The Health Information Security Unit exists to ensure the highest level of security and compliance with Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and Personally Identifiable Information (PII) standards, to ensure the protection of Intellectual Property (IP) and Personal Health Information (PHI). This unit is responsible for establishing and implementing college-wide security programs, monitoring and enforcing information security standards to ensure confidentiality, integrity, and availability of information and technical assets across the College of Medicine’s core mission in Education, Research and Healthcare.

This group proactively oversees and leads the ongoing security risk assessments for the clinical practice, actively monitors and manages technical risks for the organization, and provides incident response upon occurrence. Security professionals also manage the Vendor Risk Management (VRM) Process in partnership with the CISO office to review and document identified risks of new technologies and solutions within the environment. In concert with the CISO office, security awareness and training programs are aligned with specific emphasis in HIPAA security. University-wide HIPAA security policies are drafted by this unit and presented to the University HIPAA Collaborative Workgroup, with representation from other university clinical entities, for review and adoption at a university level.

InfoSec: Security Awareness Newsletter

KnowBe4 Newsletter – Understanding the Attackers

UCF ISO’s Student InfoSec Brochure

Latest News

1.26.2024 – Phishing Threat Currently Targeting the UCF Community

The UCF Information Security Office (InfoSec) team has identified a phishing threat currently targeting the UCF community.

The email message or SMS text appears to come from a UCF address and offers recipients the opportunity to earn money by working from home for a company dedicated to positive social impact. The message solicits information via an alternate, non-UCF “direct” email that recipients are requested to contact.

If you receive such a message, DO NOT click on the link or reply to the sender. Report it to the Security Incident Response Team (SIRT) by using the Phish Alert Button or by forwarding it as an attachment to SIRT@ucf.edu.

Often, financial loss may result if you respond to these scams and comply with the sender’s requests. If you have provided personal information, you can visit https://www.identitytheft.gov/#/ to report it and get a recovery plan.

If you clicked on a link in such a message and downloaded any files to your system, please contact SIRT immediately at SIRT@ucf.edu.

For additional protection during tax season, you can request an Identity Protection PIN from the IRS. This PIN will prevent someone else from filing a tax return using your Social Security number: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

To learn more about common email scams, please visit https://infosec.ucf.edu/scam.

4.26.23 – Multi-Factor Authentication Coming Soon for Webcourses Access

Submitted by: Matthew Fitzgerald, Deputy Chief Information Security Officer
Submitted For: David Zambri, Chief Information Security Officer and Assc. VP
Subject: Multi-Factor Authentication Coming Soon for Webcourses Access

As part of the University’s ongoing efforts to enhance the security of our network and academic data, we will add Multi-Factor Authentication (MFA) protection for all faculty, staff and students to access their Webcourses accounts.

The new requirements will go into effect starting May 8. Faculty and staff who have volunteered to participate in the ‘Passwordless Authentication’ pilot program will be prompted to use Microsoft Authenticator for Webcourses. Additional information will be communicated to this group in the coming month.

All others will use DUO MFA to sign into Webcourses – the same Multi-Factor Authentication (MFA) app used to sign into Workday, MyUCF and other applications.

What do you need to do? If you are not a DUO user and are not currently enrolled in the ‘Passwordless Authentication’ pilot program, please use this DUO MFA Knowledge Base Article to register a device for MFA use: https://ucf.service-now.com/ucfit?id=kb_article&sys_id=00ba24941b8b05106f0ee3fb234bcb39

-=-=-=
UCF Information Security Office
https://infosec.ucf.edu | https://twitter.com/UCF_InfoSec | infosec@ucf.edu

UCF will never send email messages asking you to respond and provide personal information, login credentials, or passwords via email. You are not required, nor does UCF encourage or recommend providing your passwords and/or other secret login credentials to anyone claiming to represent UCF. Never reply to unsolicited email messages requesting your password, credentials, or other confidential information and never share your password with anyone. Regard all unsolicited messages with extreme caution and alert the Security Incident Response Team at sirt@ucf.edu if a message appears suspicious.

4.28.22 – UCF InfoSec Advisory – Gift Card Scams
Submitted by: Thierry Lechler, Information Security Professional III
Submitted for: David Zambri, Chief Information Security Officer & Associate Vice President
Subject: UCF InfoSec Advisory – Gift Card Scams

The Information Security Office has seen an increase in the number of reported gift card scams targeting UCF employees. In many cases, the email impersonates a UCF employee or supervisor.

