Recently, the School of Medicine experienced several events resulting in security breaches for the University. In order to address these vulnerabilities, we are making changes to our email configuration as a first step to securing the WUSM computing environment.
Effective March 2, 2020, School of Medicine Students, Faculty, and Staff will no longer be able to
- Automatically forward WUSTL email
- Utilize Email and/or calendar applications which Sync with WUSTL email (non-Outlook email and/or calendar applications)
Automatic Forwarding
Automatic Forwarding of WUSTL email will be blocked effective March 2.
Exception:
WUSTL email may be forwarded to email domains ending in “wustl.edu”, “va.gov”, and “bjc.org”
Email and Calendar Applications
If you attempt to access your email and/or calendar from a non-Outlook application and you are continually prompted to enter your login credentials despite having entered them correctly, this is evidence that the new rules have taken effect and are blocking this connection.
Please use one of the below approved methods for accessing WUSTL email on a personal device.
Personal Computers and Laptops
Use the web-based Outlook email through a browser, such as Google Chrome, Firefox, or Microsoft Edge.
Navigate to email.wustl.edu/mail to access your email.
Mobile Devices (Cell Phones and Tablets)
Use the web-based Outlook email through a browser on your device
OR download the Outlook email application from the App Store (iOS) or Google Play (Android) and set up your WUSTL email account. Instructions are available for iOS and Android devices on the how-to pages.
Note for iOS Devices
Help is Available
Tech Tables will be available in various areas throughout the School of Medicine.
Please click here for Tech Table availability.
Remove the ability to access Email and/or Calendars using applications which bypass 2 Factor Authentication
- The Outlook Application requires 2 Factor Authentication (Duo) in order to establish connection between a mobile device, computer, or laptop and the WashU Office 365 environment.
- Built-in mail and calendar applications and other email and/or calendar applications do not necessarily require 2 Factor Authentication. This creates an opening for a security breach.
- To block nefarious connections (from individuals who have successfully phished a user’s login credentials), we are blocking non-Outlook mail and calendar applications, which can bypass our 2 Factor Authentication (Duo).
Washington University must have the ability to remove WUSTL email and/or calendar data from Mobile Devices
- In order to ensure the security of our email, calendar, and contact environment (Office 365) we must have the ability to remove this data from any Mobile device at any time.
- If we allow individuals to utilize their built-in mail, calendar, and contacts applications we must clear the memory of the entire device in order to remove this information.
- By requiring individuals to utilize the Outlook mobile application on mobile devices we have the ability to remove just the Washington University Office 365 data from the mobile devices without clearing the entire device.
Email must be kept in a Secure Environment
- Automatic forwarding of WUSTL email is being blocked effective March 2 so that email cannot be forwarded outside the WUSTL Office 365 environment, protecting the security of any ePHI the email may contain.
- 2 Exceptions: Automatic Email forwarding will still be allowed for @bjc.org and @va.gov addresses
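As an added illustration (not the University's own tooling), the check below evaluates a list of mailbox auto-forwarding targets against the domains named in this announcement. It matches on whole DNS labels, so an address that merely ends in the string "wustl.edu" (for example notwustl.edu) is not accepted; the forwarding rules it audits are constructed sample data.

```python
"""Audit auto-forwarding targets against the WUSM exception list.

Added example, not the University's own tooling. The allowed domains
(wustl.edu, va.gov, bjc.org) are those stated in the announcement;
the forwarding rules below are constructed sample data.
"""
from typing import Iterable

# Domains to which automatic forwarding remains permitted (from the announcement).
ALLOWED_FORWARD_DOMAINS = frozenset({"wustl.edu", "va.gov", "bjc.org"})


def forward_allowed(address: str, allowed: frozenset = ALLOWED_FORWARD_DOMAINS) -> bool:
    """Return True if mail may be auto-forwarded to `address`.

    The match is on whole DNS labels: "user@mail.wustl.edu" is allowed,
    but "user@notwustl.edu" is not, even though it ends in "wustl.edu".
    A plain str.endswith() check would wrongly accept the second case.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return False                      # malformed address: deny
    domain = domain.lower().rstrip(".")   # case-insensitive, ignore trailing dot
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def find_violations(rules: Iterable[dict]) -> list:
    """Return (mailbox, target) pairs whose auto-forward target is not permitted."""
    return [(r["mailbox"], r["forward_to"])
            for r in rules if not forward_allowed(r["forward_to"])]


# Constructed sample of forwarding rules an admin might export from the tenant.
SAMPLE_RULES = [
    {"mailbox": "alice@wustl.edu", "forward_to": "alice.smith@bjc.org"},
    {"mailbox": "bob@wustl.edu",   "forward_to": "Bob.Jones@VA.GOV"},
    {"mailbox": "carol@wustl.edu", "forward_to": "carol@mail.wustl.edu"},
    {"mailbox": "dave@wustl.edu",  "forward_to": "dave@gmail.example"},
    {"mailbox": "erin@wustl.edu",  "forward_to": "erin@notwustl.edu"},
]

if __name__ == "__main__":
    for mailbox, target in find_violations(SAMPLE_RULES):
        print(f"{mailbox}: forwarding to {target} is blocked")
```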
How will I know if I have completed all of the required actions?
We will be sending follow-up communications, reminding individuals who have not yet removed Automatic Forwarding and/or who are still using a non-Outlook email application based on refreshed reporting.
If you no longer receive communications then you have completed these tasks.
iOS – How do I save my contacts when moving from Mail to Outlook?
- Install the Outlook app
- Navigate to Account Settings in Outlook
- Select Save Contacts
Click here for detailed instructions with screenshots on page 5
How do I remove WUSTL Mail from my mobile device’s Built-in Mail App?
- iOS Devices:
  - Go to Settings > Mail, Contacts, Calendars. The Accounts screen will open
  - Tap the Exchange Account to remove your WUSTL email
  - Scroll down and select Delete Account. A Delete Account warning window will open
  - Select Delete Account to complete the removal
Click here for detailed instructions with screenshots on Page 6
- Android Devices:
  - Go to Applications > Email. The Email screen will open
  - Access the settings menu and select Accounts. The Accounts screen will open
  - Press and hold the Exchange Account until the menu opens
  - Select Remove Account. The Remove Account warning window will open
  - Select OK or Remove Account to complete the removal
Click here for detailed instructions with screenshots on page 6
I cannot find the Outlook App on the App Store / Google Play. Am I looking in the wrong place?
Please ensure your mobile device is up to date (there are no pending updates for the device) as this usually corrects this problem.
How does limiting the apps we use on a personal device increase security?
By using the Outlook App we are able to expunge all email, calendar, and contact data from your device were it to be lost or compromised while leaving the other data untouched. Were you to use a different mail app, such as the built-in mail app, the mobile device would have to be wiped of all data in order to remove the WUSTL data.
I forward my WUSTL email to BJC and/or VA. Will I still be able to forward to them?
Yes. Due to the partnership with these two organizations and the assurances regarding the security of their IT environments you will still be able to forward to @bjc.org and @va.gov email addresses.
I do not sync my email, but I do sync my calendar. Will I be affected by this change?
Yes, when syncing your calendar to your WUSTL account you are connecting an external app to the WUSTL Office 365 account, which could lead to a security breach.
Why do I need to change my email client if I only connect via WUSM-Secure?
Unfortunately we cannot ensure that devices will always connect via the WUSM-Secure network, especially if lost or stolen. Hence we must follow the approved methods for accessing email.
Why am I not receiving Push Notifications for Appointments?
Please ensure you have allowed Push Notifications on both your mobile device and within the Outlook App. Instructions are available for doing so for both iOS and Android.
Identified Vulnerability
The Office of Information Security has received increased reports of phishing attacks with the sole purpose of stealing and using login credentials to access University email accounts. These attackers are using e-mail clients which bypass our Duo multi-factor authentication when connecting to our Office 365 e-mail environment.
Associated Risk
When the attackers get access to an email account, they can download the contents of the mailbox and/or send out spam in an attempt to compromise other accounts. This could represent a breach of patient privacy for patient care areas.
Actions to Reduce Risk
The actions defined on this page are designed to mitigate this security vulnerability.