Please be aware that portable data is vulnerable data and that the leading cause of data loss is stolen or misplaced personal computing devices. Moving data, especially protected health information (PHI), poses unique security risks for the University. Failure to abide by a few common-sense principles could result in disastrous consequences.
Some Guidelines:
Securing your personal device is very important given the amount of sensitive information stored on it. We are all at risk and the stakes are high. Secure your device by following the steps outlined in the device-specific guidelines located under the Guidelines and Procedures section at http://security.bsd.uchicago.edu/security-policies/.
All devices (e.g., laptops, computers, tablets, and phones) must be protected with strong passwords AND encrypted. If you lose a device that is encrypted, the encryption significantly decreases the burden of proof about data loss. Although it may seem obvious, do not write the password on the encrypted media. For more information, visit https://security.bsd.uchicago.edu/security-policies/
The use of personally owned devices is covered under UCM Policy 06_POL-BD Personal Computing Device Policy. Ensuring that your personally owned electronic device has active encryption enabled is one of the most important steps to follow as part of this policy.
It can be a challenge for the Privacy Program to verify whether your personally owned device is secure. Without encryption, there is the potential for a breach of patient or other sensitive information if your device, such as your laptop, is lost or stolen. This is especially true if you have your UCM emails or other UCM confidential data available on the device. In certain circumstances, this could require the Privacy Program to review emails and other UCM applications to determine potential impacts when the laptop or other electronic device is not in the hands of the owner.
Take a moment to review the settings on your personal device and ensure it has encryption enabled, either through a program that comes on your device, for example FileVault for Apple devices or BitLocker for Windows devices, or through separate encryption software that you purchase and install on your device. It can also be helpful to take a quick screenshot of the active encryption display to save for yourself in case your device is lost or stolen. This could provide important information to the Privacy Program if your device is away from you. Please feel free to reach out to me directly or to the Privacy Program with questions.
Never email unencrypted PHI to someone outside of the University. If you must email PHI, the Secure E-Mail Portal provides a secure way for employees to email Restricted information, such as PHI, to recipients outside of UCM and the BSD. For more information, visit the UCM Information Security Office Data Guardian Program webpage at http://home.uchospitals.edu/; go to Quick Links on the left-hand side of the screen and click on “Information Security Office” > Data Guardian Program.
Everyone must enroll in 2Factor Authentication (2FA). 2FA enhances the security of your CNetID by using your phone to verify your identity. This prevents anyone but you from using your account to log in to University websites, even if they know your CNetID password. Please visit https://2fa.uchicago.edu and click on ‘Go to 2Factor’ to enroll today!
Never store restricted information in an unencrypted state where it might be compromised. This includes removable media such as flash drives and CDs. UChicagoBox, a cloud-based file storage and sharing service, is available for storing patient information (HIPAA). Please visit http://security.bsd.uchicago.edu/wp-content/uploads/sites/2/2016/09/UChicago-Box-Instructions-for-BSD.pdf for instructions on how to use UChicagoBox, as well as a step-by-step guide on how to secure Restricted information.
University Treatment of Confidential Information – 601. This policy covers what is considered restricted vs. not, misuses of data, and consequences if confidential information is misused: https://humanresources.uchicago.edu/fpg/policies/600/p601.shtml
BSD Information Security Office
UCM Information Security Office 773-702-3456
UCM Privacy Program 773-834-9716
Anonymous Resource Line 1-877-440-5480, select option 2