Computer Use/Electronic Information: Difference between revisions
No edit summary
Mhurlocker (talk | contribs) m (→Definitions)
(15 intermediate revisions by 3 users not shown)
Policy No.: '''6051'''<br />
Effective Date: '''04/25/07'''<br />
Revised Date: '''draft'''<br />
Reviewed Date: '''09/19/17'''<br /><br />
<big>'''Computer Use and Electronic Information Security Policy'''</big>
== Introduction ==
University of Nebraska Medical Center (UNMC) has a robust information technology environment. It is the responsibility of the workforce to utilize information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality.
== Basis for Policy ==
The University of Nebraska has issued Executive Memorandum No. 16, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Policy for Responsible Use of University Computers and Information Systems], which sets forth the University’s administrative policy and provides guidance relating to the responsible use of the University’s electronic information systems. It is the intent of this policy to confirm campus adherence to Executive Memorandum 16.<br /><br />
Information technology resources are owned by UNMC and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, all applicable [[Policies_and_Procedures|UNMC policies]], including sexual harassment, patent and copyright, patient and student confidentiality, and student and employee disciplinary policies, as well as by applicable federal, state and local laws.
== Policy ==
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality to protect the integrity of all data and the business interests of the entity.
It is the responsibility of the workforce to protect all confidential and proprietary information at all times, including but not limited to when it is stored electronically (at rest) and when it is being transferred outside of the facility, such as on a mobile device, external storage or cloud system storage (See End User Device Security Policy).
Information technology resources are owned by Nebraska Medicine/UNMC and are intended for use in completing the Nebraska Medicine/UNMC mission. Information generated during Nebraska Medicine/UNMC operations is a valuable asset and property of Nebraska Medicine/UNMC.
==== Acceptance and Adherence to Policy ====
Use of Nebraska Medicine/UNMC information systems by anyone shall constitute agreement to abide by and be bound by the provisions of this policy (See; Privacy, Confidentiality and Security of Patient and Proprietary Information Policy). Departmental personnel with system administrator responsibilities must conform to all Nebraska Medicine/UNMC Information Technology and Information Security policies and procedures.
User Responsibility
* Users are responsible and accountable for access under their personal accounts.
* Users should never use the ID or password of another. (See; Password Security Policy)
* Users should not provide their ID or password to another. (See; Password Security Policy)
* Users are responsible for locking their computer or logging off when leaving it.
==== Access ====
Physical and electronic access to proprietary information and computing resources is controlled. Access will be assigned based upon the information needed to perform assigned duties. Electronic access is controlled through a combination of user-defined access and device-defined access.
User Responsibility
* Users are responsible and accountable for access under their personal accounts.
* Users should never use the ID or password of another. (See; Password Security Policy)
* Users should not provide their ID or password to another. (See; Password Security Policy)
* Users are responsible for locking their computer or logging off when leaving it.
==== Appropriate Use ====
Nebraska Medicine/UNMC information technology resources are to be used for completing Nebraska Medicine/UNMC's work-related business. Misuse of Nebraska Medicine/UNMC information systems is prohibited. Misuse includes but is not limited to the following:
# Attempting to add, modify, move or remove computer equipment, software, or peripherals without proper authorization.
# Vandalism of computers, computer systems or computer networks, including any attempt to alter, destroy or damage data or the integrity of the computer or computer networks.
# Accessing, without proper authorization, computers, software, information or networks which Nebraska Medicine/UNMC utilizes, regardless of whether the resource accessed is owned by Nebraska Medicine/UNMC or the abuse takes place from a non-Nebraska Medicine/UNMC site.
