UNC-CH wants vigilance

CHAPEL HILL -- In a never-ending battle against hackers, the head of information technology at UNC-Chapel Hill has a message for campus workers: take ownership of your computer.

That's a core theme of a new policy that Vice Chancellor Larry Conrad is trumpeting on a campus where 80,000 computers and other electronic devices tap into the campus network.

Though the policy won't solve all of UNC-CH's network security problems, Conrad points to one piece of his proposal as an example of its larger philosophy: Employees with computers must keep their virus software and security patches up to date, just as they would for their personal computers.

"The practical reality is that information security is an afterthought for a lot of people," Conrad said. "It gets in the way. But it's a risk-management issue."

Many workers may simply not know they're expected to keep such security updates current, so part of Conrad's initiative is a campaign to educate workers.

Conrad will discuss his proposal with faculty members this week. It was being developed prior to the recent discovery of a security breach at UNC-CH's medical school that may have exposed research data related to 160,000 participants in a mammography databank, including 114,000 Social Security numbers.

Conrad wants clear, easy-to-read security guidelines that employees can understand, because on a campus as large as UNC-CH, the technology office cannot be the sole security officer, he said.

"The magnitude of the problem for a large research university really is quite substantial," he said. "For any one system, it's not rocket science, but the sheer volume, how do you get to them all?"

Universities are constantly dealing with hackers. Conrad said the university staved off 27 million attacks last year alone but concedes that there are occasional breaches. The medical school incident is thought to have originated in Ukraine, a part of the world where such attacks are common.

"There's a whole set of countries where [hackers] operate with impunity," he said. "There's no way to get at them."

The medical school intrusion was detected in July but may have occurred as far back as 2007. A hacker got into the Carolina Mammography Registry, a 14-year-old UNC-CH medical research project that stores and analyzes mammogram information submitted by radiologists across the state.

Conrad said he doesn't think the medical school hacker stole any research data. The school set up a telephone line for women who had submitted mammography information and were concerned. As of earlier this week, that call center, which has been open for nearly two weeks, has fielded about 230calls, said Karen McCall, a UNC Health Care spokeswoman.

Latest Comment View all comments