Reporting Information Security Incidents

If you suspect that a security incident involving electronic information or information technology has occurred, follow the 4-Step Approach below.

Important Note: To avoid speculation and prevent inaccurate information from being disseminated before a thorough investigation has been completed, limit discussion of the incident to those who strictly need to know, such as:

  • Your unit’s manager
  • Your Information Steward
  • TTS staff involved with your incident
  • University Counsel, and
  • Other people they specifically designate.

4-Step Approach

Step 1: Identify an Information Security Incident

A security incident involving electronic information or information technology includes the following, whether suspected, attempted, or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of electronic information
  • Violation of acceptable use policies for information or technology
  • Interference with the operation of university information technology resources, such as a denial of service attack
  • Discovery of weaknesses in the safeguards protecting electronic information or information systems

Examples include:

  • Loss or theft of laptops, desktops or other equipment used to access or store university data, including mobile phones, thumb drives and external hard drives
  • Intrusion into a computer system
  • Unauthorized access to sensitive information, such as Social Security numbers or restricted research data, whether intentional or accidental
  • Unauthorized use of another user’s credentials or impersonating another university user
  • A denial of service attack
  • A compromised user account

If you are unsure whether an event is a security incident, err on the side of caution and report the event.


Step 2: Stop, Disconnect, and Step Away

Using a compromised computer or device could worsen the security incident and negatively affect the investigation. Your actions may alert the attacker and they may take action to remove evidence or delete files.

Immediately:

  • STOP: Power off your PC, laptop or other device
  • DISCONNECT: If possible after powering off, disconnect the Ethernet network cable
  • Then STEP AWAY from the computer. DO NOT touch it, or take any other action, until advised by Tufts Technology Services (TTS).


Step 3: Report the Incident

The approach to reporting an incident will depend on whether the incident involves Protected Health Information (PHI) or not.

Security Incidents involving Protected Health Information (PHI) in One of the Four Units Subject to HIPAA

If the security incident has occurred in one of the following four units subject to HIPAA (i.e., a covered entity) and the incident involves PHI, report it immediately to the unit’s HIPAA Privacy Officer as follows:

  • Tufts University School of Dental Medicine: Erin Grealy, 617-636-6688, Erin.Grealy@tufts.edu
  • Health and Wellness Services: Michelle Bowdler, 617-627-3766, Michelle.Bowdler@tufts.edu
  • Human Resources: Robbyn Dewar, 617-627-2118, Robbyn.Dewar@tufts.edu
  • Athletics: Nick Mitropoulos, 617-627-5102, Nick.Mitropoulos@tufts.edu


Examples:

  • Disclosure of information about a patient’s diagnosis or treatment
  • Disclosure of a patient’s medical report or medical record number
  • Disclosure of details of a patient’s medical appointment

All Other Security Incidents involving Electronic Information or Information Technology

All other security incidents involving electronic information or information technology should be reported promptly to the:

TTS Service Desk at (617) 627-3376 or it@tufts.edu.

The Service Desk will instruct you on any actions you need to take while they analyze the situation and escalate the incident to the appropriate team(s).

Serious Security Incidents: Important Additional Reporting Advice

Some security incidents are much more serious than others. They are more likely to cause significant harm or to have a substantial impact on the university or individuals. The following types of events should be considered serious security incidents:

  • Involves restricted or other sensitive information (see Table I)
  • Could result in serious harm to the University or to an individual or individuals (including significant reputational harm or identity theft)
  • Involves serious legal issues (including the potential imposition of civil or criminal penalties)
  • May result in serious disruption to critical University services
  • Involves widespread improper disclosure or use of electronic information or information technology
  • Is likely to raise substantial public interest

These serious security incidents require immediate action and should be reported immediately to both:

  1. The TTS Service Desk at (617) 627-3376 or it@tufts.edu; and
  2. TTS Information Security at (617) 627-6070.

TTS Information Security, in coordination with the Office of the CIO, will promptly notify University Counsel and other University groups as necessary.


Step 4: Stay Calm, Document, and Avoid Speculating

  • STAY CALM. There is an established protocol for handling incidents, and Information Security and University Counsel are equipped to guide the process.
  • DO NOT DISCUSS the incident with anyone except your unit’s manager, your Information Steward, the TTS staff involved with your incident, and/or the University Counsel, unless you are authorized to do so. Limit discussing information to a strict need-to-know basis.
  • DO NOT SPECULATE. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened or the impact. The facts of the situation are often not clear until a thorough investigation and analysis have been completed. After an investigation, senior management will determine whether an event is an incident, and whether the incident is a breach.

  • WRITE A DETAILED DESCRIPTION to be shared with the incident team. Include details such as: what made you suspect the incident, what you know happened thus far, information on the device and the data affected, and what actions have been taken so far.


Table I: Restricted or Other Sensitive Information

Sensitive Personal Information (SPI)

  • Social Security Numbers
  • Driver’s License Numbers
  • Any Government-Issued Identification Number
  • Bank and other Financial Account Numbers
  • Credit and Debit Card Numbers
  • Biometric Indicators for Identity

Examples:

  • Passport Numbers
  • Visa Numbers
  • Checking Account Numbers
  • Fingerprints
  • Genetic Information

Student Data in Education Records regulated by FERPA

Examples:

  • Grades and GPAs
  • Disciplinary Records
  • Any other non-Directory Information

Note: FERPA does not prohibit the disclosure of Directory Information, provided the student does not have a Privacy Block.

Credit Card data subject to the Payment Card Industry Data Security Standards (PCI DSS)

Examples:

  • Credit card number and/or security code
  • Credit card expiration dates
  • Credit card verification codes

Sensitive information subject to other government regulation

Examples:

  • Data subject to Export Control Laws
  • Financial data subject to Gramm-Leach-Bliley
  • Data governed by government contracts subject to FISMA

Sensitive information that must be kept confidential by contract, agreement or other formal obligation, including funding and research restrictions

Examples:

  • Data set provided by a third party under a non-disclosure agreement
  • Sponsored research data subject to non-disclosure obligations
  • IRB restrictions