FY18-Cybersecurity Awareness Training - HHS.gov

U.S. Department of Health and Human Services, Assistant Secretary for Administration, Office of the Chief Information Officer: CYBERSECURITY AWARENESS TRAINING


TRANSCRIPT

Page 1: FY18-Cybersecurity Awareness Training - HHS.gov

U.S. Department of Health and Human Services Assistant Secretary for Administration, Office of the Chief Information Officer

CYBERSECURITY AWARENESS TRAINING

Page 2

WELCOME

This training provides the U.S. Department of Health and Human Services (HHS) employees, contractors, interns, and others with the knowledge to protect HHS information and information systems, and to minimize the risks of internal and external cyber threats.1 The goal of this training is to inform the HHS workforce of threats to HHS information and information systems, and to provide best practices to defend the HHS mission from these threats.

Learner’s Corner

• The transcript icon on the upper right provides access to the transcript document.

• When necessary, the footnote text immediately follows the reference.

• Navigation to lessons is provided in the upper right section of the page or in the bookmarks.

• Click on the X in the top right corner of the window or press ALT+F4 to close forms and pop-up windows.

• The training is fully accessible through keyboard and shortcuts.

This training fulfills the Federal Information Security Modernization Act of 2014 requirement and HHS IS2P recommendation for security awareness training for users of federal information systems.

Page 3

YOU ARE THE TARGET

What do hackers look for? Hackers and adversaries are constantly seeking personally identifiable information (PII) and protected health information (PHI) stored on HHS information systems for the purpose of committing health insurance fraud, identity theft, and other financial crimes. As an HHS employee, contractor, intern, or Commissioned Corps of the U.S. Public Health Service personnel, you are a target because you have access to what the cybercriminals are looking for—PII, PHI, financial, personnel, grant, research, and patient medical information.

Hackers’ methods to obtain your information

Unattended devices

Information from your online profiles

Email/phone scams

Compromised passwords

Page 4

TRAINING OBJECTIVES

Click on the objective icon below to the left or use the down arrow to advance to the next objective.

Objective 1 Develop and demonstrate foundational-level knowledge of cybersecurity.

Page 5

TRAINING OBJECTIVES 2

Objective 1 Develop and demonstrate foundational-level knowledge of cybersecurity.

Objective 2 Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).

Page 6

TRAINING OBJECTIVES 3

Objective 1 Develop and demonstrate foundational-level knowledge of cybersecurity.

Objective 2 Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).

Objective 3 Recognize cyber threats to information systems.

Page 7

TRAINING OBJECTIVES 4

Objective 1 Develop and demonstrate foundational-level knowledge of cybersecurity.

Objective 2 Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).

Objective 3 Recognize cyber threats to information systems.

Objective 4 Identify and report potential cybersecurity and privacy incidents promptly.

Page 8

TABLE OF CONTENTS

Select a lesson to progress through the training.

In this training, we will discuss why you need cybersecurity in the workplace, how to secure HHS information, and how to identify social engineering tricks often used by cyber criminals. We will also describe different types of cybersecurity breaches and how to report them.

1 CONTROLLED UNCLASSIFIED INFORMATION Definitions and examples of CUI, PII and PHI.

2 SECURING INFORMATION Best practices to protect HHS information assets.

3 SOCIAL ENGINEERING Methods used to manipulate people.

4 BREACHES & REPORTING What are breaches and how to report them?

Page 9

LESSON 1 — CUI

OVERVIEW This lesson describes cybersecurity and the different types of Controlled Unclassified Information (CUI), including PII and PHI. The lesson also identifies best practices for you to apply within your workplace.

OBJECTIVES

• Define cybersecurity.

• Describe the different types of CUI.

• Define and give examples of PII and PHI.

1 CONTROLLED UNCLASSIFIED INFORMATION Definitions and examples of CUI, PII and PHI.

• What is Cybersecurity?

• What is CUI?

• Definitions and examples of PII and PHI.

Page 10

WHAT IS CYBERSECURITY?

Cybersecurity is the action taken to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

On a daily basis, we use many convenient ways to access information and information systems. They include the use of passwords, personal identity verification (PIV) cards, email, remote access, etc. Using the best practices within this training on a daily basis helps HHS personnel protect HHS information from hackers attempting to gain access.

Page 11

WHAT IS CUI?

Controlled Unclassified Information

CUI (sensitive data) is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise that confidentiality and thereby adversely affect national health interests, the operation of HHS programs, or privacy under the Health Insurance Portability and Accountability Act (HIPAA).

In this training, we will refer to sensitive data as CUI.

Types of CUI

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• Intellectual Property

• Financial Data

In this training, we will focus on PII and PHI.

The CUI framework outlined in the NIST SP 800-60 Rev 1 memo is intended to replace common—but inconsistently applied—markings such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) with one framework for the federal government to designate, mark, safeguard, and disseminate information.

Page 12

PII & PHI

What is PII? PII is “information which can be used to distinguish or trace an individual's identity, such as their name, social security number (SSN), biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” 1

What is PHI? PHI is defined as any individually identifiable health information that is explicitly linked to a particular individual and health information which can allow individual identification.2

PHI also includes many common identifiers such as name, address, birth date, and social security number.

Click on the PII/PHI icon for examples.


1. Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

2. Defined in the Health Insurance Portability and Accountability Act of 1996 [HIPAA].

Page 13

LESSON 1 KNOWLEDGE CHECK

Read the following scenario, and then answer the question.

Please select from the answers below.

Do you think the following information can be used to identify Mr. Rabia?

A dentist office recently provided Ms. Jasmin Smith with a copy of her referral documents for the orthodontist. The following information was accidentally included in the file forwarded to Ms. Smith:

• Applicant name: Mr. Renee Rabia

• Height: 6”

• Eye color: Brown

• Hair color: Brown

• Zip Code: 22033

• Birthplace: Mozambique

• Age: 40

• City of Residence: Fairfax, VA

Yes

No

Page 14

LESSON 1 SUMMARY

In this lesson, you learned to:

• Define cybersecurity, CUI, PII and PHI.

• Identify CUI, PII and PHI.

Your ability to identify and protect CUI, including PII and PHI, will help you integrate a solid foundation of cybersecurity best practices into your daily work tasks and projects.

Page 15

LESSON 1 – QUIZ 1

Read the scenario below and answer the question. Please select from the answers below.

1) In 2016, a hospital reported to the Department a security breach that affected the records of up to 405,000 patients, employees, and employees’ beneficiaries. What type of data was lost?

A. PII B. PHI

C. Both D. None

Page 16

LESSON 1 – QUIZ 2

Read the scenario below and answer the question. Please select from the answers below.

2) Jane works in a medical facility. Jane’s sister, Sharon, treated in the same facility, asked her to check her lab results. Can Jane give her sister the results?

A. Yes B. No

Page 17

LESSON 2 — SECURING INFORMATION

OVERVIEW All HHS employees, contractors, and personnel have a responsibility to protect HHS information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

OBJECTIVES

• Identify the characteristics of a “strong” password.

• Apply GFE protection rules.

• Create and send encrypted email.

• List steps to store and dispose of data.

2 SECURING INFORMATION Best practices to protect HHS information assets.

• PIV Card and Passwords.

• Wi-Fi Networks.

• GFE during Foreign Travel.

• Email Use and Encryption.

• Data storage and Disposal.

Page 18

PIV CARDS

Personal Identity Verification Card

Personal Identity Verification (PIV) cards are official government-issued identification cards that permit you authorized access to HHS government buildings and secured areas based on your job role. You will also use it as an authentication device to access your government-issued computer. PIV cards contain your digital credentials used to encrypt emails, digitally sign documents, and verify physical access privileges.

Page 19

LESSON 2 BRAIN TEASER 1

Time to tease your brain with a quick question!

Do you want to learn more? Click on the Tip icon to the right for the best practices to protect your PIV card.

You received an encrypted email and want to read it. Do you need your PIV card to decrypt the email message? Yes or No?

Click on the question mark icon to see the answer.

Page 20

PASSWORDS

Strong Passwords

What are “Strong” Passwords?1 A strong password includes a random combination of 8 or more numbers, symbols, capital and lower-case letters. Using a variety of character types increases the time it takes to crack the password. Please use an easily remembered phrase and substitute letters and numbers for words. This is called a passphrase. Here’s an example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw. Click on the key image for strong password characteristics.

Do Not…

• Create easy-to-remember passwords.

• Use obvious passwords related to common information such as a child’s or pet’s name, or your favorite sports team.

• Use passwords that someone can guess using your social media information.

• Write down your password in a place that is accessible to others.

• Share your password with anyone, including systems administrators.

1. For additional information, please see the HHS ISP policy on passwords at OIS Policies, Standards, Memoranda & Guides.

Page 21

LESSON 2 BRAIN TEASER 2

Now that we’ve discussed the topic of passwords, let’s answer a question.

Do you want to learn more? Click on this Tip icon.

Which of the following is a good way to remember a password?

A. Use a favorite team name.

B. Use a familiar word with your birthdate.

C. Create a word with your child’s name.

D. Create a passphrase.

Page 22

WI-FI NETWORKS

It’s important to remember that malicious actors could be lurking in the free Wi-Fi networks that you may be accustomed to accessing while at your local coffee shop, or while traveling. Do not expose your Government Furnished Equipment (GFE) to unnecessary security risks by connecting to free unsecure Wi-Fi networks. Only use secured Wi-Fi networks such as your home Wi-Fi or Hotspot devices (mobile phone/tablet).

Click on the blue ball to the right for more guidelines.

Page 23

LESSON 2 KNOWLEDGE CHECK

Read the following scenario, and then answer the question.

Please select from the answers below.

You are a grant management analyst and you’re attending a workshop in a hotel conference center. It’s now during your lunch break and you receive a phone call from your supervisor asking you to email some important grant documents to her. You only have access to the conference center’s guest Wi-Fi, which is open for public use.

Ideally, which action is NOT recommended from the below list?

A. Apologize to your supervisor that you cannot send her the list until you are connected to a secure Wi-Fi.

B. Use a secure browser and secure VPN if you have one.

C. Send your supervisor the information using the unsecure Wi-Fi at the hotel.

D. Do not work on sensitive materials while connected to unsecure Wi-Fi.

Page 24

GFE DURING FOREIGN TRAVEL

According to the HHS Chief Information Officer, Use of Government Furnished Equipment (GFE) During Foreign Travel memo (dated December 2016), “HHS travelers should not have any expectation of privacy regarding any communication while traveling to foreign countries. Moreover, one may expose and compromise GFE to an increased level of risk during foreign travel. Someone other than the intended recipient may intercept unencrypted email communications and non-secure phone calls and our adversaries overseas and other bad actors, such as international criminal organizations, often target GFE. HHS GFE is not permitted on unofficial, personal foreign travel. All HHS personnel traveling abroad on official business must follow the Office of Security and Strategic Information’s (OSSI) Foreign Travel Checklist guidelines and contact OSSI at [email protected] as early as possible.1”

• Use of GFE during Foreign Travel

• Office of Information Security (OIS) Policies, Standards, Memoranda & Guides

Page 25

EMAIL PROTOCOLS

HHS Email Accounts

HHS email accounts are for official government business; however, employees may have limited personal use of their HHS email. Employees should NEVER conduct official HHS business with their personal email accounts.1

Do Not…

• Use your HHS email address to create personal commercial accounts for the purpose of receiving personal notifications, set up a personal business or website, or to sign up for memberships.

• Let your personal emails disrupt your productivity, interrupt service, or cause congestion on the network (e.g., sending spam or large media files), or to engage in inappropriate activities.

1. Review the Rules of Behavior for Use of HHS Information Resources for more information.

Page 26

ENCRYPTION

Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies unauthorized persons and software the ability to interpret the message content. HHS policy requires files containing CUI to have encryption enabled while in transfer and while stored.1 Emails that contain CUI must have encryption enabled before the sender sends them.

1. Be sure to refer to your Operating Division Help Desk for instructions on how to use encryption technology. Encryption information and alternatives can be found by visiting HHS Cybersecurity Program Encryption.

Page 27

EMAIL ENCRYPTION

When encrypting emails using Microsoft (MS) Outlook® and a PIV card, it’s important to remember that the email can only be decrypted by internal HHS recipients. If the user is sending an encrypted email from an HHS email account to an external recipient, the recipient will not be able to decrypt or read the content of the email. When the recipients open the email, they will enter their PIN and MS Outlook® will decrypt and display the contents of the email.

Click on the red box in the right corner for an example of an encrypted message.

Email Encryption Steps:

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, select the “Encrypt” icon.

4. Type your message and hit the “Send” button.

Page 28

LESSON 2 BRAIN TEASER 3

Let’s see if you’ve learned what is needed to open an encrypted email.

Which of the following items are necessary when opening an encrypted email?

A. E-signature.

B. Digital certificate.

C. User’s PIN.

D. PIV Card.

Click on the question mark icon to see the answer.

Page 29

DATA STORAGE & DISPOSAL

Data Storage: Data storage is maintaining or storing CUI. When safeguarding CUI, back up all stored or transmitted information, encrypt it, and file/archive the encrypted backup information.

Data Disposal: If a media device containing CUI is obsolete or no longer usable or required, it should be disposed in accordance with applicable laws and regulations. Disposal rules apply to information in paper, computer, or any other format.1 Click on the folders icon on the right for data disposal methods.

1. For more information, visit the Record Management webpage.

Page 30

LESSON 2 SUMMARY

In this lesson, you learned how to:

• Create and protect strong passwords.

• Protect your PIV card from unauthorized use.

• Send an encrypted email.

Applying these best practices will help protect HHS information and information systems from hackers. Cybersecurity starts with you!

Page 31

LESSON 2 - QUIZ 1

Read the scenario below and answer the question. Please select from the answers below.

Which of the following answers lists the correct steps to send an encrypted email in MS Outlook® 2010?

Choice A

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, check the “Request a Read Receipt” box.

4. Type your message and hit “Send” button.

Choice B

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, select the “Encrypt” icon.

4. Type your message and hit the “Send” button.

Choice C

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, select the “Permission” icon.

4. Type your message and hit the “Send” button.

Choice D

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, check the “Request a Delivery Receipt” box.

4. Type your message and hit the “Send” button.

Page 32

LESSON 2 - QUIZ 2

Read the scenario below and answer the question. Please select from the answers below.

2) Mark is a new employee who just joined the Department. He received an email from the Help Desk to update his profile in the staff directory. The email included a link that Mark was instructed to click for access to his profile. The email also includes a telephone number for additional assistance.

What should Mark do?

A. Click on the link to update his profile.

B. Call the Help Desk number on the Intranet to verify the email.

C. Delete the email; it’s spam.

D. Mark should call the number given in the email to confirm the request.

Page 33

LESSON 3 — SOCIAL ENGINEERING

OVERVIEW Welcome to Lesson 3! In this lesson, we will identify how social engineers use phishing, phone scams, and social media to bait unsuspecting HHS employees into providing them access to HHS information and information systems.

OBJECTIVES

• Define social engineering and the types of attacks associated with it.

• Identify and report phishing emails.

• Determine ways to limit information posted on social media.

• Recognize techniques to handle suspicious phone calls.

• Identify and report Insider Threats.

3 SOCIAL ENGINEERING Methods used to manipulate people.

• Social Engineering Overview

• Phishing

• Social Media

• Phone Scams

• Insider Threat

Page 34

SOCIAL ENGINEERING

It’s critical that you understand the most common methods used by criminals to manipulate people into providing information. Social engineering (human manipulation) is the use of deception to manipulate individuals into divulging confidential or personal information that the social engineer may use for fraudulent purposes. Malicious actors could appear to be a coworker or a “friend” in an effort to gain your trust so that they can obtain access to HHS information and information systems through you.

Page 35

PHISHING

What’s Phishing? Phishing is a social engineering scam whereby intruders seek access to information and information systems by posing as a real business or organization with legitimate reason to request information.

Phishing emails (or texts) quite often alert you to a problem with your account and ask you to click on a link and provide information to correct the problem. Click on the Hacker’s icon to the right for a phishing example.

How does it work? These emails look real and often contain the organization’s logo and trademark. The uniform resource locator (URL) in the email can resemble the authentic URL web address, for example, “Amazons.com” with a very minor spelling error that one can overlook. Links included in phishing emails can download malicious programs onto your computer or mobile device and allow the attacker access to the device, connected devices, and the information stored on those devices.
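The "minor spelling error" check described above can be automated on the defender's side. The following is an added example, not part of the HHS training: it compares the registered domain of each link in a message against a constructed allow-list of trusted domains and flags near-miss spellings (such as the "Amazons.com" case) and trusted names smuggled in as a subdomain of another domain. The allow-list, the sample links and the two-label domain rule are assumptions for the example.

```python
"""Flag look-alike domains in email links (added illustration, not HHS code)."""
from urllib.parse import urlparse

# Constructed allow-list of domains the reader legitimately deals with.
TRUSTED_DOMAINS = {"amazon.com", "hhs.gov", "microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def registered_domain(url: str) -> str:
    """Return the last two labels of the link's host, e.g. 'amazons.com'.

    Assumption: a two-label suffix is enough for the sample domains; a real
    deployment would consult the Public Suffix List for 'co.uk'-style TLDs.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' covers the near-miss spelling the lesson shows ("Amazons.com")
    and a trusted name used as a subdomain of a different registered domain
    ("amazon.com.example.net"), where the part that matters belongs to someone else.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registered_domain(url)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Near-miss spelling of a trusted registered domain.
        if 0 < levenshtein(domain, good) <= max_distance:
            return "lookalike"
        # Trusted name appearing as a leading or inner label of another domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike"
    return "unknown"


def triage(links):
    """Map each link in a message to its classification, for review or quarantine."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    # Constructed sample links as they might appear in one message.
    for url, verdict in triage([
        "https://www.amazon.com/orders",
        "https://Amazons.com/account",
        "https://amazon.com.example.net/login",
        "https://example.org/",
    ]).items():
        print(f"{verdict:9s} {url}")
```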

Page 36

SUSPICIOUS EMAILS

If you are suspicious of an email:

• Do not click on the links provided in the email.

• Do not open any attachments in the email.

• Do not provide personal information or financial data.

• Forward the email to [email protected] and then delete it permanently from your Inbox and Trash folders.

Page 37

LESSON 3 BRAIN TEASER

Let’s take a look at the following phishing brain teaser!

Brian received a phone call at work. “Tech Support” called to verify information on his computer. Brian was instructed to provide network and password information over the phone. Brian obliged and provided the requested information. Did Brian take the correct action? Yes or No?

Click on the question mark icon to see the answer.

Page 38

SOCIAL MEDIA

It’s critical that you understand the threats you may encounter when using your social media accounts. Malicious actors may often pretend to be a coworker, a “friend,” or to have a common social media interest in an effort to gain your trust so that they can obtain unauthorized access to HHS information and information systems. To the right, there are some recommendations to ensure your information security.

• Do not associate your employment at HHS with your social media accounts.

• A social engineer may aggregate and use multiple posts about your job with malicious intent.

• Be mindful of what you tweet, Instant Message (IM), or post online because once it’s on the Internet it’s on the Internet forever!

Page 39

PHONE SCAMS

Many people think cybercriminals only use phishing and other unethical computer tactics to obtain sensitive information from unsuspecting victims. However, cybercriminals use phone scams too. A cybercriminal could claim to be from a trusted location at work and ask for PII from an HHS employee. The employee may receive an email from "technical support" instructing them to call a certain number to ensure that their computer is working correctly, or to complete the installation of software. Be aware of these tactics and do not fall prey to social engineers.

Click on the red circle to the left for a phone scam story.

Page 40

LESSON 3 KNOWLEDGE CHECK

Read the following scenario, and then answer the question.

Please select from the answers below.

Allison received an email from a coworker she does not know regarding the upcoming office Holiday party. Included in the email is an attachment listing the attendees and the food items they are bringing to the party. The coworker has requested that Allison immediately review the list and verify what she will bring to the party.

Based on the answers provided below, what should Allison do next?

A. Examine the email and check for red flags indicating that it may be a phish.

B. Call the coworker to verify the legitimacy of the email.

C. If the recipient cannot verify the email, forward it to [email protected].

D. All of the above.

A

B

C

D

Page 41

INSIDER THREAT

Insider threats are the most extreme type of social engineering. An insider threat is a malicious threat to an organization that comes from current or former employees or contractors within the organization, who have inside information concerning the organization's security practices, data, and computer systems. Instances of insider threats are rare but very serious.

HHS is a multi-disciplined, geographically distributed public health enterprise whose missions include research, innovation, regulation, prevention, and response. HHS holds information that is of interest to foreign intelligence agents or organizations, and to insider threats. If you have significant reason to suspect that an employee is an insider threat, report it to the OSSI: Counter-intelligence Directorate at [email protected].

Page 42

LESSON 3 SUMMARY

In this lesson, you learned how to:

• Report suspicious emails to [email protected] and verify links and file attachments before clicking on them;

• Be aware of human manipulation methods used by cybercriminals to trick you into providing Controlled Unclassified Information (CUI); and

• Report suspicious activity to the OSSI: Counter-intelligence Directorate at [email protected].

It’s important for you to identify these methods so that you can help prevent cybersecurity breaches.

Page 43

LESSON 3 - QUIZ 1

Read the scenario below and answer the question. Please select from the answers below.

1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken to Mike in a while but accepted the friendship in hopes that they could catch up. Trevor clicks on a link in a social media instant message from Mike while working on his HHS laptop. The link went to a blank page. Trevor realized that the friend request was actually from someone he didn’t know. Trevor immediately “un-friended” the person.

Should Trevor worry about his HHS laptop being compromised?

A. Yes B. No

Page 44

LESSON 3 - QUIZ 2

Read the scenario below and answer the question. Please select from the answers below.

2) Lucy sent her coworker an email containing CUI just before the end of her workday. The next day, Lucy realized she forgot to encrypt the email.

Should Lucy be concerned?

A. Yes B. No

Page 45

OVERVIEW

LESSON 4 — BREACHES & REPORTING

Welcome to Lesson 4! In this lesson, we will learn how to prevent and limit the impact of a breach by identifying incidents and learning when and how to promptly report them.

OBJECTIVES

• Identify the different types of cybersecurity and privacy incidents.

• Examine information and differentiate public from private use.

• Perform the steps to report a suspected or confirmed cybersecurity or privacy incident to proper authorities.

4 BREACHES AND REPORTING: What are breaches and how to report them?

• Recognize Incidents

• Reporting Incidents

Page 46

RECOGNIZING INCIDENTS

Information Security Incidents

Understanding the actions and situations that can cause a security incident is critical to the protection of HHS information and information systems. Below is a list of incidents that must be reported immediately to the 24-hour Computer Security Incident Response Center (CSIRC) at [email protected] and to your OpDiv’s Incident Response Team.

Types of Incidents:

• Loss, damage, or theft of equipment, media, or documents containing PII.

• Accidentally sending a report containing PII to a person not authorized to view the report, or sending it unencrypted.

• Allowing an unauthorized person to use your computer or credentials to access PII.

• Discussing CUI in a public area.

• Accessing the private records of friends, neighbors, celebrities, etc. for casual viewing.

• Any security situation that could compromise HHS information or information systems (e.g., virus, phishing email, social engineering attack).

Page 47

LESSON 4 BRAIN TEASER

Time for a question! One day, Katherine realized that she forgot to bring her laptop to work. She needed to finalize a presentation for her meeting at 1 PM. Katherine’s coworker, Dan, agreed to let her use his computer once he completed his monthly report. After Dan finished his report, he gave his laptop to Katherine with his PIV card still inside. Katherine completed her presentation, but before giving Dan his computer back, she decided to take a look at a few shared folders that she realized she didn’t have access to on her own laptop. Katherine then returned the laptop and thanked Dan for his help. Should Dan consider this an “incident”?

Page 48

REPORTING INCIDENTS

It’s important to understand what an “incident” is, and how to report one should one occur. Reporting all possible security incidents immediately gives the 24-hour CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the negative impact of the incident. Today’s high-speed internet connections can allow an adversary to steal gigabytes of data in minutes. Every second counts when it comes to reporting security incidents. Failing to report an incident immediately allows the hacker to operate unnoticed in the HHS network for a longer period of time. Ethically, it is your responsibility to report incidents as soon as you identify them. So stay alert! Your quick response can prevent a breach.

The scenarios in this lesson will help you understand how to quickly take action when incidents happen. If any privacy or data incidents occur (as listed in the “Recognizing Incidents” section), please report them at once!

Page 49

LESSON 4 KNOWLEDGE CHECK

Read the following scenario, and then answer the question. Please select from the answers below.

Tammy and Jill went to a local coffee shop for a short break. Over coffee, they discussed client details and other CUI relating to their department. At the end of their discussion, they realized that someone from another department had been watching them and listening to their discussion a few tables away. This person should not have heard any of their private discussion. What should they do?

A. Ignore the eavesdropper…maybe this person didn’t hear the discussion after all.

B. Ask the eavesdropper not to disclose any information that s/he overheard.

C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

D. None of the above.

Page 50

LESSON 4 SUMMARY

In this lesson, you learned how to:

• Define and identify types of cybersecurity incidents.

• Report an incident.

Being able to identify and report an “incident” is imperative in a workplace that deals with highly sensitive information. The impact of some incidents can be minimized by simply encrypting emails containing CUI, and/or by your quick action to report an incident. These are all simple actions, yet imperative and mandated. Remember, report all breaches to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team. Report malicious/spam emails to [email protected].

Page 51

LESSON 4 - QUIZ 1

Read the scenario below and answer the question. Please select from the answers below.

1) Carol realized that she forwarded a sensitive HHS email to the wrong person.

What should she do?

A. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

B. Inform the recipient to disregard and delete the contents of the email that was sent erroneously.

C. Both.

D. None of the above.

Page 52

LESSON 4 - QUIZ 2

Read the scenario below and answer the question. Please select from the answers below.

2) An OpDiv experienced laptop thefts. What should the manager on site do?

A. Immediately report the “incident” to [email protected].

B. No rush…but report the “incident” at some point this week.

C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

D. None of the above.

Page 53

TRAINING WRAP-UP

Understanding how to protect HHS CUI, PII, and PHI is critical to ensuring the mission of HHS. Training you to effectively apply cybersecurity best practices is the focus of this training. Identifying cybersecurity incidents and understanding how to report them will improve the security posture of HHS information and information systems. You are encouraged to immediately apply the best practices you learned from this training into your daily work habits.

In this training, you learned to:

• Define cybersecurity and Controlled Unclassified Information (CUI).

• Define privacy and PII and means to protect PII in different contexts and formats.

• Create strong passwords and protect your PIV card from unauthorized use.

• Safeguard GFE during foreign travel.

• Define encryption and determine how and when to encrypt.

• Describe human manipulation methods often used by hackers.

• Report suspicious emails and activities to reporting authorities.

• Identify the different types of incidents, including insider threats, and how to report them.

Page 54

TRAINING QUIZ - 1

Read the scenario below and answer the question. Please select from the answers below.

1) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, and employer identification numbers (EIN); and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.

Does Fred’s laptop contain PII?

A. Yes B. No

Page 55

TRAINING QUIZ - 2

Read the scenario below and answer the question. Please select from the answers below.

2) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, and employer identification numbers (EIN); and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.

In the previous scenario, which of the following is not HHS PII?

A. Grantee’s social security number

B. Patient’s date of birth

C. Pictures of Fred’s children

D. Patient’s gender

Page 56

TRAINING QUIZ - 3

Read the scenario below and answer the question. Please select from the answers below.

3) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, and employer identification numbers (EIN); and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.

Should Fred report this incident? Why or why not?

A. Yes, Fred should report the incident because he lost personal information.

B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.

C. No, Fred does not need to report the incident because the computer is replaceable.

D. No, Fred should not report the incident because he is a contractor.

Page 57

TRAINING QUIZ - 4

Read the scenario below and answer the question. Please select from the answers below.

4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby, cannot get into the electronic health record (EHR) system, because she has failed to enter the correct password. In order to reset the password, Debby would have to go see a representative from the Password Distribution Center (PDC), on the first floor of the building, leaving the secured floor where she is located. Debby is unable to go to the PDC, because she cannot find her PIV card and believes she has misplaced it. Debby asks Alan for his login credentials, so that she may access the EHR system.

Should Alan allow Debby to use his credentials?

A. Yes, she is Alan’s trusted coworker.

B. Yes, if Alan’s manager gives him permission.

C. No, sharing user credentials is a privacy violation.

D. A and B

Page 58

TRAINING QUIZ - 5

Read the scenario below and answer the question. Please select from the answers below.

5) Alan decides not to share his credentials with Debby. Debby now asks to borrow Alan’s PIV card, so that she may leave the secured floor, and get her password reset at the PDC.

What should Alan do?

A. Give Debby his PIV so she can leave the floor to reset her password.

B. Alan should tell her to ask another coworker for their PIV card.

C. Alan should escort Debby to the PDC so she can get her password reset since she doesn’t have her PIV card.

D. B and C

Page 59

TRAINING QUIZ - 6

Read the scenario below and answer the question. Please select from the answers below.

6) This time Alan decides not to let Debby borrow his PIV card, because it would create a privacy incident.

What other privacy incident has already occurred?

A. Debby asked to borrow Alan’s credentials.

B. Debby has misplaced her PIV card and cannot find it.

C. Debby asked to borrow Alan’s PIV card.

D. A and C

Page 60

RESOURCES

Training Resources

Learn more about the Federal and Departmental laws and regulations that guide your cyber activities.

Additional Resources

Additional Guidance: Additional resources and full URLs for useful links relating to information security are provided in the links below.

Federal Rules & Guidance

Departmental Guidance

Acknowledge & Complete

Click the below link to learn how to complete the training and receive the Certificate of Completion.

Acknowledge & Feedback

HHS CATE Resources: The HHS Cybersecurity Awareness Training and Education (CATE) team has also developed CyberCare and Healthy Technology as additional resources for you. We hope that you find them helpful. At the end of the training, you will be asked to provide feedback relating to CyberCare.

Page 61

Thank you for completing the Cybersecurity Awareness Training.

Page 62

DEPARTMENTAL GUIDANCE

In order to understand Information Security Policy and Governance, it’s important to first take a look at guidance on the departmental level.

Office of Secretary

HHS Cybersecurity Program

Operating Divisions (OpDivs)

Page 63

DEPARTMENTAL GUIDANCE — Part 3

Operating Divisions (OpDivs)

OpDivs implement programs that meet specific business needs, provide business/domain expertise, and manage implementation at the OpDiv level. The OpDivs also develop policies and procedures specific to the operating environment, and help to manage ongoing operations.

Page 64

DEPARTMENTAL GUIDANCE — Part 2

HHS Cybersecurity Program

It is the Department’s information security program. Oversight is provided by the Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). The Program is led by these policies:

• HHS-OCIO Policy for Information Systems Security and Privacy.

• HHS-OCIO Policy for Responding to Breaches of Personally Identifiable Information.

• Rules of Behavior for Use of HHS Information Resources.

The hyperlinks for the program’s policies are provided in slide notes.

HHS-OCIO Policy & Privacy

Provides direction on developing, managing, and operating an IT security program to the OpDivs and Staff Divisions (StaffDivs).

HHS-OCIO Policy for Breaches

Establishes actions taken to identify, manage, and respond to suspected or confirmed incidents involving Personally Identifiable Information (PII).

Rules of Behavior

Provides the rules that govern the appropriate use of all HHS information resources for Department users.

Page 65

DEPARTMENTAL GUIDANCE — Part 1

Office of Secretary

Sets programmatic direction by providing an enterprise-wide perspective, and coordinating among key stakeholders. The Department also sets standards and provides guidance, to support streamlined reporting and metrics capabilities.

Page 66

STRONG PASSWORD CHARACTERISTICS

• At least eight characters in length

• Contains upper-case letter(s)

• Contains lower-case letter(s)

• Contains number(s)

• Contains special character(s): (%,^,*,?,<,>)
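As an added example (not part of the HHS training material), the following Python checker encodes the five characteristics listed above so that a self-service reset tool or onboarding script can tell a user exactly which rule a candidate password fails rather than just rejecting it. The special-character set is the one printed on this slide; the sample candidates are constructed for illustration and are not real credentials.

```python
"""Policy gate for the strong-password characteristics listed on this slide.

Added example, not HHS code. It encodes the five listed rules and reports
every rule a candidate fails, so a reset tool can give precise feedback.
The special-character set is taken verbatim from the slide; broadening it
to other punctuation is a deployment decision, not something the slide states.
"""

MIN_LENGTH = 8
SPECIALS = set("%^*?<>")  # exactly the characters the slide lists


def failed_rules(password: str) -> list:
    """Return the names of every rule the password fails; [] means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def is_strong(password: str) -> bool:
    """True when the candidate meets all five listed characteristics."""
    return not failed_rules(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Summer2018", "hhs-train1", "Qx9%vL2?", "short7%"]:
        print(candidate, failed_rules(candidate) or "passes")
```

Reporting every failed rule at once (rather than stopping at the first) is what makes the check usable as feedback: a user who submits "hhs-train1" learns in one round that it needs both an upper-case letter and one of the listed special characters, since a hyphen is not in the slide's set.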

Page 67

LESSON 2 - QUIZ 2 KEY

2) Mark is a new employee who just joined the Department. He received an email from the Help Desk to update his profile in the staff directory. The email included a link that Mark was instructed to click for access to his profile. The email also includes a telephone number for additional assistance. What should Mark do?

B. Call the Help Desk number on the Intranet to verify the email.

Explanation: Sometimes the Help Desk sends email notifications regarding network enhancements, outages, and inventory updates. If you ever doubt the validity of a Help Desk email, consult a trusted source like the Intranet, a coworker, or call the Help Desk to verify the legitimacy of the email before clicking on any links or opening attachments. Remember the Help Desk will never ask for your password.

Page 68

LESSON 4 - QUIZ 1 KEY

1) Carol realized that she forwarded a sensitive HHS email to the wrong person. What should she do?

C. Both

Explanation: While the recipient of the email may or may not adhere to a request to disregard the contents of the email, it never hurts to make the request anyway, just in case. Definitely report this as an “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

Page 69

EXAMPLE OF AN ENCRYPTED MESSAGE - OUTLOOK 2007

[Screenshot of an encrypted message in Outlook 2007; the image is not reproduced in this transcript. A separate slide shows message encryption in Outlook 2010, 2013 and 2016.]

Page 70

LESSON 1 – QUIZ 2 KEY

2) Jane works in a medical facility. Jane’s sister, Sharon, treated in the same facility, asked her to check her lab results. Can Jane give her sister the results?

B. No

Explanation: Checking medical records of any patient without a “need to know” is strictly prohibited. Although Jane is an employee and has access to medical records, she is not authorized to provide her sister with this information. CUI in the form of PHI must only be disclosed to authorized personnel.

Page 71

LESSON 3 - QUIZ 2 KEY

2) Lucy sent her coworker an email containing CUI just before the end of her workday. The next day, Lucy realized she forgot to encrypt the email. Should Lucy be concerned?

A. Yes

Explanation: Lucy should have taken more time to be sure that she sent her email with the proper precautions. One must always encrypt emails with CUI first. It’s important to report this as an “incident” immediately.

Page 72

LESSON 2 BRAIN TEASER 1

Time to tease your brain with a quick question! You received an encrypted email and want to read it. Do you need your PIV card to decrypt the email message? Yes or No?

Answer: Yes

Explanation: Your PIV card contains the digital credentials required to encrypt and decrypt HHS emails, and it must be connected to your laptop to decrypt emails and digitally sign them.

Page 73

TRAINING QUIZ - 4 KEY

4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby, cannot get into the electronic health record (EHR) system, because she has failed to enter the correct password. In order to reset the password, Debby would have to go see a representative from the Password Distribution Center (PDC), on the first floor of the building, leaving the secured floor where she is located. Debby is unable to go to the PDC, because she cannot find her PIV card and believes she has misplaced it. Debby asks Alan for his login credentials, so that she may access the EHR system.

C. No, sharing user credentials is a privacy violation.

Page 74

FEEDBACK AND ACKNOWLEDGMENT

What do you Think?

Thank you for completing the Cybersecurity Awareness Training. Please provide your feedback in the form below. Your feedback provides valuable insight used to improve HHS computer-based trainings. Please follow the instructions on the form to submit it.

Acknowledge the Rules & Complete the Training

Employees and contractors without access to the HHS Learning Management System (LMS) can certify completion of this training by:

1) Reading the HHS Rules of Behavior;

2) Printing and signing the Cybersecurity Awareness Training Certificate below. Submit the form to your cybersecurity awareness training Point of Contact.

(All other employees/contractors with LMS access must complete the training through their LMS account.)

Page 75

Cybersecurity Awareness Training

Office of the Chief Information Officer, Assistant Secretary for Administration, U.S. Department of Health and Human Services

Feedback is optional, but needed for the continuous improvement of the training. If you decide to complete the form, please click on Submit Form to send it to [email protected]. Please use the following scale to answer the questions below: A. Strongly Agree; B. Agree; C. Neutral; D. Disagree; E. Strongly Disagree.

Content

1. The training is outlined in a way that increases my interest and awareness of cybersecurity and privacy threats.

2. The training helped me develop skills to recognize cybersecurity incidents and privacy threats.

3. The training activities, interaction, and knowledge checks helped me understand the content more clearly.

Delivery

4. The online delivery had the right level of user interaction and involvement.

5. The length of the training is appropriate to learn the information presented.

6. Navigation and links are easily accessible and helped me learn more about cyber security.

CyberCARE

7. Are you familiar with CyberCARE awareness articles? Yes / No

8. I have read _____ CyberCARE awareness articles. (A. 0 B. 1-5 C. 6-10 D. 10 E. More than 10)

9. I have found CyberCARE articles to be helpful. (A. Strongly Agree; B. Agree; C. Neutral; D. Disagree; E. Strongly Disagree.)
Page 76

LESSON 4 - QUIZ 2 KEY

2) An OpDiv experienced laptop thefts. What should the manager on site do?

C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

Explanation: It’s imperative to report stolen Government Furnished Equipment (GFE) like laptops immediately to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team. While the laptops are replaceable, the loss of information contained on them is not.

Page 77

LESSON 1- KNOWLEDGE CHECK - ANSWER KEY

Answer: Yes

Explanation: The file forwarded to Ms. Smith contains some PII details that can identify Mr. Rabia easily if complemented with other details from social media or public directories.

Page 78

DATA DISPOSAL METHODS

Records

Any information deemed a record should be disposed of in accordance with approved records disposition schedules and departmental policies. Consult the HHS records retention policy or contact the HHS Record Management office before disposing of any information, to prevent the destruction of records that employees are required to preserve.

Non-Digital

If CUI is on non-digital media, such as paper, and is not a record, take the following measures:

• Refrain from disposing of it in the trash bin.

• Shred paper using cross-cut shredders.

Digital

Electronic or digital media include hard drives, disks, floppies, tapes, flash memory, Universal Serial Bus (USB) devices, phones, mobile computing devices, networking devices, etc. If CUI is on electronic media and is not a record, submit the media to the Operating Division (OpDiv) Help Desk for sanitization.


TRAINING QUIZ - 3 KEY

3) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, and employer identification numbers (EINs); and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, and health care facility name. Does Fred need to report this incident?

B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.


LESSON 1 – QUIZ 1 KEY

1) In 2016, a hospital reported to the Department a security breach that affected the records of up to 405,000 patients, employees, and employees’ beneficiaries. What type of data was lost?

C. Both

Explanation: Along with the PHI that had been stolen, the malicious actors gained access to the PII of employees and their beneficiaries. PII includes social security numbers, addresses, dates of birth, etc.


PIV PROTECTION PRACTICES

1. Never allow someone physical access to a secured area without a PIV card.

2. Keep your PIV card on you at all times as you move around your office and/or office buildings.

3. Never leave your PIV card unattended.

4. Lock your computer and remove your PIV card from your computer when you are not at your desk.

5. Never allow someone else to use your PIV card to access a computer system.


PASSWORD PROTECTION TIPS

Mandatory practices:

• NEVER share your password with anyone. Report anyone who asks for your password to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

• If you suspect your password is compromised, change it immediately and report the compromised password as an incident.

• Commit passwords to memory. One way to do this is to use an easily remembered song or phrase and substitute letters and numbers for words. Example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.

Best practices:

• Create a different password for each system, application, financial institution, or social website.

• Change your password periodically in accordance with HHS policy.

• Do not reuse passwords until after using at least six other passwords.


LESSON 2 - QUIZ 1 KEY

1) Which of the following answers lists the correct steps to send an encrypted email in MS Outlook® 2010?

Choice B:

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New Email.”

3. Under the Options tab, select the “Encrypt” icon.

4. Type your message and hit the “Send” button.

Explanation: The “Encrypt” button is under the “Options” tab in Outlook®. You need to encrypt every email containing CUI.


LESSON 3 - QUIZ 1 KEY

1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken to Mike in a while but accepted the friendship in hopes that they could catch up. Trevor clicks on a link in a social media instant message from Mike while working on his HHS laptop. The link went to a blank page. Trevor realized that the friend request was actually from someone he didn’t know. Trevor immediately “un-friended” the person. Should Trevor worry about his HHS laptop being compromised?

A. Yes

Explanation: Trevor put his HHS laptop at risk by visiting a social media website and clicking on an unverified link. In doing so, he may have unknowingly downloaded malware onto his HHS laptop; a link that leads only to a blank page is a common sign that a drive-by download or redirect ran in the background. Trevor should worry that his action compromised the HHS laptop, and he must immediately report the incident to the 24-hour CSIRC ([email protected]) and to his OpDiv’s Incident Response Team.


LESSON 2 - KNOWLEDGE CHECK - ANSWER KEY

Answer: C

Explanation: CUI shall not be transferred using unsecured public Wi-Fi. CUI must only be transmitted through secured network environments.


TRAINING LEGEND PREVIEW



Office of the Chief Information Officer
Assistant Secretary for Administration
Department of Health and Human Services

FY18 Cybersecurity Awareness Training
Training Transcripts

Security Governance, Risk Management, and Compliance (GRC)
Office of the Chief Information Officer
Assistant Secretary for Administration
U.S. Department of Health and Human Services


Table of Contents

Section 1 - Introduction
  Welcome!
  Learner’s Corner
  You are the Target
  Training Objectives
  Table of Contents

Section 2 - Lessons
  Lesson 1 – Controlled Unclassified Information
    Overview, Objectives, Topics, Lesson Summary, Lesson Quiz
  Lesson 2 – Securing Information
    Overview, Objectives, Topics, Lesson 2 Summary, Lesson Quiz
  Lesson 3 – Social Engineering
    Overview, Objectives, Topics, Lesson Summary, Lesson Quiz
  Lesson 4 – Breaches and Reporting
    Overview, Objectives, Topics, Lesson Summary, Lesson Quiz

Section 3 - Conclusion
  Training Wrap Up
  Training Quiz
  Resources
    Training Resources
    Additional Guidance
  Acknowledgment and Feedback
    What Do You Think?
    Acknowledge & Complete It
  Feedback Form


Section 1 - Introduction

Welcome!

This training provides the U.S. Department of Health and Human Services (HHS) employees, contractors, interns, and others with the knowledge to protect HHS information and information systems, and to minimize the risks of internal and external cyber threats1. The goal of this training is to inform the HHS workforce of threats to HHS information and information systems, and provide best practices to defend the HHS mission from these threats.

Learner’s Corner

o The transcript icon on the upper right provides access to the transcript document.

o The slide notes contain answers to the knowledge checks and any additional information accessible through a pop-up window.

o Navigation to lessons is provided in the upper right section of the PowerPoint or in the bookmarks in the PDF version.

o Click on the X in the top right corner of the window to close forms and pop-up windows.

o The training is fully accessible through keyboard and shortcuts.

1 This training fulfills the Federal Information Security Modernization Act (FISMA) of 2014 requirement and HHS IS2P recommendation for security awareness training for users of federal information systems.


You are the Target

What do hackers look for?

Hackers and adversaries are constantly seeking personally identifiable information (PII) and protected health information (PHI) stored on HHS information systems for the purpose of committing health insurance fraud, identity theft, and other financial crimes. As an HHS employee, contractor, intern, or Commissioned Corps of the U.S. Public Health Service personnel, you are a target because you have access to what the cybercriminals are looking for: PII, PHI, financial, personnel, grant, research, and patient medical information.

Hackers’ methods to obtain your information:

• Unattended devices

• Information from your online profile

• Email/phone scams

• Compromised passwords

Training Objectives

Click on the icon on the left below or use the shortcut Alt+H to advance to the next objective.

1- Develop and demonstrate foundational-level knowledge of cybersecurity.

2- Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).

3- Recognize cyber threats to information systems.

4- Identify and report potential cybersecurity and privacy incidents promptly.


Table of Contents

Select a lesson to progress through the training.

In this training, we will discuss why you need cybersecurity in the workplace, how to secure HHS information, and how to identify social engineering tricks often used by cyber criminals. We will also describe different types of cybersecurity breaches and how to report them.

Lesson 1 — Controlled Unclassified Information — Definitions and examples of CUI, PII and PHI.

Lesson 2 — Securing Information — Best practices to protect HHS information assets.

Lesson 3 — Social Engineering — Methods used to manipulate people.

Lesson 4 — Breaches and Reporting — What are breaches and how to report them?


Section 2 - Lessons

Lesson 1 – Controlled Unclassified Information

Definitions and examples of CUI, PII and PHI

Overview

This lesson describes cybersecurity and the different types of Controlled Unclassified Information (CUI), including PII and PHI. The lesson also identifies best practices for you to apply within your workplace.

Objectives

• Define cybersecurity.

• Describe the different types of CUI.

• Define and give examples of PII and PHI.

Topics

• What is Cybersecurity?

• What is CUI?

• Definitions and examples of PII and PHI

What is Cybersecurity?

Cybersecurity is the action taken to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

On a daily basis, we use many convenient ways to access information and information systems. They include the use of passwords, personal identity verification (PIV) cards, email, remote access, etc. Using the best practices within this training on a daily basis helps HHS personnel protect HHS information from hackers attempting to gain access.


What is CUI?

Controlled Unclassified Information

CUI (sensitive data) is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise that confidentiality and thereby adversely affect national health interests, the operation of HHS programs, or the privacy of individuals whose information is protected under the Health Insurance Portability and Accountability Act (HIPAA). In this training, we will refer to sensitive data as CUI.2

Types of CUI

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• Intellectual Property

• Financial Data

In this training, we will focus on PII and PHI.

2 The CUI framework (established by Executive Order 13556; see also NIST SP 800-60 Rev. 1 for categorizing information types) is intended to replace common but inconsistently applied markings such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) with one framework for the federal government to designate, mark, safeguard, and disseminate information.


PII & PHI

What is PII?

PII is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number (SSN), biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”3

What is PHI?

PHI is any individually identifiable health information: health information that is explicitly linked to a particular individual, or health information that could allow an individual to be identified. PHI also includes many common identifiers, such as name, address, birth date, and social security number.4

3 Defined in Office of Management and Budget (OMB) M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

4 Defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Click on the PII/PHI icon for examples.

PII

Personally Identifiable Information (PII)

The following list contains examples of information that may be considered PII:

• Name, such as full name, maiden name, mother’s maiden name, or alias.

• Personal identification number, such as SSN, passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.

• Address information, such as street address or email address.

• Telephone numbers, including mobile, business, and personal numbers.

• Information identifying personally owned property, such as vehicle registration number or title number and related information.


• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address.

• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry).

• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

PHI

PHI is information, including demographic data, that relates to the following:

• The individual’s past, present, or future physical or mental health or condition;

• The provision of health care to the individual; and

• The past, present, or future payment for the provision of health care to the individual.
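The identifier types listed above lend themselves to automated checking before a file is copied onto a laptop or attached to an email. The following is an added example, not code from the HHS training: a small Python scanner that flags the identifier types the lesson names (SSN, EIN, phone number, email address, IP address, medical record number, date of birth) in a document and reports whether the document looks like PII only or PII plus PHI, the distinction the Lesson 1 quiz and the Fred laptop scenario turn on. The regular expressions, the health-context word list and the two sample documents are constructed for illustration; production data loss prevention tooling uses far richer matching, and a hit here is a prompt to handle the file as CUI, not proof that it is.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not part of the HHS training. Simple, illustrative patterns for
# the identifier types the lesson lists as PII. Real DLP rules are far richer.
PII_PATTERNS = {
    # SSN: 3-2-4 digits; exclude area numbers SSA never issues (000, 666, 9xx).
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Employer Identification Number: 2-7 digits.
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Asset information (IP address) is listed as PII in the lesson.
    "IPv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Medical record number, written "MRN: 12345678" in the constructed sample.
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "DOB": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Health-related context words. PHI = an identifier plus health information.
PHI_CONTEXT = re.compile(r"\b(?:diagnos|patient|medical|prescri|treatment|lab result)",
                         re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    masked: str  # value with all but the last four digits masked


def mask_digits(value: str) -> str:
    """Keep only the last four digits visible so the report is not itself a new leak."""
    out, seen = [], 0
    for ch in reversed(value):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def scan(text: str) -> list[Finding]:
    """Return every identifier match in the document, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(lineno, kind, mask_digits(match.group())))
    return findings


def classify(text: str) -> str:
    """Return 'PII and PHI', 'PII', or 'none' for a document."""
    if not scan(text):
        return "none"
    return "PII and PHI" if PHI_CONTEXT.search(text) else "PII"


def report(name: str, text: str) -> list[str]:
    lines = [f"{name}: {classify(text)}"]
    lines.extend(f"  line {f.line}: {f.kind} {f.masked}" for f in scan(text))
    return lines


# Constructed sample documents modelled on the Fred scenario; not real data.
SAMPLE_GRANT = """\
Grantee: Jane Doe
Home address: 123 Elm St, Fairfax, VA 22033
Contact: jane.doe@example.org, 703-555-0100
SSN: 123-45-6789
EIN: 12-3456789
Submitted from: 192.0.2.44
"""

SAMPLE_CASE = """\
Patient: John Roe   DOB: 04/12/1978
MRN: 00482913
Medical notes: diagnosis hypertension, treatment plan attached
Facility: Example Community Hospital
"""

SAMPLE_CLEAN = "Agenda for Tuesday workshop: budgeting basics, lunch at noon."

if __name__ == "__main__":
    for name, doc in [("grant application", SAMPLE_GRANT),
                      ("case file", SAMPLE_CASE),
                      ("agenda", SAMPLE_CLEAN)]:
        print("\n".join(report(name, doc)))
```

Run as a script it prints one report per sample, with all but the last four digits of each identifier masked; the grant application classifies as PII, the case file as PII and PHI (identifiers plus health context), and the agenda as none.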


Knowledge Check

Read the following, and then answer the question.

Do you think the following information can be used to identify Mr. Rabia?

A dentist office recently provided Ms. Jasmin Smith with a copy of her referral documents for the orthodontist. The following information was accidentally included in the file forwarded to Ms. Smith:

Applicant name: Mr. Renee Rabia
Height: 6'
Eye color: Brown
Hair color: Brown
Zip Code: 22033
Birthplace: Mozambique
Age: 40
City of Residence: Fairfax, VA

Do you think this information can help identify Mr. Rabia?

• Yes

• No

Answer: Yes

Explanation: The file forwarded to Ms. Smith contains some PII details that can identify Mr. Rabia easily if complemented with other details from social media or public directories.


Lesson Summary

In this lesson, you learned to:

• Define cybersecurity, CUI, PII and PHI.

• Identify CUI, PII and PHI.

Your ability to identify and protect CUI, including PII and PHI, will help you integrate a solid foundation of cybersecurity best practices into your daily work tasks and projects.

Lesson Quiz

Read the scenarios below and answer the question. Click on the “?” or use the shortcut Alt+H for the answer key.

1) In 2016, a hospital reported to the Department a security breach that affected the records of up to 405,000 patients, employees, and employees’ beneficiaries. What type of data was lost?

A. PII

B. PHI

C. Both

D. None

Answer: C

Explanation: Along with the PHI that had been stolen, the malicious actors gained access to the PII of employees and their beneficiaries. PII includes social security numbers, addresses, dates of birth, etc.

2) Jane works in a medical facility. Jane’s sister, Sharon, who is treated in the same facility, asked her to check her lab results. Can Jane give her sister the results?

• Yes

• No

Answer: No

Explanation: Checking the medical records of any patient without a “need to know” is strictly prohibited. Although Jane is an employee and has access to medical records, she is not authorized to provide her sister with this information. CUI in the form of PHI must only be disclosed to authorized personnel.


Lesson 2 – Securing Information

Best practices to protect HHS information assets.

Overview

All HHS employees, contractors, and personnel have a responsibility to protect HHS information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Objectives

• Identify the characteristics of a “strong” password.

• Apply GFE Protection Rules.

• Create and send encrypted email.

• List steps to store and dispose of data.

Topics

• PIV Card and Passwords

• Wi-Fi Networks

• GFE during Foreign Travel

• Email Use and Encryption

• Data Storage and Disposal

PIV Cards

Personal Identity Verification Cards

Personal Identity Verification (PIV) cards are official government-issued identification cards that permit you authorized access to HHS government buildings and secured areas based on your job role. You will also use it as an authentication device to access your government-issued computer. PIV cards contain your digital credentials, used to encrypt emails, digitally sign documents, and verify physical access privileges.


Brain Teaser

The Brain Teaser question, answer key, and explanation are provided in the slide notes.

Time to tease your brain with a quick question! Click on the Q icon below for a brain teaser.

You received an encrypted email and want to read it. Do you need your PIV card to decrypt the email message?

• Yes

• No

Answer: Yes

Explanation: Your PIV card contains the digital credentials required to encrypt and decrypt HHS emails, and it must be inserted in your laptop’s card reader to decrypt emails and digitally sign them.

Do you want to learn more? Click on the Tip icon to the right for the best practices to protect your PIV card.

PIV Protection Practices

1. Lock your computer and remove your PIV card from your computer when you are not at your desk.

2. Never leave your PIV card unattended.

3. Keep your PIV card on you at all times as you move around your office and/or office buildings.

4. Never allow someone physical access to a secured area without a PIV card.

5. Never allow someone else to use your PIV card to access a computer system.


Passwords5

Strong Passwords

What are “strong” passwords?

A strong password includes a random combination of 8 or more numbers, symbols, capital and lower-case letters. Using a variety of character types increases the time it takes to crack the password. Use an easily remembered phrase and substitute letters and numbers for words. This is called a passphrase. Here’s an example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.

Do Not…

• Create easy-to-guess passwords.

• Use obvious passwords related to common information such as a child’s or pet’s name, or your favorite sports team.

• Use passwords that someone can guess using your social media information.

• Write down your password in a place that is accessible to others.

• Share your password with anyone, including systems administrators.

Click on the Key image for strong password characteristics.

Strong Password Characteristics

• At least eight characters in length

• Contains upper-case letter(s)

• Contains lower-case letter(s)

• Contains number(s)

• Contains special character(s): (%, ^, *, ?, <, >)

5 For additional information, please see the HHS ISP policy on passwords at OIS Policies, Standards, Memoranda & Guides.


Brain Teaser

The Brain Teaser question, answer key, and explanation are provided in the slide notes.

Now that we’ve discussed the topic of passwords, let’s answer a question. Click on the Q icon below for a quick brain teaser.

1. Which of the following is a good way to remember a password?

A. Use a favorite team name.

B. Use a familiar word with your birthdate.

C. Create a word with your child’s name.

D. Create a passphrase.

Answer: D.

Explanation: A passphrase is a phrase used to help you remember a password. It’s known only to you. It contains at least one upper-case letter, one lower-case letter, one number, and a special character.

Do you want to learn more? Click on this Tip icon.

Password Protection Tips

Mandatory practices:

• NEVER share your password with anyone. Report anyone who asks for your password to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

• If you suspect your password is compromised, change it immediately and report the compromised password as an incident.

• Commit passwords to memory. One way to do this is to use an easily remembered song or phrase and substitute letters and numbers for words. Example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.

Best practices:

• Create a different password for each system, application, financial institution, or social website.

• Change your password periodically in accordance with HHS policy.

• Do not reuse passwords until after using at least six other passwords.
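As an added example (not HHS code), here is a Python check that encodes the strong password characteristics listed in this lesson, the rule against embedding guessable personal information (a team, a child’s or pet’s name, a birth year), and the tip not to reuse a password until six others have been used. The history is kept as salted PBKDF2 hashes rather than plaintext, so the reuse check works without the checker ever storing old passwords. The reading of “six other passwords” as “reject anything matching the six most recently recorded passwords”, the iteration count, and the sample passwords are assumptions made for the example; the page’s own example password, 1L2$&Tlw, is used as one of the candidates.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from typing import Iterable

# Added example, not part of the HHS training.
MIN_LENGTH = 8
HISTORY_DEPTH = 6        # assumption: "six other passwords" = block the six most recent entries
PBKDF2_ROUNDS = 100_000  # assumption; history is stored as salted PBKDF2 hashes, never plaintext


def check_characteristics(password: str) -> list[str]:
    """Return the strong-password characteristics the candidate fails (empty list = passes)."""
    checks = [
        ("at least eight characters", len(password) >= MIN_LENGTH),
        ("an upper-case letter", any(c.isupper() for c in password)),
        ("a lower-case letter", any(c.islower() for c in password)),
        ("a number", any(c.isdigit() for c in password)),
        ("a special character", any(c in string.punctuation for c in password)),
    ]
    return [name for name, ok in checks if not ok]


def contains_personal_info(password: str, personal_terms: Iterable[str]) -> bool:
    """True if the password embeds a term others could guess (pet, child, team, birth year)."""
    lowered = password.lower()
    return any(term.lower() in lowered for term in personal_terms if term)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of previous passwords, so reuse is detectable without keeping them."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest), oldest first

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _hash(password, salt)))

    def used_recently(self, password: str) -> bool:
        # Only the last `depth` entries count: once six other passwords have been
        # used, an older one is allowed again, per the lesson's tip.
        for salt, digest in self._entries[-self.depth:]:
            if hmac.compare_digest(_hash(password, salt), digest):
                return True
        return False


def evaluate(password: str, history: PasswordHistory,
             personal_terms: Iterable[str] = ()) -> list[str]:
    """Every reason to reject the candidate; an empty list means accept it."""
    problems = ["missing " + c for c in check_characteristics(password)]
    if contains_personal_info(password, personal_terms):
        problems.append("contains personal information that others could guess")
    if history.used_recently(password):
        problems.append(f"reused within the last {history.depth} passwords")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Winter2017!x")
    for i in range(6):                      # six other passwords used since Winter2017!x
        history.record(f"Rotate{i}Pass!")
    for candidate in ["1L2$&Tlw", "Fluffy2018!", "Rotate5Pass!", "Winter2017!x", "password"]:
        verdict = evaluate(candidate, history, personal_terms=["Fluffy", "Redskins"])
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The characteristic checks mirror the lesson’s list exactly; the history check is the part most systems get wrong, because storing old passwords in the clear to compare against would create a new secret to protect, so each entry is a fresh salt plus a slow hash and comparison is constant-time.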


Wi-Fi Networks

It’s important to remember that malicious actors could be lurking in the free Wi-Fi networks that you may be accustomed to accessing while at your local coffee shop, or while traveling. Do not expose your Government Furnished Equipment (GFE) to unnecessary security risks by connecting to free unsecure Wi-Fi networks. Only use secured Wi-Fi networks such as your home Wi-Fi or hotspot devices (mobile phone/tablet).

Click on the Blue Ball to the right for more guidelines.

Guidelines on the secure use of Wi-Fi

• Ensure the proper configuration of the wireless security options on your wireless computing devices and on the router or modem used to connect to the Internet.

• Do not access or transmit Controlled Unclassified Information (CUI) when using an unsecure connection.

Knowledge Check

Read the following scenario, and then answer the question.

You are a grant management analyst and you’re attending a workshop in a hotel conference center. It’s now your lunch break and you receive a phone call from your supervisor asking you to email some important grant documents to her. You only have access to the conference center’s guest Wi-Fi, which is open for public use.

Which action from the list below is NOT recommended?

A. Apologize to your supervisor that you cannot send her the list until you are connected to a secure Wi-Fi.

B. Use a secure browser and secure VPN if you have one.

C. Send your supervisor the information using the unsecure Wi-Fi at the hotel.

D. Do not work on sensitive materials while connected to unsecure Wi-Fi.

Answer: C

Explanation: CUI shall not be transferred using unsecured public Wi-Fi. CUI must only be transmitted through secured network environments.


GFE during Foreign Travel

According to the HHS Chief Information Officer, Use of Government Furnished

Equipment (GFE) During Foreign Travel memo (dated December 2016), “HHS

travelers should not have any expectation of privacy regarding any communication

while traveling to foreign countries. Moreover, one may expose and compromise GFE

to an increased level of risk during foreign travel. Someone other than the intended

recipient may intercept unencrypted email communications and non-secure phone

calls and our adversaries overseas and other bad actors, such as international

criminal organizations, often target GFE. HHS GFE is not permitted on unofficial,

personal foreign travel. All HHS personnel traveling abroad on official business must

follow the Office of Security and Strategic Information’s Foreign Travel Checklist

guidelines and contact OSSI at [email protected] as early as possible.6”

Email Protocols

HHS Email Accounts

HHS email accounts are for official government business; however, employees may have limited personal use of their HHS email. Employees should NEVER conduct official HHS business with their personal email accounts7.

Do Not …

• Use your HHS email address to create personal commercial accounts for the purpose of receiving personal notifications, set up a personal business or website, or to sign up for memberships.

• Let your personal emails disrupt your productivity, interrupt service, or cause congestion on the network (e.g., sending spam or large media files), or to engage in inappropriate activities.

6 Use of Government Furnished Equipment (GFE) During Foreign Travel OIS Policies, Standards, Memoranda & Guides

7 Review the Rules of Behavior for Use of HHS Information Resources for more information.


Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies unauthorized persons and software the ability to interpret the message content. HHS policy requires files containing CUI to have encryption enabled while in transfer and while stored8. Emails that contain CUI must have encryption enabled before the sender sends them.

When encrypting emails using MS Outlook and a PIV card, it’s important to remember that the email can only be decrypted by internal HHS recipients. If the user is sending an encrypted email from an HHS email account to an external recipient, the recipient will not be able to decrypt or read the content of the email. When the recipients open the email, they will enter their PIN and MS Outlook will decrypt and display the contents of the email.

Email Encryption Steps:

1. Insert your PIV card into the PIV card reader.

2. Under the Home tab, select “New E-mail.”

3. Under the Options tab, select the “Encrypt” icon.

4. Type your message and hit the “Send” button.

Click on the Red box in the right corner for an example of an encrypted message.

8 Be sure to refer to your Operating Division helpdesk for instructions on how to use encryption technology. Encryption information and alternatives can be found by visiting HHS Cybersecurity Program Encryption


An email image with “Big secrets inside” in the subject line. The message body reads, “This message contains TOP SECRET information!” An arrow in Outlook points to the “Encrypt” button. A text box below the arrow reads, “Encrypt this message to make it harder for unauthorized people to read it.” This text box message is viewable when hovering over the “Encrypt” button as shown in the image. Click here for message encryption in Outlook 2010, 2013 and 2016.

Brain Teaser

The Brain Teaser question, answer key, and explanation are provided in the slide notes.

Let’s see if you've learned what is needed to open an encrypted email. Click on the “Q” icon for a quick brain teaser.

Which of the following items are necessary when opening an encrypted email?

A. E-signature.

B. Digital certificate.

C. User’s PIN.

D. PIV Card.

Answer: C and D.

Explanation: Remember, both the PIN and the PIV card are required to decrypt and read an email sent from an HHS email account. If the user is sending an encrypted email from an HHS email account to an external recipient, the recipient will not be able to decrypt or read the content of the email.

Data Storage & Disposal

Data Storage is maintaining or storing CUI. When safeguarding CUI, back up all stored or transmitted information, encrypt it, and file/archive the encrypted backup information.

Data Disposal: If a media device containing CUI is obsolete or no longer usable or required, it should be disposed of in accordance with applicable laws and regulations. Disposal rules apply to information in paper, computer, or any other format.


Click on the folders icon on the right for data disposal methods.

Records

Any information deemed a record should be disposed of in accordance with approved records disposition schedules and departmental policies. Consult the HHS records retention policy or contact the HHS Record Management office before disposal of any information to prevent destruction of records that employees should preserve.9

Digital

Electronic or digital media are hard drives, disks, floppies, tapes, flash memory, Universal Serial Bus (USB), phones, mobile computing devices, networking devices, etc. If CUI is on electronic media and is not a record, submit the media to the Operating Division (OpDiv) Help Desk for sanitization.

Non-Digital

If CUI is on non-digital media, such as paper, and is not a record, one should take the following measures:

• Refrain from disposing of it in the trash bin.

• Shred paper using cross-cut shredders.

Lesson 2 Summary

In this lesson, you learned how to:

• Create and protect strong passwords.

• Protect your PIV card from unauthorized use.

• Send an encrypted email.

Applying these best practices will help protect HHS information and information systems from hackers. Cybersecurity starts with you!

9 For more information, visit Record Management webpage.


Lesson Quiz

Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.

1) Which of the following options list the correct steps to send an encrypted email in MS Outlook 2010?

Choice A

1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Read Receipt” box.
4. Type your message and hit the “Send” button.

Choice B (Correct Answer)

1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Encrypt” icon.
4. Type your message and hit the “Send” button.

Choice C

1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Permission” icon.
4. Type your message and hit the “Send” button.

Choice D

1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Delivery Receipt” box.
4. Type your message and hit the “Send” button.

Answer: B

Explanation: The “Encrypt” button is under the “Options” tab in Outlook. You need to encrypt every email containing CUI.


2) Mark is a new employee who just joined the Department. He received an email from the Help Desk to update his profile in the staff directory. The email included a link that Mark was instructed to click for access to his profile. The email also included a telephone number for additional assistance.

What should Mark do?

A. Click on the link to update his profile.

B. Call the Help Desk number on the Intranet to verify the email.

C. Delete the email; it’s spam.

D. Mark should call the number given in the email to confirm the request.

Answer: B

Explanation: Sometimes the Help Desk sends email notifications regarding network enhancements, outages, and inventory updates. If you ever doubt the validity of a Help Desk email, consult a trusted source like the Intranet, a coworker, or call the Help Desk to verify the legitimacy of the email before clicking on any links or opening attachments. Remember the Help Desk will never ask for your password.


Lesson 3 – Social Engineering

Methods used to manipulate people.

Overview

Welcome to Lesson 3! In this lesson, we will identify how social engineers use phishing, phone scams, and social media to bait unsuspecting HHS employees into providing them access to HHS information and information systems.

Objectives

• Define social engineering and the types of attacks associated with it.

• Identify and report phishing emails.

• Determine ways to limit information posted on social media.

• Recognize techniques to handle suspicious phone calls.

• Identify and report Insider Threats.

Topics

• Social Engineering Overview

• Phishing

• Social Media

• Phone Scams

• Insider Threat


Social Engineering

It’s critical that you understand the most common methods used by criminals to manipulate people into providing information. Social engineering (human manipulation) is the use of deception to manipulate individuals into divulging confidential or personal information that the social engineer may use for fraudulent purposes.

Malicious actors could appear to be a coworker or a “friend” in an effort to gain your trust so that they can obtain access to HHS information and information systems through you.

Phishing

What’s phishing?

Phishing is a social engineering scam whereby intruders seek access to information or information systems by posing as a real business or organization with a legitimate reason to request information.

Phishing emails (or texts) quite often alert you to a problem with your account and ask you to click on a link and provide information to correct the problem.

How does it work?

These emails look real and often contain the organization’s logo and trademark. The uniform resource locator (URL) in the email can resemble the authentic web address, for example, “Amazons.com,” a very minor spelling error that one can easily overlook.

Links included in phishing emails can download malicious programs onto your computer or mobile device and allow the attacker access to the device, connected devices, and the information stored on those devices.

Click on the hacker’s icon to the right for a phishing example.


Email message description:

From: Katanabank <[email protected]>

To: [email protected]

Sub: Online Access Confirmation

Start of Message

URGENT PLEASE

We are updating our online banking system and we need you to immediately access information to enroll in the new system. Please click on the link below to update your account.

Erroneous link

Misspelled line that quotes: verify your account immediately or it will be deleted.

2016 Katanabank Ltd.

End of Message

Ask yourself, "What's wrong with this email?"


Phishing Red Flags:

1. Do you recognize the sender?

2. Does the email give a sense of urgency and say immediate action is required?

3. Is the email asking you to follow a link?

4. Is it poorly written?

5. Does the email provide the sender’s contact information? Legitimate messages provide a way for the recipient to validate it (contact person/department and phone number).

6. Check the validity of the link by holding the mouse on the link for a moment. Does the destination match the link text? Most email programs and web browsers will display the actual destination of a link in a popup box. Fake websites infect your computer with malware or steal your login credentials. Check the web address by hovering your mouse pointer over the link in the email to reveal the true website location.

Applying those flags to our e-mail image, there are a few phishing signs that can be found here:

1. Does the email give a sense of urgency and say immediate action is required? Flag: the email contains words like Urgent Please, immediately, will be deleted.

2. Is the email asking you to follow a link? Flag: the email has a link that is different from the destination shown when the user hovers over it.

3. Is it poorly written? Flag: the email has spelling mistakes in words like verify, immediately, deleted.

4. Does the email provide the sender’s contact information? Flag: the email ends with 2016 Katanabank Ltd. and does not provide any contact information.

5. Check the validity of the link by holding the mouse on the link for a moment. Does the destination match the link text? Flag: hovering over the link shows a destination that does not match the link that users are required to follow.
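As an added example (not part of the HHS training), the following Python script applies the red flags above to a constructed message modelled on the Katanabank email: it looks for urgency wording, compares each link's visible text with its real destination (what hovering reveals), checks whether the sender or link domain is a one- or two-character lookalike of a known domain, and checks for a callback number. The domain allow-list, both sample messages and every address in them are constructed for the example.

```python
"""Red-flag checks for a suspicious email, following the flags listed above (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"katanabank.com", "hhs.gov", "amazon.com"}  # constructed allow-list
URGENCY_WORDS = ("urgent", "immediately", "will be deleted", "suspended")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs: the text you see and where hovering says it goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    """Reduce 'www.katanabank.com' to 'katanabank.com' (naive: keep the last two labels)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance: the lookalike amazons.com is one edit from amazon.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Known domain that `domain` imitates (within two edits), or None."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2), None)

def phishing_flags(raw_email):
    """Map each red flag raised by an RFC 822 message with a text/html body to its evidence."""
    msg = message_from_string(raw_email)
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html).lower()
    flags = {}
    # Flag 1: do you recognise the sender? A near-miss of a known domain is a lookalike.
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if target := lookalike_of(sender_domain):
        flags["sender_lookalike"] = f"{sender_domain} imitates {target}"
    # Flag 2: a sense of urgency, immediate action required.
    if hits := [w for w in URGENCY_WORDS if w in text]:
        flags["urgency"] = hits
    # Flags 3 and 6: a link whose visible text does not match its real destination.
    collector = LinkCollector()
    collector.feed(html)
    for visible, href in collector.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        if URL_LIKE.match(visible):
            shown = visible if "://" in visible else "http://" + visible
            if registered_domain(urlparse(shown).hostname or "") != href_domain:
                flags.setdefault("link_mismatch", []).append((visible, href))
        if target := lookalike_of(href_domain):
            flags.setdefault("link_lookalike", []).append(f"{href_domain} imitates {target}")
    # Flag 5: a legitimate message gives a way to call back and validate the request.
    if not PHONE_RE.search(text):
        flags["no_contact_info"] = True
    return flags

# Constructed sample modelled on the Katanabank message described above.
SAMPLE_PHISH = """\
From: Katanabank <alerts@katanabanks.com>
Subject: Online Access Confirmation
Content-Type: text/html

<p>URGENT PLEASE</p>
<p>We are updating our online banking system and we need you to immediately access information to enroll in the new system. Please click on the link below.</p>
<p><a href="http://katanabanks.com/verify">https://www.katanabank.com/login</a></p>
<p>verfiy your account imediately or it will be deleted.</p>
<p>2016 Katanabank Ltd.</p>
"""

# Constructed legitimate notice: known sender, honest link text, a callback number.
SAMPLE_LEGIT = """\
From: HHS Help Desk <helpdesk@hhs.gov>
Content-Type: text/html

<p>Please review your profile at <a href="https://intranet.hhs.gov/profile">https://intranet.hhs.gov/profile</a> or call the Help Desk at 202-555-0100 with any questions.</p>
"""
```

Running `phishing_flags(SAMPLE_PHISH)` raises every flag but the spelling one (which needs a dictionary), while `phishing_flags(SAMPLE_LEGIT)` returns an empty dict.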


Suspicious e-mails

If you are suspicious of an email:

• Forward the email to [email protected] and then delete it permanently from your Inbox and Trash folders.

• Do not click on the links provided in the email.

• Do not open any attachments in the email.

• Do not provide personal information or financial data.

Brain Teaser

The Brain Teaser question, answer key, and explanation are provided in the slide notes.

Let’s take a look at the following phishing brain teaser! Click on the Q icon below for a quick brain teaser.

Brian received a phone call at work. “Tech Support” called to verify information on his computer. Brian was instructed to provide network and password information over the phone. Brian obliged and provided the requested information. Did Brian take the correct action?

• Yes

• No

Answer: No

Explanation: It’s never a good idea to provide Controlled Unclassified Information (CUI) over the phone. Think about it for a second… “Why would Tech Support need to verify information that they should already have?” A more appropriate response would be to either call Tech Support back on a verified number, or to walk over to their department to determine if the request is legitimate. Always find a way to verify before providing sensitive information in any form.


Social Media

It’s critical that you understand the threats you may encounter when using your social media accounts. Malicious actors may often pretend to be a coworker, a “friend,” or to have a common social media interest in an effort to gain your trust so that they can obtain unauthorized access to HHS information and information systems.

To the right, there are some recommendations to ensure your information security.

• Do not associate your employment at HHS with your social media accounts.

• A social engineer may aggregate and use multiple posts about your job with malicious intent.

• Be mindful of what you tweet, Instant Message (IM), or post online because once it’s on the Internet it’s on the Internet forever!

Phone Scams

Many people think cybercriminals only use phishing and other unethical computer tactics to obtain sensitive information from unsuspecting victims. However, cybercriminals use phone scams too. A cybercriminal could claim to be from a trusted location at work and ask for PII from an HHS employee. The employee may receive an email from "technical support" in which they should call a certain number to ensure that their computer is working correctly, or complete the installation of software. Be aware of these tactics and do not fall prey to social engineers.

Click on the red circle to the left for a phone scam story.

David is at work and receives a phone call. The caller tells him that he is with the Internet Service Provider for HHS and has received a notification indicating that David needs service on his computer. The caller explains to David that there is no need to visit the Help Desk office, and that he can quickly assist him by using remote access. He then sends David an email and asks him to click the link provided so that he can service his computer right away. David finds the email and clicks on the link as instructed. Unfortunately, David has just become the victim of a phone scam. The caller is actually a hacker. Because David didn’t question or investigate the intent of the caller, the hacker has just gained access to an HHS information system.


Knowledge Check

Read the following scenario, and then answer the question.

Allison received an email from a coworker she does not know regarding the upcoming office Holiday party. Included in the email is an attachment listing the attendees and the food items they are bringing to the party. The coworker has requested that Allison immediately review the list and verify what she will bring to the party.

Based on the options provided below, what should Allison do next?

A. Examine the email and check for red flags indicating that it may be a phish.

B. Call the coworker to verify the legitimacy of the email.

C. If the recipient cannot verify the email, forward it to [email protected].

D. All of the above.

Answer: D

Explanation: It’s critical to evaluate emails prior to opening attachments even when they appear to be coming from someone you may know. The red flags in this email include: (1) someone you don’t know, asking you to (2) immediately (3) open the attached file. You should be suspicious of any email from an unknown person asking you to click on a link or open an attachment. Taking the correct action will ensure the privacy of HHS information and information systems.

Insider Threats

Insider threats are the most extreme type of social engineering. An insider threat is a malicious threat to an organization that comes from current or former employees or contractors within the organization, who have inside information concerning the organization's security practices, data, and computer systems. Instances of insider threats are rare but very serious.

HHS is a multi-disciplined, geographically distributed public health enterprise whose missions include research, innovation, regulation, prevention, and response. HHS has information of interest to foreign intelligence agents or organizations, and insider threats. If you have significant reason to suspect an employee is an insider threat, report it to the OSSI: Counter-intelligence Directorate at [email protected].


Lesson Summary

In this lesson, you learned how to:

• Report suspicious emails to [email protected] and verify links and file attachments before clicking on them;

• Be aware of human manipulation methods used by cybercriminals to trick you into providing Controlled Unclassified Information (CUI); and

• Report suspicious activity to the OSSI: Counter-intelligence Directorate at [email protected].

It’s important for you to identify these methods so that you can help prevent cybersecurity breaches.


Lesson Quiz

Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.

1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken to Mike in a while but accepted the friendship in hopes that they could catch up. Trevor clicks on a link in a social media instant message from Mike while working on his HHS laptop. The link went to a blank page. Trevor realized that the friend request was actually from someone he didn’t know. Trevor immediately “un-friended” the person.

Should Trevor worry about his HHS laptop being compromised?

Answer: Yes

Explanation: Trevor put his HHS laptop at risk by visiting a social media website and clicking on an unverified link. In doing so, he unsuspectingly downloaded a virus onto his HHS laptop. Trevor should worry that his action compromised the HHS laptop, and he must immediately report the incident to the 24-hour CSIRC ([email protected]) and to his OpDiv’s Incident Response Team.

2) Lucy sent her coworker an email containing CUI just before the end of her workday. The next day, Lucy realized she forgot to encrypt the email. Should Lucy be concerned?

Answer: Yes

Explanation: Lucy should have taken more time to be sure that she sent her email with the proper precautions. One must always encrypt emails with CUI first. It’s important to report this as an “incident” immediately.


Lesson 4 – Breaches and Reporting

What are breaches and how to report them?

Overview

Welcome to Lesson 4! In this lesson, we will learn how to prevent and limit the impact of a breach by identifying incidents and learning when and how to promptly report them.

Objectives

• Identify the different types of cybersecurity and privacy incidents.

• Examine information and differentiate public from private use.

• Perform the steps to report a suspected or confirmed cybersecurity or privacy incident to proper authorities.

Topics

• Recognizing incidents

• Reporting incidents

Recognize Incidents

Information Security Incidents

Understanding the actions and situations that can cause a security incident is critical to the protection of HHS information and information systems. To the right is a list of incidents that must be reported immediately to the 24-hour Computer Security Incident Response Center (CSIRC) at [email protected] and to your OpDiv’s Incident Response Team.

• Loss, damage, or theft of equipment, media, or documents containing PII.

• Accidentally sending a report containing PII to a person not authorized to view the report or sending it unencrypted.

• Allowing an unauthorized person to use your computer or credentials to access PII.

• Discussing CUI in a public area.

• Accessing the private records of friends, neighbors, celebrities, etc. for casual viewing.

• Any security situation that could compromise HHS information or information systems (e.g., virus, phishing email, social engineering attack).


Brain Teaser

The Brain Teaser question, answer key, and explanation are provided in the slide notes.

Time for a question! Click on the “Q” icon to complete a short Brain Teaser.

One day, Katherine realized that she forgot to bring her laptop to work. She needed to finalize a presentation for her meeting at 1PM. Katherine’s coworker, Dan, agreed to let her use his computer once he completed his monthly report. After Dan finished his report, he gave his laptop to Katherine with his PIV card still inside. Katherine completed her presentation, but before giving Dan his computer back, she decided to take a look at a few shared folders that she realized she didn’t have access to on her own laptop. Katherine then returned the laptop and thanked Dan for his help. Should Dan consider this an “incident?”

Answer: Yes

Explanation: Dan should have logged out of his computer and removed his PIV card prior to allowing Katherine to use it. It was okay that Dan helped Katherine. However, Katherine should have logged in with her own credentials and PIV card. If she had logged in correctly, she would not have had access to the folders on Dan’s computer. Once Dan realizes that he allowed Katherine to use his computer under his login, he should report it as an “incident.”


Reporting Incidents

It’s important to understand what an “incident” is, and how to report one should one occur. Reporting all possible security incidents immediately gives the 24-hour CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the negative impact of the incident. Today’s high-speed internet connections can allow an adversary to steal gigabytes of data in minutes. Every second counts when it comes to reporting security incidents. Failing to report an incident immediately allows the hacker to operate unnoticed in the HHS network for a longer period of time. Ethically, it is your responsibility to report incidents as soon as you identify them. So stay alert! Your quick response can prevent a breach.

The scenarios in this lesson will help you understand how to quickly take action when incidents happen. If any privacy or data incidents occur (as listed in the “Recognizing Incidents” section), please report them at once!

Click on the image to the right for the list of HHS OpDiv Incident Response Teams.

Name        Email Address
HHS CSIRC   [email protected]
ACF         [email protected]
ACL         [email protected]
AHRQ        [email protected]
CDC         [email protected]
CMS         [email protected]
FDA         [email protected]
HRSA        [email protected], [email protected]
IHS         [email protected]
NIH         [email protected]
OIG         [email protected]
OS          [email protected]
SAMHSA      [email protected]


Knowledge Check

Read the following scenario, and then answer the question.

Tammy and Jill went to a local coffee shop for a short break. Over coffee, they discussed client details and other CUI relating to their department. At the end of their discussion, they realized that someone from another Department had been watching them and listening to their discussion a few tables away. This person should not have heard any of their private discussion.

What should they do?

A. Ignore the eavesdropper… maybe this person didn’t hear the discussion after all.

B. Ask the eavesdropper not to disclose any information that s/he overheard.

C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

D. None of the above.

Answer: C

Explanation: Remember, immediately reporting the “incident” gives the 24-hour CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the negative impact of the incident. Report all breaches as soon as they occur to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

Lesson Summary

In this lesson, you learned how to:

• Define and identify types of cybersecurity incidents.

• Report an incident.

Being able to identify and report an “incident” is imperative in a workplace that deals with highly sensitive information. The impact of some incidents can be minimized by simply encrypting emails containing CUI, and/or by your quick action to report an incident. These are all simple actions, yet imperative and mandated. Remember, report all breaches to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.


Lesson Quiz

Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.

1) Carol realized that she forwarded a sensitive HHS email to the wrong person. What should she do?

A. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

B. Inform the recipient to disregard and delete the contents of the email that was sent erroneously.

C. Both.

D. None of the above.

Answer: C

Explanation: While the recipient of the email may or may not adhere to a request to disregard the contents of the email, it never hurts to make the request anyway, just in case. Definitely report this as an “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

2) An OpDiv experienced laptop thefts. What should the manager on site do?

A. Immediately report the “incident” to [email protected].

B. No rush… but report the “incident” at some point this week.

C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

D. None of the above.

Answer: C

Explanation: It’s imperative to report stolen Government Furnished Equipment (GFE) like laptops immediately to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team. While the laptops are replaceable, the loss of information contained on them is not.


Section 3 - Conclusion

Understanding how to protect HHS CUI, PII, and PHI is critical to ensuring the mission of HHS. Training you to effectively apply cybersecurity best practices is the focus of this training. Identifying cybersecurity incidents and understanding how to report them will improve the security posture of HHS information and information systems. You are encouraged to immediately apply the best practices you learned from this training into your daily work habits.

Training Wrap Up

In this training, you learned to:

• Define cybersecurity and Controlled Unclassified Information (CUI).

• Define privacy and PII and means to protect PII in different contexts and formats.

• Create strong passwords and protect your PIV card from unauthorized use.

• Safeguard GFE during foreign travel.

• Define encryption and determine how and when to encrypt.

• Describe human manipulation methods often used by hackers.

• Report suspicious emails and activities to reporting authorities.

• Identify the different types of incidents including insider threats, and how to report them.


Training Quiz

Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.

1) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, employer identification numbers (EIN), and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.

Does Fred’s laptop contain PII?

• Yes

• No

Answer: Yes, Fred’s laptop contains PII.

2) In the previous scenario, which of the following is not HHS PII?

A. Grantee’s social security number

B. Patient’s date of birth

C. Pictures of Fred’s children

D. Patient’s gender

Answer: C. Pictures of Fred’s children.

3) Should Fred report this incident? Why or why not?

A. Yes, Fred should report the incident because he lost personal information.

B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.

C. No, Fred does not need to report the incident because the computer is replaceable.

D. No, Fred should not report the incident because he is a contractor.

Answer: B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.

38

4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby, cannot get into the electronic health record (EHR) system because she has failed to enter the correct password. In order to reset the password, Debby would have to go see a representative from the Password Distribution Center (PDC) on the first floor of the building, leaving the secured floor where she is located. Debby is unable to go to the PDC because she cannot find her PIV card and believes she has misplaced it. Debby asks Alan for his login credentials so that she may access the EHR system.

Should Alan allow Debby to use his credentials?

A. Yes, she is Alan’s trusted coworker.
B. Yes, if Alan’s manager gives him permission.
C. No, sharing user credentials is a privacy violation.
D. A and B.

Answer: C. No, sharing user credentials is a privacy violation.

5) Alan decides not to share his credentials with Debby. Debby now asks to borrow Alan’s PIV card so that she may leave the secured floor and get her password reset at the PDC. What should Alan do?

A. Give Debby his PIV so she can leave the floor to reset her password.
B. Alan should tell her to ask another coworker for their PIV card.
C. Alan should escort Debby to the PDC so she can get her password reset since she doesn’t have her PIV card.
D. B and C.

Answer: C. Alan should escort Debby to the PDC so she can get her password reset since she doesn’t have her PIV card.

6) This time Alan decides not to let Debby borrow his PIV card, because it would create a privacy incident. What other privacy incident has already occurred?

A. Debby asked to borrow Alan’s credentials.
B. Debby has misplaced her PIV card and cannot find it.
C. Debby asked to borrow Alan’s PIV card.
D. A and C.

Answer: B. Debby has misplaced her PIV card and cannot find it.

Resources

Training Resources

Additional resources and full URLs for useful links relating to information security are available in slide notes and the links below.

• HHS Rules of Behavior
• Personal Use Policy
• HHS Cybersecurity and Privacy Policies
• Use of GFE during Foreign Travel

Additional Guidance

Learn more about the Federal and Departmental laws and regulations that guide your cyber activities.

1- Federal Laws and Guidance:

Acts:
• E-Government Act of 2002
• Clinger-Cohen Act of 1996
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Privacy Legislation:
• Privacy Act of 1974
• Paperwork Reduction Act
• Children’s Online Privacy Protection Act (COPPA)

OMB Circulars:
• OMB Circular A-130
• OMB-07-16

National Institute of Standards and Technology (NIST):
• Cybersecurity Framework
• NIST Special Publications

2- Departmental Guidance

In order to understand Information Security Policy and Governance, it’s important to first take a look at guidance at the departmental level.

1) Office of the Secretary:

Sets programmatic direction by providing an enterprise-wide perspective and coordination among key stakeholders. The Department also sets standards and provides guidance to support streamlined reporting and metrics capabilities.

2) HHS Cybersecurity Program:

This is the Department’s information security program. The CIO and CISO provide oversight. These policies lead the program:

A. HHS-OCIO Policy and Privacy: Provides direction on developing, managing, and operating an IT security program to the OpDivs and Staff Divisions (StaffDivs).

B. HHS-OCIO Policy for Breaches: Establishes actions taken to identify, manage, and respond to suspected or confirmed incidents involving PII.

C. Rules of Behavior: Provides the rules that govern the appropriate use of all HHS information resources for Department users.

3) Operating Divisions (OpDivs):

OpDivs implement programs that meet specific business needs, provide business/domain expertise, and manage implementation at the OpDiv level. The OpDivs also develop policies and procedures specific to the operating environment, and help to manage ongoing operations.

3- HHS CATE Resources

The HHS Cybersecurity Awareness Training and Education team has also developed CyberCare and Healthy Technology as additional resources for you. We hope that you find them helpful. At the end of the training, you will be asked to provide feedback relating to CyberCare.

Acknowledgment and Feedback

What Do You Think?

Thank you for completing the Cybersecurity Awareness Training. Please provide your feedback in the form below. Your feedback provides valuable insight used to improve HHS computer-based trainings. Please follow the instructions on the form to submit it.

Acknowledge ROB and Complete Training

Employees and contractors without access to the HHS Learning Management System (LMS) can certify completion of this training by: 1) Reading the HHS Rules of Behavior; 2) Printing and signing the Cybersecurity Awareness Training Certificate at this link: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html. Submit the form to your cybersecurity awareness training Point of Contact.

(All other employees/contractors with LMS access must complete the training through their LMS account.)

Thank you for completing FY18 Cybersecurity Awareness Training

GUIDELINES ON THE SECURE USE OF WI-FI

1. Do not access or transmit Controlled Unclassified Information (CUI) when using an unsecure connection.

2. Ensure the proper configuration of the wireless security options on your computing wireless devices and the router or the modem used to connect to the Internet.


LESSON 2 BRAIN TEASER 3

Let’s see if you’ve learned what is needed to open an encrypted email.

Which of the following items are necessary when opening an encrypted email?

A. E-signature.
B. Digital certificate.
C. User’s PIN.
D. PIV Card.

Answer: C and D.

Explanation: Remember, both the PIN and the PIV card are required to decrypt and read an email sent from an HHS email account. If the user sends an encrypted email from an HHS email account to an external recipient, the recipient will not be able to decrypt or read the content of the email.

PHONE SCAMS STORY

David is at work and he receives a phone call. The caller tells him that he is with the Internet Service Provider for HHS and has received a notification indicating to him that David needs service on his computer. The caller explains to David that there is no need to visit the Help Desk office, and that he can quickly assist him by using remote access. He then sends David an email and asks him to click the link provided so that he can service David’s computer right away. David finds the email and clicks on the link as instructed. Unfortunately, David has just become the victim of a phone scam. The caller is actually a hacker. Because David didn’t question or investigate the intent of the caller, the hacker has just gained access to an HHS information system.

LESSON 3 - KNOWLEDGE CHECK - ANSWER KEY

Answer: D

Explanation: It’s critical to evaluate emails prior to opening attachments, even when they appear to be coming from someone you may know. The red flags in this email include: receiving an email from a person you do not know; and opening an attachment from someone that you do not know. You should be suspicious of any email from a person whom you do not know that asks you to click on a link or open an attachment. Taking the correct action will ensure the privacy of HHS information and information systems.

PERSONALLY IDENTIFIABLE INFORMATION (PII)

The following list contains examples of information that may be considered PII:

• Name, such as full name, maiden name, mother’s maiden name, or alias.
• Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
• Address information, such as street address or email address.
• Telephone numbers, including mobile, business, and personal numbers.
• Information identifying personally owned property, such as vehicle registration number or title number and related information.
• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address.
• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry).
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

PROTECTED HEALTH INFORMATION (PHI)

PHI is information, including demographic data, that relates to the following:

• The individual’s past, present, or future physical or mental health or condition;
• The provision of health care to the individual; and
• The past, present, or future payment for the provision of health care to the individual.

PHISHING RED FLAGS EXAMPLE

Ask yourself: what is wrong with this email?

LESSON 4 - KNOWLEDGE CHECK - ANSWER KEY

Answer: C

Explanation: Remember, immediately reporting the “incident” gives the 24-hour CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the negative impact of the incident. Report all breaches as soon as they occur to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.

LESSON 2 BRAIN TEASER 2

Now that we’ve discussed the topic of passwords, let’s answer a question.

Which of the following is a good way to remember a password?

A. Use a favorite team name.
B. Use a familiar word with your birthdate.
C. Create a word with your child’s name.
D. Create a passphrase.

Answer: D.

Explanation: A passphrase is a phrase used to help you remember a password. It’s known only to you. It contains at least one upper-case letter, one lower-case letter, one number, and a special character.

LESSON 4 BRAIN TEASER

Time for a question! One day, Katherine realized that she forgot to bring her laptop to work. She needed to finalize a presentation for her meeting at 1PM. Katherine’s coworker, Dan, agreed to let her use his computer once he completed his monthly report. After Dan finished his report, he gave his laptop to Katherine with his PIV card still inside. Katherine completed her presentation, but before giving Dan his computer back, she decided to take a look at a few shared folders that she realized she didn’t have access to on her own laptop. Katherine then returned the laptop and thanked Dan for his help. Should Dan consider this an “incident”?

Answer: Yes

Explanation: Dan should have logged out of his computer and removed his PIV card prior to allowing Katherine to use it. It was okay that Dan helped Katherine. However, Katherine should have logged in with her own credentials and PIV card. If she had logged in correctly, she would not have had access to the folders on Dan’s computer. Once Dan realizes that he allowed Katherine to use his computer under his login, he should report it as an “incident.”

LESSON 3 BRAIN TEASER

Let’s take a look at the following phishing brain teaser!

Brian received a phone call at work. “Tech Support” called to verify information on his computer. Brian was instructed to provide network and password information over the phone. Brian obliged and provided the requested information. Did Brian take the correct action? Yes or No?

Answer: No

Explanation: It’s never a good idea to provide Controlled Unclassified Information (CUI) over the phone. Think about it for a second… “Why would Tech Support need to verify information that they should already have?” A more appropriate response would be to either call Tech Support back on a verified number, or to walk over to their department to determine if the request is legitimate. Always find a way to verify before providing sensitive information in any form.