Data Broker Services : Telecommuting and Remote Work Guidelines
Employees who telecommute or work remotely must comply with all University of Miami policies and procedures. One such practice is to adequately safeguard and secure any sensitive or confidential information, e.g., Protected Health Information (PHI) and Personally Identifiable Information (PII) of employees, research participants, students and job applicants, as well as non-public University information including salary details, internal plans, University intellectual property (IP), etc. Below are some reminders for employees working remotely. Please note that many items outlined here are basic good security practices that will also protect your own personal and confidential information.
Hardware
- UM hardware is managed by either UM IT or UHealth IT and has authorized UM applications installed, including full disk encryption as well as current security patches and anti-malware applications (Carbon Black).
- Prior to connecting to the UM network/applications, ensure you have an updated anti-malware application. Common examples include Norton, Malwarebytes, Avast, Microsoft Security Essentials/Defender, etc.
- Security updates are routinely released by hardware and software vendors. Your specific updates will depend on your device and installed applications. Common vendors include Microsoft (Windows and MS Office), Apple (macOS, iOS), Adobe (all Adobe applications, especially Flash), Oracle (Java), etc.
- Please be aware this may take several hours depending on the number of outstanding patches and the speed of your internet connection.
- This applies to PCs and Macs as well as tablets and smartphones.
Network
- Ensure encryption is enabled (WPA2 or WPA3) on your home router/access point. Encryption scrambles information sent over your network so outsiders can’t read it. WPA2 and WPA3 are currently the most up-to-date encryption standards to protect information sent over a wireless network. Be aware these acronyms, which refer to current standards, are updated periodically. Most fairly new routers have encryption enabled by default. If no WPA3 or WPA2 options show up on your router then try updating your router software, then check again to see if WPA2 or WPA3 options are available. Note, accompanying this encryption capability is a “wifi” password, for allowing access to your network. This password, like any other password, should be long and complex (see password guidance below).
- Change any default device passwords. This is different from the “wifi” password referenced above. The manufacturer of your wireless router usually sets a standard default password that allows you to set up and operate the router as its “administrator.” Hackers know these default passwords, so change yours to something only you know. The same goes for any default “user” passwords. Use long and complex passwords – think at least 12 characters, with a mix of numbers, symbols, and upper- and lower-case letters.
- Visit the manufacturer or provider website to learn how to update your router software, change the password, enable encryption as well as other security controls. Many providers (AT&T, Verizon, Comcast, etc.) may have provided this device for your home network. Contact their Technical Support for assistance.
- This is related to current load issues on the VPN appliances due to so many users having to work remotely because of the current COVID-19 pandemic.
- In general and under normal circumstances, users should use the VPN when travelling or otherwise not on the UM network.
- Do not stream unnecessary applications such as music streaming (Pandora, Spotify etc.) or non-business video streaming (YouTube, Facebook live etc.) while connected to the UM VPN.
- Use UM provided video conferencing/meeting options only as needed.
- If you do not need to use the video feature, then do not do so.
- Please be aware that there may be intermittent connectivity issues due to volume of connections during the COVID-19 crisis.
Online Messaging / Meetings
- Always make sure all sensitive conversations take place in private or behind closed doors to prevent eavesdropping.
Document Storage
- If you have an unavoidable and approved use case (i.e., explicit approval from your business unit leadership), then proper disposal of such information is critical. Some individuals have a home crosscut shredder, which is the preferred solution. At the very minimum, destroy (e.g., by cutting up with scissors) all areas with identifiable information such as name, address, telephone number, email address, MRN or other identifiable information. Again, avoid use unless absolutely needed.
- Store electronic documents in University-approved cloud storage solutions to minimize the use of paper, which can be easily lost or stolen.
- You may use the option of printing to pdf if you need to retain/maintain documents. These documents can be saved to a UM Cloud storage option, attached to UM email, or shared to UM authorized individuals via UM Cloud resources.
- Please remember that the “minimum necessary” standard is one of the cornerstones of HIPAA and always applies when sharing and using PHI. Only use the minimum information necessary to accomplish the goal.
Cybersecurity Risks
- Poor grammar and syntax as well as poor wording or numerous misspellings.
- Note while this is general guidance, increasingly these phishing attacks do not contain such obvious errors.
- Vagueness - the subject of the message or any attachments are suspiciously nonspecific and don’t reference anything familiar.
- With respect to the current COVID-19/coronavirus pandemic, here are some current terms and organizations that are being used as part of cyber scams:
- COVID-19/Coronavirus updates/information, stimulus checks, IRS Alerts, COVID-19 cures/testing, selling health insurance, student loan forgiveness, Social Security Administration fraud activity, delivery of grocery/consumer items, Work from Home offers.
- These scams are actively circulating via emails and text messages but increasingly via voice calls.
- Recognizable name on message but strange content (for example, the message seems out of character, asks for personal information or asks you to click a strange link). The email address of someone you’re already in contact with can be easily faked.
- Be cautious before clicking on links in these suspicious messages/texts or providing your personal or University information. You may not see any obvious issues, but frequently by clicking on the link, you can install malware on your device.