Computer Use/Electronic Information: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
No edit summary
 
(27 intermediate revisions by 3 users not shown)
Line 20: Line 20:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
width="20">[[Intellectual Property]]</td>
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
<br /><br />
<br /><br />
Policy No.: '''6051'''<br />
Policy No.: '''6051'''<br />
Effective Date: '''04/25/07'''<br />
Effective Date: '''04/25/07'''<br />
Revised Date: '''08/20/13'''<br />
Revised Date: '''draft'''<br />
Reviewed Date: '''08/20/13'''<br /><br />
Reviewed Date: '''09/19/17'''<br /><br />
<big>'''Computer Use and Electronic Information Security Policy'''</big>
<big>'''Computer Use and Electronic Information Security Policy'''</big>
== Introduction ==
== Introduction ==
University of Nebraska Medical Center (UNMC) has a robust information technology environment. It is the responsibility of the workforce to utilize information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality.
University of Nebraska Medical Center (UNMC) has a robust information technology environment. It is the responsibility of the workforce to utilize information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality.
== Basis for Policy ==
== Basis for Policy ==
The University of Nebraska has issued Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources], which sets forth the University’s administrative policy and provides guidance relating to the responsible use of the University’s electronic information systems. It is the intent of this policy to confirm campus adherence to Executive Memorandum 16.<br />
The University of Nebraska has issued Executive Memorandum No. 16, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Policy for Responsible Use of University Computers and Information Systems], which sets forth the University’s administrative policy and provides guidance relating to the responsible use of the University’s electronic information systems. It is the intent of this policy to confirm campus adherence to Executive Memorandum 16.<br /><br />Information technology resources are owned by UNMC and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, all applicable [[Policies_and_Procedures|UNMC policies]], including sexual harassment, patent and copyright, patient and student confidentiality, and student and employee disciplinary policies, as well as by applicable federal, state and local laws.
<br />
Information technology resources are owned by UNMC and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, all applicable [[Policies_and_Procedures|UNMC policies]], including sexual harassment, patent and copyright, patient and student confidentiality, and student and employee disciplinary policies, as well as by applicable federal, state and local laws.
== Policy ==
== Policy ==
=== Acceptance and Adherence to Policy ===
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality to protect the integrity of all data and the business interests of the entity.  
Using UNMC’s information systems by anyone shall constitute agreement to abide by and be bound by the following:
 
#Provisions of this policy
It is the responsibility of the workforce to protect all confidential and proprietary information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device, external storage or cloud system storage. (See End User Device Security Policy).  
#[http://www.unmc.edu/its/information_security_procedures.htm UNMC Information Security Procedures]
 
#UNMC Policy 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]] 
Information technology resources are owned by Nebraska Medicine/UNMC and are intended for use in completing the Nebraska Medicine/UNMC’s mission. Information generated during Nebraska Medicine/UNMC operations is a valuable asset and property of Nebraska Medicine/UNMC.
#<big>'''''Information Technology Security Procedures'''''</big>delete??
 
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
==== Acceptance and Adherence to Policy ====
#Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]
Use of Nebraska Medicine/UNMC information systems by anyone shall constitute agreement to abide by and be bound by the provisions of this policy and (See; Privacy, Confidentiality and Security of Patient and Proprietary Information Policy). Departmental personnel with system administrator responsibilities must conform to all Nebraska Medicine/UNMC Information Technology and Information Security policies and procedures.
#Executive Memorandum No. 27, [http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf HIPAA Compliance Policy]
User Responsibility
=== Access ===
 
Physical and electronic access to proprietary information and computing resources is controlled. The level of control will depend on user need and the level of risk and exposure to loss or compromise. Access will be assigned based upon the information needed to perform assigned duties. On campus electronic access is controlled through user id and password. Off Campus electronic access in some instances requires two-factor authentication.
* Users are responsible and accountable for access under their personal accounts.
====UNMC Net ID accounts====
* Users should never use the ID or password of another. (See; Password Security Policy)
UNMC Net ID accounts will only be issued to the following individuals
* User should not provide their ID or password to another. (See; Password Security Policy)
#Faculty, staff and students of UNMC   
* Users are responsible to either lock their computer or log off the computer when leaving their computer.
#Retired faculty who have an emeritus appointment
 
#Individuals who have a relationship with UNMC and need access to electronic resources in order to perform their duties.  
==== Access ====
##Individuals must have a department chair or section chief sponsor their need for this account.
Physical and electronic access to proprietary information and computing resources is controlled. Access will be assigned based upon the information needed to perform assigned duties. Electronic access is controlled through a combination of user defined access and device defined access.
##The department chair or section chief is responsible for ensuring that the individual is aware of all UNMC policies and procedures relating to the use of the electronic resources.  
User Responsibility
##The department chair or section chief is responsible for coordinating with ITS to ensure that all software license regulations are honored by granting this account.  
 
