Data Broker Services : Telecommuting and Remote Work Guidelines

Employees who telecommute or work remotely must comply with all University of Miami policies and procedures. One such practice is to adequately safeguard and secure any sensitive or confidential information e.g. Protected Health Information – PHI, Personally Identifiable Information – PII of employees, research participants, students and job applicants as well as non-public University information including salary details, internal plans, University intellectual property (IP) etc. Below are some reminders for employees working remotely. Please note many items outlined here are basic good security practices that will protect your own personal and confidential information.


Hardware

  • Use of UM provided hardware (laptops, tablets etc.) is the required practice when accessing or storing confidential University data, including PHI.
    • UM hardware is managed by either UM IT or UHealth IT and has authorized UM applications installed, including full disk encryption as well as current security patches and anti-malware applications (Carbon Black).
  • University issued devices should only be used by the employee to which they were issued.
  • Only if necessary and unavoidable, personal hardware may be used, with knowledge and approval of your business unit leadership. All University of Miami IT BYOD policies should be followed.
    • Prior to connecting to the UM network/applications, ensure you have an updated anti-malware application. Common examples include Norton, Malwarebytes, Avast, Microsoft Security Essentials/Defender, etc.
  • Apply all applicable security updates.
    • Security updates are routinely released by hardware and software vendors. Your specific updates will depend on your device and installed applications. Common vendors will include Microsoft (Windows and MS Office), Apple (MacOs, iOS), Adobe (All Adobe applications, especially Flash), Oracle (Java) etc.
    • Please be aware this may take several hours depending on the number of outstanding patches and the speed of your internet connection.
    • This applies to PCs and Macs as well as tablets and smartphones.
  • Do NOT store any sensitive University information (PHI, PII, other non-public University information) on personal devices.
  • Immediately report lost or stolen University issued devices and/or loss of any University information.


    • Network

  • Secure your home network.
    • Ensure encryption is enabled (WPA2 or WPA3) on your home router/access point. Encryption scrambles information sent over your network so outsiders can’t read it. WPA2 and WPA3 are currently the most up-to-date encryption standards to protect information sent over a wireless network. Be aware these acronyms, which refer to current standards, are updated periodically. Most fairly new routers have encryption enabled by default. If no WPA3 or WPA2 options show up on your router then try updating your router software, then check again to see if WPA2 or WPA3 options are available. Note, accompanying this encryption capability is a “wifi” password, for allowing access to your network. This password, like any other password, should be long and complex (see password guidance below).
    • Change any default device passwords. This is different from the “wifi” password, referenced above. The manufacturer of your wireless router usually has a standard default password that allows you to set up and operate the router, as its “administrator.” Hackers know these default passwords, so change it to something only you know.  The same goes for any default “user” passwords. Use long and complex passwords – think at least 12 characters, with a mix of numbers, symbols, and upper- and lower-case letters.
    • Visit the manufacturer or provider website to learn how to update your router software, change the password, enable encryption as well as other security controls. Many providers (AT&T, Verizon, Comcast, etc.) may have provided this device for your home network. Contact their Technical Support for assistance.
  • Use of University of Miami’s virtual private network (VPN), Pulse Secure, should be limited to remote access to University on-premise systems/servers and for system administrators.
    • This is related to current load issues on the VPN appliances due to so many users having to work remotely because of the current COVID-19 pandemic.
    • In general and under normal circumstances, users should use the VPN when travelling or otherwise not on the UM network.
  • UM VPN is not required for off-campus access to University enterprise systems – including but not limited to: Workday; CaneLink; Microsoft Office 365/Outlook/Teams; Epic/UChart; Blackboard; Adobe Creative Cloud; cloud storage (i.e., OneDrive, and Google Drive); and Zoom.
  • If using UM VPN –
    • Do not stream unnecessary applications such as music streaming (Pandora, Spotify etc.) or non-business video streaming (YouTube, Facebook live etc.) while connected to the UM VPN.
    • Use UM provided video conferencing/meeting options only as needed.
      • If you do not need to use the video feature, then do not do so.
    • Please be aware that there may be intermittent connectivity issues due to volume of connections during the COVID-19 crisis.


