Checklist of Requirements for Protection of Restricted Data College of Medicine Departments (v 03/2014)

Transcription

1 hecklist of Requirements for Protection of Restricted ata ollege of Medicine epartments (v 03/2014) These requirements must be met to comply with U data protection policies, including HIPAA Policies and HIPAA Administrative, Physical, and Technical Safeguards. Separate documents list where help can be obtained to meet a requirement and provide templates to assemble information that must be submitted to the ean s Office. Requirement The University of incinnati s ata Protection Policy 9.1.1B defines Restricted ata as the most sensitive data requiring the highest level of protection. It includes, for example: Protected Health Information (PHI, HIPAA), personal identity information, social security/driver s license numbers, credit card numbers, data from research involving human subjects, student transcripts, and any other data the institution considers highly sensitive. To comply with University of incinnati policies on HIPAA Information Security, the Senior Associate ean for Administration and Finance has been designated the owner of systems within the ollege of Medicine that create, access, transmit or receive PHI. epartments are the responsible custodians of the restricted data, including PHI. The epartment Business Administrator inserts data into templates provided by the ean s Office with the following information and s the information and subsequent updates to comit@uc.edu. Questions should be addressed to Erin Groeting in the ean s office (erin.groeting@uc.edu; ) 1) Name, job title, and employer of all faculty, staff, trainees, and students within the epartment who have access to U networks and/or Restricted ata. 2) All computing devices used by individuals within the epartment that can access secure data systems or store Restricted ata: name of the device, U inventory I number, their owner/user, and physical location, e.g. office number. This includes desktop computers, laptops, tablets, smartphones, cell phones, personal data assistants, external hard drives, and thumb drives. 3) The ean s office will collate the information and provide it to appropriate offices at U, such as UIT and General ounsel. All faculty, staff, trainees, and students within the epartment: 1) Must complete U required HIPAA security training. 2) The Business Administrator inserts data into templates provided by the ean s Office. This includes the names of faculty/staff/students within the department and documentation of security training for each individual. E- mail the information and updates to comit@uc.edu. Questions should be addressed to Erin Groeting in the ean s office (erin.groeting@uc.edu; ). 3) The dean s office will collate the information and provide it to appropriate offices at U, such as UIT and General ounsel. esktop, laptop, and tablet computers used to store, access or transmit Restricted ata must follow current secure configuration standards, for example: 1) Whole disk encryption. 2) An operating system that is supported by the vendor and permits automatic installation and updating of antivirus, antispyware software and other patches via central computer management software. 3) Lock after 5 unsuccessful attempts to enter a password. 4) Automatic locking and password protection of device screens after 15 minutes of inactivity. 5) Removal of administrative privileges of users. Administrative privileges are restricted to OM esktop Support. 6) Removal of applications that increase the vulnerability of computers such as ()entral or ()ept* ompleted/

2 Requirement Peer to Peer (P2P) file sharing. 7) Locking cables or equivalent physical protection (e.g., locked cabinets) for all devices when not in the user s physical custody. 8) Loss or theft of computing devices must be reported immediately (within no more than 2 calendar days) to UIT s at abuse@uc.edu and to comit@uc.edu. Personal computing and other mobile data devices (e.g. smartphones, flash drives) that create, store, access, transmit, or receive Restricted ata, whether University of incinnati-issued or personal: 1) Must be under the physical control (protect against loss) of the owner at all times. 2) Must be protected by password access. 3) Must lock after 5 unsuccessful attempts to enter a password. 4) ata on the device must be encrypted. 5) Smartphones must be capable of remote deletion and locking. To comply, a user can configure the U exchange account on the mobile device via ActiveSync, this allows the user and U administrators to remotely wipe those devices through existing Microsoft Exchange server capability. 6) Applications that create, store, access, send or receive Restricted ata must meet U security standards. ustom developed applications used on mobile data devices must undergo a security design review and application vulnerability scan by UIT s. 7) Systems or networks containing Restricted ata must not be accessible to portable devices unless the owner of the Restricted ata approves it. UIT will setup firewall rules to restrict access to Restricted ata and/or network segments to approved users. 8) Loss or theft of mobile devices that can access Restricted ata must be reported immediately (within no more than 2 calendar days) to UIT s Office of Information Security at abuse@uc.edu and to comit@uc.edu. Servers, data storage devices, and other IT equipment utilized by the epartment must be kept within the U OM ata enter or an approved facility that provides: 1) Knowledgeable IT staff. 2) Key/I badge access control. 3) Surveillance monitoring. 4) Fire suppression. 5) Uninterruptible/back-up power supplies. 6) ata back-up off site. 7) isaster recovery. 8) Regular audit of logs to verify only authorized users accessed data. All new desktop and laptop computers must be purchased from University of incinnati managed device portfolio facilitated via OM IT and U Purchasing. Faculty and staff who require remote access to on-campus systems that store Restricted ata: 1) Must use a university provided, fully managed and encrypted device. 2) Must log-in via a VPN connection. 3) As an interim solution for users who require remote access from unmanaged devices, OM-IT (comit@uc.edu) will allow users to use a Remote esktop Protocol client (RP) to obtain a remote console of their U workstation. Users are required to register their unmanaged device with OM-IT, if they intend to use RP for remote access. 4) All other forms of remote access, including but not limited to drive mapping, ssh, ftp, vnc, etc. are prohibited. 5) Users are prohibited from copying data from their U system to any unmanaged device. accounts ()entral or ()ept* ompleted/