##ITS is responsible for maintaining a log of  
* Users are responsible and accountable for access under their personal accounts.
###Individual name
* Users should never use the ID or password of another. (See; Password Security Policy)
###Contact information
* User should not provide their ID or password to another. (See; Password Security Policy)
###Sponsoring Department Chair or Section Chief
* Users are responsible to either lock their computer or log off the computer when leaving their computer.
###Resources accessed
 
###Reason for account/relationship to UNMC
==== Appropriate Use ====
##The Assistant Vice Chancellor or designee will approve requests for these types of accounts.
Nebraska Medicine/UNMC information technology resources are to be used for completing Nebraska Medicine/UNMC's work related business. Misuse of Nebraska Medicine/UNMC information systems is prohibited. Misuse includes but is not limited to the following:
====UNMC email accounts ====
 
UNMC email accounts will only be issued to the following individuals: 
# Attempting to add, modify, move or remove computer equipment, software, or peripherals without proper authorization.
#Faculty (excluding volunteer appointments) staff and students of UNMC
# Vandalism of computers, computer systems or computer networks, including any attempt to alter, destroy or damage data or the integrity of the computer or computer networks.
##Upon an employee’s entry into SAP or a student being admitted to a program, an email account will automatically be generated. It is the expectation that all faculty/staff/student will read and maintain their UNMC email account. Important information regarding the activities of UNMC is communicated via email.
# Accessing without proper authorization computers, software, information or networks to which Nebraska Medicine/UNMC utilizes regardless of whether the resource accessed is owned by Nebraska Medicine/UNMC or the abuse takes place from a non-Nebraska Medicine/UNMC site.
#Retired faculty who have an emeritus appointment
# Taking actions, without authorization, which disrupts the access of others to information systems.
#If a department identifies the need for an individual who does not meet the criteria to have an email account, a request for a policy exception can be made:
# Circumventing logon or other security measures.
##Individuals must have a department chair or section chief sponsor their need for this account.
# Using information systems for any illegal or unauthorized purpose.
##The department chair or section chief is responsible for ensuring that the individual is aware of all UNMC policies and procedures relating to the use of the electronic resources.
# Sending any fraudulent electronic communication.
##The department chair or section chief is responsible for coordinating with ITS to ensure that all software license regulations are honored by granting this account.  
# Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
##ITS is responsible for maintaining a log of
# Using electronic communications to harass or threaten others.
###Individual name
# Forgery of or interference with electronic communication.
###Contact information
# Launching a computer worm, computer virus or other rogue program.
###Sponsoring Department Chair or Section Chief
# Downloading or posting illegal, proprietary or damaging material to a Nebraska    Medicine/UNMC computer.
###Resources accessed
# Transporting illegal, proprietary or damaging material across a Nebraska Medicine/UNMC    network.
###Reason for account/relationship to UNMC
# Personal use of any Nebraska Medicine/UNMC information system to access, download, print, store, forward, transmit or distribute obscene material.
##The Assistant Vice Chancellor or designee will approve requests for these types of accounts.
# Violating any state or federal law or regulations in connection with use of any information system.
NOTE:  If an individual is a volunteer, please refer to UNMC Policy No. 6053, [[Volunteer]].<br />
 
<br />
 
Individual Personal accounts will always be utilized to access confidential information.<br />
Persons using Nebraska Medicine/UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a hostile working, patient care, or educational environment.
<br />
 
Users are responsible and accountable for access under their personal accounts. No one should use the ID or password of another, nor should anyone provide his or her ID or password to another, except in the cases necessary to facilitate computer maintenance and repairs. Your password should only be given to Information Technology Support Personnel upon presentation of identification. If your password is shared with Information Technology Support Personnel, where technically feasible the password should be flagged, necessitating that it be changed the next time the user logs on.<br />
It is the workforce's responsibility to notify the IT Helpdesk when an information security incident appears to have happened. (See; Information Security Incident Reporting and Response policy). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:
<br />
 
A strong password is the “first defense” against an information security attack upon the UNMC network. It is imperative that all users select a strong password. (See [http://www.unmc.edu/its/docs/security_PasswordSecurity.pdf ITS Security Procedure: Password Security]).<br />
# Evidence of tampering with data.
<br />
# System is overloaded to the point that no activity can be performed (Denial of     service attack on the network);
Access to electronic mail, voice mail, administrative, student and patient care information systems will be obtained through the appropriate authorization process. (See [http://www.unmc.edu/its/docs/security_AccessControlforITResources.pdf ITS Security Procedure: Access Control to IT Resources]). Unauthorized access to information systems is prohibited. Users must not attempt to gain access to information or systems for which they are not granted access. <br />
# Web site defacement.
<br />
# Unauthorized access or repeated attempts at unauthorized access (from either internal    or external sources);
Remote access to systems which contain confidential information will be accomplished through a strong authentication method with the appropriate approval processes. (See ITS Security Procedure: Workforce Member Remote Access). Individuals requiring remote access to UNMC’s e mail system will purchase an internet service provider and utilize the web based e mail product.<br />
# Social engineering incidents (using false identity/pretenses).
<br />
# Virus attacks which cause workstations or servers to be inoperable.
Information Technology Support Personnel will inactivate or delete IDs/password, as appropriate, of individuals who no longer have a relationship with UNMC.
# Email which includes threats or material that could be considered harassment.
===Appropriate Use===
# Discovery of unauthorized or missing hardware or software in your area.
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner.  Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality in order to protect the integrity of all data and of the interests of the entity.<br />
# Other incidents that could undermine confidence in Nebraska Medicine/UNMC information technology systems.
<br />
 
It is the responsibility of the workforce to protect confidential information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette (See [http://www.unmc.edu/its/images/security_enduserdevice.pdf ITS Security Procedure: End User Device]).<br />
==== '''Privacy''' ====
<br />
Nebraska Medicine/UNMC exercises exclusive control over this property and individuals should not expect privacy regarding their use of any computer or network.
UNMC’s information technology resources are to be used predominately for completing UNMC work related business. Misuse of University information systems is prohibited. Misuse includes the following (see Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources])
 
#Attempting to modify or remove computer equipment, software, or peripherals without proper authorization.
==== '''E-mail, Collaboration Tools and Voice Mail''' ====
#Accessing without proper authorization computers, software, information or networks which the University belongs, regardless of whether the resource accessed is owned by the University or the abuse takes place from a non-University site.
All policies stated herein are also applicable to all communication systems including e-mail and voice mail. Persons using Nebraska Medicine/UNMC's e-mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.
#Taking actions, without authorization, which interfere with the access of others to information systems.
 
