Safe Computing

Collaboration on New HIPAA Course for the Shared Services Center (SSC)

Staff in the Shared Services Center (SSC) play an important role in properly handling sensitive institutional data, including data regulated by the Health Insurance Portability and Accountability Act (HIPAA). This past summer, the SSC decided it was time to update their HIPAA training, which they require annually of their staff.

The SSC noticed that Information and Technology Services (ITS) also offers HIPAA training for its staff in My LINC. While it was a good example of what the SSC wanted in an updated course, it was customized for ITS and didn’t include SSC-specific information. The SSC reached out to ITS and asked for a copy of the content to use as a starting point.

What happened next was a collaboration that enabled the SSC to use the same tools that ITS Information Assurance (IA) developed. As a starting point, ITS shared a copy of the course in the Claro eLearning authoring tool. SSC staff were given temporary licenses so they could edit the content.

ITS then helped them use My LINC to publish the course, assign it to SSC staff, and automate email notifications. The result is a consistent and repeatable process for providing cross-university information security and compliance training—and all of it done with a fraction of the effort that the SSC would have expended if they had had to start from scratch.

picture of researchers, medical staff and others

Duo Restore Function Enabled for iOS and Android

A new Duo option makes it easier to reactivate the Duo Mobile app when you get a new device. Duo Restore Prior to October 23, 2020, if you got a new smartphone or tablet and wanted to reactivate the Duo Mobile app on it, you needed to use an alternate method of Duo two-factor (such as a phone call) or contact the ITS Service Center for an activation link.

Now you can use the new Duo Restore option to speed things up. Duo Restore gets the app working on a new device without requiring a separate reactivation step when you restore your data and settings from a backup or transfer from your previous device. However, there are a few conditions that must be met first.

iOS device
You need an iCloud account configured on the device with iCloud Backup and iCloud Keychain enabled. You can restore only for devices on the same platforms (iOS to iOS).

Android device
You need access to the old device to complete activation. Also, the Duo Mobile app needs to be enabled for backup to Google Drive on the old device before starting the restore process on the new device. You can restore only for devices on the same platforms (Android to Android).

For more information and links to Duo’s how-to videos, see Reactivate or Restore the Duo Mobile App.






A New Email security tool — Virtru!

Make your U-M Gmail even more secure

Information and Technology Services (ITS) is happy to announce that students, staff, and faculty have access to a new email security tool — Virtru. (Note: Michigan Medicine provides a similar capability for their email service). With Virtru, you can send end-to-end encrypted email to any address, prevent a forwarded email from being read, set a read expiration, revoke the ability to read sent email, tell if the recipient has opened your email, and more!

For best results, use the Virtru extension for Chrome. After you install the Virtru extension, you’ll see a slider on top of your compose window so you can toggle encryption on and off and set other security settings for each email. Email recipients do not need to install Virtru to read or respond to your email.

Please remember that certain information should never be emailed even if encrypted. The “When to Use Virtru” section below covers some use cases.

When to use Virtru

U-M’s Google email is secure for the vast majority of your needs, but when you want it or need it, Virtru provides an additional layer of security. 

ITS Information Assurance recommends that you encrypt emails for which you want to control access or that need to be extra confidential. Here are some examples of information you might send in email with Virtru encryption:

  • Personally identifiable information (PII) such as name, birth date, and address
  • An Excel spreadsheet with names and uniqnames or UMID numbers of members of the U-M community
  • Grades and other student education records
  • And more!

send gmail with Virtru enabled

Email—even with Virtru—cannot be used for some information

Some sensitive information should never be sent through email, even with encryption. Here are some examples of information that should never be sent in email:

  • Payment Card Industry (PCI) data (credit card numbers)
  • Certain types of regulated data (consult ITS Information Assurance via the ITS Service Center)

Ready to get started?

Virtru email encryption is easy to use, and easy to get started. Visit the ITS Virtru page to get information on how to install Virtru on your computer, along with some helpful tips on how to use the tool.

If you have questions on what types of data are recommended for use with Virtru, visit the Sensitive Data Guide: Virtru at U-M for more guidance.

Password Tip: Use a Unique Password for Every Site and Service

Here is an important password tip: Do not reuse your UMICH (Level-1) password. Try to set a unique password for each site and online service you use (or use a password manager), and never use your UMICH password for non-university accounts or services.

Reusing passwords puts you at risk. There have been a number of data breaches outside U-M where reused UMICH passwords were exposed (such as breaches at LinkedIn and Chegg). When people use their U-M email address as their login ID on a third-party site that is breached, it makes it easier for attackers to connect a reused password to a U-M account. See, for example, this ITS Information Assurance advisory from July 2020: No U-M “data breach”—U-M user info used on 3rd party sites exposed.

computer monitor with a text that says password

If each of your accounts has a unique password, and there is a data breach at one site, the other accounts are still safe.

  • Using unique passwords helps you protect your personal, private data and all your online accounts. 
  • Using two-factor authentication for your personal accounts whenever it is available provides more protection. U-M implemented Duo to provide an additional layer of security for all faculty, staff, and student accounts.

If managing multiple unique passwords is a challenge, consider using a password manager, software that generates and keeps track of passwords for you. See Safe Computing: Manage Your Passwords for more tips on creating and remembering strong passwords.

If you have used your UMICH password anywhere outside the university, change that password today!