A security incident involving electronic information or information technology includes the following, whether suspected, attempted, or actual:
- Unauthorized access, use, disclosure, modification, or destruction of electronic information
- Violation of acceptable use policies for information or technology
- Interference with the operation of university information technology resources, such as a denial of service attack
- Discovery of weaknesses in the safeguards protecting electronic information or information systems
- Ransom messages that request money to get a decryption key or to prevent the release of information
- Loss or theft of laptops, desktops or other equipment used to access or store university data, including mobile phones, thumb drives and external hard drives
- Intrusion into a computer system
- Unauthorized access to sensitive information, such as Social Security numbers or restricted research data, whether intentional or accidental
- Unauthorized use of another user’s credentials or impersonating another university user
- A denial of service attack
- A compromised user account
If you are unsure whether an event is a security incident, it is best to err on the side of caution, and report the event.
Using a compromised computer or device could worsen the security incident and negatively affect the investigation. Your actions may alert the attacker and they may take action to remove evidence or delete files.
- TAKE A PICTURE: If you see a ransom note, take a picture with your phone of all the information (including the header) and send picture to email@example.com.
- STOP: Power off your PC, laptop or other device
- DISCONNECT: If possible after powering off, disconnect the Ethernet network cable
- Then STEP AWAY from the computer. DO NOT touch it, or take any other action, until advised by Tufts Technology Services (TTS).
- DO NOT ENGAGE OR PAY: If you see a ransom note, DO NOT contact the hackers. DO NOT pay any fees, buy gifts cards, or send cryptocurrency.
The approach to reporting an incident will depend on whether the incident involves Protected Health Information (PHI) or not.
Security Incidents involving Protected Health Information (PHI) in One of the Four Units Subject to HIPAA
If the security incident has occurred in one of the following four units subject to HIPAA (i.e., a covered entity) and the incident involves PHI, report it immediately to the unit’s HIPAA Privacy Officer as follows:
|Tufts University School of Dental Medicine||Jill Leclare||Jill.Leclare@tufts.edu|
|Health and Wellness Services||Michelle Bowdler||617-627-3766
|Human Resources||Robbyn Dewar||617-627-2118
- Disclosure of information about a patient’s diagnosis or treatment
- Disclosure of a patient’s medical report or medical record number
- Disclosure of details of a patient’s medical appointment
All Other Security Incidents involving Electronic Information or Information Technology
All other security incidents involving electronic information or information technology should be reported promptly to the:
TTS Service Desk at (617) 627-3376.
The Service Desk will instruct you on any actions you need to take while they analyze the situation and escalate the incident to the appropriate team(s).
Serious Security Incidents: Important Additional Reporting Advice
Some security incidents are much more serious than others. They are more likely to cause significant harm or to have a substantial impact on the university or individuals. The following types of events should be considered serious security incidents:
- Involves restricted or other sensitive information—See Table I
- Data is actively being encrypted or already has been encrypted probably by ransomware, where threat actors are threatening to release data if the ransom is not paid, or if you find an electronic ransom note on your screen or in a README file
- Could result in serious harm to the University or to an individual or individuals (including significant reputational harm or identity theft)
- Involves serious legal issues (including the potential imposition of civil or criminal penalties)
- May result in serious disruption to critical University services
- Involves widespread improper disclosure or use of electronic information or information technology
- Is likely to raise substantial public interest
These serious security incidents require immediate action and should be reported immediately to both:
- The TTS Service Desk at (617) 627-3376 (available 24x7), AND
- If during business hours, also call the Office of Information Security at (617) 627-6070; during off hours email firstname.lastname@example.org
The Office of Information Security, in coordination with the Office of the CIO, will promptly notify University Counsel and other University groups as necessary.
- STAY CALM. There is an established protocol for handling incidents, and Information Security and University Counsel are equipped to guide the process.
- DO NOT DISCUSS the incident with anyone except your unit’s manager, your Information Steward, the TTS staff involved with your incident, and/or the University Counsel, unless you are authorized to do so. Limit discussing information to a strict need-to-know basis.
- DO NOT SPECULATE. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened or the impact. The facts of the situation are often not clear until a thorough investigation and analysis have been completed.
After an investigation, senior management will determine whether an event is an incident, and whether the incident is a breach.
- WRITE A DETAILED DESCRIPTION to be shared with the incident team. Include details such as: what made you suspect the incident, what you know happened thus far, information on the device and the data affected, and what actions have been taken so far.
- DO NOT PAY. If the incident involves a ransom demand, do not respond and do not pay. Make sure this information is escalated to the Office of Information Security who will take appropriate next steps.
Table I: Restricted or Other Sensitive Information
Sensitive Personal Information (SPI)
Student Data in Education Records regulated by FERPA
Note: FERPA does not prohibit the disclosure of Directory Information, provided the student does not have a Privacy Block.
Credit Card data subject to the Payment Card Industry Data Security Standards (PCI DSS)
Sensitive information subject to other government regulation
Sensitive information that must be kept confidential by contract, agreement or other formal obligation, including funding and research restrictions
Important Note: Limit discussing the incident—to avoid speculation and prevent inaccurate information being disseminated until a thorough investigation has been completed—to those who strictly need to know such as:
- Your unit’s manager
- Your Information Steward
- TTS staff involved with your incident
- University Counsel, and
- Other people they specifically designate.