Are there policies concerning remotely accessing my desktop?

The policies state that you must use a secure method to connect to the network, Citrix or VPN clients are currently the approved methods of access.  Please check with your local IT support on the department approved method of connecting.

Can I use Google Apps to store information?

We do not have a signed Business Associates Agreement (BAA) with Google.  In addition, Google is not HIPAA compliant.  This is not an approved vendor.

Can I use GotomyPC or PC Anywhere?

These tools are non-compliant with the Information Security Policies.  These tools provide random access into the environment to bypass authorized remote access mechanisms.
Please contact your local IT Support of Information Security at infosec@wustl.edu for approved solutions.

Can I use my personal laptop?

Prior to connecting to the network, personal devices must adhere to their departments procedures whether it is allowed or not.  The personal device needs to be verified by the departments IT group that the laptop is current with the anti-virus, anti-spyware and personal firewall.   If the device will be storing protected health information (PHI) the device will need to be encrypted.

Do you have an Android mobile?

From elitetele.com

Protect your business mobile by complying with the steps below.
1. Use a PIN or password
Ensure that a PIN is required to access your home screen.
2. Keep it up to date
Updates to operating systems include patches for newly-discovered security vulnerabilities.
3. Be careful with apps
Unless you are an information security expert, you should only download apps from the official app stores.
4. Turn off Wifi and Bluetooth
If you aren’t using them, you should turn off wireless communications features.
5. Backup your data
Sometimes the only way to be sure the virus is to remove is to completely wipe its memory. You should make regular backups to preserve your contact, message, photos and apps.

Does access to patient information with a reduced or single sign-on satisfy HIPAA requirements?

This process does meet the HIPAA requirements.  The security behind the user id and password is dependent on the individual protecting this information.  It is his or her responsibility to secure the login credentials.

Does the university have processes in place to remove spam and harmful emails?

Most mail systems have spam filtering processes in place.  While this will reduce the amount of spam that you receive, this will not stop it completely.
Please beware of any e-mails that request passwords, personal or financial information.  These may be phishing attempts.  If you have concerns about an e-mail forward a copy to Infosec@wustl.edu and the information security team will review and advise on whether it is valid or not.
Instructions on reporting SPAM are available on SPAM Filtering.

Computers are a popular gift during the holiday season. People with a new computer often wonder about the best way to get rid of the old one. OnGuardOnline.gov, the computer safety Web site managed by the Federal Trade Commission, has some tips to make this task easier – and more secure.
Passwords, health information, and other sensitive personal data should be saved elsewhere and erased off the old computer. This protects consumers’ privacy and safeguards them from identity theft. People who use their computers for work should check with their employers regarding the legal requirements businesses must comply with to secure and dispose of data.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

How can I send or receive files 32 MB or larger?

Large File Transfer https://lft.wustl.edu

How can I set up Skype securely?

Contact your IT Department or email infosec@wustl.edu.

How do I dispose of a hard drive that contains confidential or protected information?

Check with your local IT Department and EH&S.  If they do not provide the service, contact Information Security infosec@wustl.edu.

I need an encrypted USB drive.  What vendors provide this?

Please check out the secure USB drives from Kanguru.


I received a notice that a complaint about copyright infringement has been traced to my computer, what is this?  What do I need to do?

The Recording Industry Association of America (RIAA) represents the U.S. recording industry. The RIAA monitors piracy and illegal downloading of songs without approval.
For more information on the RIAA http://www.riaa.com/physicalpiracy.php?content_selector=piracy_online_the_law
Washington University receives complaints when user’s accounts on our network may have used to reproduce and/or distribute the unauthorized copies of one or more copyrighted sound recordings.  The materials are to be immediately removed.  If further incidents occur the appropriate people will be notified.  Please see the University Computer Use Policy for more information.  http://www.wustl.edu/policies/compolcy.html

I think my computer has been hacked, what should I do?

If you think your pc may have been hacked, depending on the information that may have been compromised:

1) No protected information, call your Help Desk immediately.

2) Protected information, call both your Help Desk and your HIPAA Security Liaison immediately.

How do I reduce the risk of identity theft?

Review your monthly statements
Shred documents
Use caution when sharing personal or financial information
Keep systems secure – update and patch
Review your credit report annually
Use strong passwords

What to do if you are a victim of ID theft?

