Computer Security: A Call to Action for Every One of Us

In the past two months, UCSF has announced two security breaches, both of which had the potential to expose sensitive and private patient information to the outside world. Those breaches were very different and they have led to a renewed effort to tackle computer security across the UCSF community. Each member of the UCSF community is responsible for the security and protection of electronic Information Resources. Electronic Information Resources include electronic information and the systems that are used to store, manipulate or translate electronic information. The University of California, along with UCSF, has created policies, guidelines and standards to assist individuals in protecting their electronic information. (See http://security.ucsf.edu/EIS/PoliciesGuidelinesandProcedures.html.) "UCSF must ensure that it has the systems and everyday practices in place to protect sensitive data," said UCSF Chancellor J. Michael Bishop, who launched a top-level task force late last month to address the issue. "This is of the utmost priority for both the campus and the Medical Center." The campus already has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered the most recent breach. However, this event and others nationwide have caused UCSF to redouble its efforts in this area. Chancellor-Appointed Task Force The Chancellor's task force, under the leadership of Executive Vice Chancellor and Provost Eugene Washington, has undertaken a campus-wide review of computer security to identify where the system is vulnerable and how to fix it. That effort will affect every department, unit and laboratory on the campus and medical center alike. "For most of us, computer and data security can seem tangential to our everyday work, something that can wait until next week or next month," Washington said. "In fact, computer and data security must be a part of what we do everyday. Each of us must take responsibility to ensure we are doing all we can to ensure computer and data security." Every UCSF faculty member, staff member and student can take the simplest of steps to ensure computer and data security. It starts with ensuring your computer is secured with a password. Do not share your password with anyone and never open email and attachments from unknown sources. The UCSF web site provides the following information to help protect system security (follow the links for more information on each):

• 1. Use a firewall to help protect your computer from remote attacks: Web-connected computers face constant and evolving attacks from viruses, malicious hackers and criminals. A firewall helps block incoming data that can open the door to those attacks.
• 2. Ensure anti-virus software is installed, active, and updated: Viruses can be used to steal personal or sensitive data, passwords, usernames, and company data. Using an anti-virus program can help reduce or eliminate these threats.
• 3. Turn off unnecessary services: The best way to limit being the target of a remote attack is to minimize the ways an attacker can get into your computer. Turn off web- or file-servers, iTunes file sharers or other services that aren't being used.
• 4. Tools to detect and remove spyware and other similar threats: Anti-spyware can protect against programs that track users' keystrokes, web use and hard drive files to collect personal information.
• 5. Check for operating system updates and fixes: Operating system updates often address newly discovered security vulnerabilities. By using automatic operating system updates, these vulnerabilities can be addressed on an ongoing basis.
• 6. Make sure that updates have been installed for all software: Most software updates address the same issues as operating system updates. For programs that do not have an auto-update function, UCSF recommends checking the vendor's website monthly for updates.
• 7. Logoff or lock the computer desktop whenever you walk away: A 10-minute dash for coffee can give someone ample time to gain access to secure files. Desktop locking enables users to protect their data while away from their desk.
• 8. Manage and protect your computer accounts and passwords: Choose passwords that aren't in a dictionary or that a computer or hacker would have trouble guessing, then never store them in a place that's not encrypted.
• 9. Secure PII and ePHI by using encryption: UCSF offers encryption software to meet your needs for encoding data, whether it's secure email, whole-disk encryption or file encryption. Check with IT to ensure yours meets your needs.

For more detailed information on security practices for faculty, staff, students and guests, please visit: http://security.ucsf.edu/EIS/BestPractices.html. Medical Center faculty and staff can contact Jose Claudio, Director of Enterprise Systems and Security, at [email protected] for additional information.