Equipment and Data Security

Download PDF
3 downloads 6444 Views 125KB Size Report
Comment
o SecureDoc (Windows and Macs) o FileVault2 (Mac OS 10.8.3 or later) o Bitlocker (for Windows 7 or Windows 8 computers not otherwise compatible with.
   

Equipment and Data Security Physical Security Laptops and Other Portable Devices Data on Portable Devices   

Storage and use of sensitive or confidential data on a laptop/portable device should be purely temporary. The primary location of all sensitive or confidential data should be on the Medical School Network Attached Storage (NAS) device. MSIT is not responsible for any data on laptops or portable devices. It is the responsibility of the individual who owns the data to ensure that it is backed up. o In the event of hardware or software failure, MSIT will attempt to recover data, but cannot guarantee any data will be recovered.

Drive Encryption 

 

All desktops and laptops hard drives must employ one of the following Full Disk Encryption (FDE) mechanisms: o SecureDoc (Windows and Macs) o FileVault2 (Mac OS 10.8.3 or later) o Bitlocker (for Windows 7 or Windows 8 computers not otherwise compatible with SecureDoc) Minimum 128-bit key length. No exceptions for any laptop that is UT property will be allowed.

Locking Devices  

All laptop computers must have a hardware locking mechanism. All laptops must be either physically secured in locked drawers/cabinets/etc. or by their locking mechanism when not in use, regardless of location.

Exceptions 

Any exception to this should follow the IT Security exception policy.

Other Portable Devices 

 

Other portable devices may include but are not limited to all of the following: o PDAs o USB (Flash) Drives o Smartphones o Portable Hard Drives Because these devices are small and can easily be lost or stolen, confidential or protected data should never be stored unencrypted on a portable device. If sensitive data must be stored on such a device, the following precautions should be taken: o The device should not be left unattended. o If the device must be left unattended:  All doors leading to the device should be locked.  The device should be left in a locked drawer if possible, with the key in the owner's possession at all times.

Desktops and Other Stationary Computer Equipment    

All stationary computer equipment must also be physically secured against unauthorized access. Auto log on computers are to be used only in the exam rooms. Offices or areas with desktop computers should be locked when unoccupied. Servers that are not accessed directly should be kept in the 3rd floor Data Center. Your LAN Manager will be able to help coordinate this with the systems group.

Missing/Stolen Equipment 

If any computer equipment is missing or suspected stolen, contact your LAN Manager immediately. They will assist in taking all the necessary actions such as: o Contacting all department employees to make sure nobody has the equipment in question o Contacting UT Police if necessary o Filling out a missing/stolen equipment report o Contacting the proper authorities to notify them of potential loss of personal records

Data Security Protected Health Information (PHI) Data The Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines Protected Health Information as: Individually identifiable health information that is related to the "past, present or future physical or mental health condition" of a person. A full description of what is and is not protected can be found here.

 

Storing PHI Data Securely  

Always store PHI Data on a server in the secured portion of the network known as "Zone 100", such as the NAS. PHI data should never be stored on: o Desktop computers o Laptops o Other Portable Devices o Removable media (CD, Floppy, Zip)

Encryption If PHI Data must be stored somewhere other than a secured server for any reason, it must be encrypted using one of the following means:   

A flash drive that supports hardware encryption, such as a Lok-It Secure USB Drive. No University data should be stored on a non FDE encrypted disk or drive. A laptop using disk encryption software such as o SecureDoc (Windows XP, Win7 and Mac OS 10.6 – 10.8) o FileVault2 (Mac OS 10.8.3 or later) o Bitlocker (for Windows 7 computers not otherwise compatible with SecureDoc)

PHI Data in Email   

Any email containing PHI data must be encrypted. Sending email to another UT Health email address: When sending PHI data to another UT email address, use a UTHSCH Digital ID.  Sending email to non-UT Health email addresses: When sending PHI data to any email address other than a UT Health email address, IronPort email security must be used. To obtain an IronPort account, contact your LAN Manager.

Virus Protection 

All Medical School computers must have virus protection software installed. o Windows computers on the UT network are to be protected using the Health Science Center’s Microsoft ForeFront Client Security site license. o Off network/Home users should also take care to protect their systems by installing Microsoft’s free Security Essentials Antivirus program. This can be downloaded directly from the Microsoft Security Essentials web site located at http://www.microsoft.com/Security_Essentials/.

Virus Protection for Macs  

 

Mac users are responsible for providing their own virus protection, via department or personal funds. MSIT suggests the following products for Mac users: o ClamXav - Free, open-source antivirus

Virus Definition Updates 

PCs that are part of the UTHOUSTON domain generally have their virus definitions updated automatically. It is the responsibility of the user to manually keep definitions up-to-date on: o Research computers o Macs o Laptops o Computers kept at an individual's residence o Computers not owned by UT

Screen Savers  

All UT computers must have a password-protected screensaver. All PCs that are part of the UTHOUSTON domain have their screensaver activated and passwordprotected automatically. The screensaver will have to be manually activated and passwordprotected on: o Macs o Research machines o Laptops not joined to the domain

Software Updates     

All software, including operating systems, should have the latest updates to protect it from known vulnerabilities. Most Windows computers will update automatically on Wednesday nights. Macintosh users must use the Apple Software Update tool to download and install their updates. Research PCs will not receive automatic updates, but should be updated via the Windows Update site at least once every month. It is the responsibility of users of Macs and research computers to keep their operating systems and software up to date.

Data Backup    

All data of any importance should be backed up on a regular basis. Most important data can be stored on the Medical School's Network Attached Storage (NAS) device, which is backed up on a regular schedule (described below). Data that cannot be stored on the NAS for whatever reason must still be backed up on a regular basis. Any user who cannot store their data on the NAS for any reason should contact his/her LAN Manager to discuss the best method for keeping secure, reliable backups.

NAS Backup Policy    

The backup retention period for backups of the UTHSC-H Medical School enterprise storage server commonly referred to as the “NAS” is 14 days. Backups are replicated to an offsite location at Guhn Road, but are maintained for Disaster recovery only. NAS "snapshots" are taken at regular intervals and maintained for 14 days. Because the snapshots reside on the NAS itself, they cannot be used to recover data in the event of a natural disaster.

Exceptions for Research Machines 

   

The following medical school policies are currently automatically enforced by MSIT on all PCs through Active Directory: o Screensaver Passwords o Software Updates o Virus Protection Owners of research computers or their delegates may request an exception to automatic enforcement of these policies if there is a possibility of disrupting data collection/analysis/etc. The owner of the machine is still responsible for maintaining compliance with all MSIT policies; this exception only prevents updates and changes from being applied automatically. For a research computer to be considered for exception, the owner or his/her delegate must fill out an IT Security Exception Request and submit it to his/her LAN Manager. Computers placed in the Research OU will be periodically audited for compliance with virus protection, screen saver, and software update policies.

Domain Membership  

 

Unless granted an exception by a LAN Manager, all desktops and laptops at the Medical School must be joined to the UT domain. Being joined to the domain offers several key benefits, including: o Single sign-on - the same username and password grants access to the computer, email, and network resources. o Updates - MSIT can ensure that critical security patches and virus definition updates are applied in a timely fashion and are working properly. o Shared resources - greatly simplifies sharing of resources such as printers, scanners, etc. o Recovery - forgotten UT passwords can be reset by contacting the University’s Helpdesk at 713-486-4848.