# Taking actions, without authorization, which disrupt the access of others to information systems.
# Circumventing logon or other security measures.
# Using information systems for any illegal or unauthorized purpose.
# Sending any fraudulent electronic communication.
# Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
# Using electronic communications to harass or threaten others.
# Forgery of or interference with electronic communication.
# Launching a computer worm, computer virus or other rogue program.
# Downloading or posting illegal, proprietary or damaging material to a Nebraska Medicine/UNMC computer.
# Transporting illegal, proprietary or damaging material across a Nebraska Medicine/UNMC network.
# Personal use of any Nebraska Medicine/UNMC information system to access, download, print, store, forward, transmit or distribute obscene material.
# Violating any state or federal law or regulations in connection with use of any information system.
Persons using Nebraska Medicine/UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create a hostile working, patient care, or educational environment.
It is the workforce's responsibility to notify the IT Helpdesk when an information security incident appears to have happened (See; Information Security Incident Reporting and Response policy). A security incident includes, but is not limited to, the following events, regardless of platform or computer environment:
# Evidence of tampering with data.
# System is overloaded to the point that no activity can be performed (denial of service attack on the network).
# Web site defacement.
# Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources).
# Social engineering incidents (using false identity/pretenses).
# Virus attacks which cause workstations or servers to be inoperable.
# Email which includes threats or material that could be considered harassment.
# Discovery of unauthorized or missing hardware or software in your area.
# Other incidents that could undermine confidence in Nebraska Medicine/UNMC information technology systems.
==== '''Privacy''' ====
Nebraska Medicine/UNMC exercises exclusive control over this property, and individuals should not expect privacy regarding their use of any computer or network.
==== '''E-mail, Collaboration Tools and Voice Mail''' ====
All policies stated herein are also applicable to all communication systems, including e-mail and voice mail. Persons using Nebraska Medicine/UNMC's e-mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.
Nebraska Medicine/UNMC has implemented an encrypted email solution to ensure the security of email which contains PHI (See; E-mail Containing Protected Health Information (PHI) Policy).
The use of non-corporate e-mail and collaboration tool systems is prohibited. Email acceptable use is defined in the Email Acceptable Use Policy.
==== '''Nebraska Medicine/UNMC Networks and Systems for Nebraska Medicine/UNMC Business''' ====
Enterprise-wide Nebraska Medicine/UNMC Systems and Networks, such as but not limited to learning management, email, storage, identity and security services, shall be used for Nebraska Medicine/UNMC business. Nebraska Medicine/UNMC data and records (institutional and research) shall not be stored outside of Nebraska Medicine/UNMC Information Systems. Nebraska Medicine/UNMC Systems and Networks have appropriate security safeguards in place to protect Nebraska Medicine/UNMC data and records and are managed and administered by Nebraska Medicine/UNMC Information Technology employees. Contracts associated with and for Nebraska Medicine/UNMC Systems and Networks contain provisions that require appropriate technical safeguards and security measures to protect the confidentiality of Nebraska Medicine/UNMC records and data, and address responsibilities in the event of a data breach.
All devices that are used for Nebraska Medicine/UNMC business shall be managed by the Information Technology office.
==== '''Security Awareness Training''' ====
All users accessing Nebraska Medicine/UNMC Information Systems will participate in the Nebraska Medicine/UNMC security awareness training within thirty (30) days of commencing their employment or affiliation with a Nebraska Medicine/UNMC location, and annually thereafter according to the Security Awareness Training Standards (See; Information Security and Awareness Training policy).
==== '''Information Systems Security''' ====
The Nebraska Medicine/UNMC Information Technology Department provides enterprise-wide endpoint management services that shall be used to securely manage Nebraska Medicine/UNMC Endpoints and Systems to comply with Executive Memorandum 16.
# All Nebraska Medicine/UNMC-owned Endpoints and Systems are to be inventoried and managed by IT and the associated distributed IT staff, leveraging enterprise-wide endpoint management services.
# All Nebraska Medicine/UNMC-owned Endpoints and Systems must enable access control measures, such as a password, which comply with the Identification and Authorization policy.