#Circumventing logon or other security measures.
Nebraska Medicine/UNMC has implemented an encrypted email solution to ensure security of email which contains PHI.  (See; E-mail Containing Protected Health Information (PHI) Policy)
#Using information systems for any illegal or unauthorized purpose.
 
#Personal use of information systems or electronic communications for non-University consulting, business or employment, except as expressly authorized pursuant to Section 3.4.5 of the Bylaws of the Board of Regents.
The use of non-corporate e-mail and collaboration tool systems is prohibited. Email acceptable use is defined in Email Acceptable Use Policy.
#Sending any fraudulent electronic communication.
 
#Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
==== '''Nebraska Medicine/UNMC Networks and Systems for Nebraska Medicine/UNMC Business''' ====
#Using electronic communications to violate the property rights of authors and copyright owners. (Be especially aware of potential copyright infringement through the use of e-mail.)
Enterprise-wide Nebraska Medicine/UNMC Systems and Networks, such as but not limited to learning management, email, storage, identity and security services, shall be used for Nebraska Medicine/UNMC business. Nebraska Medicine/UNMC data and records (institutional and research) shall not be stored outside of Nebraska Medicine/UNMC Information Systems. Nebraska Medicine/UNMC Systems and Networks have appropriate security safeguards in place to protect Nebraska Medicine/UNMC data and records and are managed and administered by Nebraska Medicine/UNMC Information Technology employees. Contracts associated with and for Nebraska Medicine/UNMC Systems and Networks contain provisions that require appropriate technical safeguards and security measures to protect the confidentiality of Nebraska Medicine/UNMC records and data, and address responsibilities in the event of a data breach.
#Using electronic communications to harass or threaten users in such a way as to create an atmosphere which unreasonably interferes with the education or the employment experience.  Similarly, electronic communications shall not be used to harass or threaten other information recipients, in addition to University users.
 
#Using electronic communications to disclose proprietary information without the explicit permission of the owner.
All devices that are used for Nebraska Medicine/UNMC business shall be managed by the Information Technology office.
#Reading other user’s information or files without permission.
 
#Academic dishonesty.
==== '''Security Awareness Training''' ====
#Forging, fraudulently altering or falsifying, or otherwise misusing University or non-University records (including computerized records, permits, identification cards, or other documents or property).
All users accessing Nebraska Medicine/UNMC Information Systems will participate in the Nebraska Medicine/UNMC security awareness training within thirty (30) days of commencing their employment or affiliation with Nebraska Medicine/UNMC location and annually thereafter according to Security Awareness Training Standards (See; Information Security and Awareness Training policy).
#Using electronic communications to hoard, damage, interfere with academic resources available electronically.
 
#Using electronic communications to steal another individual’s works, or otherwise misrepresent one’s own work.
==== '''Information Systems Security''' ====
#Using electronic communications to fabricate research data.
Nebraska Medicine/UNMC Information Technology Department, provides enterprise-wide endpoint management services that shall be used to securely manage Nebraska Medicine/UNMC Endpoints and Systems to comply with Executive Memorandum 16.
#Launching a computer worm, computer virus or other rogue program.
 
#Downloading or posting illegal, proprietary or damaging material to a University computer.
# All Nebraska Medicine/UNMC owned Endpoints and Systems are to be inventoried and managed by IT and the associated IT distributed IT staff leveraging enterprise-wide endpoint management services.
#Transporting illegal, proprietary or damaging material across a University network.
# All Nebraska Medicine/UNMC owned Endpoints and Systems must enable access control measures such as a password , which comply with (See Identification and    Authorization policy).
#Personal use of any University information system to access, download, print, store, forward, transmit or distribute obscene material.
# Endpoint device management, inventory software, and anti-virus/anti-malware software are    provided by Information Technology and are required to be installed and kept up to date on all Nebraska Medicine/UNMC-owned Endpoints and Systems.
#Violating any state or federal law or regulations in connection with use of any information system.
# Endpoints and Systems where it is not technically feasible to leverage enterprise-wide endpoint management services shall apply for an exception.
Persons using UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a sexually hostile working, patient care, or educational environment.<br />
# Nebraska Medicine/UNMC Networks will be managed by Information Technology.
<br />
 
It is the workforce‘s responsibility to notify ITS when an information security incident appears to have happened. (See [http://www.unmc.edu/its/docs/security_informationsecurityincidentreporting.pdf ITS Security Procedure: Information Security Incident Reporting and Response]). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:
==== '''Vulnerability Management''' ====
#Evidence of tampering with data
All Nebraska Medicine/UNMC Information Systems procured or developed with Nebraska Medicine/UNMC resources will be subject to inventory, scanning, and security review in accordance with the Risk Management Policy. All scanning and security reviews will be conducted under the supervision of the Information Security Office. Information Systems are required to meet Configuration Management standards to be allowed to access the network.
#System is overloaded to the point that no activity can be performed (Denial of service attack on the network)
 
