Frequently Asked Questions (FAQ)

The Information Security Team gets a variety of questions asked of them and has put together this list to try and answer some of UW Medicine workforce members more commonly asked questions.

If you do not find an answer to your question here please look around the site before opening a Help Desk ticket. If you would like to have a security team member contact you about a question that you can not find an answer to please contact the IT Services Help Desk here: mcsos@u.washington.edu

General FAQ

1. I forgot my password. What should I do?

• For AMC passwords: If you know your UW NetID password, you can retrieve your AMC password here: https://apps.medical.washington.edu/pwdupdate?source=
• For UW NetID passwords: You can reset your password by phone or in person. Follow the instructions on UW IT's site: http://www.washington.edu/itconnect/accounts/#passwords

2. I think I was hacked! What should I do?

• First. Don't panic.
• Second, Don't make any changes. DO NOT POWER OFF THE SYSTEM and Stop using the system immediately.
• Now, Contact the ITS Help Desk to report the incident. For urgent reports call 206-543-7012. For all other reports send email to mcsos@uw.edu.

3. Can you tell me if "some service or system" is secure?

• ITS Security can help you assess services and systems for security risk based on your specific use. Contact us to set up a consultation.

4. Can I send email to ______@_______ securely?

• Refer to the email guidance for more information about sending email securely.

5. How can I test my application/computer/system to see if it's secure?

• For one-off assessments consider using the Self Service Vulnerability Assessment tool. For best results, be sure to provide a valid set of credentials and allow the scanners through your firewall. If you have questions about the scanning process or results contact ITS Security.
• For larger or more complex systems, ITS Security can help you assess risk and technical vulnerabilities for your applications, computer, or system. Contact us to learn more.

6. I need access to ___________.

• ITS Security doesn't grant access to systems. Contact the ITS Help Desk at mcsos@uw.edu to be routed to the appropriate group.

7. My printer stops working properly about once a month. What's happening?

• This may be related to automated scanning processes run by UW Security on campus. You can request to be excluded from scanning by opening a ticket to ITS Security through the Help Desk at mcsos@uw.edu.

Laptop and Mobile Device Encryption

1. I can't use any software you recommended?

• You may need Administrator access; in that case, work with your desktop support group or administrator to get their assistance.
• You may not have a listed Operating System; for example, you could be using a mobile device which runs neither Windows nor MacOS X. In that case, explore the vendor's site and search the Internet for software products which meet the criteria for full disk encryption on that platform. (Or you may need to upgrade the device.)
• The free tools may just be too demanding. The commercial products are usually easier to get running. Check the commercial products to see if there is one that fits your situation better.
• Let the Security Team know if you still can't find a solution and still need to process PHI on your mobile device.

2. What do I do if I just got a new laptop or mobile device?

If you have a mobile device running Microsoft Windows, you may be fortunate enough to already have it running. To find out if BitLocker is running, go here: Microsoft BitLocker Guidance. If it's not running, see the BitLocker, TrueCrypt or FileVault guidance for installation. See the Mobile Device Encryption page for more information.

3. What are the minimum system requirements for using the encryption solutions?

The minimum system requirements change depending on the vendor solution. Please check the vendor site of the product that you are installing to get the most up to date technical requirements.

If your laptop or mobile device is more than 3 years old you should verify that the encryption solution you want to install will work on your device.

4. How do people know if they have PHI on their device?

If you deliberately process or store PHI on the mobile device, do implement full disk encryption. If you are unsure, you can err on the side of caution and encrypt.

5. What are "administrator" rights?

An Administrator is a local account or an account that a support team uses that has complete access to modify any data on your computing device. For End Device Support managed devices; the EDS team manages and maintains the Administrator accounts. For non-EDS devices you can contact your local IT group or go into the user settings to see if you account is labeled as an administrator account.

6. If I'm using remote access, what do I do?

If you use the SSLVPN, Remote Desktop, VNC, Citrix and other remote access technologies, and process sensitive data which is stored remotely, inside of a terminal session, you may be protecting the data adequately and not have to encrypt the storage on the mobile device. If you are in doubt, you can choose to implement encrypted storage for further assurance.

7. When do I have to have this done by?

Within a month would be ideal. If you've read the full disk encryption guide for your OS, and you still can't see yourself accomplishing this within three months, contact the Security team to sign up for the brown bag sessions on full disk encryption

8. How will you know if I don't do it?

UW Medicine is a hybrid entity; it is a federation of health care [providers]. The central Security team in IT Services is not in a position to know your systems settings to that level of detail. The responsibility to ensure that the information is protected adequately is on the shoulders of the data custodian. If you are using the laptop, that is you. We are counting on you to put forth your best effort. Please work with the system owner to make a plan to protect your laptop if it's not already protected.

9. What if I choose not to?

If you don't have protected health information (PHI) or other confidential information on your computing device, then that's not a problem.

It's also okay to have protected health information on a mobile device and not take it off site.

But if you do have protected information on a mobile device, you must protect it. Security has chosen to mandate that full disk encryption be in place. Failure to implement this protection subjects you to sanctions which would be recommended by Compliance and enforced your management.

10. Is there something I should have signed when I was issued the ,equipment, warning me about this requirement for encryption or data handling?

Privacy, Confidentiality, and Information Security Agreement

Yes we believe that these aspects of the PCISA apply:

• Comply with UW and UW Medicine policies
• Support compliance with federal and state statutory and regulatory requirements
• Maintain the confidentiality of information to which I am given access privileges
• Accept accountability for all activities associated with the use of my individual user accounts and related access privileges
• Not to change the computer configuration unless specifically approved to do so
• I understand that where I have access to or use of information classified as RESTRICTED or CONFIDENTIAL, additional protections are expected.
• I understand that failure to comply with the above Privacy, Confidentiality, and Information Security agreement may result in disciplinary action up to and including denial of access to information and termination of my employment at the University to Washington. I have been given access to all of the UW Medicine Privacy and Information Security Policies.