# Endpoint device management, inventory software, and anti-virus/anti-malware software are provided by Information Technology and are required to be installed and kept up to date on all Nebraska Medicine/UNMC-owned Endpoints and Systems.
# Endpoints and Systems where it is not technically feasible to leverage enterprise-wide endpoint management services shall apply for an exception.
# Nebraska Medicine/UNMC Networks will be managed by Information Technology.
==== '''Vulnerability Management''' ====
All Nebraska Medicine/UNMC Information Systems procured or developed with Nebraska Medicine/UNMC resources will be subject to inventory, scanning, and security review in accordance with the Risk Management Policy. All scanning and security reviews will be conducted under the supervision of the Information Security Office. Information Systems are required to meet Configuration Management standards to be allowed to access the network.
==== '''Operating System and Application Patch Management''' ====
All operating systems and applications must be current and supported by vendors. All operating systems and applications must be patched and updated in accordance with the System and Information Integrity Policy.
==== '''Removable Media/Media Protection''' ====
Removable media is intended to facilitate the transfer of data between Information Systems and is not intended for storage or long-term archive. Nebraska Medicine/UNMC data and records should be stored on Nebraska Medicine/UNMC Information Systems. Removable media can be used to transfer high or medium risk data only if the media or data is encrypted in a manner that is consistent with the data requirements. Removable media storing Nebraska Medicine/UNMC data of any classification are subject to Nebraska Medicine/UNMC data retention policies, procedures, and practices. If removable media is involved in a Nebraska Medicine/UNMC e-discovery investigation, the data will be retained, and personnel must ensure that the data destruction process does not destroy any relevant data.
==== '''Password Management''' ====
Passwords for all systems and devices must comply with Nebraska Medicine/UNMC requirements (See; Password Policy; Identification and Authorization Policy).
==== '''BYOD Devices''' ====
Nebraska Medicine/UNMC employees, agents, affiliates, or workforce members who use personally owned devices for Nebraska Medicine/UNMC related business are responsible for maintaining device security, data return and deletion, incident reporting, and response to public records requests and discovery requests, and must produce their devices for inspection when required.
If a member of the workforce wishes to use a personal device to access Nebraska Medicine/UNMC Resources, the device must be managed by the Enterprise Mobile Device Management System (See Mobile Device Policy).
==== '''Exception Process''' ====
Nebraska Medicine/UNMC recognizes that there may be academic research pursuits that require deviations from the policies, standards, and procedures. Therefore, Nebraska Medicine/UNMC has developed an exception process that users may utilize to justify such deviations and document the associated risks. Exceptions to any portion of this policy require an acceptance of risk that has been reviewed and accepted by Technical and Security Governance, and must be jointly approved by the Chief Information Security Officer and the Chief Innovation and Information Officer.
==== '''Security Administration''' ====
The Nebraska Medicine/UNMC Information Security Office is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for the operation and maintenance of their information systems as the data stewards. System administrators and information custodians are responsible for implementing the security policy and standards within their applications.
==== '''Training''' ====
All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
==== '''Web Development''' ====
All web development shall be done in a standardized manner (See; World Wide Web Policy, MI05).
==== '''Faxing''' ====
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients, and faxes could be intercepted or lost in transmission. Thus, the potential for a breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with the Nebraska Medicine/UNMC Facsimile Transmission policy.
==== '''Compliance''' ====
Employees who fail to comply with this policy may be subject to corrective action up to and including termination (See Nebraska Medicine/UNMC Corrective Action policy).
==== '''Audits of Electronic Protected Health Information (ePHI)''' ====
Patient information, including demographic and medical data contained in or obtained from any Nebraska Medicine/UNMC information system, is confidential data. Individual access to this data will be audited to ensure compliance with federal and state law and Nebraska Medicine/UNMC policies and procedures (See; Audit of Electronic Protected Health Information Policy).
==== '''Demonstration of Electronic Systems''' ====
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should NOT be used.
