Our information security program for 2012 has been reviewed and approved by UTMB President Dr. David L. Callender; William Elger, executive vice president and chief business and finance officer; and Ralph Farr, vice president of Information Services. I can only hope that 2012 will be as good as, if not better than, 2011.
We had no significant incidents last year and saw a substantial increase in the number of inquiries from the UTMB community about our security program and how to properly protect our data. We also endured a five-week assessment of our security program by Deloitte and Touche, for which I am proud to say we received positive results. Thank you.
Moving forward with 2012, I want to remind the community to continue to be diligent about the way we protect our data and use our information resources.
As a reminder, our security program logo has an acronym called SPURS: Secure, Protect, Report, Update and Safeguard.
Secure your data – All confidential and UTMB proprietary data should only be stored on institutional servers. These systems are physically secure, redundant and backed up several times throughout the day. If a file is lost or accidentally deleted, it can usually be restored within a few hours. Many desktops aren’t in a physically secure location, they’re not backed up, and they sometimes endure hard-drive failures, which usually result in a total loss of data. Portable computing equipment, e.g., laptops, iPhones, USB drives, etc., suffers the same shortcomings as a desktop, with one added caveat: it is easily lost or stolen.
Protect your password – I can’t emphasize this enough. NEVER SHARE YOUR PASSWORD WITH ANYONE. Everyone who accesses a UTMB information system must have an individually assigned computer account with an associated password.
Update your system – Fortunately, all UTMB supported computers are configured to automatically install the security fixes and update the antivirus and other programs. Occasionally users will be prompted to install an update or reboot their PC after an update has occurred. Be sure that these activities take place within a reasonable amount of time, typically within one business day.
Report weaknesses and violations – Our computing environment spans several hundred miles and is comprised of thousands of inter-connected devices, with more than a petabyte of information being accessed, stored or processed by 11,000 faculty, staff and students spread across 160 locations. It takes an all-hands effort to effectively manage and monitor the overall security of an environment this large and complex. According to Caltech, two petabytes of data is equal to all the academic libraries in the United States.
If you are aware of unsecured data, or if you have access to information that you know you shouldn’t have access to, bring it to the attention of a member of management or my office as soon as practical. It may be more than just you who has access to it; it could be open to the world.
If you’re aware of policy violations, such as snooping in our EMR, installing unauthorized wireless access points or sharing account information, report it to the Office of Information Security or Institutional Compliance immediately. Some violations can lead to heavy fines or a loss of certain types of certifications.
Safeguard your Hardware – Take the appropriate steps to ensure that your information resources are properly secured. When traveling on airlines, do not store your portable computing devices in your checked luggage. Never leave laptops, iPhones, iPads, etc. visible in parked cars. If you use a laptop, purchase a cable lock so that it can be properly secured when in a public setting or a high-traffic area.
In addition to properly protecting our data, we also need to be mindful of how we use our resources, especially when it comes to personal use. UTMB’s Information Resource Security Policy allows for incidental use, meaning that faculty, staff and students can use our resources to have casual email exchanges with family and friends, or they can access the Internet for a little web browsing during down times. When using UTMB resources, remember these simple rules:
- Personal use of information resources cannot result in a direct cost to UTMB and it must not impact the performance of an employee
- Resources shall not be used to conduct personal “for profit” business, e.g., an eBay business, a tax preparation business, etc.
- No resource shall be used for political campaigning
- Never use a UTMB resource to create, store or transmit material which may be considered offensive, indecent or obscene
- Don’t send unsolicited personal email to large groups of people, e.g., chain mail, jokes, etc.
- When using tag lines on email, make sure they’re business appropriate. Think about who your recipients are: will they find it to be inspirational or motivational?
Of course there are more dos and don’ts in the policy. But as I tell everyone at new employee orientation, if you’re professional and you know the difference between right and wrong, you’ll be in compliance with UTMB’s policy on Information Resources Security.
As always, Information Sec-U-R-IT-y