• How can I help to protect myself from tax-related identity theft?

    Every year, a significant number of US taxpayers fall victim to tax-related identity theft. According to the IRS, tax-related identity theft occurs when someone uses your stolen Social Security number to file a tax return claiming a fraudulent refund.

    You may not realize that this has happened until you try to file your taxes and discover that a return has already been filed, or you may receive a letter from the IRS indicating that there has been suspected fraud connected to your Social Security number.

    Due to this risk, it is important that we all take steps to protect our Social Security numbers and electronic W2 forms. W2 forms are especially valuable for potential thieves as they contain all relevant information needed to file a tax return. The best method to protect online access to your W2 form through PeopleSoft is to enable two-step verification on your Harvard Key.

    Two-step verification, also known as two-factor authentication, is a method of requiring an additional step in order to log into your account. You log in as normal with your Harvard Key credentials, then verify your identity through the use of a second factor, such as a code sent to your mobile device. In the case of Harvard Key, we’ve Partnered with DUO Security in order to provide an easy to use smartphone application that will verify your identity.

    Two-step verification is the best way to protect not only your Harvard Key credentials but also your personal email, storage, and social media accounts. HMS Information Security strongly urges all members of the community to enable two-step verification where ever possible.

    If you haven’t claimed your HarvardKey, please do so at https://key.harvard.edu. In order to enable two-step verification, log into your Harvard Key account at http://key.harvard.edu and select Manage Two-step Verification, and follow the instructions.

    Additional resources on safe computing are available on the Harvard University IT Security web site.

    The US Internal Revenue Service has additional information here: https://www.irs.gov/uac/IRS-Security-Awareness-Tax-Tips

  • How can I protect my computer from viruses, malware, and spyware?

    Antivirus is absolutely essential to have on every single desktop or laptop. Updated antivirus software can help to stop malicious software, such as viruses, and ransomware. 

    HMS IT provides antivirus software to all supported endpoints as part of its required information security software

  • How can I secure my data (backup and recovery)?

    Regularly scheduled backups are the best way to protect your data from unexpected loss, ransomware, and other risks. HMS provides backup software as part of its Cyber Essentials plan. For full details, see our Software and Backup page.

  • How can I securely dispose of equipment?

    Harvard University Information Security policy conforms to the Massachusetts law that mandates confidential information must be protected. If computer equipment designated for recycling contains data (e.g. a hard drive), contact your local Client Services Representative so they can remove the hard drive for secure disposal. 

    For more information, read about computer and hard drive disposal at HMS.

  • How do I identify a Phishing email?

    Phishing can come in many different forms, from obvious-to-spot frauds to sophisticated deceptions, but they share some common characteristics. Before you click a link, consider if the message you are reading contains these suspicious attributes:

    1. Sense of urgency and time constraint
    2. Fear of losing money or winnings
    3. Requests to verify accounts or credit card numbers
    4. Communication from services you do not use
    5. PDF attachments from businesses
    6. Generic email providers
    7. Poor grammar and spelling
    8. Confirmations that lack details, such as delivery locations or travel dates
    9. Any emails from the IRS
    10. Unexpected, but out of character, emails from people you know
    11. Files or links that require you to download additional software to view them
    12. Close, but not quite right, links.

    Phishing email handout from HUIT Information Security


  • How often should I change my password?

    Harvard Medical School systems require us to change our passwords every 364 days. Does this mean that you should wait that long to change yours? It depends. If you are conforming to the bare minimum requirement for password strength, then you should change your password more often. Choose a memorable password that you won't forget. Always remember to never write passwords down or share them.

    However, if you are using a password that is very strong (E.G., over 10 characters in length, mixed case letters, numbers, and special characters), then you are in a much more secure position to change your password once per year. To make generating passwords easy and take the worry out of remembering them, Harvard recommends and provides LastPass password manager. It's also a great idea to enable two-step verification on LastPass!

  • Should I use my personal email or storage service for HMS?

    Put simply, you should not use your personal accounts for HMS information. There have been questions and some unclear guidance around the use of email, specifically as it relates to personal email accounts, such as Gmail, Yahoo, Outlook.com, AOL, etc. and the use of these services relative to Harvard information, especially Harvard Confidential Information. Even though Harvard’s policies do not contain explicit statements about the use of these accounts as they relate to Harvard’s business we can use our policy statements to provide some guidance.

