Ensuring a Secure Work and Learning Space
Sep 23, 2020
The shift to remote working and learning has posed many challenges, from setting up a home office to juggling full-time work duties and managing students' virtual education. Cybercriminals are aware of these challenges and the great amount of stress they inflict. Thus, it is vital that we conduct our work with a mindset focused on a Secure Campus and a secure Working Remotely workspace. Securing both environments greatly reduces the potential for security incidents and loss (critical data, monetary, reputation, legal).
While the standard workspace has changed, CU policy and procedures for securing sensitive university information and HIPAA Protected Health Information (PHI) have not. In fact, the steps that we have all taken in the office to secure PHI and sensitive university information are one and the same when working remotely – with some additional precautions. Please refer to the CU Office of Information Security’s Top 10 Actions to Reduce Risk for ensuring the necessary protections are in place.
Additional precautions to secure university information while working and learning remotely
1. Secure all virtual meetings involving PHI and sensitive information. Please review the best practices for securing Zoom meetings. Creating secure virtual meetings lessens the chance that information falls into the wrong hands and the potential for the meeting to be taken over by malicious individuals. Remember:
- Do not share meeting links on social media, the internet, or any public place
- Use generic meeting names
- Create strong and unique passcodes for virtual meetings
- Enable the waiting room for virtual meetings
- Restrict the sharing of sensitive files in virtual meetings
2. Be mindful when sharing or discussing university sensitive information, including PHI, in virtual meetings. Only share such information with people on a need-to-know basis.
3. Do not leave CU computers/devices containing sensitive information/PHI in unsecured areas (Examples: a car, public business, another residence).
4. Store all PHI paper records behind two physical barriers. (Examples for home: a locked front door and a locked filing cabinet = two physical barriers.)
5. Do not approve random Duo multi-factor authentication (MFA) prompts on your devices. Remember that multi-factor authentication takes two forms of authentication and is a triggered process. Cybercriminals are aware of how this process works and might be trying to use MFA to get into your CU accounts if they have compromised your CU password. If the Duo prompt did not come from your recent action (a trigger), deny it and change your CU password immediately!
6. Be aware of your environment while discussing PHI and university sensitive information (Examples: use headphones with a mic, behind closed/locked doors).
7. Restrict friends and family from using your CU devices that contain PHI and sensitive information.
8. Only use CU-approved applications. If you are unsure that an application has been approved by CU, please send an email to the Risk and Compliance team.
9. Use anti-glare privacy filters to prevent shoulder surfers from viewing sensitive information and PHI on your CU devices.
10. Secure your home Wi-Fi router by changing the default name, creating a strong unique Wi-Fi password, and enabling WPA2 encryption. Please reach out to your internet service provider if you need assistance editing your router settings.
11. Dispose of paper containing sensitive information using a crosscut shredder or wait until you return to your campus office.
As a reminder, a Secure Campus mindset is already being strengthened by taking the following precautions:
- Do not open suspicious emails, do not click links within these emails, and do not enter your CU credentials from suspicious links. If you are not sure about an email, forward it as an attachment to firstname.lastname@example.org and then delete it immediately.
- Lock your computer systems when not in use
- Create strong and unique passwords
- Do not use your CU password for other websites/services
- Consider using a password manager
- Go beyond the minimum password requirements when setting your password
- Encrypt email that contains PHI