#Web site defacement
==== '''Operating System and Application Patch Management''' ====
#Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources)
All operating systems and applications must be current and supported by vendors. All operating systems and applications must be patched and updated in accordance with the System and Information Integrity Policy.
#Social engineering incidents
 
#Virus attacks which adversely affect servers or multiple workstations
==== '''Removable Media/Media Protection''' ====
#E-mail which includes obscene material, threats or material that could be considered  harassment
Removable media is intended to facilitate the transfer of data between Information Systems and not intended for storage or long-term archive. Nebraska Medicine/UNMC data and records should be stored on Nebraska Medicine/UNMC Information Systems. Removable media can be used to transfer high or medium risk data only if the media or data is encrypted in a manner that is consistent with the data requirements. Removable media storing Nebraska Medicine/UNMC data or any classification are subject to Nebraska Medicine/UNMC data retention policies, procedures, and practices. If removable media is involved in a Nebraska Medicine/UNMC e-discovery investigation, the data will be retained, and personnel must ensure that the data destruction process does not destroy any relevant data.
#Discovery of unauthorized or missing hardware in your area
 
#Other incidents that could undermine confidence and trust in the UNMC’s information technology systems
==== '''Password Management''' ====
ITS or other personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources. If the threat is deemed serious enough, the system(s) or individual posing the threat will be blocked from network access. Communication with department leadership regarding such action will take place as soon as possible. The block will be removed as soon as the threat has been repaired. (See UNMC ITS Security Procedure: Information Security Incident Reporting and Response)
Passwords for all systems and devices must comply with Nebraska Medicine/UNMC (See; Password Policy; Identification and Authorization Policy).
===Copyright===
 
UNMC maintains strict compliance with the Digital Millennium Copyright Act of 1998 and applicable amendments. It should be noted that traditionally a user purchases a software “license,” which is a right to use.  Many times the licenses can only be loaded on one machine.   Violating any software license or copyright is in violation of university policy. 
==== '''BYOD Devices''' ====
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
Nebraska Medicine/UNMC employees, agents, affiliates, or workforce members who use personally owned devices for Nebraska Medicine/UNMC related business are responsible for maintaining device security, data return and deletion, incident reporting, response to public records requests and discovery requests, and must produce their devices for inspection when required.  
#[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]
 
#[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]
If a member of the workforce wishes to use a personal device to access Nebraska Medicine/UNMC Resources, the device must be managed by the Enterprise Mobile Device Management System (See Mobile Device Policy).
#UNMC Policy No. 6036, [[Reproducing_Copyrighted_Materials|Reproduction of Copyrighted Materials]]
 
#Public Affairs Copyright and Disclaimer
==== '''Exception Process''' ====
===Privacy===
Nebraska Medicine/UNMC recognizes that there may be academic research pursuits that require deviations from the policies, standards, and procedures. Therefore, Nebraska Medicine/UNMC has developed an exception process that users may utilize to justify such deviations and document the associated risks. Exceptions to any portion of this policy require an acceptance of risk and must be jointly approved by the Chief Information Security Officer and the Chief Innovation and Information Officer, that has been reviewed and accepted by Technical and Security Governance.
Users should be aware that privacy cannot be guaranteed. UNMC ITS staff do not regularly audit e-mail, voice mail or other information systems for content except under the direction of UNMC internal investigations. However, users should be aware that UNMC information technology technical personnel have authority to access individual user files, data and voice mail in the process of performing repair, maintenance of information systems or supporting UNMC internal or external investigations (See UNMC Policy No. 6055, [[Fraud]] and Executive Memorandum No. 16 [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]). In the event violations to this policy are discovered as a result of the maintenance activity, ITS will bring the issue to the attention of the appropriate dean, director or department head and the Assistant Vice Chancellor for Human Resources.<br />
 
<br />
==== '''Security Administration''' ====
UNMC Information Technology Services will not release IDs/passwords for voice mail or information systems to anyone other than the user without explicit review by and permission from the Assistant Vice Chancellor for Human Resources or Vice President General Counsel.
Nebraska Medicine/UNMC Information Security Office is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of their information systems as the data stewards. System administrators and information custodians are responsible for implementing the security policy and standards within their applications.
===E-mail, Instant Messaging and Voice Mail===
 
All policies stated herein are also applicable to all communication systems including e mail, instant messaging and voice mail. Persons using UNMC’s e mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.<br />
==== '''Training''' ====
<br />
All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
E-mail attachments and files transfer utilizing instant messaging capabilities represent a significant risk to the organization.  Many computer viruses are distributed through e-mail attachments or files received via instant messaging. Users should be careful about opening e-mail attachments or accepting file transfers via instant messaging.  
 
