Computer Use/Electronic Information: Difference between revisions

(19 intermediate revisions by 2 users not shown)
Line 23: Line 23:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
<br /><br />
<br /><br />
Policy No.: '''6051'''<br />
Policy No.: '''6051'''<br />
Effective Date: '''04/25/07'''<br />
Effective Date: '''04/25/07'''<br />
Revised Date: '''08/20/13'''<br />
Revised Date: '''08/20/13'''<br />
Reviewed Date: '''08/20/13'''<br /><br />
Reviewed Date: '''09/19/17'''<br /><br />
<big>'''Computer Use and Electronic Information Security Policy'''</big>
<big>'''Computer Use and Electronic Information Security Policy'''</big>
== Introduction ==
== Introduction ==
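Review bot: In the date block, only Reviewed Date moves to 09/19/17 while Revised Date stays at 08/20/13, yet this same comparison changes the navigation links, several procedure URLs and the Privacy Officer contact. If those count as revisions, update Revised Date as well; otherwise say in the edit summary that the changes are link and contact maintenance only. The navigation bar now points to [[Use and Disclosure of Protected Health Information]], but the audit section further down still links [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]], so confirm the old page title redirects or update that link too.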
Line 40: Line 40:
Using UNMC’s information systems by anyone shall constitute agreement to abide by and be bound by the following:
Using UNMC’s information systems by anyone shall constitute agreement to abide by and be bound by the following:
#Provisions of this policy  
#Provisions of this policy  
#[http://www.unmc.edu/its/information_security_procedures.htm UNMC Information Security Procedures]  
#[https://info.unmc.edu/its-security/policies/procedures/index.html UNMC Information Security Procedures]  
#UNMC Policy 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]]   
#UNMC Policy 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]]   
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
#Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]  
#Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]  
#Executive Memorandum No. 27, [http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf HIPAA Compliance Policy]
#Executive Memorandum No. 27, [http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf HIPAA Compliance Policy]
=== Access ===
=== Access ===
Physical and electronic access to proprietary information and computing resources is controlled. The level of control will depend on user need and the level of risk and exposure to loss or compromise. Access will be assigned based upon the information needed to perform assigned duties. On campus electronic access is controlled through user id and password. Off Campus electronic access in some instances requires two-factor authentication.
Physical and electronic access to proprietary information and computing resources is controlled. The level of control will depend on user need and the level of risk and exposure to loss or compromise. Access will be assigned based upon the information needed to perform assigned duties. On campus electronic access is controlled through user id and password. Off Campus electronic access in some instances requires two-factor authentication.
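Review bot: In the numbered list of governing documents, only the UNMC Information Security Procedures link was moved to an https:// URL; the three Executive Memorandum links (No. 16, 26 and 27) still use http://nebraska.edu PDF paths. Check that those paths still resolve and move them to https:// in the same pass, so that every reference in this list is maintained together.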
Line 78: Line 79:
###Reason for account/relationship to UNMC  
###Reason for account/relationship to UNMC  
##The Assistant Vice Chancellor or designee will approve requests for these types of accounts.
##The Assistant Vice Chancellor or designee will approve requests for these types of accounts.
NOTE:   If an individual is a volunteer, please refer to UNMC Policy No. 6053, [[Volunteer]].<br />
NOTE: If an individual is a volunteer, please refer to UNMC Policy No. 6053, [[Volunteer]].<br />
<br />
<br />
Individual Personal accounts will always be utilized to access confidential information.<br />
Individual Personal accounts will always be utilized to access confidential information.<br />
Line 84: Line 85:
Users are responsible and accountable for access under their personal accounts. No one should use the ID or password of another, nor should anyone provide his or her ID or password to another, except in the cases necessary to facilitate computer maintenance and repairs. Your password should only be given to Information Technology Support Personnel upon presentation of identification. If your password is shared with Information Technology Support Personnel, where technically feasible the password should be flagged, necessitating that it be changed the next time the user logs on.<br />
Users are responsible and accountable for access under their personal accounts. No one should use the ID or password of another, nor should anyone provide his or her ID or password to another, except in the cases necessary to facilitate computer maintenance and repairs. Your password should only be given to Information Technology Support Personnel upon presentation of identification. If your password is shared with Information Technology Support Personnel, where technically feasible the password should be flagged, necessitating that it be changed the next time the user logs on.<br />
<br />
<br />
A strong password is the “first defense” against an information security attack upon the UNMC network. It is imperative that all users select a strong password. (See [http://www.unmc.edu/its/docs/security_PasswordSecurity.pdf ITS Security Procedure: Password Security]).<br />
A strong password is the “first defense” against an information security attack upon the UNMC network. It is imperative that all users select a strong password. (See [https://info.unmc.edu/its-security/policies/procedures/passwords.html ITS Security Procedure: Password Security]).<br />
<br />
<br />
Access to electronic mail, voice mail, administrative, student and patient care information systems will be obtained through the appropriate authorization process. (See [http://www.unmc.edu/its/docs/security_AccessControlforITResources.pdf ITS Security Procedure: Access Control to IT Resources]). Unauthorized access to information systems is prohibited. Users must not attempt to gain access to information or systems for which they are not granted access. <br />
Access to electronic mail, voice mail, administrative, student and patient care information systems will be obtained through the appropriate authorization process. (See [https://info.unmc.edu/its-security/policies/procedures/access-control.html ITS Security Procedure: Access Control to IT Resources]). Unauthorized access to information systems is prohibited. Users must not attempt to gain access to information or systems for which they are not granted access. <br />
<br />
<br />
Remote access to systems which contain confidential information will be accomplished through a strong authentication method with the appropriate approval processes. (See ITS Security Procedure: Workforce Member Remote Access). Individuals requiring remote access to UNMC’s e mail system will purchase an internet service provider and utilize the web based e mail product.<br />
Remote access to systems which contain confidential information will be accomplished through a strong authentication method with the appropriate approval processes. (See ITS Security Procedure: Workforce Member Remote Access). Individuals requiring remote access to UNMC’s e mail system will purchase an internet service provider and utilize the web based e mail product.<br />
<br />
<br />
Information Technology Support Personnel will inactivate or delete IDs/password, as appropriate, of individuals who no longer have a relationship with UNMC.
Information Technology Support Personnel will inactivate or delete IDs/password, as appropriate, of individuals who no longer have a relationship with UNMC.
===Appropriate Use===
===Appropriate Use===
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality in order to protect the integrity of all data and of the interests of the entity.<br />
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality in order to protect the integrity of all data and of the interests of the entity.<br />
<br />
<br />
It is the responsibility of the workforce to protect confidential information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette (See [http://www.unmc.edu/its/images/security_enduserdevice.pdf ITS Security Procedure: End User Device]).<br />
It is the responsibility of the workforce to protect confidential information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette (See [https://info.unmc.edu/its-security/policies/procedures/enduser.html ITS Security Procedure: End User Device]).<br />UNMC’s information technology resources are to be used predominately for completing UNMC work related business. Misuse of University information systems is prohibited. Misuse includes the following (see Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources])
<br />
<br />
UNMC’s information technology resources are to be used predominately for completing UNMC work related business.  Misuse of University information systems is prohibited.  Misuse includes the following (see Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources])
 
#Attempting to modify or remove computer equipment, software, or peripherals without proper authorization.
#Attempting to modify or remove computer equipment, software, or peripherals without proper authorization.
#Accessing without proper authorization computers, software, information or networks which the University belongs, regardless of whether the resource accessed is owned by the University or the abuse takes place from a non-University site.
#Accessing without proper authorization computers, software, information or networks which the University belongs, regardless of whether the resource accessed is owned by the University or the abuse takes place from a non-University site.
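Review bot: The new End User Device paragraph joins the following "UNMC’s information technology resources ..." paragraph onto the same line with a single <br />, where the old revision kept them apart with a blank <br /> line, and the lead-in "Misuse includes the following (...)" now ends without a colon or period before the numbered list. Restore the paragraph break and close the sentence. In the same hunk, "ITS Security Procedure: Workforce Member Remote Access" is the only procedure citation left without a link; add its URL if that procedure is published alongside the others.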
Line 106: Line 108:
#Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
#Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
#Using electronic communications to violate the property rights of authors and copyright owners. (Be especially aware of potential copyright infringement through the use of e-mail.)
#Using electronic communications to violate the property rights of authors and copyright owners. (Be especially aware of potential copyright infringement through the use of e-mail.)
#Using electronic communications to harass or threaten users in such a way as to create an atmosphere which unreasonably interferes with the education or the employment experience. Similarly, electronic communications shall not be used to harass or threaten other information recipients, in addition to University users.
#Using electronic communications to harass or threaten users in such a way as to create an atmosphere which unreasonably interferes with the education or the employment experience. Similarly, electronic communications shall not be used to harass or threaten other information recipients, in addition to University users.
#Using electronic communications to disclose proprietary information without the explicit permission of the owner.
#Using electronic communications to disclose proprietary information without the explicit permission of the owner.
#Reading other user’s information or files without permission.
#Reading other user’s information or files without permission.
Line 121: Line 123:
Persons using UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a sexually hostile working, patient care, or educational environment.<br />
Persons using UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a sexually hostile working, patient care, or educational environment.<br />
<br />
<br />
It is the workforce‘s responsibility to notify ITS when an information security incident appears to have happened. (See [http://www.unmc.edu/its/docs/security_informationsecurityincidentreporting.pdf ITS Security Procedure: Information Security Incident Reporting and Response]). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:
It is the workforce‘s responsibility to notify ITS when an information security incident appears to have happened. (See [https://info.unmc.edu/its-security/policies/procedures/incident-reporting.html ITS Security Procedure: Information Security Incident Reporting and Response]). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:
#Evidence of tampering with data
#Evidence of tampering with data
#System is overloaded to the point that no activity can be performed (Denial of service attack on the network)  
#System is overloaded to the point that no activity can be performed (Denial of service attack on the network)  
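Review bot: The sentence that carries the updated incident-reporting link still reads "workforce‘s" with an opening single quotation mark where an apostrophe belongs, and "includes, but is not limited to the following events" is missing the comma after "to". Both are worth fixing while this line is being edited.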
Line 128: Line 130:
#Social engineering incidents  
#Social engineering incidents  
#Virus attacks which adversely affect servers or multiple workstations  
#Virus attacks which adversely affect servers or multiple workstations  
#E-mail which includes obscene material, threats or material that could be considered harassment  
#E-mail which includes obscene material, threats or material that could be considered harassment  
#Discovery of unauthorized or missing hardware in your area  
#Discovery of unauthorized or missing hardware in your area  
#Other incidents that could undermine confidence and trust in the UNMC’s information technology systems
#Other incidents that could undermine confidence and trust in the UNMC’s information technology systems
ITS or other personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources. If the threat is deemed serious enough, the system(s) or individual posing the threat will be blocked from network access. Communication with department leadership regarding such action will take place as soon as possible. The block will be removed as soon as the threat has been repaired. (See UNMC ITS Security Procedure: Information Security Incident Reporting and Response)
ITS or other personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources. If the threat is deemed serious enough, the system(s) or individual posing the threat will be blocked from network access. Communication with department leadership regarding such action will take place as soon as possible. The block will be removed as soon as the threat has been repaired. (See UNMC ITS Security Procedure: Information Security Incident Reporting and Response)
 
===Copyright===
===Copyright===
UNMC maintains strict compliance with the Digital Millennium Copyright Act of 1998 and applicable amendments. It should be noted that traditionally a user purchases a software “license,” which is a right to use. Many times the licenses can only be loaded on one machine.   Violating any software license or copyright is in violation of university policy.   
UNMC maintains strict compliance with the Digital Millennium Copyright Act of 1998 and applicable amendments. It should be noted that traditionally a user purchases a software “license,” which is a right to use. Many times the licenses can only be loaded on one machine. Violating any software license or copyright is in violation of university policy.   
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
#[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
#[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
Line 146: Line 149:
All policies stated herein are also applicable to all communication systems including e mail, instant messaging and voice mail. Persons using UNMC’s e mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.<br />
All policies stated herein are also applicable to all communication systems including e mail, instant messaging and voice mail. Persons using UNMC’s e mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.<br />
<br />
<br />
E-mail attachments and files transfer utilizing instant messaging capabilities represent a significant risk to the organization. Many computer viruses are distributed through e-mail attachments or files received via instant messaging. Users should be careful about opening e-mail attachments or accepting file transfers via instant messaging.  
E-mail attachments and files transfer utilizing instant messaging capabilities represent a significant risk to the organization. Many computer viruses are distributed through e-mail attachments or files received via instant messaging. Users should be careful about opening e-mail attachments or accepting file transfers via instant messaging.  
===Controlling the Distribution of Non-Solicited Marketing E-mail===
===Controlling the Distribution of Non-Solicited Marketing E-mail===
Electronic mail sent externally by UNMC personnel for the primary purpose of promoting UNMC’s “commercial” products or services must comply with the [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. Examples of such products or services include publications and membership solicitations. <br />
Electronic mail sent externally by UNMC personnel for the primary purpose of promoting UNMC’s “commercial” products or services must comply with the [https://info.unmc.edu/its-security/policies/procedures/spam-compliants.html ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. Examples of such products or services include publications and membership solicitations. <br />
<br />
<br />
The Act is applicable only to e-mail that constitutes a commercial advertisement or promotion of a commercial product or service. The Act is not applicable to commercial e-mail in general, to e-mail advertising or promoting “activity” or to e-mail simply because the e-mail references or solicits funds. Further, it is not applicable to e-mail messages sent to provide information about UNMC’s undergraduate, graduate, or professional degree-granting programs. Some programs not a part of the regular campus curriculum might be considered commercial “services” depending upon the facts. Advice from the Compliance Officer should be sought about such programs.
The Act is applicable only to e-mail that constitutes a commercial advertisement or promotion of a commercial product or service. The Act is not applicable to commercial e-mail in general, to e-mail advertising or promoting “activity” or to e-mail simply because the e-mail references or solicits funds. Further, it is not applicable to e-mail messages sent to provide information about UNMC’s undergraduate, graduate, or professional degree-granting programs. Some programs not a part of the regular campus curriculum might be considered commercial “services” depending upon the facts. Advice from the Compliance Officer should be sought about such programs.
====Exemptions====
====Exemptions====
The Act exempts “transactional or relationships messages” from the procedural requirements when the primary purpose of the message is to achieve on of the following:
The Act exempts “transactional or relationships messages” from the procedural requirements when the primary purpose of the message is to achieve on of the following:
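Review bot: The replacement URL in the first paragraph of this section ends in "spam-compliants.html", which looks like a misspelling of "compliance"; confirm that the target resolves before saving, since the same URL is reused in the "For more information" line of the next hunk. Two unchanged lines here also need attention: "the Act" is never named in the lines shown, so a reader cannot tell which statute is meant, and the Exemptions lead-in reads "to achieve on of the following" where "one of" is intended.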
Line 158: Line 161:
*Deliver goods or services, including upgrades or updates, which the recipient has previously requested or ordered from the sender.<br />
*Deliver goods or services, including upgrades or updates, which the recipient has previously requested or ordered from the sender.<br />
<br />
<br />
For more information, see [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email].
For more information, see [https://info.unmc.edu/its-security/policies/procedures/spam-compliants.html ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email].
 
===Campus-wide e-mail announcements===
===Campus-wide e-mail announcements===
Sending out mass distribution e-mails containing event and/or general announcement type information is discouraged. If you have an event to publicize or an announcement to deliver to a large group of people, the best way to do this is through UNMC Today, the campus electronic newsletter. Contact Public Relations for additional information.<br />
Sending out mass distribution e-mails containing event and/or general announcement type information is discouraged. If you have an event to publicize or an announcement to deliver to a large group of people, the best way to do this is through UNMC Today, the campus electronic newsletter. Contact Public Relations for additional information.<br />
<br />
<br />
However, if e-mailing to a large group is warranted, the content and size of the message must be approved by Public Relations. Delivery of the message must then be scheduled by the ITS department to minimize the demand on campus computer systems. Contact Public Relations (x9-4696) to obtain approval.
However, if e-mailing to a large group is warranted, the content and size of the message must be approved by Public Relations. Delivery of the message must then be scheduled by the ITS department to minimize the demand on campus computer systems. Contact Public Relations (x9-4696) to obtain approval.
===Audits of Electronic Protected Health Information (PHI)===
===Audits of Electronic Protected Health Information (PHI)===
Patient information including demographic and medical data contained in, or obtained from any UNMC information system is confidential data. Individual access to this data may be audited in order to ensure compliance with federal and state law and [[Policies and Procedures|UNMC Policies and Procedures]].  
Patient information including demographic and medical data contained in, or obtained from any UNMC information system is confidential data. Individual access to this data may be audited in order to ensure compliance with federal and state law and [[Policies and Procedures|UNMC Policies and Procedures]].  
====Information Systems====
====Information Systems====
Each information custodian is responsible to:
Each information custodian is responsible to:
Line 171: Line 175:
#Develop periodic audit process to validate that only those with a need to know are accessing ePHI (See UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]).  
#Develop periodic audit process to validate that only those with a need to know are accessing ePHI (See UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]).  
#Develop and implement a formal process for audit log review  
#Develop and implement a formal process for audit log review  
#Audit reports are confidential and should not be released without the approval of the HIPAA [mailto:swrobel@unmc.edu Privacy Officer] or the Human Resources Employee Relations Manager.
#Audit reports are confidential and should not be released without the approval of the HIPAA [mailto:debrbishop@nebraskamed.com Privacy Officer] or the Human Resources Employee Relations Manager.
 
====Shared Files====
====Shared Files====
The owner of shared files is responsible to:
The owner of shared files is responsible to:
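Review bot: The Privacy Officer mailto in the last visible list item changes from one named individual's mailbox at unmc.edu to another's at nebraskamed.com, which means the policy text has to be edited at every personnel change and now sends audit-report release requests to a different mail domain. Confirm the domain change is intended and consider a role-based address so that the approval contact survives staff turnover. That same item ("Audit reports are confidential ...") is also not parallel with the lead-in "Each information custodian is responsible to:" and would read better as a separate sentence after the list.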
Line 179: Line 184:
Computer crime in any form will not be tolerated. This policy applies to all UNMC employees and will be enforced without regard to past performance, position held or length of service. All persons found to have committed computer crime relevant to UNMC assets shall be subject to disciplinary action up to and including termination and investigation by external law enforcement agencies when warranted.  
Computer crime in any form will not be tolerated. This policy applies to all UNMC employees and will be enforced without regard to past performance, position held or length of service. All persons found to have committed computer crime relevant to UNMC assets shall be subject to disciplinary action up to and including termination and investigation by external law enforcement agencies when warranted.  
===Security Administration===
===Security Administration===
UNMC ITS is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of information processing services. The system administrator and information custodians are responsible for implementing the security policy and standards within their applications.  
UNMC ITS is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of information processing services. The system administrator and information custodians are responsible for implementing the security policy and standards within their applications.  
===Training===
===Training===
All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
===Web Pages===
===Web Pages===
UNMC web pages should consistently meet the highest standards of writing, content accuracy, image and presentation, keeping in mind that these documents create an image of UNMC to the world. UNMC shall reserve the right to monitor web pages and to remove any material that is unlawful or in violation of UNMC policies. Originators will be notified in the event that their page is removed.<br />
UNMC web pages should consistently meet the highest standards of writing, content accuracy, image and presentation, keeping in mind that these documents create an image of UNMC to the world. UNMC shall reserve the right to monitor web pages and to remove any material that is unlawful or in violation of UNMC policies. Originators will be notified in the event that their page is removed.<br />
Line 193: Line 198:
#Link to University of Nebraska Appropriate Use/Copyright Violations
#Link to University of Nebraska Appropriate Use/Copyright Violations
===Faxing===
===Faxing===
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients, faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with the faxing policy (See UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]).
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients, faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with the faxing policy (See UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]).
===Demonstration of Electronic Systems===
===Demonstration of Electronic Systems===
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should not be used.
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should not be used.
Line 202: Line 207:
#Harassment and stalking in cyberspace.  
#Harassment and stalking in cyberspace.  
#Using computers to commit crimes that could be committed without a computer such as counterfeiting, stealing, committing larceny or fraud.
#Using computers to commit crimes that could be committed without a computer such as counterfeiting, stealing, committing larceny or fraud.
(Source: Computer Crime by Ronald B. Stander, Copyright 1999, 2002, [http://www.rbs2.com www.rbs2.com])<br />
(Source: Computer Crime by Ronald B. Stander, Copyright 1999, 2002, [http://www.rbs2.com www.rbs2.com])<br />
<br />
<br />
'''Confidential information''' includes proprietary information and protected health information (PHI).<br />
'''Confidential information''' includes proprietary information and protected health information (PHI).<br />
Line 208: Line 213:
'''Denial of service''' is an event in which a user or organization is deprived of resource services that they would normally expect to have.<br />
'''Denial of service''' is an event in which a user or organization is deprived of resource services that they would normally expect to have.<br />
<br />
<br />
'''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and property of the University.<br />
'''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and property of the University.<br />
<br />
<br />
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.<br />
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.<br />
<br />
<br />
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.<br />
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.<br />
Line 218: Line 223:
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.<br />
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.<br />
<br />
<br />
'''Information Technology Support Personnel''' are the individuals who as a function of their job provides IT support. This includes ITS support staff, departmental system administrators and IT support staff within the units.<br />
'''Information Technology Support Personnel''' are the individuals who as a function of their job provide IT support. This includes ITS support staff, departmental system administrators and IT support staff within the units.<br />
<br />
<br />
'''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.<br />
'''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.<br />
Line 224: Line 229:
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.<br />
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.<br />
<br />
<br />
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and student records. (See UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]] for more detailed information.)<br />
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and student records. (See UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]] for more detailed information.)<br />
<br />
<br />
'''Protected Health Information (PHI)'''is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
'''Protected Health Information (PHI)'''is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
#is created or received by UNMC; and  
#is created or received by UNMC; and  
#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
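Review bot: The Protected Health Information (PHI) definition at the top of this list still has no space between the closing bold markup and "is" in both revisions, so it renders as "(PHI)is", and its two list items are capitalized inconsistently ("#is created" against "#Relates"). Suggest "'''Protected Health Information (PHI)''' is individually identifiable health information." and "#Is created or received by UNMC; and".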
Line 233: Line 238:
'''Shared accounts''' (i.e., generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.<br />
'''Shared accounts''' (i.e., generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.<br />
<br />
<br />
'''Shared file''' is a collection of electronic PHI maintain on personal or departmental computers. This would include spreadsheets, databases, correspondence, quality improvement and research data files.<br />
'''Shared file''' is a collection of electronic PHI maintain on personal or departmental computers. This would include spreadsheets, databases, correspondence, quality improvement and research data files.<br />
<br />
<br />
'''Social engineering''' describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.<br />
'''Social engineering''' describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.<br />
<br />
<br />
'''Strong authentication method''' is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e., Secured card).<br />
'''Strong authentication method''' is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e., Secured card).<br />
<br />
<br />
'''System administrators''' are the people responsible for configuring, administering, and maintaining hardware and operating systems.<br />
'''System administrators''' are the people responsible for configuring, administering, and maintaining hardware and operating systems.<br />
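Review bot: The Strong authentication method definition is internally inconsistent, and the new revision carries it over unchanged: it says the method requires a token or biometric authentication, then describes two-factor authentication with a user id as the "something you know". A user id is an identifier rather than a secret, so the knowledge factor should be the password or PIN that goes with it, and the biometric case (something you are) is not covered by the know/have pairing. Both uses of "i.e." introduce examples and should be "e.g.". In the same hunk, "electronic PHI maintain on" in the Shared file definition should read "maintained on".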
Line 245: Line 250:
Reference: [http://www.ucop.edu/information-technology-services/ University of CA Guidelines], January 28, 2004
Reference: [http://www.ucop.edu/information-technology-services/ University of CA Guidelines], January 28, 2004
==Additional information==  
==Additional information==  
*[http://www.unmc.edu/its/information_security.htm Information Technology Services]
*[https://info.unmc.edu/its-security/index.html Information Technology Services]
*Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
*Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
*Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]  
*Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]  
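Review bot: Only the Information Technology Services link is moved to https in this hunk; the two Executive Memorandum links directly below it still point at http://nebraska.edu/docs/president/. Suggest checking whether those PDFs are served over https and updating them in the same edit, so that the links in this list are consistent and readers are not sent to policy documents over an unauthenticated connection.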
Line 255: Line 260:
*UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]  
*UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]  
*UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]
*UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]
*[http://www.unmc.edu/its/information_security_procedures.htm UNMC Information Security Procedures]  
*[https://info.unmc.edu/its-security/policies/procedures/index.html UNMC Information Security Procedures]  
*[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
*[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
*[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]  
*[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]  


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].