The Catalyst

Security changes set for home, mobile-device users

By Cindy Abole
Public Relations

MUSC has joined a growing wave of academic institutions, businesses and organizations that have committed to providing a higher level of security when it comes to managing health care data and accessing servers and networks.

Cyber attacks against an institution’s authentication systems and employee emails are steadily on the rise, compromising the safety of protected health information accounts, sensitive data, and administrative and financial records.

OCIO’s Clay Taylor speaks to University Finance & Administration managers about security changes recommended by the Information Security Advisory Council which will affect employees and students who remotely access email, calendars and manage data using MUSC servers. Users who register their devices before Sept. 15 will be entered into a drawing to win an iPad Mini.
OCIO’s Clay Taylor speaks to University Finance & Administration managers about security changes recommended by the Information Security Advisory Council which will affect employees and students who remotely access email, calendars and manage data using MUSC servers. Users who register their devices before Sept. 15 will be entered into a drawing to win an iPad Mini.

After a recommendation from the Information Security Advisory Council, the MUSC board of trustees and vice president’s council approved the purchase of two software security systems — PhoneFactor Active Authentication from Microsoft and XenMobile Device Manager from Citrix — as cost-effective solutions and a proactive response against phishing attacks and other online security threats. The change, which begins Oct. 1, will affect more than 13,000 MUSC employees, faculty and students.

MUSC users of personal or university-owned iOS and Android smartphone devices and tablets must enroll in the mobile device management solution and implement two-factor authentication technology to allow for remote access. MDM for Blackberry users will be coming soon.

Once enrolled in MDM, the system will check the configuration of the device and install a profile on the phone that requires users to set a pass code, helping users access MUSC email or information in a more secured format.

Two-factor authentication was originally developed for electronic computer authentication and requires the use of two types to verify a user’s identity – something you know (NetID and password) and something you have (phone).

Hackers would have to know the username and password in addition to processing the phone information to verify a user’s identity. Users will have the choice to receive a phone call, install an iOS or Android application, or answer three security questions after a two-minute wait period. MUSC’s two-factor authentication system integrates IT’s infrastructure with Outlook web access (webmail), Citrix Webapps and VPN.

According to Reece Smith, hospital compliance officer, “The effectiveness of single-password authentication has been increasingly under attack since the advent of mobile devices. A compromise to find an effective solution to protect users and sensitive information has been an institutional priority.”

Regarding MDM, MUSC’s privacy officer Mike Wheeler stated, “With the widespread use of cloud computing and other services to manage data, we were looking for a security solution that is easy to use and affordable for our mobile users. It is estimated that Mobile Device Management will affect more than 4,500 iPhone users and 4,000 Android users.”

Easy, Quick and Secure

At the request of the Information Security Advisory Council, the MUSC board of trustees, and the vice president’s council, OCIO, with the help of Mary Mauldin, Ed.D., executive director of the Office of Instructional Technology and Faculty Resources, has led the new system’s documentation, surveys, focus groups review, and training and communications efforts this spring.

Since June 1, information services engineers Clay Taylor, Lisa Pecsuk, Adrian Tippens and Scott Burroughs have been meeting with hospital and university human resources, new student groups, academic deans, and department and communications groups to answer questions about mobile device management and two-factor authentication efforts.

“We really wanted to get the word out about these initiatives as well as make sure users know that we can’t look at their personal data when they sign up for these programs. We can’t see a user’s pictures, text messages, phone call logs, emails, etc. The only thing that we are trying to accomplish with these initiatives is to protect MUSC data,” Taylor said.

The communications plan includes the posting of MDM and TFA posters throughout campus, communicating on the MUSC Facebook page, broadcast messages and other communications.
Information Services’ Support Desk will assist MUSC users during this implementation period via phone or online request. Users may call 792-9700 or submit an online request form.

To help users with registration, additional staff will be available at various locations to assist users throughout this process.

MDM Enrollment

For enrollment information, visit http://www.musc.edu/mdm.

Using the new system, people who routinely use their remote devices like smartphones, tablets or home computers to manage their email, work contacts and calendar information will be able to securely and automatically access the university’s networks and systems.

It provides added security by enforcing a four-digit PIN (or pattern on Android), and a means to prove that the password is in place.

Registered MDM users will have a secure passcode, password lock, inactivity timeout, and encryption for MUSC data, email, contacts and calendar information.

When a user registers his or her phone, the system will collect only limited information about the device. Installation of MDM will not affect the phone’s performance. If a device is lost or stolen, users have the ability to log into a self-service portal to lock their device or wipe their device of MUSC-related data, but leave their personal data untouched.

Two-factor authentication

For enrollment information, visit https://2factor.musc.edu/PhoneFactor.

MUSC employees, faculty, and students who use MUSC resources such as Outlook web access, Citrix web apps and VPN, are required to register for TFA.

Registered users are reminded to allow for push notifications through their mobile device to allow PhoneFactor to work. Smartphone users also can download the phone app and activate it using an easy to scan barcode.

Authentication works each time a user gains access. PhoneFactor authentication will place a confirmation call or push a digital request to the registered user’s phone (Android or iPhone) with the message: “This is MUSC calling to verify a login to your NetID. Press the # sign to complete authentication or press * to report fraud.” On an Android or iPhone, the user simply taps “authenticate” to complete the login.

Users of Outlook, Apple Mail, Thunderbird and other email clients must now establish a VPN connection (using NetID) from off campus to receive mail on their off-campus desktop or laptop.

September 6, 2013
 
 
 

© 2013  Medical University of South Carolina | Disclaimer