===Controlling the Distribution of Non-Solicited Marketing E-mail===
==== '''Web Development''' ====
Electronic mail sent externally by UNMC personnel for the primary purpose of promoting UNMC’s “commercial” products or services must comply with the '''ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email'''. Examples of such products or services include publications and membership solicitations. <br />
All web development shall be developed in a standardized manner. (See; World Wide Web Policy, MI05).
<br />
 
The Act is applicable only to e-mail that constitutes a commercial advertisement or promotion of a commercial product or service. The Act is not applicable to commercial e-mail in general, to e-mail advertising or promoting “activity” or to e-mail simply because the e-mail references or solicits funds. Further, it is not applicable to e-mail messages sent to provide information about UNMC’s undergraduate, graduate, or professional degree-granting programs. Some programs not a part of the regular campus curriculum might be considered commercial “services” depending upon the facts. Advice from the Compliance Officer should be sought about such programs.
==== '''Faxing''' ====
====Exemptions====
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients; faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with (See; Nebraska Medicine/UNMC Facsimile Transmission policy).
The Act exempts “transactional or relationships messages” from the procedural requirements when the primary purpose of the message is to achieve on of the following:
 
*Facilitate, complete or confirm a commercial transaction that the recipient has previously agreed to, such as messages confirming registration, purchase or reservations.  
==== '''Compliance''' ====
*Provide warranty information or product recall or safety/security information with respect to a product or service used or purchased by the recipient
Employees who fail to comply with this policy may be subject to corrective action up to and including termination (See Nebraska Medicine/UNMC Corrective Action policy).
*Notify the recipient about substantive changes in an existing subscription or related benefit plan in which the recipient is currently participating.  
 
*Deliver goods or services, including upgrades or updates, which the recipient has previously requested or ordered from the sender.<br />
==== '''Audits of Electronic Protected Health Information (ePHI)''' ====
<br />
Patient information including demographic and medical data contained in or obtained from any Nebraska Medicine/UNMC information system is confidential data. Individual access to this data will be audited to ensure compliance with federal and state law and Nebraska Medicine/UNMC policies and procedures (See; Audit of Electronic Protected Health Information Policy).
For more information, see Contro<big>lling the Distribution of Non-Solicited Marketing E-mail Procedures.</big>
 
===Campus-wide e-mail announcements===
==== '''Demonstration of electronic systems      ''' ====
Sending out mass distribution e-mails containing event and/or general announcement type information is discouraged.  If you have an event to publicize or an announcement to deliver to a large group of people, the best way to do this is through UNMC Today, the campus electronic newsletter. Contact Public Relations for additional information.<br />
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should NOT be used.
<br />
 
However, if e-mailing to a large group is warranted, the content and size of the message must be approved by Public Relations. Delivery of the message must then be scheduled by the ITS department to minimize the demand on campus computer systems. Contact Public Relations (x9-4696) to obtain approval.
===Audits of Electronic Protected Health Information (PHI)===
Patient information including demographic and medical data contained in, or obtained from any UNMC information system is confidential data. Individual access to this data may be audited in order to ensure compliance with federal and state law and [[Policies and Procedures|UNMC Policies and Procedures]].  
====Information Systems====
Each information custodian is responsible to:
#Manage and approve access to the information.
#Implement audit mechanisms.
#Develop periodic audit process to validate that only those with a need to know are accessing ePHI (See UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]).
#Develop and implement a formal process for audit log review
#Audit reports are confidential and should not be released without the approval of the HIPAA [mailto:swrobel@unmc.edu Privacy Officer] or the Human Resources Employee Relations Manager.
====Shared Files====
The owner of shared files is responsible to:
#Manage and approve access to the information
#Implement process such that the minimum necessary information is available to the user (See UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]).
===Computer Crime===
Computer crime in any form will not be tolerated. This policy applies to all UNMC employees and will be enforced without regard to past performance, position held or length of service. All persons found to have committed computer crime relevant to UNMC assets shall be subject to disciplinary action up to and including termination and investigation by external law enforcement agencies when warranted.
===Security Administration===
UNMC ITS is responsible for implementing and monitoring a consistent data security program.  System administrators are responsible for operation and maintenance of information processing services.  The system administrator and information custodians are responsible for implementing the security policy and standards within their applications.
===Training===
All members of the workforce will be trained in information security awareness.  Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.
===Web Pages===
UNMC web pages should consistently meet the highest standards of writing, content accuracy, image and presentation, keeping in mind that these documents create an image of UNMC to the world. UNMC shall reserve the right to monitor web pages and to remove any material that is unlawful or in violation of UNMC policies. Originators will be notified in the event that their page is removed.<br />
<br />
UNMC procedures and guidelines for web page development should be observed. The web handbook is also a useful tool. These guidelines are not intended nor do they supersede in anyway the well-recognized rights of academic freedom.
UNMC web pages are required to show:
#Date of the last revision
#Hot e-mail link to person responsible for the page
#UNMC logo (per Executive Memorandum 16)
#Link back to appropriate UNMC site (Internet or Intranet)
#Link to University of Nebraska Appropriate Use/Copyright Violations
===Faxing===
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail.  It is easy to misdirect faxes to unauthorized recipients, faxes could be intercepted or lost in transmission.  Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with the faxing policy (See UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]).
===Demonstration of Electronic Systems===
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should not be used.
==Definitions==
==Definitions==
'''Computer crime''' examples would include:
'''Affiliated Covered Entity (ACE)'''
#Unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim’s computer via the Internet through a backdoor operated by a Trojan Horse program.
 
#Creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan horse).
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time.  The Notice of Privacy Practices lists current ACE members.
#Harassment and stalking in cyberspace.
 