==Definitions==
'''Affiliated Covered Entity (ACE)''' refers to legally separate covered entities that have designated themselves as a single covered entity for the purpose of HIPAA compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
'''Information''' is data presented in readily comprehensible form. Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups.
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes what categories of users are allowed to read and update various items. They are also responsible for classifying data and for participating in ensuring that the technical and procedural mechanisms implemented are sufficient to secure the data, based upon a risk analysis that considers the probability of compromise and its potential business impact.
'''System administrators''' are those responsible for maintaining computer hardware and operating systems.
'''Confidential information''' includes proprietary information and protected health information (PHI).
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and meeting minutes.
'''Protected Health Information (PHI)''' is individually identifiable health information. Health information means any information, whether oral or recorded in any medium.
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
'''Workforce''' refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for Nebraska Medicine or UNMC, is under the direct control of Nebraska Medicine or UNMC, whether or not they are paid by Nebraska Medicine or UNMC.
'''Shared accounts''' (i.e. generic or general accounts) allow multiple users to log on to the information technology resources using the same ID and password.
'''Personal accounts''' allow an individual user to log on to specific applications or systems using a personal or unique ID and password.
'''Strong authentication''' method is a layer of security which requires a token or biometric authentication. This represents two-factor authentication involving something you know (i.e. user id) and something you have (i.e. grid card).
'''Information system''' is an interconnected set of informational resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
'''Shared file''' is a collection of electronic PHI maintained on any medium that will store digital data (i.e. computers, PDAs, memory sticks, iPods, laptops, mobile wireless devices, etc.).
==Additional information==
*[https://info.unmc.edu/its-security/index.html Information Technology Services]
*UNMC Policy No. 6036, [[Reproducing_Copyrighted_Materials|Reproduction of Copyrighted Materials]]
*UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]]
*UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]
*UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]
*[https://info.unmc.edu/its-security/policies/procedures/index.html UNMC Information Security Procedures]
*[https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding]
*Executive Memorandum No. 16, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Policy for Responsible Use of University Computers and Information Systems]
*Executive Memorandum No. 26, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf University of Nebraska Information Security Plan - Gramm Leach Bliley Compliance]
*Executive Memorandum No. 27, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf HIPAA Compliance Policy]
*Executive Memorandum No. 41, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-research-and-data-security.pdf Policy on Research Data and Security]
*Executive Memorandum No. 42, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-risk-classification-and-minimum-security-standards.pdf Policy on Risk Classification and Minimum Security Standards]
*[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]
*[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]
This page maintained by [mailto:dpanowic@unmc.edu dkp].
Latest revision as of 11:45, October 4, 2023
Human Resources | Safety/Security | Research Compliance | Compliance | Privacy/Information Security | Business Operations | Intellectual Property | Faculty |
Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training
Policy No.: 6051
Effective Date: 04/25/07
Revised Date: draft
Reviewed Date: 09/19/17
Computer Use and Electronic Information Security Policy
Introduction
University of Nebraska Medical Center (UNMC) has a robust information technology environment. It is the responsibility of the workforce to utilize information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality.
Basis for Policy
The University of Nebraska has issued Executive Memorandum No. 16, Policy for Responsible Use of University Computers and Information Systems, which sets forth the University’s administrative policy and provides guidance relating to the responsible use of the University’s electronic information systems. It is the intent of this policy to confirm campus adherence to Executive Memorandum 16.
Information technology resources are owned by UNMC and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, all applicable UNMC policies, including sexual harassment, patent and copyright, patient and student confidentiality, and student and employee disciplinary policies, as well as by applicable federal, state and local laws.
Policy
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality to protect the integrity of all data and the business interests of the entity.
It is the responsibility of the workforce to protect all confidential and proprietary information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device, external storage or cloud system storage. (See End User Device Security Policy).
Information technology resources are owned by Nebraska Medicine/UNMC and are intended for use in completing the Nebraska Medicine/UNMC’s mission. Information generated during Nebraska Medicine/UNMC operations is a valuable asset and property of Nebraska Medicine/UNMC.