    The Harvard Information Security Policy statements provide guidance regarding what is appropriate. All Harvard staff, faculty, and students are responsible for the protection of Harvard Information. Based on the policy statements, the use of personal email services is incompatible with the Information Security Policy for the following reasons:

    • Harvard has not specifically approved these services for Harvard business use or for the storage and processing of Harvard Information, especially Harvard Confidential Information
    • Harvard does not have insight into the security controls of personal email services, which can vary with each account
    • Harvard has no contractual right to access Harvard data stored in personal email accounts
    • Harvard has no contractual guarantee that Harvard data is being kept confidential, is being disposed of properly, or that access to Harvard data is limited to only authorized individuals
    • Harvard has no legal protection from breaches, subpoenas, etc.
    • Harvard does not retain ownership of Harvard data in personal email services; in some cases, the service provider may claim ownership of this information as a condition of use

    By the same token, this also applies to the use of personal storage accounts, such as Google Drive, iCloud Drive, Dropbox, and other such services.

    These services may be used for Harvard business if the following conditions are true:

    • The service has been vetted for security controls and approved by a Harvard Security Officer
    • A Harvard School or department has a contract between the Harvard School or department and the service provider that contains provisions relative to the protection of data and data ownership. Such contracts must be reviewed by the Harvard Office of General Counsel and the school security officer.
  • What are some good security practices for social media?

  • What is the school's guidance on passwords?

    Passwords are your first line of defense. Choosing a good password can be difficult, especially when security professionals say that you need to have a long and complex password that is different for each account. Your Harvard and HMS accounts should have different passwords from your Facebook, Twitter, and other account passwords. Ideally, your Harvard Key and HMS passwords should also be different from each other. The rationale behind this is that a compromise in one system will not lead to a compromise in another system.

    In order for a password to be optimal, it should be at least 10 characters in length, contain upper and lower case letters, numbers, and special characters. The password should not contain dictionary words, unless efforts are made to substitute characters in order to modify them. Common words, such as "password" or "Harvard" should never be used in a password.

    The best way to manage passwords is through the use of a password manager. Harvard recommends and provides LastPass for free to all members of the Harvard community. It's also a great idea to turn on two-step verification in LastPass.

    Anytime you need IT assistance with a password creation or reset, you will be required to answer questions to verify your identity, due to heightened security measures.

  • What technologies are approved for use with Harvard Data?

    The matrix below represents technologies that have been vetted by HMS IT or have been identified for use with certain data classification levels.

    A matrix showing data security approval levels for various tools.


  • What is two-step verification and why is it important?

    Two-step verification, otherwise known as two-factor authentication, or multi-factor authentication is a method for verifying the identity of someone logging onto a system. Two-step verification, as the name implies, requires two steps to verify you are who you are claiming to be. The first step is generally entering a username and password combination. The second step is to verify you by means of a second factor, such as a code sent to an authorized device, such as a mobile phone.

    The importance of two-step verification is that it greatly reduces the risk of credential theft. If someone has your username and password, they would still need to have your device in order to complete the authentication process. All members of the Harvard Community should turn on two-step verification wherever it is available. Some important accounts to look at are:

    • Harvard Key
    • LastPass
    • Your online bank access (most banks have this available now)
    • Access to credit card accounts (if available)
    • Apple
    • Amazon
    • Google
    • Dropbox
    • Twitter
    • Facebook
    • Tumblr
    • LinkedIn

    To see if your accounts support 2fa, you can checkout twofactorauth.org

  • What's the best way to securely transfer data?

    Harvard Medical School uses a secure file transfer service that has been approved up to Harvard security level 4. The service, at https://filetransfer.harvard.edu, encrypts file attachments and can be used to securely send these attachments to anyone via email. The system can be utilized by anyone needing to securely send attachments within the HMS community and beyond.

    It is important to note that the system encrypts only the attachments and not the content of messages. Any confidential information should be attached rather than input in plain text.

    The secure file transfer system is not appropriate for all cases. For other options, please contact the Information Security Office at iso@hms.harvard.edu.

  • When, and how, should I encrypt?

    Encryption is one of the best controls to mitigate the risk of stolen data. The Harvard Information Security Policy requires that any laptop or other mobile device (smartphone, portable drive, etc.) be encrypted when used to store Harvard confidential information. This requirement serves as the bare minimum for the HMS community.

