ROWAN UNIVERSITY POLICY
Title: Protection of Sensitive Electronic Information
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013: P10
Issuing Authority: President
Responsible Officer: RowanSOM Chief Compliance & Privacy Officer and Rowan Chief Information Security Officer
Last Revision: 7/1/2013
To develop an overall policy to facilitate Rowan School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Standards Final Rule (CFR Part 164), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley (GLB) Safeguards Rule, and other applicable state and federal regulations, and to provide for the development and implementation of policies and procedures:
- to prevent, detect, contain, and correct security violations;
- to ensure that all members of RowanSOM workforce have appropriate access to sensitive electronic information (SEI) and to prevent those workforce members who do not have access from obtaining access to SEI;
- to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;
- for responding to an emergency or other occurrence that damages systems that contain SEI;
- that govern the receipt and removal of hardware and electronic media that contain SEI into and out of a facility, and the movement of these items within the facility;
- that address the final disposition of SEI, and/or the hardware or electronic media on which it is stored;
- to protect SEI from improper alteration or destruction;
- that document repairs and modification to the physical components of RowanSOM facilities which are related to security (for example, hardware, walls, doors, and locks);
- for removal of SEI from electronic media before the media are available for re-use; and
- that terminate an electronic session after a predetermined time of inactivity.
Under the direction of the President, the Sr. Vice President and CIO, the Dean, the Chief Information Security Officer and the Chief Compliance & Privacy Officer shall ensure compliance with this policy. The Associate Dean for Clinical Affairs, the Clinical Chairs and the Executive Director.
This policy shall apply to any SEI that is generated during provision of education, research, or health care under the auspices of RowanSOM or by any of its agents. The responsibility for protecting RowanSOM SEI applies to RowanSOM workforce members and business associates working at RowanSOM facilities and at any other locations where RowanSOM SEI may reside.
- Data Steward - a person who creates, maintains, manages, controls or stores data, or a file which contains SEI, and is responsible for that data, file or database. The Data Steward acts as the primary contact for issues related to the data for which he or she is responsible.
- Hardware and Electronic Media - any device capable of creating, maintaining, storing, transmitting or receiving data.
- Workforce - Faculty, staff, students, volunteers, trainees, and other persons whose conduct, in the performance of work for RowanSOM and/or its units, is under the direct control of such entity(ies), whether or not they are paid by RowanSOM.
- SEI Officer - the individual with unit-specific responsibility for publishing and disseminating policies, developing procedures, tracking SEI security training, and assisting with SEI security breaches. The SEI Officer may be the Chief Compliance & Privacy Officer, a GLB Officer, a FERPA Officer, any other Officer designated to comply with other applicable state and federal regulations, or a combination thereof.
- Technical Coordinator - the individual assigned to assist the SEI Officer with implementing the SEI Officer's unit-specific responsibilities.
- Sensitive Electronic Information (SEI) - includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by GLB and other applicable regulations.
- Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule
- Federal Trade Commission 16 CFR Part 314, Standards for Safeguarding Customer Information (GLB Safeguards Rule)
- Records Management
- Patient Confidentiality and Health Information
- Renovation/Alteration/New Construction
- Physical Plant Work Requests
- Access to University Administered Systems
- Rights & Responsibilities for the Use of University-Accessed Electronic Information Systems
- Protection and Authentication of Electronically Communicated Confidential or Sensitive Information
- Information Classification
- Information Security: Mobile Computing and Removable Media
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- NIST SP 800-88 “Guidelines for Media Sanitization”
A. Security Violations
- Data Stewards shall define "security violation" with regard to the information they manage. A violation could include, but is not limited to:
  - Unauthorized access to or modification of information,
  - Excessive unsuccessful attempts to access information,
  - Misuse (alteration or destruction) of information,
  - Excessive unsuccessful log-on or break-in attempts.
- An audit trail shall be maintained, where technically feasible, containing sufficient information that the violation and the user responsible may be identified. The audit trail shall record the user ID under which the access or attempted access occurred, the time and date of occurrence, the information accessed, and the action in violation. The audit trail shall be kept secure to prevent modification or destruction.
- Security incidents, such as security breaches, violations of policy, unauthorized access, audit trail data or other system warnings about unusual or inappropriate activity, and identified weaknesses in security measures, shall promptly be reported by the Data Steward to the Compliance Hotline at 1-855-431-6697.
- The SEI Officer for RowanSOM shall be responsible for developing the procedures specific to their unit, including:
  - Review of the audit trail,
  - Frequency of review,
  - Parties to be notified upon discovery of a violation.
- Documentation showing evidence of the audit trail reviews, violations issued and corrective action taken shall be maintained in a secure manner.
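As an added illustration (not part of the policy or of any RowanSOM system), the following Python shows one way to keep an audit trail with the four fields required above, make it tamper-evident with a hash chain so modification or deletion is detectable, and flag the "excessive unsuccessful log-on attempts" violation that Data Stewards may define; the threshold, window and sample events are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # prev_hash of the first record

def record_hash(body):
    """Hash a record's canonical JSON so any later edit is detectable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only, hash-chained trail: user ID, date/time, information accessed, action."""
    def __init__(self):
        self.records = []
    def append(self, user_id, timestamp, resource, action, outcome):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"user_id": user_id, "timestamp": timestamp, "resource": resource,
                "action": action, "outcome": outcome, "prev_hash": prev}
        self.records.append({**body, "hash": record_hash(body)})
    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev or record_hash(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1
    def excessive_failures(self, threshold, window_minutes):
        """User IDs with >= threshold failed logons within any window_minutes span."""
        by_user = {}
        for rec in self.records:
            if rec["action"] == "logon" and rec["outcome"] == "failure":
                by_user.setdefault(rec["user_id"], []).append(
                    datetime.fromisoformat(rec["timestamp"]))
        window = timedelta(minutes=window_minutes)
        flagged = set()
        for user, times in by_user.items():
            times.sort()
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    flagged.add(user)
                    break
        return flagged

def sample_trail():
    """Constructed events (not real data): one normal read, then five failed logons."""
    trail = AuditTrail()
    trail.append("alice", "2013-07-01T09:00:00", "patient/1001", "read", "success")
    for m in range(5):  # bob fails to log on at 09:00:30, 09:01:30, ... 09:04:30
        trail.append("bob", f"2013-07-01T09:0{m}:30", "ehr-portal", "logon", "failure")
    return trail
```

`verify()` only detects tampering after the fact; in practice the trail would also be written to storage the audited users cannot modify, as the policy's requirement to keep it secure implies.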
- Access to institutional databases, servers and networks is a privilege granted by RowanSOM, to be used only for those purposes for which the access is authorized. The nature and extent of authorized access to institutional databases, servers and networks shall be determined by legitimate needs to fulfill job responsibilities.
- Access to and use of these resources for purposes or activities which do not support RowanSOM's mission are subject to regulation and restriction to ensure that they do not interfere with legitimate work; any access to or use of these resources and services that interferes with RowanSOM's missions and goals is prohibited. The use and/or release of RowanSOM data is further restricted under specific laws such as FERPA, the GLB Safeguards Rule, and the Health Insurance Portability and Accountability Act (HIPAA), and under laws that govern intellectual property rights.
- In general, only workforce members and business associates of RowanSOM shall have access to SEI. Under certain circumstances, non-employees may be granted access under carefully monitored and restricted conditions; such access must be justified as benefiting the operation of the institution. RowanSOM will require an executed confidentiality agreement before such access is granted.
- Privileged access to operating system or database administration tools and interfaces for enterprise systems or systems housing confidential data or information will be at the discretion of the Vice President for IST.
- Each individual who develops or is given access to institutional databases or networks shall read and understand this policy and all derivative policies.
- Each user is responsible for all actions and transactions occurring under his/her user ID while that ID is logged onto RowanSOM's network or systems.
- Each Data Steward shall have responsibility for:
  - The classification of RowanSOM's information under their control as Confidential, Private, Internal or Public.
  - The maintenance of an inventory of all systems that create, process, collect, store or transmit their information, identifying:
    - organization name (as stated in their Business Impact Analysis (BIA))
    - business unit name (as stated in their BIA)
    - business function name (as stated in their BIA)
    - business function narrative description (as stated in their BIA)
    - name of the information system
    - name of the data steward
    - name of the business unit's compliance officer
    - information system manager
    - inherent risk of the information system (as calculated in the Information Security Risk Assessment)
  - Annually assessing and updating the Information and Risk Classification of their information, and reporting any changes to the Dean, the Information Security Office and the information system manager.
  - Establishing procedures to comply with the NIST Guidelines for Media Sanitization to securely wipe information classified as Confidential or Private that is stored on mobile computing devices or removable media.
  - Periodically reviewing, and modifying as necessary, users' rights of access (authorization).
- The Vice President for IST shall be responsible for providing RowanSOM-wide infrastructure with the proper level of security and authentication mechanisms, by which access to specific systems, applications and data will be restricted to authorized users.
- In order to establish individual accountability for actions online and to implement access controls based on individual needs, every individual shall have a unique identifier or log-on ID for use in logging into patient care information systems.
- Users will be authorized to access and retrieve only that information for which they have a legitimate need to know.