IRM-015: Electronic Storage of Highly Sensitive Data
Date: 06/19/2008
Status: Final
The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected. The purpose of this policy is to highlight specific requirements that must be met by all who store highly sensitive University data on individual-use electronic devices or electronic media, regardless of whether those are owned by the University or the individual. This policy does not supplant any other policies, legal requirements, or contractual obligations.
Highly Sensitive Data:
For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. While other types of sensitive data, such as student names in combination with course grades obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy (and described in detail below) is especially acute.
Personal information that, if exposed, can lead to identity theft. “Personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Passport number; or
- Financial account number, or credit card or debit card number.
Health information that, if exposed, can reveal an individual’s health condition and/or history of health services use. “Health information,” also known as “protected health information (PHI),” includes health records combined in any way with one or more of the following data elements about the individual:
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual.
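The ZIP-code and date/age rules in the list above are the only identifier elements that describe a procedure rather than a plain "remove it" instruction, and the edge cases (a 3-digit ZIP prefix covering 20,000 or fewer people, a birth year that by itself reveals an age over 89) are easy to get wrong. The following is an added example, not the University's or HSTS's code, showing how those two rules can be applied to a record before it is kept on a device. The 3-digit prefix population table is constructed for illustration; real values come from the Census data the policy refers to, which this page does not include.

```python
import re
from datetime import date

# Constructed population figures per 3-digit ZIP prefix (assumption: in practice
# these come from current Census data; these numbers are illustrative only).
ZIP3_POPULATION = {
    "229": 250_000,  # constructed: large enough that the prefix may be kept
    "036": 15_000,   # constructed: 20,000 or fewer people, must become "000"
}

POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages above this collapse into a single "90+" category


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Reduce a 5- or 9-digit ZIP code to its first three digits, or to "000"
    when the combined population of that prefix is 20,000 or fewer.
    An unknown prefix is treated as small, which is the safe direction."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        raise ValueError(f"expected a 5- or 9-digit ZIP code, got {zip_code!r}")
    prefix = digits[:3]
    if population.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age):
    """Ages over 89 are reported only as the aggregate category "90+"."""
    if age < 0:
        raise ValueError("age cannot be negative")
    return "90+" if age > AGE_CAP else str(age)


def generalize_record(record, as_of, population=ZIP3_POPULATION):
    """Apply the ZIP and date/age rules to one constructed record.
    Dates keep only the year; the birth year is dropped as well when it would
    itself indicate an age over 89."""
    age = age_on(record["birth_date"], as_of)
    return {
        "zip": generalize_zip(record["zip"], population),
        "age": generalize_age(age),
        "birth_year": str(record["birth_date"].year) if age <= AGE_CAP else "90+",
        "admission_year": str(record["admission_date"].year),
    }


if __name__ == "__main__":
    # Constructed sample record; the reference date is the policy's effective date.
    sample = {"zip": "22903-1234", "birth_date": date(1915, 1, 1),
              "admission_date": date(2008, 6, 2)}
    print(generalize_record(sample, as_of=date(2008, 6, 19)))
```

The direction of the defaults matters: an unknown ZIP prefix is generalized to "000" and any age above 89 hides the birth year, so a gap in the lookup table can only over-suppress, never leak.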
Individual-Use Electronic Devices:
Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.
Individual-Use Electronic Media:
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
The risk of unauthorized disclosure of highly sensitive data is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which highly sensitive data may be stored on these devices and media. It further mandates that all of the requirements that follow be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media. It is the responsibility of individuals to determine if they have highly sensitive data on their device(s) and media and, if so, to ensure compliance with this policy.
a. The Vice President or Dean responsible for the department with which the individual is primarily affiliated must state in writing that such storage is an essential business need and must file the written statement and approval in a secure location for subsequent audit purposes.
b. Highly sensitive data must be securely encrypted on the electronic device or media, according to encryption methods recommended by the University Information Security, Policy, and Records Office or, for Health Systems Technology Services (HSTS) users, the HSTS Security Office.
c. A log-in password must be enabled for the electronic device and, if available, the electronic media. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone.
d. A password-protected screen saver, if available, must be enabled on the electronic device and set to activate after a maximum of ten minutes of user inactivity. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone. (Exception: Use of a password-protected screen saver is not required if such use would disrupt patient care, such as in operating rooms, radiological reading rooms, and procedure rooms.)
e. The electronic device must at a minimum employ the basic security requirements described on the “Requirements for Securing Electronic Devices” web page.
f. The data must be deleted from the individual-use device or media as soon as they are no longer required, using secure methods according to policy IRM-004, Electronic Data Removal, and IRM-017, Records Management.
g. Management of the electronic device may not be outsourced to any party external to the University without written approval from the Vice President or Dean responsible for the department with which the individual is primarily affiliated. The Vice President or Dean must file the written statement and approval in a secure location for subsequent audit purposes. (Exception: Approval is not required if, on the effective date of this policy, management of the electronic device is already outsourced under an existing University contract.)
As noted earlier, it is the responsibility of individuals to determine if they have highly sensitive data on their individual-use device(s) and media and, if so, to ensure compliance with this policy. Failure to comply with requirements of this policy will result in disciplinary action up to and including termination.
Individuals must find highly sensitive data on their individual-use electronic devices and electronic media. If such data are not found, no further action is required.
If highly sensitive data are found, individuals must either:
- securely delete it,
- move it to a secure server, or
- request approval from their vice presidents or deans to store the data on their individual-use device(s) and/or electronic media.
Individuals who request approval to store highly sensitive data must take steps to protect those data while they await approval. Specifically, they must encrypt the data and apply log-in passwords, password-protected screen savers, and other basic security safeguards to their individual-use electronic devices and electronic media in accordance with this policy (see requirements b through e in Policy Statement).
Individuals who are denied approval to store highly sensitive data must securely delete the data from their individual-use device(s) and/or electronic media.
Step-by-step compliance guidance is provided here.
Finding and Removing Sensitive Data – Easy-to-use University-provided software is available to help individuals locate certain personal information on their computers. Once installed, the software will scan all computer files and list those that appear to include social security numbers, credit card numbers, or, optionally, medical record numbers. The software presents the user with options for handling the files. In addition to periodically running this software, individuals should routinely delete files in a secure manner when they are no longer needed. Guidance for securely deleting files can be found here.
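The page does not say how the University-provided scanner decides that a file "appears to include" a social security number or credit card number, so the following is an added example of the detection logic such a tool needs, not the University's software. It scans text files under a directory for the SSN layout (rejecting area numbers 000, 666 and 9xx and zero group/serial fields) and for 13–19 digit runs that pass the Luhn checksum used by payment cards, and it masks every hit so the scan report is not itself a new copy of the sensitive data. The patterns, file suffixes and sample file content are constructed for this example; medical record numbers are omitted because their format is institution-specific.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns for this example (not the University scanner's rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(number):
    """True when the digit string passes the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report does not expose the full value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (line_number, kind, masked_value) for each SSN or card-number hit.
    Digit runs that fail the Luhn check are dropped to cut down false positives."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            raw = re.sub(r"\D", "", m.group())
            if luhn_valid(raw):
                hits.append((lineno, "card", mask(raw)))
    return hits


def scan_directory(root, suffixes=(".txt", ".csv", ".log")):
    """Map each matching file under root to its list of hits (files with no hits omitted)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = scan_text(text)
            if hits:
                findings[path.name] = hits
    return findings


# Constructed sample content: one real-looking SSN, one card number that passes
# Luhn, and one digit run that fails Luhn and must be ignored.
SAMPLE_TEXT = ("Alice Example, SSN 123-45-6789\n"
               "card on file: 4111 1111 1111 1111\n"
               "order ref 4111 1111 1111 1112\n"
               "call 434-555-0100\n")


def demo_scan():
    """Write the constructed sample into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "roster.txt").write_text(SAMPLE_TEXT)
        Path(tmp, "notes.md").write_text(SAMPLE_TEXT)  # wrong suffix, not scanned
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, hits in demo_scan().items():
        for lineno, kind, masked in hits:
            print(f"{name}:{lineno}: {kind} {masked}")
```

A scanner like this is only a finding step; what it reports still has to be handled under the options the policy gives (secure deletion, a move to a secure server, or an approved and encrypted local copy), and the report file itself should be deleted securely once acted on.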
Request and Approval Form – An individual requesting approval to store highly sensitive data on his or her individual-use electronic device or media must complete the form and submit it to his or her department head/chair. If the department head/chair supports the request, he or she must forward the forms to the appropriate vice president or dean for approval.
Phased Compliance Strategy – Because of the magnitude of effort, the University of Virginia originally adopted a risk-based, phased approach for implementing this policy, with portable devices and media prioritized for quick action following the 6/19/2008 effective date and compliance for all individual-use electronic devices and electronic media required by 7/1/2009.