
Policy: Electronic Storage of Highly Sensitive Data 


Date: 06/19/08 Policy ID: IRM-015 Status: Final

Policy Type: University
   
Contact Office: Information Security, Policy, and Records Office
   
Oversight Executive: Chief Information Officer
   
Applies To: Academic Division, Medical Center, College at Wise, and University-related Foundations. 
   
Table of Contents: 

Policy Statement
Procedures

   
Reason for Policy: The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected. The purpose of this policy is to highlight specific requirements that must be met by all who store highly sensitive University data on individual-use electronic devices or electronic media, regardless of whether those are owned by the University or the individual. This policy does not supplant any other policies, legal requirements, or contractual obligations.
   
Policy Summary: 
   
Definition of Terms in Statement: 

Individual-Use Electronic Devices: Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.

Individual-Use Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Highly Sensitive Data: For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. Other types of sensitive data obviously exist, such as student names in combination with course grades, but the negative impact of unauthorized exposure of the data specifically covered by this policy (and described in detail below) is especially acute.

  1. Personal information that, if exposed, can lead to identity theft. “Personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:
    1. Social security number;
    2. Driver’s license number or state identification card number issued in lieu of a driver’s license number;
    3. Passport number; or
    4. Financial account number, or credit card or debit card number.
  2. Health information that, if exposed, can reveal an individual’s health condition and/or history of health services use.  “Health information,” also known as “protected health information (PHI),” includes health records combined in any way with one or more of the following data elements about the individual:
    1. Names;
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    4. Telephone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images; and
    18. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual. 


   
Policy Statement: 

The risk of unauthorized disclosure of highly sensitive data is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which highly sensitive data may be stored on these devices and media. It further mandates that all of the requirements that follow be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media. It is the responsibility of individuals to determine if they have highly sensitive data on their device(s) and media and, if so, to ensure compliance with this policy.

  1. The Vice President or Dean responsible for the department with which the individual is primarily affiliated must state in writing that such storage is an essential business need and must file the written statement and approval in a secure location for subsequent audit purposes.

  2. Highly sensitive data must be securely encrypted on the electronic device or media, according to encryption methods recommended by the University Information Security, Policy, and Records Office or, for Health Systems Technology Services (HSTS) users, the HSTS Security Office.

  3. A log-in password must be enabled for the electronic device and, if available, the electronic media. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone.

  4. A password-protected screen saver, if available, must be enabled on the electronic device and set to activate after a maximum of ten minutes of user inactivity. The password must meet or exceed appropriate complexity levels.

  5. The password must not be shared with anyone. (Exception: Use of a password-protected screen saver is not required if such use would disrupt patient care, such as operating rooms, radiological reading rooms, and procedure rooms.)

  6. The electronic device must at a minimum employ the basic security requirements described on the “Requirements for Securing Electronic Devices” web page.

  7. The data must be deleted from the individual-use device or media as soon as they are no longer required, using secure methods according to the Electronic Data Removal Policy and the Records Management Policy.

  8. Management of the electronic device may not be outsourced to any party external to the University without written approval from the Vice President or Dean responsible for the department with which the individual is primarily affiliated. The Vice President or Dean must file the written statement and approval in a secure location for subsequent audit purposes. (Exception: Approval is not required if on the effective date of this policy management of the electronic device is already outsourced under an existing University contract.)

As noted earlier, it is the responsibility of individuals to determine if they have highly sensitive data on their individual-use device(s) and media and, if so, to ensure compliance with this policy. Failure to comply with requirements of this policy will result in disciplinary action up to and including termination.

   
Procedures: 

Individuals are required to:

  1. Find highly sensitive data on their individual-use electronic devices and electronic media. If such data are not found, no further action is required.

  2. If highly sensitive data are found, individuals must either:
    1. securely delete it,
    2. move it to a secure server, or
    3. request approval from their vice presidents or deans to store the data on their individual-use device(s) and/or electronic media.

  3. Individuals who request approval to store highly sensitive data must take steps to protect those data while they await approval. Specifically, they must encrypt the data and apply log-in passwords, password-protected screen savers, and other basic security safeguards to their individual-use electronic devices and electronic media in accordance with this policy (see requirements 2 through 5 in the Policy Statement).

  4. Individuals who are denied approval to store highly sensitive data must securely delete the data from their individual-use device(s) and/or electronic media.

Step-by-step compliance guidance is provided here.

Finding and Removing Sensitive Data – Easy-to-use University-provided software is available to help individuals locate certain personal information on their computers. Once installed, the software will scan all computer files and list those that appear to include social security numbers, credit card numbers, or, optionally, medical record numbers. The software presents the user with options for handling the files. In addition to periodically running this software, individuals should routinely delete files in a secure manner when they are no longer needed. Guidance for securely deleting files can be found here.
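As an added illustration of the kind of check the scanner described above performs (this is example code written for this page, not the University-provided software), the following Python looks for SSN- and card-shaped strings in text and discards the false positives a bare pattern match would produce, using the SSA issuance rules for SSNs and the Luhn checksum for card numbers. The sample text is constructed; medical record numbers are omitted because their format is site-specific.

```python
import re

# Constructed sample standing in for the contents of a scanned file; no real data.
SAMPLE = """Intake notes (constructed sample)
SSN: 219-09-9999
Card on file: 4111 1111 1111 1111
Order ref 000-12-3456 (SSN-shaped, but area 000 is never issued)
Phone 434-555-0100
Card 1234 5678 9012 3456 (fails the Luhn check)
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens, ending in a digit
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_highly_sensitive(text):
    """Return (kind, match) pairs for SSN- and card-shaped strings that pass validation."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits


def scan_file(path):
    """Scan one file as text; undecodable bytes are replaced rather than raising."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_highly_sensitive(fh.read())


if __name__ == "__main__":
    for kind, value in find_highly_sensitive(SAMPLE):
        print(f"{kind}: {value}")
```

A real scanner would walk every file on the device with scan_file and let the user choose, per hit, between secure deletion and moving the file to a secure server, as the procedures above require.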

Request and Approval Form – An individual requesting approval to store highly sensitive data on his or her individual-use electronic device or media must complete the form and submit it to his or her department head/chair. If the department head/chair supports the request, he or she must forward the form to the appropriate vice president or dean for approval.

   
Related Information: 

University-provided Software for Locating Personal Information
Administrative Data Access Policy
Institutional Data Protection Standards
Disclosure of University Records
IRM-004, Electronic Data Removal
Ethics in Computing Usage Policy
IRM-012, Information Security Incident Reporting
IRM-017, Records Management
Responsible Computing for Faculty and Staff Handbook
STU-002, Rights of Students at the University of Virginia Pursuant to the Family Educational Rights and Privacy Act
IRM-014, Protection and Use of Social Security Numbers
SSN Initiative
Medical Center Policy No. 0201 Patient Identification
Medical Center Policy No. 0253 Verification for Release of Patient Information
School of Medicine Policies:

1.430. Required HIPAA Privacy Training
1.431. Violations of Confidentiality
1.530. Records Management

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”)

The Commonwealth of Virginia Government Data Collection and Dissemination Practices Act §2.2-3800

   
Policy Background: Phased Compliance Strategy – Because of the magnitude of effort, the University of Virginia originally adopted a risk-based, phased approach for implementing this policy, with portable devices and media prioritized for quick action following the 6/19/2008 effective date and compliance for all individual-use electronic devices and electronic media required by 7/1/2009.
   
Major Category: Information Resource Management
   
Category Cross Reference: 
   
   
Process: 
   
Next Scheduled Review: 06/19/14
   
Approved By, Date: Executive Vice President and Chief Operating Officer, 06/19/08
   
Revision History: Updated 9/17/13, 7/28/11.
   
Supersedes (previous policy):