File a police report
File complaint with Federal Trade Commission
Flag credit reports – Equifax (800-525-6285); TransUnion (800-680-7289); or Experian (888-397-3742).

Is the Google Voice service approved for use?

After reviewing the information from Google and other security related sources I would not recommend using this service for clinical or human study research purposes.
The following quotes are from the Google Voice Privacy Policy:
‘Google Voice stores, processes and maintains your call history, voicemail greeting(s), voicemail messages, short message service (SMS) text messages, recorded conversations, and other data related to your account…’
‘ When you use Google Voice, Google’s servers automatically record certain information about your use of Google Voice. …  Google server’s also automatically collect telephony log information (including calling-party number, forwarding number, time and dates of calls, and IP-addresses.’
By storing this information there would be enough to identify the person and maybe the study or visit information.  This is enough to be of concern from a patient/subject privacy viewpoint and since the University does not have a Business Associates Agreement with Google there are no protections if they used or disclosed this information.

What can I do to help keep my system safe from threats and vulnerabilities such as hackers and viruses?

There are several ways that each user can help keep systems safe.

1) Setup secure account passwords that are changed on a regular basis (don’t share this information with anyone)
2) Use screen saver passwords
3) Patch applications regularly
4) Make regular backups
5) Use and update anti-virus / anti-spyware software
6) Use encryption for confidential or protected information
7) Do not open email attachments from someone you do not know or were not expecting
8) Report security incidents
9) Dispose of confidential or protected information effectively

For more examples contact your computer support area or email us at Infosec@wustl.edu

What do I do if I receive an email that is abusive in nature?

If you receive e-mails that are abusive in nature, you can report them to abuse@wustl.edu and they will work with the service provider.

What if I find a USB Drive?

Do not plug it in – may have malicious files
Send to Information Security Office (Campus Box 8218) to review content

What if I lose a smartphone, laptop, USB Drive, tape, CD or other system/device?

Immediately contact IT Department, Protective Services, Information Security, HIPPA Privacy Office
Report where the device was lost or stolen, system information (make, model, serial number) and what was on the system, if the system was encrypted or password protected

What is a virus?

A virus is a computer program that copies itself from one computer to another.  The computer code is written into a legitimate document or program.  When the document or program is launched the code begins to run.  Viruses are often spread by email, either by someone forwarding an infected document to another user or by self-propagating, automatically sending email to everyone in the infected computers address book.  Viruses can erase data or interrupt the computer’s operating system.  If your anti-virus software is up-to-date it should catch most viruses.

What is a worm?

A worm is much like a virus but does not need any help from a person to spread.  They spread from computer to computer via networks.  Worms exploit holes in operating system security so it is important to download and install patches.

What is Phishing?

Phishing is an attempt to deceive an individual into divulging personal and / or financial information.  These attempts come in the form of unsolicited email that appears to be from a legitimate financial institution, business or utilities company.  Within the email there will be directions and a link for a phony website that requests the social security number or other account information.  If you receive an email like this, delete the message and do not respond or click on any links.

What is spyware?

Spyware is a computer program that installs into your computer without your knowledge.  It is often bundled with another harmless program that is downloaded from the internet.  Spyware does not destroy data on your computer.

What should I do if I responded to a phishing email?

If your WUSTL Key Account:  Go to https://connect.wustl.edu/selfservice/ and follow the Change my WUSTL Key Password link to make sure someone cannot use your credentials to login to any system.

If your domain account:  Contact your local IT Department Support for assistance changing this password.

If you use the same password for both accounts – or on any other accounts – we recommend changing all passwords.  It is recommended that you use more than one password for these systems.

What should I do if I suspect someone has access to my account?

Contact local IT Department if suspicious activity has been detected.

Change any account passwords that may have been compromised.

What text should I use for my HIPAA disclosure statement?

You can add the following to your email as the HIPAA disclosure statement:

The materials in this email are private and may contain Protected Healthcare Information. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying, distribution, or the taking of any action in reliance on the contents of this information is strictly prohibited.  If you have received this email in error, please immediately notify the sender via telephone or email.

When I get a mass e-mail how can I check it out to see if the information is true before I forward the e-mail?

Mass e-mails generally have some false information in them.  A few websites that you can check these e-mails out on are

Snopes – www.snopes.com
TruthorFiction – www.truthorfiction.com
Urban Legends – www.urbanlegends.about.com

Who can help with security cables for my laptop?

