Overview

Electronic mail (Email) is used as a means of communicating official company information to Medical Center employees and customers. The UVA Medical Center issues an email address and disk space (for email storage) to all Medical Center employees. Email accounts are also available upon request for non-Medical Center employees [e.g. School of Medicine (207), University Physician Group (UPG), etc.].

Purpose

To establish the conditions of use for email access within the Medical Center.

Scope

This standard applies to all Health System Email service customers.

Description

A. Guidelines of Use

The Medical Center uses electronic mail to communicate information related to Medical Center business to many kinds of employees and clients.  All email services customers are responsible for reading email on a frequent and regular basis since some official communications may be time sensitive.

The following standards should be maintained when communicating via Health System email:

  • Keep the number of lines and length of the overall email as brief as possible.
  • Do not use all capitals.
  • Emails may be subject to requests under the Freedom of Information Act; therefore, the tone of all emails should be professional and should not contain angry or inflammatory statements.
  • Minimize the use of cc’s.
  • Do not use "reply all" unless absolutely necessary.
  • If an exchange requires more than 2 replies, consider communicating via the telephone.
  • Limit the use of "deliver and read receipt" to essential messages with a priority deadline.
  • Limit the use of "High Importance" "!" emails to critical response or notification items only.
  • Include a pertinent "subject" (do not leave the subject line blank).
  • If you are not in the "to" line, a reply may not be necessary.
  • Eliminate all background color templates.

B. Security and Privacy

All Health System email services customers are responsible for keeping their email passwords confidential. Email passwords must not be shared with others, including supervisors, co-workers, friends and family members. The sharing of passwords is a violation of Health System policies.

If you believe a password violation has occurred, you should complete a Computer Security Incident Report. A member of the HIT Security team will investigate the incident and report it to the appropriate parties.

C. Encrypted Communications

All messages that contain sensitive or confidential information, such as patient information, financial, and employee information, must be encrypted before being sent to an external email address.

Email messages can be encrypted by setting the Confidential Flag in Outlook or by entering "[Secure]" on the subject line.

For questions regarding this process please contact the HIT Helpdesk at 434-924-5334 or refer to the Data Loss Prevention (DLP) FAQs.

 

D. Spam Filtering

Technology Services has implemented a process to help filter Spam messages in the same manner as viruses. Spam messages are filtered before their delivery to the Health System email system by using a vendor-supplied definition file and by accumulating samples reported from Health System email customers.

This process helps to reduce the number of spam messages received; however, it does not block all of them, since new spam generators are created daily.

Technology Services requests that when you receive a message that appears to be spam, you forward the message to EMAIL@hscmail.mcc.virginia.edu in the Global Address List so that it can be reviewed for potential filtering. Spam messages can also be dragged and dropped into a public folder labeled "report spam", located under "public folders", "all public folders" within Outlook. This method allows you to report the spam message without having to open the email.

Users have the ability to retrieve quarantined SPAM messages using a SPAM Quarantine portal (https://SPAM.hscs.virginia.edu).

For questions regarding this process please contact the HIT Help Desk at 434-924-5334.

E. Phishing

Many of our customers have received emails appearing as though they are from a legitimate business like eBay, a local or large bank such as SunTrust or Citibank, or PayPal, including the official logos or page designs. The email requests you to follow a link to supply your personal information such as user ID, password, Social Security number, credit card numbers, bank account numbers and/or PIN number. In 9 out of 10 cases these emails were sent to you fraudulently without the company's knowledge. These emails are attempts from people who are trying to steal your identity or obtain your credit or banking information in order to gain access to your accounts.

The UVA Medical Center will NEVER send you a threatening email stating your account will be closed if you do not click on a link supplied within an email. These types of phishing emails often indicate you must provide your User ID and password in order for your account to stay active. Suspicious emails should be reported to the HIT Help Desk or the Email Team at email@hscmail.mcc.virginia.edu.

Customers may receive emails with attachments from unknown senders. You should never open an attachment from an unknown sender. Emails coming from legitimate sources may also contain malware or viruses. These email attachments often come as .zip files or PDFs but may come in other forms. Only open attachments you are expecting and from people that normally send you attachments. If you receive a strange email requesting you open an attachment and don't believe it's legitimate, you should contact the HIT Help Desk at 434-924-5334 or email Email@hscmail.mcc.virginia.edu, who can assist you with verifying the email's authenticity.

There are some steps you can take to help protect yourself from falling victim to these scams. First, know the policy of the company you do business with. Do they send you emails requesting your personal information? For example, eBay's policy states they will never send you an email requesting your information.

Second, if you believe the email you received to be of a legitimate nature and that you need to take some action on the company's website, do not follow the links provided within the email. Go directly to the company's website via Internet Explorer just as you would do without having received the email. Log on with your credentials and then provide or change any of the necessary information within your account.

Third, many companies have a way for you to report any email you receive that appears to be coming from them. This is a way to verify if the email actually came from the company or from someone else. Just inquire with the company to obtain the email address you should use.

eBay and PayPal each have an email address to which you can forward any email you receive, and they will let you know if they sent the email to you. The email addresses for these two companies are spoof@ebay.com and spoof@paypal.com. When you receive an email from eBay or PayPal, you should forward it to the appropriate address before taking any action.

 

F. Email Retention/Restoration

Email backups are retained for 7 days. Please reference the Data Backup Standard, Email & File Restoration & Email Access Approval for information on Email Retention and Restoration procedures.

 

G. Termination of Email Account

Upon request for termination of access, email accounts are disabled for 30 days in order to accommodate reactivation requests. When the disabled account has reached 30 days without request for reactivation, email contents (i.e. email messages/address book/calendar etc.) will be permanently deleted and unrecoverable. Please reference Email and File Restoration and Email Access Approval for information on Email termination procedures.

Document Supporting Resources