Acceptance and Adherence to Policy
Use of Nebraska Medicine/UNMC information systems by anyone shall constitute agreement to abide by and be bound by the provisions of this policy and (See; Privacy, Confidentiality and Security of Patient and Proprietary Information Policy). Departmental personnel with system administrator responsibilities must conform to all Nebraska Medicine/UNMC Information Technology and Information Security policies and procedures. User Responsibility
- Users are responsible and accountable for access under their personal accounts.
- Users should never use the ID or password of another. (See; Password Security Policy)
- User should not provide their ID or password to another. (See; Password Security Policy)
- Users are responsible to either lock their computer or log off the computer when leaving their computer.
Access
Physical and electronic access to proprietary information and computing resources is controlled. Access will be assigned based upon the information needed to perform assigned duties. Electronic access is controlled through a combination of user defined access and device defined access.
Appropriate Use
Nebraska Medicine/UNMC information technology resources are to be used for completing Nebraska Medicine/UNMC's work related business. Misuse of Nebraska Medicine/UNMC information systems is prohibited. Misuse includes but is not limited to the following:
- Attempting to add, modify, move or remove computer equipment, software, or peripherals without proper authorization.
- Vandalism of computers, computer systems or computer networks, including any attempt to alter, destroy or damage data or the integrity of the computer or computer networks.
- Accessing, without proper authorization, computers, software, information or networks that Nebraska Medicine/UNMC utilizes, regardless of whether the resource accessed is owned by Nebraska Medicine/UNMC or the abuse takes place from a non-Nebraska Medicine/UNMC site.
- Taking actions, without authorization, that disrupt the access of others to information systems.
- Circumventing logon or other security measures.
- Using information systems for any illegal or unauthorized purpose.
- Sending any fraudulent electronic communication.
- Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
- Using electronic communications to harass or threaten others.
- Forgery of or interference with electronic communication.
- Launching a computer worm, computer virus or other rogue program.
- Downloading or posting illegal, proprietary or damaging material to a Nebraska Medicine/UNMC computer.
- Transporting illegal, proprietary or damaging material across a Nebraska Medicine/UNMC network.
- Personal use of any Nebraska Medicine/UNMC information system to access, download, print, store, forward, transmit or distribute obscene material.
- Violating any state or federal law or regulations in connection with use of any information system.
Persons using Nebraska Medicine/UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a hostile working, patient care, or educational environment.
It is the workforce's responsibility to notify the IT Helpdesk when an information security incident appears to have happened. (See; Information Security Incident Reporting and Response policy). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:
- Evidence of tampering with data.
- A system is overloaded to the point that no activity can be performed (denial-of-service attack on the network).
- Web site defacement.
- Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources).
- Social engineering incidents (using false identity/pretenses).
- Virus attacks which cause workstations or servers to be inoperable.
- Email which includes threats or material that could be considered harassment.
- Discovery of unauthorized or missing hardware or software in your area.
- Other incidents that could undermine confidence in Nebraska Medicine/UNMC information technology systems.
Privacy
Nebraska Medicine/UNMC exercises exclusive control over this property and individuals should not expect privacy regarding their use of any computer or network.
E-mail, Collaboration Tools and Voice Mail
All policies stated herein are also applicable to all communication systems including e-mail and voice mail. Persons using Nebraska Medicine/UNMC's e-mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.
Nebraska Medicine/UNMC has implemented an encrypted email solution to ensure security of email which contains PHI. (See; E-mail Containing Protected Health Information (PHI) Policy)
The use of non-corporate e-mail and collaboration tool systems is prohibited. Email acceptable use is defined in Email Acceptable Use Policy.