Master Response Officer Phil Wieda currently is responsible for meeting with individuals interested in security cables for specific items (most often, computers).  He is in contact with our vendor regarding various types of cable systems, their availability and associated costs.  Please feel free to contact me at 362-0381 or Officer Wieda at 362-HELP during normal business hours.

Are there privacy concerns regarding the Amazon Echo?

  1. What is the Amazon Echo?

The Amazon Echo smart device is designed to be an “Intelligent Personal Assistant”. It is operated through voice interaction and connectivity to cloud services provided by Amazon. Though this is the intended function of the device, it’s reasonable to have certain privacy concerns regarding it with it.

  1. Is the Amazon Echo listening to everything that’s said all the time?

By default, the device is continuously “listening” to all audio, speech or otherwise. It listens for commands directed at it specifically by a “wake word”. Amazon is insistent that the device only begins recording audio once the device hears the “wake word”.

  1. Does the Amazon Echo ever think it hears the “wake word” by mistake? What if the Amazon Echo hears something that sounds close to “Alexa” or “Echo”?

Researchers have demonstrated that the device isn’t foolproof in it’s wake word detection. There are numerous examples of how sensitive the Echo is to hearing it’s wake word. If the word “Alexa” or “Echo” is used on television or in casual conversation, it often triggers the device to wake up. This could lead to accidental activation of the device and recorded conversations being uploaded and stored on Amazon’s servers.

  1. Can the Amazon Echo be operated without using a “wake word”?

The device does include a mute button that allows the microphones in the device to be turned off. Physical interaction with the device or a hardware remote is then required to activate the device.

  1. Is everything the Amazon Echo hears being recorded and saved somewhere?

All spoken commands to the Amazon Echo are recorded and stored on Amazon’s servers. Amazon uses these recordings to improve the Echo’s services. This means that a third party is reviewing recorded audio to at least some degree.

  1. Is it possible to look up what has been recorded, and/or delete a recording?

To address privacy concerns, Amazon does provide “Manage My Device” page where users are allowed to deleted recorded audio. Recordings of accidental audio are labeled as “Voice request not intended for your Alexa device.” on the “Manage My Device” page.

  1. Does the Amazon Echo save or upload any other sensitive or private information to Amazon?

Services provided by the Echo may also use other data the user has shared with Amazon in the past. This includes, but is not limited to the physical mailing address associated with the Amazon account that the device has been registered with, past Amazon purchases, and other smart devices that have been paired with the Echo.

However, this is information that has already been shared with Amazon. One should always take care with any information shared with third parties, regardless of sharing mechanism.

  1. Does the Amazon Echo share sensitive or private information with anyone other than Amazon?

Amazon provides an open API for developers to create additional functionality, or “Skills”, for the Echo and similar devices. Additional information may be accessed through third-party skills. e.g. A user’s financial information may be available through the available Capital One skill.

Also Anyone within earshot of the device potentially has access to any of the data that has been shared with Amazon’s services. This includes past purchases, credit card information, and personal preferences towards media.

  1. Can the Amazon Echo get a virus, like a computer?

Amazon provides an open API for developers to create additional functionality, or “Skills”, for the Echo and similar devices. The extent of the vetting process conducted by Amazon before making new “Skills” available publicly is not currently known. Also custom “Skills” can be readily added to the Echo without going through the directory provided and managed by Amazon.

There is an inherit risk to any device that is capable of running unverified third-party code. Reasonable caution should be taken when adding “skills” to the Echo.

  1. Can the Amazon Echo be configured to only listen for my voice, or perhaps be secured with a passphrase?

The Amazon Echo has very limited access control. It lacks any ability to distinguish who is using the device by voice, which is it’s primary mode of operation. Whomever the Echo can here, has the ability to operate the device.

Amazon does allow online purchases made via the Amazon Echo to be validated with a PIN. However, this is not on by default.

  1. Should someone be worried the Amazon Echo can be compromised or “hacked” by a malicious third-party?

Like any internet connected device, there are certain inherent risks. Researchers have shown, like with most devices, the Wi-Fi communications from the device are able to be intercepted. While the device makes requests to online services via secured HTTPS request by default, intercepted requests can be redirected “in the clear” to plaintext HTTP instead. This provides a way for a malicious attacker to access the recorded audio being saved on Amazon’s servers.

Reasonable caution should be taken when using any internet connected device.