News You Can Use: Cyber Safety

Cyber Health Checkup: Don’t Be Phish Food!

Cybersecurity is one of those annoyances that your institute’s information technology (IT) people take care of, right?

Wrong. That might have been the case a decade or two ago, but now, keeping NIH’s employees, patients, and systems safe from cyberattacks is a necessary responsibility for everyone who accesses NIH data and systems. Did you know than more than 99% of the emails coming into NIH are spoofing or phishing attempts (messages that masquerade as a trusted entity and try to trick recipients into sending money or clicking malicious links) or spam (unsolicited advertising email)? Every day, 23 million emails are blocked by the central NIH email filters and 36 million web connections to suspicious sites are stopped at the NIH firewall.

Last year, one spoof didn’t get blocked: Several employees received an email purporting to be from NIH Director Francis Collins asking them to use their government purchase cards to buy gift cards that supposedly would be distributed for employee recognition awards. Luckily, a careful recipient alerted the NIH IT Service Desk. The NIH information security team confirmed the spoof, removed the email from the inboxes of hundreds of employees, and determined that the director’s email had not been hacked. Without this alert, thousands of federal dollars might have been scooped up by the cyber criminals.

It’s not just taxpayer money that is at stake but also patient medical records, personal employee information that could be used in scams, and vital research data that could be sold.

Cyber risks don’t just come from the outside. One seemingly minor infraction is sharing login credentials with a friend or colleague. The potential for damage—to systems, to personnel, and to biomedical research—is huge. A few years ago, a peer reviewer at a university shared their NIH grant-review login information with a grant applicant, who was then able to access reviews and identify the reviewers of their own grant application. NIH takes the confidentiality and integrity of its vast grant-review process very seriously, and there are consequences from such misbehavior. When the breach was discovered, the resulting investigation led to the resignation of both researchers from their institutions.

NIHers may have noticed an increasing number of emails, announcements, and articles about cybersecurity at NIH over the past few months. These are part of the NIH Cyber Safety Awareness Campaign, an Optimize IT Security initiative, which aims to raise awareness of the real-life risks to NIH if cybersafe behaviors are not implemented and embraced.

Cybersecurity and research: Many scientists have seen IT security as an obstacle to research but are beginning to understand that the barriers are necessary for the protection of their work and NIH resources, said NCI staff scientist Art Shaffer. As a member of the Optimize IT team, he brings a bench researcher’s perspective to the work. Before COVID-19 forced many NIH employees to work from home, interactions between scientists were face-to-face with little cyber risk. Now “I can’t just take a flash drive with my two gigabytes of data over to my buddy’s computer at the other end of the lab,” said Shaffer. Instead, the data need to be transferred securely over the NIH network using a tool such as NIH Box. “Everyone relies on the technology for any work to get done. Cybersecurity issues have become even more important.”

Data sharing “is fundamental to the NIH mission, but we need to be able to do that safely,” reiterated Robert Balaban, the scientific director of the National Heart, Lung, and Blood Institute, during a recent virtual panel discussion about cyber safety and COVID-19. “The important thing to realize is that we are a connected community, and [anyone] could end up being one of the breaks in the system.”

Scientists might feel that a security-monitoring program, or “agent,” running on their laptop is slowing the computer down or that they are being spied on, said Ryan Dale, a senior scientist at the National Institute for Child Health and Human Development (NICHD). He certainly understands the pressure to get research done, but as NICHD’s scientific information officer, he also appreciates the importance of protecting the big cyber target that is the NIH. Thousands of vulnerabilities—old, unsafe operating systems, poorly configured software, and suspicious downloaded material—are identified each day by NIH’s security agents.

Collaborating safely: There are a lot of collaboration tools for sharing photos and data, but they are not all NIH approved or safe to use. The NIH Technology Availability Guide (NTAG) provides a list of approved tools that will enable research collaborations while protecting NIH digital assets. NIH has a robust set of collaboration and file-sharing tools that are approved and available for use including Box, Skype for Business, Jabber, Microsoft Teams, and Zoom. Using collaboration or file-sharing platforms that have not been approved for use by your information system security officer (ISSO) and are not listed on the NTAG may expose NIH to cyber threats, breaches, or data loss and should not be used. If you don’t already have access to a tool listed on NTAG, contact the NIH IT Service Desk for assistance. Before using any collaboration or file-sharing tool that is not listed on NTAG, contact your IC ISSO to ensure it is safe to use. If emailing sensitive or confidential information, encrypt the emails or send them via NIH Secure Mail. And if you need a collaboration tool that is not on the NTAG list, work with your IC ISSO to discuss your needs and have tools properly assessed before use. A single cybersecurity incident has the potential for widespread consequences; do not compromise your data or that of others, use NIH approved tools, and when in doubt, reach out to your IC ISSO for guidance.

Report anything suspicious: In general, “Don’t be afraid to report something” that seems unusual, said Jothi Dugar, chief information security officer at the Center for Information Technology, who is leading the Cybersecurity Awareness Campaign. Be on the lookout for suspicious emails, or computers acting weird (crashing frequently or showing strange popup ads, for example). “We’re not going to be coming after you for clicking on a link. We want to take care of the situation and provide guidance and training.”

Cyber safety needs to be a priority for all employees, integrated into their day-to-day jobs. The “protective shell of IT infrastructure armors NIH against cyberattacks on a daily basis,” said Schaffer. But all of us have a part to play as well.


Susan Chacko

Susan Chacko, who is a scientist on the Biowulf cluster staff at the Center for Information Technology, came to NIH as a postdoc in 1992. She leads a team of scientists who install and maintain scientific programs on Biowulf, helps intramural researchers implement large-scale computational research projects, and provides one-on-one support. In her spare time she writes for the NIH Catalyst, walks her dog, and volunteers as an election judge.