    Online Messaging / Meetings

  • Avoid logging in from public places where conversations may be overheard and/or confidential information may be viewed.
    • Always make sure all sensitive conversations take place in private or behind closed doors to prevent eavesdropping.
  • Orient computer screens and mobile devices to reduce the chance of “shoulder-surfing.”
  • Only use secure applications for work-related messaging, such as Skype for Business or Microsoft Teams.
  • Monitor participants on teleconference calls to reduce the chance of unauthorized persons on the calls.
  • When videoconferencing, always be mindful of others who may not wish to be visible or recorded in the background. Utilize virtual background features (available through Zoom, Teams) to prevent having surroundings or others visible. Visit UM IT/UHealth IT sites for specific guidance on use of current UM authorized video conferencing tools.


    • Document Storage

  • Always secure any physical documents and storage devices, including laptops, that contain confidential University data during non-working hours.
  • Avoid use of sensitive or identifiable paper documents at home, including printing of such documents.
    • If you have an unavoidable and approved use case i.e. explicit approval from your business unit leadership, then proper disposal of such information is critical. Some individuals do have a home crosscut shredder which is the preferred solution. At the very minimum, destroy, (e.g. cutting up via scissors), all areas with identifiable information such as name, address, telephone number, email address, MRN or other identifiable information. Again, avoid use unless absolutely needed.
  • Consider your workflow and how you can transition to electronic storage.
    • Store electronic documents in University-approved cloud storage solutions to minimize the use of paper, which can be easily lost or stolen.
    • You may use the option of printing to pdf if you need to retain/maintain documents. These documents can be saved to a UM Cloud storage option, attached to UM email, or shared to UM authorized individuals via UM Cloud resources.
    • Please remember that the “minimum necessary” standard is one of the cornerstones of HIPAA and always applies when sharing and using PHI. Only use the minimum information necessary to accomplish the goal.
  • Do NOT use personal cloud storage – Use only UM provided cloud storage accessible via your UM credentials (Cane ID/dual factor authentication).
    • Please note that the University will be moving from Box to OneDrive for cloud storage beginning June 17, 2020. The migration from Box to OneDrive is expected to be complete by August 2020. Files stored in Box will be moved to OneDrive as well as still be available in Box until September 2020 – in read-only mode. For information on the migration process to OneDrive from Box, please refer to https://my.it.miami.edu/projects/streamlining-cloud-storage/.
  • Lock your doors when leaving. Even if you are just running to the car or restroom, it is vital to secure your home and workspace.


    • Cybersecurity Risks

  • Working remotely presents various cybersecurity challenges that can be different from on-campus work. It is vital that the UM community remains vigilant. Some common threats are summarized below.
  • Phishing are scam messages (emails, texts, phone calls, etc.)  that appear to be from a legitimate company and ask you to provide sensitive information. Below are some tips on how to recognize and avoid falling victim to phishing attempts:
    • Poor grammar and syntax as well as poor wording or numerous misspellings.
      • Note while this is general guidance, increasingly these phishing attacks do not contain such obvious errors.
    • Vagueness - subject of the message or any attachments are suspiciously nonspecific and don’t reference anything familiar
      • With respect to the current COVID-19/Corona virus, here are some current terms and organizations that are being used as part of cyber scams:
        • COVID-19/Coronavirus updates/information, stimulus checks, IRS Alerts, COVID-19 cures/testing, selling health insurance, student loan forgiveness, Social Security Administration fraud activity, delivery of grocery/consumer items, Work from Home offers.
        • These scams are actively circulating via emails and text messages but increasingly via voice calls.
    • Recognizable name on message but strange content (for example, the message seems out of character, asks for personal information or for you to click a strange link). An email address can be easily faked of someone you’re already in contact with.
    • Be cautious before clicking on links in these suspicious messages/texts or providing your personal or University information. You may not see any obvious issues, but frequently by clicking on the link, you can install malware on your device.
  • See links below for current scams in circulation:

    • Data Broker Services