#Using computers to commit crimes that could be committed without a computer such as counterfeiting, stealing, committing larceny or fraud.
'''Information''' is data presented in readily comprehensible form. Information may be stored or transmitted via electronic, media on paper or other tangible media, or be known by individuals or groups.
(Source:  Computer Crime by Ronald B. Stander, Copyright 1999, 2002, [http://www.rbs2.com www.rbs2.com])<br />
 
<br />
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.
'''Confidential information''' includes proprietary information and protected health information (PHI).<br />
 
<br />
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes what categories of users are allowed to read and update various items. They also are responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.
'''Denial of service''' is an event in which a user or organization is deprived of resource services that they would normally expect to have.<br />
 
<br />
'''System administrators''' are those responsible for maintaining computer hardware and operating systems.
'''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.)  Information may be stored or transmitted via electronic media on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and property of the University.<br />
 
<br />
'''Confidential information''' includes proprietary information and protected health information (PHI).
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.<br />
 
<br />
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and meeting minutes.
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.<br />
 
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Health information means any information whether oral or recorded in any medium.
'''Information systems''' are an interconnected set of informational resources under the same direct management control that shares common functionality.<br />
 
<br />
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.<br />
 
<br />
'''Workforce''' refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for Nebraska Medicine or UNMC, is under the direct control of Nebraska Medicine or UNMC, whether or not they are paid by Nebraska Medicine or UNMC.
'''Information Technology Support Personnel''' are the individuals who as a function of their job provides IT support.  This includes ITS support staff, departmental system administrators and IT support staff within the units.<br />
 
<br />
'''Shared accounts''' (i.e. Generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.
'''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.<br />
 
<br />
'''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.<br />
 
<br />
'''Strong authentication''' method is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e. grid card).
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and student records. (See UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]] for more detailed information.)<br />
 
<br />
'''Information system''' is an interconnected set of informational resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
'''Protected Health Information (PHI)'''is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
 
#is created or received by UNMC; and  
'''Shared file''' is a collection of electronic PHI maintained on any medium that will store digital data (i.e. computers, PDA's, memory sticks, iPods, laptops, mobile wireless devices, etc.)
#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
 
Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.<br />
<br />
'''Shared accounts''' (i.e., generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.<br />
<br />
'''Shared file''' is a collection of electronic PHI maintain on personal or departmental computers.  This would include spreadsheets, databases, correspondence, quality improvement and research data files.<br />
<br />
'''Social engineering''' describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.<br />
<br />
'''Strong authentication method''' is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e., Secured card).<br />
<br />
'''System administrators''' are the people responsible for configuring, administering, and maintaining hardware and operating systems.<br />
<br />
'''Workforce''' refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
<br />
Reference: [http://www.ucop.edu/information-technology-services/ University of CA Guidelines], January 28, 2004
==Additional information==  
==Additional information==  
*[http://www.unmc.edu/its/information_security.htm Information Technology Services]
*[https://info.unmc.edu/its-security/index.html Information Technology Services]
*Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]
*Executive Memorandum No. 26, [http://nebraska.edu/docs/president/26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf University of Nebraska Information Security Plan]
*Executive Memorandum No. 27, [http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf HIPAA Compliance Policy]
*UNMC Policy No. 6036, [[Reproducing_Copyrighted_Materials|Reproduction of Copyrighted Materials]]  
*UNMC Policy No. 6036, [[Reproducing_Copyrighted_Materials|Reproduction of Copyrighted Materials]]  
*UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]]
*UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]]
Line 256: Line 205:
*UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]  
*UNMC Policy No. 6057, [[Protected Health Information (PHI)|Use and Disclosure of Protected Health Information]]  
*UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]
*UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]
*[http://www.unmc.edu/its/information_security_procedures.htm UNMC Information Security Procedures]  
*[https://info.unmc.edu/its-security/policies/procedures/index.html UNMC Information Security Procedures]
*[https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding]
*Executive Memorandum No. 16, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Policy for Responsible Use of University Computers and Information Systems]
*Executive Memorandum No. 26, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf University of Nebraska Information Security Plan - Gramm Leach Bliley Compliance]
*Executive Memorandum No. 27, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf HIPAA Compliance Policy]
*Executive Memorandum No. 41, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-research-and-data-security.pdf Policy on Research Data and Security]
*Executive Memorandum No. 42, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-risk-classification-and-minimum-security-standards.pdf Policy on Risk Classification and Minimum Security Standards]
*[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
*[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998]  
*[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]  
*[http://www.copyright.gov/ U.S. Copyright Office - General Guidelines About Copyright Law]  


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].

Latest revision as of 12:45, October 4, 2023

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training

Policy No.: 6051
Effective Date: 04/25/07
Revised Date: draft
Reviewed Date: 09/19/17

Computer Use and Electronic Information Security Policy

Introduction

University of Nebraska Medical Center (UNMC) has a robust information technology environment. It is the responsibility of the workforce to utilize information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality.

Basis for Policy

The University of Nebraska has issued Executive Memorandum No. 16, Policy for Responsible Use of University Computers and Information Systems, which sets forth the University’s administrative policy and provides guidance relating to the responsible use of the University’s electronic information systems. It is the intent of this policy to confirm campus adherence to Executive Memorandum 16.

Information technology resources are owned by UNMC and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, all applicable UNMC policies, including sexual harassment, patent and copyright, patient and student confidentiality, and student and employee disciplinary policies, as well as by applicable federal, state and local laws.

Policy

It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality to protect the integrity of all data and the business interests of the entity.

It is the responsibility of the workforce to protect all confidential and proprietary information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device, external storage or cloud system storage. (See End User Device Security Policy).

Information technology resources are owned by Nebraska Medicine/UNMC and are intended for use in completing the Nebraska Medicine/UNMC’s mission. Information generated during Nebraska Medicine/UNMC operations is a valuable asset and property of Nebraska Medicine/UNMC.