    While the Harvard policy requires encryption for devices that store confidential information, at a minimum, HMS Information Security strongly recommends that all devices be encrypted - where this is feasible - regardless of the data stored or processed on them. This recommendation helps to eliminate the guesswork involved in decided what is confidential versus what is not. Broadly speaking, this also gains us a great compliance and reporting benefit making it easier for us to meet the requirements of other institutions with which we collaborate and reduces the need to report should a device be stolen.

    Whole-disk encryption (WDE) is a mature technology and is built into most modern operating systems. Processor overhead and performance issues related to encryption are now a thing of the past. Now that WDE is free, easy to manage, and lightweight there are very few cases where it should not be enabled.

    Encryption should be enabled by default and everywhere that it is possible to do so.

  • Why is HMS installing System Management Software on end points?

    Traditionally, Harvard Medical School has lacked transparency as to what endpoints are being used on our network. This lack of visibility creates a challenge, not just from a support perspective but from a security and risk perspective. Knowing what systems are in use and the security posture of those devices is critical for us to be able to make smart decisions about how to mitigate the risk presented by these devices.It is important to keep in mind that these software agents do not collect any data aside from system specific information. HMS CSG has worked up the following very helpful overview:

    Protects client’s computers and data
    • Enhanced functionality for managing system and data backup, antivirus, and encryption services.
    • Better management and deployment of updates to operating systems, applications and security tools.
    • Provides HMS IT the means to identify potential risks to data due to unpatched systems, missing passwords, missing or outdated antivirus software.
    Enhances support and service of the entire computer fleet

    Users can download and install a large selection of HMS licensed software without the need to contact their local CSR

    • Users can choose to automatically or manually install applications, system updates and patches
    • Remote Desktop support for users who want an HMS IT CSR to troubleshoot and repair a computer issue remotely.
    • Simplifies hardware & software inventory.
    • Opportunities for cost savings through software licensing agreements.
    • Easier identification of legacy hardware & operating systems (e.g. Win XP).
  • What Information is collected by System Management Software?

    • Hardware information - Manufacturer, model, hardware configuration, purchase date, serial number/service tag, warranty, etc.
    • Operating system information - Version, build, patch status.
    • Application information - Application name and version.
    • Security status - Patch status, antivirus status, encryption status, etc.
    • Login information - Last person to login and login name.
  • What information is NOT collected by System Management Software?

    These products are incapable of:

    • Collecting personal user information (i.e. passwords) - PASSWORDS ARE NOT READ, COLLECTED OR STORED in any way, shape, or form.
    • Collecting user data from Home or Documents folder. Local user data is never exposed through the automated services.
    • Browsing directories on the hard drive is NOT possible.
    • Identifying usage activities such as web pages that were accessed, what file servers were accessed, or what was done within a specific application.
    • Monitoring user activity.
    • Exception - Remote Desktop. End users MAY allow access to IT Staff to view this information, but users must acknowledge and allow a Remote Desktop session to begin.

    The above restrictions are a technical limitation of the tools.

  • Will my information remain private?

    • Only Computer hardware & software specifications are collected.
    • Personal information is never touched.
    • Local user data is never exposed.
    • Actions performed by the user cannot be monitored in any way.
    • Collected information is never exposed to anyone outside of HMS IT.
    • The HMS IT User Privacy Statement describes IT’s commitment to protecting the confidentiality of client data.
  • What is the impact to the user?

    • No discernible performance impact.
    • Software updates could occur at less than desirable moments, but can be deferred by user.
    • Updates can be scheduled outside of business hours.
    • Users will have immediate access to a broad selection of software, much of it at no cost.
    • Users always retain administrative control and access.
  • Is Remote Desktop support secure?

    • Remote Desktop to personal workstations requires user consent for every session: computers will never be accessed with out your knowledge and permission.
    • Remote Desktop to shared workstations is fully logged.
    • IT Support Staff can only access computers within assigned departments.
    • Remote Desktop software uses industry standard security protocols for communication.
  • Who is eligible for System Management Software?

    • Any desktop or laptop computer that HMS IT supports.
    • Shared workstations.
    • Instrument computers that are owned/supported by HMS IT.
    • Instruments with vendor support contracts may not be eligible.
  • Are these new software tools mandatory?

    No. However, we recommend that systems management software be installed by default on all computers with an option to opt-out. Reasons to opt-out may include:

    • Instrumentation, data collection and rig computers.
    • Computers not supported by HMS IT.