STORING SENSITIVE DATA
Survey of Sensitive Data Environment
All HealthTeam employees are required to complete the form for every computer used. Please read the information below and then complete the form here: http://shield.hit.msu.edu/sensitivesurvey.aspx.
Guidelines for Proper Storage of Data
Every Health Affairs department, unit, clinic, office or user that collects, uses, and/or maintains institutional and/or sensitive data must ensure that:
- The data are stored in a secure and confidential environment.
- The data are used only for the purpose for which they were collected.
- HIT guidelines for the disposal of data are followed according to IS policies.
Institutional data is defined as any data that is used in the day-to-day business of the University. Sensitive data is defined as any data that is mandated for protection by federal or state law, or whose loss could cause financial repercussions for the University, e.g. HIPAA, FERPA, or research data.
It is very important that there is no storage of any sensitive data on the hard drive of your assigned workstation. Instead, store this data on the P drive or a HIT supported server, both of which are assigned a greater level of security and daily backup of all files. Click here for a video tutorial on how to move files to your P drive.
Sensitive data should not be stored unencrypted on a University-owned hard drive or any laptop regardless of ownership.
Sensitive data should not be copied to or stored on smart phones, floppy disks, CD/DVDs, PDAs, non-encrypted USB flash drives, non-University-owned/-leased computing devices, or other portable storage or computing devices. Computer applications that require the use of institutional and/or sensitive data must access the data on a HealthTeam network server that is physically secured from access by unauthorized individuals, as well as protected against malicious software and unauthorized digital access.
Physical documents containing sensitive data should be stored in a restricted access area, such as an office with secure cabinets or a locked desk available on a limited basis.
Units must actively work to identify and remove sensitive data from local electronic files, databases, images, and paper documents unless approval to store the data has been granted by the HIT Security Officer or the Vice Provost of Libraries, Computing and Technology.
- This is further defined at http://lct.msu.edu/guidelines-policies in the "Guidelines for Internal and External Reporting of Data System Security Breaches 25 Feb. 09 [PDF]".
- All electronic Protected Health Information (PHI) must be accessed and stored only through Centricity/EMR, IDX or a HIT supported server.
- Sensitive data, such as Social Security Numbers, must be stored on your P drive as per MSU policy http://www.hr.msu.edu/documents/uwidepolproc/ssnprivacy.htm.
- If research data is not stored on any HIT or BRIC server, then it must be encrypted to be stored elsewhere.
- Report all suspicious computer behavior to HIT's Help Desk at 355-6531.