Cyber Security in Higher Ed: How to Avoid Becoming the Next Target
New regulations should reduce number of costly attacks
Higher education institutions are major targets for hackers. Their databases contain a perfect trifecta of personal, financial and health data, all of which are considered high-value commodities on the black market. Last year, a hacker known as Rasputin breached over 60 universities and government agencies, and the tally continued to grow into 2017, making it one of the largest higher education breaches in history. This lone cybercriminal made news, but hacks are really just the tip of a very large iceberg of breaches that are primarily caused by negligence.
In 2016, the U.S. Department of Education said they would require colleges and universities to comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of “controlled unclassified information.” The first compliance deadline schools must meet is December 31, 2017.
Colleges and universities have a wide array of vulnerabilities, but in the interest of brevity and relevance, we’re going to focus on a few recent cloud email and storage related events in higher education that will be addressed by several of the 800-171 requirements.
After Oregon Health & Science University (OHSU) suffered its fourth major breach in 2012, two employees were placed on administrative leave for the “unlawful release” of 22,00 pages of records from the university president’s office. These records included confidential information on faculty, staff, and students. The data was stored in Google’s Gmail and Drive applications by resident physicians and discovered by another faculty member in 2013. In addition to the 1,361 individuals facing significant harm due to their diagnoses being leaked, credit card data, payment information, procedures, photos, driver’s license numbers and Social Security numbers were included in the breach for thousands of others.
The OHSU breach is about as bad as they come since it included both HIPAA and FERPA violations. To prevent future breaches, the university agreed to a four-point strategy:
The remediation process, fines, and strategy cost the university $2.7 million. This entire event could have easily been prevented with a cloud security solution that monitored files for sensitive data. However, given that this situation was handled beginning in 2013, OHSU was able to get ahead of about 99% of their fellow universities that have been dealt one blow after another in more recent years.
This year, the University of Oklahoma (OU) experienced a data leak similar to OHSU’s. OU uses Microsoft Office Delve, an internal intelligent search engine. In just 30 of the hundreds of documents made publicly discoverable on Delve, there were more than 29,000 instances in which students’ private information was made available to users within OU’s email system. With a simple Delve search, student journalists discovered four spreadsheets that included students’ financial information along with the amounts of money they received in scholarships, grants, loans or waivers from 2012 through 2016! But wait, there’s more:
Another series of spreadsheets listed students who had received a grade of incomplete during the six semesters from Fall 2014 through Fall 2016. One document listed the names and Social Security numbers of 30 students, including the names of athletes now playing professionally. It’s not clear why the document existed or how these students were related.
Two other documents listed the visa statuses of more than 500 international students. Several documents included information about current OU athletes’ scholarships and their eligibility statuses, including one that listed which students were barred from practice this past summer due to failed drug tests, recruiting violations, or academic misconduct.
These files were easily discovered by the student journalists who reported it, so the impact and breadth of the leak are still unknown and the investigation is ongoing.
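The OHSU and OU incidents above share one root cause: spreadsheets and documents holding Social Security and payment card numbers sat in cloud storage that was broadly shared or indexed. As an added illustration (not code from the original article or any vendor product), here is a Python sketch of the kind of check a sensitive-data monitor runs before a file is shared or indexed: it pattern-matches SSNs, Luhn-validates card-like numbers, and returns masked findings over a constructed sample export.

```python
import re

# Constructed sample export of a shared spreadsheet (fake values, not real people).
SAMPLE_DOC = """\
name,identifier,term,status
Jane Doe,123-45-6789,Fall 2015,Incomplete
John Roe,4111 1111 1111 1111,Spring 2016,scholarship refund
Ann Poe,000-12-3456,Fall 2016,not a valid SSN (area 000)
Bob Loe,4111 1111 1111 1112,Fall 2016,card-like but fails Luhn
"""

# SSN: three groups, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens (typical card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return (line_no, kind, masked_value) for each likely SSN or card number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((line_no, "SSN", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((line_no, "CARD", mask(digits)))
    return findings


def needs_quarantine(text: str) -> bool:
    """True if the document should be blocked from broad sharing or indexing."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE_DOC):
        print(f"line {line_no}: {kind} {masked}")
```

Note that the Luhn check and the area/group/serial rules cut down false positives from phone numbers, order IDs and placeholder values, which is what separates a usable monitor from a noisy one.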
At this point, you might be dismissing these examples, since all these breaches took place in the cloud. But this year there have also been several instances of physical theft. A Washington State University (WSU) researcher noticed that an 85-pound safe containing a hard drive was missing from a WSU storage unit. The drive held the names of about a million people, along with the Social Security numbers and health history of some of them.
Think this is just a one-off? The University of Ottawa also found itself the subject of an investigation after the information of some 900 students was exposed when an external hard drive went missing. The data included people with disabilities and mental health issues.
In both cases, the hard drives are assumed to be unencrypted and investigations are ongoing.
A new set of federal regulations is set to tighten the cybersecurity practices of colleges and universities. There are six major steps higher education leaders can take to develop a program that fulfills new contractual obligations required for continuing federal grants, research contracts and other transactions in which institutions receive data from the federal government, which is most of them, according to Deloitte and EDUCAUSE:
There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must satisfy.
For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page. A deadline to comply or to report delays in compliance has been set for December 31, 2017.