While the sender information and message content may vary, the scam generally follows the same pattern of multiple stages. The initial email is intentionally vague and very brief. Once the UCF employee responds, the scammer then provides more details in several additional emails. Often, these emails request that gift cards be purchased for a special event, with the promise of reimbursement later.

Pay close attention to the sender’s email address when receiving an unexpected email. If the sender claims to be a UCF employee but the email address is from a third party (Gmail, Yahoo, or anything other than ucf.edu), it’s most likely a scam. For more information about phishing emails and how to spot and report them, visit our Phishing Awareness page by copying and pasting this link into your browser: https://infosec.ucf.edu/phishing.

Report emails asking you to purchase gift cards on behalf of another UCF employee by clicking the Phish Alert button on the Outlook ribbon. It is recommended that you do not reply to the sender. Remember to treat gift cards as cash, and never send pictures of cards and their codes via email.

To visit the Information Security Office website, please copy and paste this link into your browser: https://infosec.ucf.edu or contact us at infosec@ucf.edu if you have any questions.

2.28.22 – UCF InfoSec Advisory – Russian Escalation in Cyberspace
Submitted by: Thierry Lechler and Delainey Strickland
Submitted for: David Zambri, Chief Information Security Officer & Associate Vice President
Subject: UCF InfoSec Advisory – Russian Escalation in Cyberspace

Given recent global events in the news, there is an increased likelihood that UCF may become the target of disruptive activities. This may lead to UCF experiencing service interruptions and/or unintended breach of data. Please remain vigilant during this time and report any suspicious activities to SIRT@ucf.edu.

How can you protect yourself?

• Be wary of clicking on links within emails, even if they appear to be from a trusted user. If you’re unsure, type the fully formed URL into your web browser.
• Be vigilant about phishing attempts that try to take advantage of rising tension. For more information, please refer to https://infosec.ucf.edu/awareness/phishing/.
• Protect your digital assets by updating the systems and software that store your professional and personal data to the latest known patches.
• Back up your valuable data, test your backups, and make sure to maintain an offline copy if possible.
• Keep your accounts secure by enabling Multi-Factor Authentication where you can and maintaining strong password practices.
• Be aware of suspicious charities and other scams, which become more commonplace as misinformation intended to manipulate emotions spreads.

As always, if you receive suspicious emails in your UCF email, report them using the Phish Alert Button: https://infosec.ucf.edu/awareness/phish-alert-button/ or by forwarding it as an attachment to SIRT@ucf.edu.

UCF InfoSec is here to help you with any information security concerns. Contact us at infosec@ucf.edu.

Thank you,
UCF Information Security Office
infosec.ucf.edu

1.20.22 – MFA Is Coming

With ever-increasing threats of phishing, keyloggers, credential stuffing, brute force and man-in-the-middle (MITM) attacks, it’s imperative that UCF implements multi-factor authentication (MFA).

All faculty and staff will begin mandatory enrollment for Microsoft O365 MFA, which provides another layer of protection for Outlook, OneDrive and other critical applications.

Starting February 17, enrollment will be divided into groups based on college/division. Each week, enrollment will occur Monday through Thursday, providing an opportunity for evaluation and adjustments on Fridays.

Thank you in advance for your help and your continued dedication to keeping the UCF community safe from external threats.

More information to come.

In the meantime, click here to learn more.

1.14.22 – UCF InfoSec Advisory – COVID Testing Scams
Submitted by: Thierry Lechler and Delainey Strickland
Submitted for: David Zambri, Chief Information Security Officer & Associate Vice President
Subject: UCF InfoSec Advisory – COVID Testing Scams

Cyber criminals are taking advantage of the current pandemic by sending fake COVID testing or contact tracing messages via email, phone calls and text. These messages may ask you to click a link or provide personal information. The links can potentially download malicious software to your computer and lead to identity theft or financial loss.

How to protect yourself?

• Treat unexpected text messages, emails, or phone calls with suspicion
• Do not click any links in these suspicious text messages or emails – it may download software that can access your personal and financial information
• If an unsolicited call asks for sensitive personal information, such as your Social Security Number or credit card number, hang up

For more information, please see these resources:

If you receive suspicious emails in your UCF email that ask you to download an attachment or click a link, report them using the Phish Alert Button: https://infosec.ucf.edu/awareness/phish-alert-button/ or by forwarding it as an attachment to SIRT@ucf.edu.

UCF InfoSec is here to help you with any information security concerns. Contact us at infosec@ucf.edu.

Thank you,
UCF Information Security Office