3 Requirement 1) Users must not configure accounts which may receive or transmit Restricted ata to auto-forward messages. 2) Messages that contain health-related information must be encrypted. 3) ommercial accounts such as Google and Yahoo are not secure and must not be used to transmit Restricted ata and other protected information. Violations of HIPAA policies, information security incidents: 1) Must be reported UIT s at abuse@uc.edu and to comit@uc.edu. This includes loss of, improper disclosure of or improper access to PHI or Restricted ata (for example, the loss or theft of paper PHI; the loss or theft of a computer, smartphone, or thumb drive storing Restricted ata; or an electronic intrusion into a computer storing Restricted ata). 2) Will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students. Users must securely destroy or delete Restricted ata when no longer needed or when retiring computers, smartphones or other mobile devices such as thumb drives. Emptying the recycle bin and trash does not delete data from your computer. Authentication and passwords: 1) All users that access computerized information system must be authenticated, typically by a unique identification code (user name) and password. 2) Passwords must consist of eight or more alphanumeric or special characters in a combination that is not obvious. 3) An account must lock after five consecutive invalid login attempts. 4) Passwords should be changed at least every 90 days. 5) Users who suspect that their passwords have been inadvertently disclosed or compromised must immediately report the suspected compromise to abuse@uc.edu and to comit@uc.edu. Users must change or reset all passwords in question. 6) Passwords must not be shared with anyone, including managers, students, fellows, administrative assistants, or secretaries. ()entral or ()ept* / ompleted/ * ()entral or ()ept: = entral function within OM IT; OM IT will take responsibility, but department needs to be aware of the requirement and support the OM IT efforts to comply. epartment should report to OM IT any non-compliance within the department. = Primarily a departmental function, with support from central OM IT.

4 Getting Help To Meet The Requirements For Protection Of Restricted ata (v 03/2014) Question or Problem General IT Questions General Security Questions Questions about U policies related to Restricted ata, HIPAA, HITEH requirements Information about required HIPAA training omplying with configuration standards for IT equipment disk encryption, updating antivirus, patching, malware Moving or maintaining equipment in a secure data center onfiguring smart phones for remote deletion and locking Vulnerability scanning of applications used on mobile devices to access Restricted ata Approval for portable devices to access Restricted ata or networks Encrypting e mails Purchasing of new desktop and laptop computers Setting up remote access to on-campus systems that store Restricted ata Reporting loss, improper disclosure, or improper access to Restricted ata estroying or disposing of devices that contain or can access Restricted ata Obtaining information about passwords ontact UIT Help esk HELP (4357) helpdesk@uc.edu ISE (4732) HIPAA Privacy Vicki Norton U Health, victoria.norton@uhealth.com irector of Quality Improvement, Office of General ounsel HIPAA Security Bo Vykhovanyuk, vykhovbn@ucmail.uc.edu Associate irector IT, Kim Logan, loganks@ucmail.uc.edu Information Security Officer, For 2014, U plans on adopting U Health training. More details pending. OM IT services: comit@uc.edu UIT ISE (4732) OM IT services: comit@uc.edu ISE (4732) Further discussion is needed related to Mobile evice Management (MM) Limited mobile capabilities. Evaluating tools now ISE (4732) The owner of Restricted ata must give permission for an individual to access the data using a portable device. ontact OM-IT, comit@uc.edu for additional information and to keep logs of permissions ISE (4732) OM IT services: comit@uc.edu U entral Purchasing OM IT services: comit@uc.edu U Network Operations enter (NO) and : Office of Information Security OM IT services: comit@uc.edu Security = abuse@uc.edu Privacy = Vicki Norton U Health, victoria.norton@uhealth.com irector of Quality Improvement, OM IT services: comit@uc.edu Office of Asset Management, OM IT services: comit@uc.edu

5 Passwords Policy isciplining individuals who violate security policies Human Resources, Obtaining de-identified data sets to support translational research TST (enter for linical Translational Science & Training) Brett Harnett