Nebraska Medicine/UNMC Networks and Systems for Nebraska Medicine/UNMC Business
Enterprise-wide Nebraska Medicine/UNMC Systems and Networks, such as but not limited to learning management, email, storage, identity and security services, shall be used for Nebraska Medicine/UNMC business. Nebraska Medicine/UNMC data and records (institutional and research) shall not be stored outside of Nebraska Medicine/UNMC Information Systems. Nebraska Medicine/UNMC Systems and Networks have appropriate security safeguards in place to protect Nebraska Medicine/UNMC data and records and are managed and administered by Nebraska Medicine/UNMC Information Technology employees. Contracts associated with and for Nebraska Medicine/UNMC Systems and Networks contain provisions that require appropriate technical safeguards and security measures to protect the confidentiality of Nebraska Medicine/UNMC records and data, and address responsibilities in the event of a data breach.
All devices that are used for Nebraska Medicine/UNMC business shall be managed by the Information Technology office.
Security Awareness Training
All users accessing Nebraska Medicine/UNMC Information Systems will participate in the Nebraska Medicine/UNMC security awareness training within thirty (30) days of commencing their employment or affiliation with a Nebraska Medicine/UNMC location, and annually thereafter, according to Security Awareness Training Standards (See; Information Security and Awareness Training policy).
Information Systems Security
The Nebraska Medicine/UNMC Information Technology Department provides enterprise-wide endpoint management services that shall be used to securely manage Nebraska Medicine/UNMC Endpoints and Systems to comply with Executive Memorandum 16.
- All Nebraska Medicine/UNMC owned Endpoints and Systems are to be inventoried and managed by IT and the associated distributed IT staff leveraging enterprise-wide endpoint management services.
- All Nebraska Medicine/UNMC owned Endpoints and Systems must enable access control measures, such as a password, that comply with the Identification and Authorization policy (See; Identification and Authorization policy).
- Endpoint device management, inventory software, and anti-virus/anti-malware software are provided by Information Technology and are required to be installed and kept up to date on all Nebraska Medicine/UNMC-owned Endpoints and Systems.
- Endpoints and Systems where it is not technically feasible to leverage enterprise-wide endpoint management services shall apply for an exception.
- Nebraska Medicine/UNMC Networks will be managed by Information Technology.
Vulnerability Management
All Nebraska Medicine/UNMC Information Systems procured or developed with Nebraska Medicine/UNMC resources will be subject to inventory, scanning, and security review in accordance with the Risk Management Policy. All scanning and security reviews will be conducted under the supervision of the Information Security Office. Information Systems are required to meet Configuration Management standards to be allowed to access the network.
Operating System and Application Patch Management
All operating systems and applications must be current and supported by vendors. All operating systems and applications must be patched and updated in accordance with the System and Information Integrity Policy.
Removable Media/Media Protection
Removable media is intended to facilitate the transfer of data between Information Systems and is not intended for storage or long-term archive. Nebraska Medicine/UNMC data and records should be stored on Nebraska Medicine/UNMC Information Systems. Removable media can be used to transfer high or medium risk data only if the media or data is encrypted in a manner that is consistent with the data requirements. Removable media storing Nebraska Medicine/UNMC data of any classification are subject to Nebraska Medicine/UNMC data retention policies, procedures, and practices. If removable media is involved in a Nebraska Medicine/UNMC e-discovery investigation, the data will be retained, and personnel must ensure that the data destruction process does not destroy any relevant data.
Password Management
Passwords for all systems and devices must comply with Nebraska Medicine/UNMC (See; Password Policy; Identification and Authorization Policy).
BYOD Devices
Nebraska Medicine/UNMC employees, agents, affiliates, or workforce members who use personally owned devices for Nebraska Medicine/UNMC related business are responsible for maintaining device security, data return and deletion, incident reporting, response to public records requests and discovery requests, and must produce their devices for inspection when required.
If a member of the workforce wishes to use a personal device to access Nebraska Medicine/UNMC Resources, the device must be managed by the Enterprise Mobile Device Management System (See Mobile Device Policy).
