don’t:
And be sure to report lost or stolen smartphones that have been used to access or store sensitive ECU information to the IT Help Desk at 328-9866.
See the Smartphone FAQ below for additional guidance.
In the coming months, ECU will test a Mobile Device Management (MDM) solution to assist with the management of personal and university-owned mobile devices, such as smartphones and tablets. This solution will enable us to provide a more secure computing environment for the university community.
The MDM solution includes such features as passcode protection, device encryption, remote data wipe and auto-configuration for accessing ECU resources.
Frequently Asked Questions
Why am I being instructed to avoid storing sensitive data on my smartphone? It’s very convenient and helps me be more efficient and effective in my work.
The availability, capability and ease of use of personally owned smartphones have resulted in an explosion of use in business, education and patient care. That use has, quite honestly, outpaced the security and compliance framework needed to ensure secure access to and storage of sensitive information. The loss or theft of your smartphone could lead to a data security breach resulting in costly fines and reputational damage for the university.
What should I do if I am accessing or storing sensitive data on my personal smartphone?
Please delete any sensitive data from your smartphone. The university does not have appropriate policies and tools in place to safeguard sensitive data on smart devices. ECU will soon begin pilot-testing a mobile device management tool to assist in providing safeguards for mobile devices. You will see announcements soon on information forums to discuss the features of this tool and plans for the rollout.
I use my smartphone to access ECU email. What can I do to protect my email?
See the Smartphone Best Practice Guide for tips on securing your smartphone. A few simple steps can help protect your ECU email: protecting the phone with a password, encrypting the device, deleting emails from the smartphone, enabling remote wipe, installing antivirus software, and avoiding downloading games and applications from untrusted sources.
I don’t know how to implement the steps you suggest. How do I secure my smartphone?
Check with your phone manufacturer for the specific steps to secure your phone. You can also check the manufacturer’s website. Many providers offer free classes on using your smartphone. Check the Smartphone Security Best Practice Guide and Smartphone Encryption Guide for additional resources.
What is “jailbreaking”?
The term “jailbreaking” refers to changes made to an iPhone, iPad, or iPod that allow users to install software applications that are not available through the Apple Store. Hence, the device is liberated and free to load whatever apps the user desires.
“Rooting” is a similar activity for Android smartphones that provides users with privileged access to the phone’s internal settings and controls. This allows users to load applications that could not be installed otherwise, because they require root access to function.
There are stability and security concerns with jailbreaking/rooting smartphones; what’s more, jailbreaking/rooting your phone may negatively impact vendor support for your device.
Related topics: Protected Health Information (PHI) | HIPAA security policies | HIPAA identifiers | Network storage
HIPAA security regulations define Protected Health Information (PHI) as any oral or recorded information created or received by a health care provider, health plan, employer, insurer, school or university, health care clearing house or a business associate that relates to the past, present or future physical or mental health or condition, provision of health care or health care payment of an individual.
There are eighteen “HIPAA Identifiers” that can be used to identify an individual, an individual’s family, employers or household members. Examples include names, telephone numbers, email addresses, medical record numbers, photographic images and home address. To see all eighteen identifiers, visit the HIPAA Identifiers page.
Please note that it is a VIOLATION of HIPAA law to store PHI on any personal device, such as a USB drive, external hard drive, home computer, iPhone or iPad. Such violations can cost ECU a fine of up to $1.5 million, and you could be held criminally liable for such a breach, with consequences including termination, fines and imprisonment.
Protected Health Information (PHI) must only be stored on university-approved and authorized devices. If you are unsure about your storage device, please contact the IT Security Team at ITSecurity@ecu.edu.
In the News
The State of Alaska announced in June 2012 that it is paying $1.7 million to the Federal Government for a 2009 security breach of patient data. A federal investigation following the breach found inferior security measures in place at Alaska’s Department of Health and Social Services. In October 2009, a portable hard drive was stolen from the car of an employee who worked for the State Health Department.
Related topics: Data encryption | map a drive | network storage | information security | safe computing practices | virtual private network (VPN)
Your personal ECU Piratedrive is a versatile tool that keeps your files secure, creates an automatic backup, and provides off-campus access to your work files.
But there’s more—with a department Piratedrive, multiple users can share data, update files (while controlling versions) and avoid that dreaded “email blizzard.”
Personal Piratedrive (The “U” drive)
A 40-GB Piratedrive folder is created for every faculty, staff and student at ECU. When logged in to the INTRA network on campus or remotely connected to the INTRA network through a virtual private network (more on that in a bit), you have access to this folder, which is labeled as “U.” Piratedrive folders are secure and backed up nightly.
So, rather than storing your work files on your work computer or laptop (systems more susceptible than ever to compromise and data loss), save all your work to the “U” drive. In this way, your ECU data is secure and automatically backed up, and your files are easily retrieved on campus or off. To learn more about this versatile tool, visit the Mac or Windows information page:
While 40GB of storage sounds like a lot, it may not be enough to store all your documents. Video and music files, for example, can quickly eat up your storage space. To request more storage, contact the ITCS Help Desk at 252.328.9866/1.800.340.7081.
Upon request, the university also provides departments with a 50GB Piratedrive folder. Each folder requires a department administrator who manages data and user permissions. Share data but avoid the hassle of multiple emails and multiple document versions. Like personal Piratedrive folders, department folders are secure and backed up nightly. But unlike personal Piratedrives, users must manually map a drive (create a shortcut) to a department folder. To learn more, visit the Piratedrive website.
You can access your Piratedrive off campus through the university VPN (Virtual Private Network) service. The VPN provides a secure tunnel through which you can connect to your Piratedrive without worrying about someone intercepting your data. Your Piratedrive (U) appears in your folder directory, just as it does on your office workstation.
For instructions on using this service, visit the Virtual Private Network website.
Frequently Asked Questions
Who has access to the files on my personal Piratedrive?
Your personal Piratedrive security is set up so that the “U” drive is only accessible by you as the owner of that folder. Nobody else can access your “U” drive data.
How is access to the files on our departmental Piratedrive managed?
For departmental Piratedrive data, a designated administrator in your area maintains security access controls through file and folder permissions. Security is set so that only those users designated by the admin can access the folder data.
Are the files and data stored on my Piratedrive safe from hackers?
No computer system can prevent every hacker attack, but your Piratedrive is firewall-protected, and access is only allowed to those persons connected to ECU’s network. However, a compromise of your PirateID or local computer can lead to a compromise of the files on your Piratedrive. The entire ECU community should follow safe computing practices both on and off campus.
Are my files backed up?
Yes, data on Piratedrive is backed up nightly.
What if I delete some files and realize I still need them?
ITCS maintains disk images of Piratedrive for 14 days, and users can restore data using the “Previous Versions” tab in Windows Explorer. If it has been longer than 14 days, a monthly backup is retained for 3 months. This can also be accessed through the “Previous Versions” tab in Windows Explorer.
How can I find out more about Piratedrive options?
Visit the ITCS Piratedrive web page for information on the Piratedrive. Jump to the specific topic for which you need assistance. If you have questions, please contact the ITCS Helpdesk at 252.328.9866/1.800.340.7081.