ROWAN UNIVERSITY POLICY
Title: Transmission of Sensitive Information Policy
Subject: Information Security
Policy No: ISO:2013:05
Issuing Authority: Vice President for Information Resources and Chief Information Officer
Responsible Officer: Chief Information Security Officer
Date Adopted: 07-01-2013
Last Revision: 06-01-2014
Last Review: 09-01-2014
This policy is required to comply with legal requirements regarding the protection of sensitive information in transit, including but not limited to Protected Health Information (PHI) and Personal Identifying Information (PII), from unauthorized access and to protect against data breaches. This policy sets forth requirements for the transmission or receipt of sensitive information on the Rowan University network.
Under the direction of the Vice President for Information Resources and Chief Information Officer, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will also implement this policy in their respective areas.
This policy applies to all Users accessing the Rowan network or University information through computing devices owned or managed by the University. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices are "Users."
A. "Encryption" – the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
B. "Personal Identifying Information" (PII) – Personal Identifying Information includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources.
C. "Protected Health Information" (PHI) – Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
D. "Public Network" – Any network outside the Rowan University network.
E. "Secure Backup" (Encryption Recommended) – The process of making a backup copy of information for the purpose of data recovery with security safeguards present to ensure the backup copy of the data remains protected from unauthorized access at all times. This may include physical protections as well as encryption to safeguard the backup information.
A. HIPAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
A. All sensitive information, including Protected Health Information (PHI) and Personal Identifying Information (PII) (as defined above), that is transmitted or received by Rowan University's computer systems, including mobile devices, must be encrypted when transmitted over wireless or Public Networks, including when transmitted via FTP and electronic mail.
B. Examples of when encryption is required include, but are not limited to:
- A University employee, student, contractor, or vendor sending or receiving the University's PHI or PII using his/her home's Internet Service Provider (ISP) connection (e.g., cable company or DSL), unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network.
- Any transmission of PHI or PII sent over any home, public, hotel, or the unsecured campus wireless network, unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network. Use of the UNC-Secure campus wireless network does not require VPN as long as one is transmitting to a destination within the campus.
- A University employee, student, contractor, or vendor sending or receiving the University's PHI or PII to a destination address outside the campus network. (Encryption is required in this case, even if a VPN connection is used.)
- Any vendor transmissions of PHI or PII sent over the Internet.
- Use of a PDA to transmit PHI or PII over a Public Network.
C. Encryption is not required for a University employee who uses an on-campus workstation, with a wired connection to the University network, to transmit a document to another University User or to save a document containing PHI or PII to his/her University-managed network folder.
VII. NON-COMPLIANCE AND SANCTIONS
Violation of this policy may subject the violator to disciplinary actions, up to and including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.
By Direction of the CIO:
VP and Chief Information Officer