Exception Process
Nebraska Medicine/UNMC recognizes that there may be academic research pursuits that require deviations from the policies, standards, and procedures. Therefore, Nebraska Medicine/UNMC has developed an exception process that users may utilize to justify such deviations and document the associated risks. Exceptions to any portion of this policy require an acceptance of risk and must be jointly approved by the Chief Information Security Officer and the Chief Innovation and Information Officer, after the exception has been reviewed and accepted by Technical and Security Governance.
Security Administration
Nebraska Medicine/UNMC Information Security Office is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of their information systems as the data stewards. System administrators and information custodians are responsible for implementing the security policy and standards within their applications.
Training
All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
Web Development
All web development shall be carried out in a standardized manner. (See; World Wide Web Policy, MI05).
Faxing
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients; faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with (See; Nebraska Medicine/UNMC Facsimile Transmission policy).
Compliance
Employees who fail to comply with this policy may be subject to corrective action up to and including termination (See Nebraska Medicine/UNMC Corrective Action policy).
Audits of Electronic Protected Health Information (ePHI)
Patient information including demographic and medical data contained in or obtained from any Nebraska Medicine/UNMC information system is confidential data. Individual access to this data will be audited to ensure compliance with federal and state law and Nebraska Medicine/UNMC policies and procedures (See; Audit of Electronic Protected Health Information Policy).
Demonstration of electronic systems
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should NOT be used.
Definitions
Affiliated Covered Entity (ACE)
Legally separate covered entities that have designated themselves as a single covered entity for the purpose of HIPAA compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
Information is data presented in readily comprehensible form. Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups.
Information technology resources (system) include but are not limited to voice, video, data and network facilities and services.
Information custodians are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes what categories of users are allowed to read and update various items. They also are responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.
System administrators are those responsible for maintaining computer hardware and operating systems.
Confidential information includes proprietary information and protected health information (PHI).
Proprietary information refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and meeting minutes.
Protected Health Information (PHI) is individually identifiable health information. Health information means any information whether oral or recorded in any medium.
Information security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
Workforce refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for Nebraska Medicine or UNMC, is under the direct control of Nebraska Medicine or UNMC, whether or not they are paid by Nebraska Medicine or UNMC.
Shared accounts (i.e., generic or general accounts) allow multiple users to log on to the information technology resources using the same ID and password.
Personal accounts allow an individual user to log on to specific applications or systems using a personal or unique ID and password.
Strong authentication method is a layer of security which requires a token or biometric authentication. This represents two-factor authentication involving something you know (e.g., a user ID) and something you have (e.g., a grid card).
Information system is an interconnected set of informational resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Shared file is a collection of electronic PHI maintained on any medium that will store digital data (e.g., computers, PDAs, memory sticks, iPods, laptops, mobile wireless devices, etc.).
Additional information
- Information Technology Services
- UNMC Policy No. 6036, Reproduction of Copyrighted Materials
- UNMC Policy No. 6045, Privacy, Confidentiality and Information Security
- UNMC Policy No. 6053, Volunteer
- UNMC Policy No. 6055, Fraud
- UNMC Policy No. 6057, Use and Disclosure of Protected Health Information
- UNMC Policy No. 6065, Facsimile Transmissions
- UNMC Information Security Procedures
- Statement of Understanding
- Executive Memorandum No. 16, Policy for Responsible Use of University Computers and Information Systems
- Executive Memorandum No. 26, University of Nebraska Information Security Plan - Gramm Leach Bliley Compliance
- Executive Memorandum No. 27, HIPAA Compliance Policy
- Executive Memorandum No. 41, Policy on Research Data and Security
- Executive Memorandum No. 42, Policy on Risk Classification and Minimum Security Standards
- The Digital Millennium Copyright Act of 1998
- U.S. Copyright Office - General Guidelines About Copyright Law
This page maintained by dkp.