Email safety and security

The Medical Center provides electronic mail accounts to all staff, faculty and students because it recognizes the value of email as a communication tool.  To protect that tool, we are continuously engaged in scanning and "filtering" (blocking) high volumes of spam and malware-infected attachments destined for your email inbox.

Watch what you do

Technical mechanisms like scanning and filtering only go so far.  E-mail security depends on you, too.  There are many things you can do to ensure that your email usage is more secure.

(1) Be cautious of sending confidential information in e-mail.  Sending email to another person within the Medical Center Exchange email system is a secure practice -- secure, that is, in the purely technical sense that access to Exchange is restricted to UM employees with valid Medical ID credentials, and the messages are encrypted as they move from sender to recipient(s). 

Additionally, if you send an e-mail to an "outside" account (e.g. Yahoo, AOL, MSN, or any other e-mail address that doesn't end in "miami.edu" or "um-jmh.org"), and the message contains credit card numbers, medical record numbers, or social security numbers, the email will be encrypted. Soon, the encryption system, Securemail, will also scan outbound messages for possible private health information. Encrypting these messages protects their content if a message is intercepted as it travels across the public Internet to its recipient.

Even e-mail sent within the Medical Center system is not completely secure because you are always dependent on the security practices of the person(s) with whom you correspond.  It only takes one careless "forward" -- or a "reply" that adds an inappropriate party --  to expose the information within an e-mail to the wrong people.
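The outbound rule described in (1) can be sketched as follows. This is an added illustration, not Securemail's actual logic: the function names, the patterns and the sample values are assumptions, and medical record numbers are left out because their format is site-specific.

```python
import re

# Assumption: the two "inside" suffixes named on the page.
INTERNAL_SUFFIXES = ("miami.edu", "um-jmh.org")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def is_external(address):
    """True unless the domain is an internal suffix or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    # Match on a dot boundary so "notmiami.edu" is not treated as internal.
    return not any(domain == s or domain.endswith("." + s)
                   for s in INTERNAL_SUFFIXES)


def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body):
    """Return the kinds of sensitive identifiers found in the message body."""
    hits = set()
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card")
    if SSN_RE.search(body):
        hits.add("ssn")
    return hits


def outbound_decision(recipients, body):
    """Encrypt only when an outside recipient and sensitive content coincide."""
    external = [r for r in recipients if is_external(r)]
    hits = find_sensitive(body)
    return {"encrypt": bool(external and hits),
            "external": external, "matched": sorted(hits)}


# Constructed sample: 4111 1111 1111 1111 is a well-known test card number.
print(outbound_decision(["friend@yahoo.com", "nurse@med.miami.edu"],
                        "Card 4111 1111 1111 1111 for the invoice"))
```

Pattern matching of this kind misses identifiers written in unexpected formats, which is one reason the guidance above still asks you to be cautious about what you put in a message.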

(2) Minimize the use of attachments as much as possible.  Just as we scan e-mail contents, we scan e-mail file attachments for viruses and other malicious software.  While the scanning and filtering systems are accurate to higher than 99.9 percent and block approximately 3 million malicious messages per month, we can't catch all dangerous attachments.  The ability to filter malicious e-mail traffic is only as good as the latest anti-virus/spam "signature" files (the digital fingerprints of viruses and other malware). 

(3) Copy and paste text into your email as often as possible.  This generally saves storage space, and limits your chances of receiving an infected attachment in return.  Attachments can easily get infected by a computer that already has a virus; however, viruses cannot "live" inside plain text.

There is another benefit here:  When you cut and paste, you have a chance to read what you are sending.  When you attach a file, the contents of which you have not carefully read, you may expose information inadvertently.  (Attached files from office software like MS Word can also contain "meta" data such as the author name, file creation and modification history, and even deleted content if you have enabled change tracking.)

We understand how important it is to be able to utilize file attachments as part of your work and only request that you use them wisely.  If you need to transfer files, you can use Securesend instead of e-mail attachments.  Securesend allows you to send unlimited file sizes by sending a link to any mailbox.

(4) Question unsolicited file attachments.  Unsolicited bulk mail (spam) can put you and the organization at risk.  If you've received an unsolicited file attachment, do not open it.  Delete it immediately.  Then, empty your "Deleted Items" and "Sent Items" folders.

(5) Never respond to a SPAM e-mail's instructions to reply with the word "remove" or any variation of this.  This is usually a trick to get you to react to the unsolicited e-mail.  By replying to the e-mail, you verify that your e-mail address is a "live" one and messages to it are being read.  This greatly increases the value of your address to spammers, and could result in your address being put on more spam lists.

Instead, forward these messages to spam@med.miami.edu.  The Data Center Services group will analyze the message and its heuristics and determine if there is a means by which we can block further messages of the same content. Additionally, you can manage your spam messages, blocked addresses, and more at http://spamreport.med.miami.edu.  

(6) Never sign up with Web sites that promise to remove your name from spam lists.  Some of these are legitimate businesses.  However, others are actually spam address collectors.  Unfortunately, detecting which is legitimate and which is not is often a difficult task.  We recommend you stay away from sites that advertise this "remove me" function.

(7) Question executable programs received via email.  This is a very common means for passing on viruses.  Do not open these files and do not pass them on!  Delete unsolicited e-mail that contains executable programs immediately.

To protect the Medical Center's electronic mail systems and network infrastructure, we are blocking a number of executable file attachments.  Please review information on executable files for more details.

(8) Disable macros on your machine.  Macros are a means to run executable programs on your computer.  Within your Internet browser or e-mail software, search the help menu for "macros" and how to disable them.

(9) Notify the person from whom you received an infected file.  Only do this if you know the person and are sure that the originating email address is accurate.  This helps the sender correct the problem within their system before passing the virus on to other users.

Keep your software current

(10) Keep your anti-virus protection up-to-date.  The University has a site license for anti-virus software.  This allows us to manage anti-virus updates for the thousands of computers on the Medical Center's network -- keeping all workstations up to date without you having to worry about it.

As part of this site license, each employee is authorized to obtain anti-virus software for personal use.  You can obtain this software by downloading it from our downloads page.

(11) Keep the rest of your software updated.  This is especially important for your e-mail "client" software and for the operating system as a whole.  Vulnerabilities in un-updated software are always targeted by hackers.

Remember that even the newest software cannot assure 100 percent security.  If you don't use e-mail safely, using the guidelines above, you're likely to encounter problems sooner or later.  For additional tips, see the guides to computer security at home, at work, and on the move.

Learn more

Cyber Security Tips: Email and Communications (US-CERT)
An excellent series on various aspects of email safety

Safer emailing and IM-ing (UM Privacy Project)
Basic content on all aspects of email/IM safety and politeness