Acceptance and Adherence to Policy

Use of Nebraska Medicine/UNMC information systems by anyone shall constitute agreement to abide by and be bound by the provisions of this policy and (See; Privacy, Confidentiality and Security of Patient and Proprietary Information Policy). Departmental personnel with system administrator responsibilities must conform to all Nebraska Medicine/UNMC Information Technology and Information Security policies and procedures. User Responsibility

  • Users are responsible and accountable for access under their personal accounts.
  • Users should never use the ID or password of another. (See; Password Security Policy)
  • User should not provide their ID or password to another. (See; Password Security Policy)
  • Users are responsible to either lock their computer or log off the computer when leaving their computer.

Access

Physical and electronic access to proprietary information and computing resources is controlled. Access will be assigned based upon the information needed to perform assigned duties. Electronic access is controlled through a combination of user defined access and device defined access. User Responsibility

  • Users are responsible and accountable for access under their personal accounts.
  • Users should never use the ID or password of another. (See; Password Security Policy)
  • User should not provide their ID or password to another. (See; Password Security Policy)
  • Users are responsible to either lock their computer or log off the computer when leaving their computer.

Appropriate Use

Nebraska Medicine/UNMC information technology resources are to be used for completing Nebraska Medicine/UNMC's work related business. Misuse of Nebraska Medicine/UNMC information systems is prohibited. Misuse includes but is not limited to the following:

  1. Attempting to add, modify, move or remove computer equipment, software, or peripherals without proper authorization.
  2. Vandalism of computers, computer systems or computer networks, including any attempt to alter, destroy or damage data or the integrity of the computer or computer networks.
  3. Accessing without proper authorization computers, software, information or networks to which Nebraska Medicine/UNMC utilizes regardless of whether the resource accessed is owned by Nebraska Medicine/UNMC or the abuse takes place from a non-Nebraska Medicine/UNMC site.
  4. Taking actions, without authorization, which disrupts the access of others to information systems.
  5. Circumventing logon or other security measures.
  6. Using information systems for any illegal or unauthorized purpose.
  7. Sending any fraudulent electronic communication.
  8. Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner.
  9. Using electronic communications to harass or threaten others.
  10. Forgery of or interference with electronic communication.
  11. Launching a computer worm, computer virus or other rogue program.
  12. Downloading or posting illegal, proprietary or damaging material to a Nebraska Medicine/UNMC computer.
  13. Transporting illegal, proprietary or damaging material across a Nebraska Medicine/UNMC network.
  14. Personal use of any Nebraska Medicine/UNMC information system to access, download, print, store, forward, transmit or distribute obscene material.
  15. Violating any state or federal law or regulations in connection with use of any information system.


Persons using Nebraska Medicine/UNMC's information technology facilities and services bear the primary responsibility for the material they choose to access, send or display. It is a violation to access and view materials which would create the existence of a hostile working, patient care, or educational environment.

It is the workforce's responsibility to notify the IT Helpdesk when an information security incident appears to have happened. (See; Information Security Incident Reporting and Response policy). A security incident includes, but is not limited to the following events, regardless of platform or computer environment:

  1. Evidence of tampering with data.
  2. System is overloaded to the point that no activity can be performed (Denial of service attack on the network);
  3. Web site defacement.
  4. Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources);
  5. Social engineering incidents (using false identity/pretenses).
  6. Virus attacks which cause workstations or servers to be inoperable.
  7. Email which includes threats or material that could be considered harassment.
  8. Discovery of unauthorized or missing hardware or software in your area.
  9. Other incidents that could undermine confidence in Nebraska Medicine/UNMC information technology systems.

Privacy

Nebraska Medicine/UNMC exercises exclusive control over this property and individuals should not expect privacy regarding their use of any computer or network.

E-mail, Collaboration Tools and Voice Mail

All policies stated herein are also applicable to all communication systems including e-mail and voice mail. Persons using Nebraska Medicine/UNMC's e-mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.

Nebraska Medicine/UNMC has implemented an encrypted email solution to ensure security of email which contains PHI.  (See; E-mail Containing Protected Health Information (PHI) Policy)

The use of non-corporate e-mail and collaboration tool systems is prohibited. Email acceptable use is defined in Email Acceptable Use Policy.

Nebraska Medicine/UNMC Networks and Systems for Nebraska Medicine/UNMC Business

Enterprise-wide Nebraska Medicine/UNMC Systems and Networks, such as but not limited to learning management, email, storage, identity and security services, shall be used for Nebraska Medicine/UNMC business. Nebraska Medicine/UNMC data and records (institutional and research) shall not be stored outside of Nebraska Medicine/UNMC Information Systems. Nebraska Medicine/UNMC Systems and Networks have appropriate security safeguards in place to protect Nebraska Medicine/UNMC data and records and are managed and administered by Nebraska Medicine/UNMC Information Technology employees. Contracts associated with and for Nebraska Medicine/UNMC Systems and Networks contain provisions that require appropriate technical safeguards and security measures to protect the confidentiality of Nebraska Medicine/UNMC records and data, and address responsibilities in the event of a data breach.

All devices that are used for Nebraska Medicine/UNMC business shall be managed by the Information Technology office.

Security Awareness Training

All users accessing Nebraska Medicine/UNMC Information Systems will participate in the Nebraska Medicine/UNMC security awareness training within thirty (30) days of commencing their employment or affiliation with Nebraska Medicine/UNMC location and annually thereafter according to Security Awareness Training Standards (See; Information Security and Awareness Training policy).

Information Systems Security

Nebraska Medicine/UNMC Information Technology Department, provides enterprise-wide endpoint management services that shall be used to securely manage Nebraska Medicine/UNMC Endpoints and Systems to comply with Executive Memorandum 16.

  1. All Nebraska Medicine/UNMC owned Endpoints and Systems are to be inventoried and managed by IT and the associated IT distributed IT staff leveraging enterprise-wide endpoint management services.
  2. All Nebraska Medicine/UNMC owned Endpoints and Systems must enable access control measures such as a password , which comply with (See Identification and Authorization policy).
  3. Endpoint device management, inventory software, and anti-virus/anti-malware software are provided by Information Technology and are required to be installed and kept up to date on all Nebraska Medicine/UNMC-owned Endpoints and Systems.
  4. Endpoints and Systems where it is not technically feasible to leverage enterprise-wide endpoint management services shall apply for an exception.
  5. Nebraska Medicine/UNMC Networks will be managed by Information Technology.

Vulnerability Management

All Nebraska Medicine/UNMC Information Systems procured or developed with Nebraska Medicine/UNMC resources will be subject to inventory, scanning, and security review in accordance with the Risk Management Policy. All scanning and security reviews will be conducted under the supervision of the Information Security Office. Information Systems are required to meet Configuration Management standards to be allowed to access the network.

Operating System and Application Patch Management

All operating systems and applications must be current and supported by vendors. All operating systems and applications must be patched and updated in accordance with the System and Information Integrity Policy.

Removable Media/Media Protection

Removable media is intended to facilitate the transfer of data between Information Systems and not intended for storage or long-term archive. Nebraska Medicine/UNMC data and records should be stored on Nebraska Medicine/UNMC Information Systems. Removable media can be used to transfer high or medium risk data only if the media or data is encrypted in a manner that is consistent with the data requirements. Removable media storing Nebraska Medicine/UNMC data or any classification are subject to Nebraska Medicine/UNMC data retention policies, procedures, and practices. If removable media is involved in a Nebraska Medicine/UNMC e-discovery investigation, the data will be retained, and personnel must ensure that the data destruction process does not destroy any relevant data.

Password Management

Passwords for all systems and devices must comply with Nebraska Medicine/UNMC (See; Password Policy; Identification and Authorization Policy).

BYOD Devices

Nebraska Medicine/UNMC employees, agents, affiliates, or workforce members who use personally owned devices for Nebraska Medicine/UNMC related business are responsible for maintaining device security, data return and deletion, incident reporting, response to public records requests and discovery requests, and must produce their devices for inspection when required.

If a member of the workforce wishes to use a personal device to access Nebraska Medicine/UNMC Resources, the device must be managed by the Enterprise Mobile Device Management System (See Mobile Device Policy).

Exception Process

Nebraska Medicine/UNMC recognizes that there may be academic research pursuits that require deviations from the policies, standards, and procedures. Therefore, Nebraska Medicine/UNMC has developed an exception process that users may utilize to justify such deviations and document the associated risks. Exceptions to any portion of this policy require an acceptance of risk and must be jointly approved by the Chief Information Security Officer and the Chief Innovation and Information Officer, that has been reviewed and accepted by Technical and Security Governance.

Security Administration

Nebraska Medicine/UNMC Information Security Office is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of their information systems as the data stewards. System administrators and information custodians are responsible for implementing the security policy and standards within their applications.

Training

All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce.

Web Development

All web development shall be developed in a standardized manner. (See; World Wide Web Policy, MI05).

Faxing

Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients; faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with (See; Nebraska Medicine/UNMC Facsimile Transmission policy).

Compliance

Employees who fail to comply with this policy may be subject to corrective action up to and including termination (See Nebraska Medicine/UNMC Corrective Action policy).

Audits of Electronic Protected Health Information (ePHI)

Patient information including demographic and medical data contained in or obtained from any Nebraska Medicine/UNMC information system is confidential data. Individual access to this data will be audited to ensure compliance with federal and state law and Nebraska Medicine/UNMC policies and procedures (See; Audit of Electronic Protected Health Information Policy).

Demonstration of electronic systems      

Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should NOT be used.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time.  The Notice of Privacy Practices lists current ACE members.

Information is data presented in readily comprehensible form. Information may be stored or transmitted via electronic, media on paper or other tangible media, or be known by individuals or groups.

Information technology resources (system) include but are not limited to voice, video, data and network facilities and services.

Information custodians are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes what categories of users are allowed to read and update various items. They also are responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.

System administrators are those responsible for maintaining computer hardware and operating systems.

Confidential information includes proprietary information and protected health information (PHI).

Proprietary information refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and meeting minutes.

Protected Health Information (PHI) is individually identifiable health information. Health information means any information whether oral or recorded in any medium.

Information security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.

Workforce refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for Nebraska Medicine or UNMC, is under the direct control of Nebraska Medicine or UNMC, whether or not they are paid by Nebraska Medicine or UNMC.

Shared accounts (i.e. Generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.

Personal accounts allow an individual user to logon to specific applications or systems using personal or unique ID and password.

Strong authentication method is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e. grid card).

Information system is an interconnected set of informational resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Shared file is a collection of electronic PHI maintained on any medium that will store digital data (i.e. computers, PDA's, memory sticks, iPods, laptops, mobile wireless devices, etc.)

Additional information

This page maintained by dkp.