Equipment and Data Security

Updated: 5.21.08

Contents 1 Physical Security 1.1 Laptops and Other Portable Devices 1.1.1 Drive Encryption 1.1.2 Locking Devices 1.1.3 User Laptop Agreement 1.1.4 Use of Personal Laptops 1.1.5 Exceptions 1.1.6 Other Portable Devices 1.2 Desktops and Other Stationary Computer Equipment 1.3 Missing/Stolen Equipment 2 Data Security 2.1 Protected Health Information (PHI) Data 2.1.1 Storing PHI Data Securely 2.1.2 Encryption 2.1.3 PHI Data In Email 2.2 Virus Protection 2.2.1 Virus Protection for Macs 2.2.2 Virus Definition Updates 2.3 Screen Savers 2.4 Software Updates 2.5 Data Backup 2.5.1 NAS Backup Policy 2.6 Exceptions for Research Machines 2.7 Domain Membership

Physical Security

Laptops and Other Portable Devices

Drive Encryption

• All laptops hard drives must employ one of the following whole-disk encryption mechanisms:
  • Safeboot (Windows)
  • FileVault (Mac OS 10.3 or later)
• Minimum 128-bit key length.
• No exceptions for any laptop that is UT property will be allowed.
• Even with whole disk encryption, storage and use of transient sensitive or confidential data on a laptop/portable device should be purely temporary.

Locking Devices

• All laptop computers must have a hardware locking mechanism.
• All laptops must be physically secured in locked drawers/cabinets/etc. or by their locking mechanism when not in use, regardless of location.

User Laptop Agreement

• All personnel who are assigned a University provided laptop must sign a User Laptop Agreement.
• No lease or purchase requests for laptops will be approved until the responsible employee has signed this agreement

Use of Personal Laptops

• Any laptop or desktop computer used to do work for UT must meet the same Minimum Hardware and Software Requirements as university-owned machines.
• If a computer is not owned by UT, the owner will be responsible for purchasing licenses for the following required software:
  • SafeBoot - $35
  • Computrace - $90/three year subscription (only if the machine has a Computrace-enabled BIOS)
  • Locking mechanism - to be purchased at the expense of the laptop owner

• Staff and faculty requiring the use of a laptop to fulfill their duties should request and secure approval and funding for a laptop from their department if possible.

Exceptions

• Any exception to this should follow the IT Security exception policy found at http://www.uth.tmc.edu/itsecurity/policy/policyExceptions.html

Other Portable Devices

• Other portable devices may include but are not limited to all of the following:
  • PDAs
  • Flash Drives
  • Smartphones
  • Portable Hard Drives
• Because these devices are small and can easily be lost or stolen, confidential or protected data should never be stored unencrypted on a portable device.
• If sensitive data must be stored on such a device, the following precautions should be taken:
  • The device should not be left unattended
  • If the device must be left unattended:
    • All doors leading to the device should be locked
    • The device should be left in a locked drawer if possible, with the key in the owner's possession at all times

Desktops and Other Stationary Computer Equipment

• All stationary computer equipment must also be physically secured against unauthorized access
• Offices or areas with desktop computers should be locked when unoccupied
• Servers that are not accessed directly should be kept in the 3rd floor datacenter. Your LAN Manager will be able to help coordinate this with the systems group

Missing/Stolen Equipment

• If any computer equipment is missing or suspected stolen, contact your LAN Manager immediately. They will assist in taking all the necessary actions such as:
  • Contacting all department employees to make sure nobody has the equipment in question
  • Contacting UT Police if necessary
  • Filling out a missing/stolen equipment report
  • Contacting the proper authorities to notify them of potential loss of personal records

Data Security

Protected Health Information (PHI) Data

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines Protected Health Information as:

"individually identifiable health information that is related to the "past, present or future physical or mental health condition" of a person."

A full description of what is and is not protected can be found here.

Storing PHI Data Securely

• Always store PHI Data on a server in the secured portion of the network known as "Zone 100", such as the NAS
• There should never be PHI data on:
  • Desktop computers
  • Laptops
  • #Other Portable Devices
  • Removable media (CD, Floppy, Zip)

Encryption

If PHI Data must be stored somewhere other than a secured server for any reason, it must be encrypted using one of the following means:

• A flash drive that supports encryption such as IronKey, Corsair Padlock, or Kingston DataTraveler Secure
• A folder on a desktop computer encrypted using:
  • Encrypted Folder Services (Windows)
  • FileVault (Mac OS 10.3 or later)
• A laptop using disk encryption software such as
  • Safeboot (Windows)
  • FileVault (Mac OS 10.3 or later)

PHI Data In Email

• Any email containing PHI data must be encrypted using a UTHSCH Digital ID

Virus Protection

• All Medical School computers must have virus protection software installed.
• The Medical School has a site-license for McAfee Virus Scan which allows all faculty, staff, and students to install it on their work and personal computers.
  • The latest version of McAfee Virus Scan Enterprise is available here.

Virus Protection for Macs

• Mac users are responsible for providing their own virus protection, via either department or personal funds.
• MSIT suggests the following products for Mac users:
  • ClamXav - Free, open-source antivirus
  • McAfee Virex - $109.65/3 licenses, from the makers of Virus Scan.
  • Norton Antivirus - $49.95, Mac version of Norton's popular antivirus suite.

Virus Definition Updates

• PCs that are part of the UTHOUSTON domain generally have their virus definitions updated automatically. It is the responsibility of the user to manually keep definitions up-to-date on:
  • Research computers
  • Macs
  • Laptops
  • Computers kept at an individual's residence
  • Computers not owned by UT

Screen Savers

• All UT computers must have a password-protected screensaver.
• All PCs that are part of the UTHOUSTON domain have their screensaver activated and password-protected automatically. The screensaver will have to be manually activated and password-protected on:
  • Macs
  • Research machines
  • Laptops not joined to the domain

Software Updates

• All software, including operating systems, should have the latest updates to protect it from known vulnerabilities
• Most Windows computers will update automatically on Wednesday nights
• Macintosh users must use the Apple Software Update tool to download and install their updates
• Research PCs will not receive automatic updates, but should be updated via the Windows Update site at least once every month
• It is the responsibility of users of Macs and research computers to keep their operating systems and software up to date

Data Backup

• All data of any importance should be backed up on a regular basis
• Most important data can be stored on the Medical School's Network Attached Storage (NAS) device, which is backed up on a regular schedule (described below)
• For data that can not be stored on the NAS for whatever reason, there are several backup options, including:
  • External hard drive(s)
  • Tape backup system
  • CD/DVD-RW
• Any user who cannot store their data on the NAS for any reason should contact his/her LAN Manager to discuss the best method for keeping secure, reliable backups

NAS Backup Policy

• The UTHSC-H Medical School enterprise storage server commonly referred to as the

“NAS” is backed up according to the following schedule:

• • Full backups are performed monthly
  • Differential backups are performed weekly
  • Incremental backups are performed daily
• The retention period for “NAS” backups is 90 days.
• Full and differential backups are retained as long as an incremental dependency exists. For example, when the last incremental backup of the month is performed it will be retained for 90 days. The last

full, differential, and incremental backups performed prior to the last incremental will be retained until the last incremental retention period expires.

• Backups are removed offsite to a data safe at University Center Tower each Monday following a full or differential backup.

Exceptions for Research Machines

• The following medical school policies are currently automatically enforced by MSIT on all PCs through Active Directory:
  • Screensaver Passwords
  • Software Updates
  • Virus Protection
• Owners of research computers or their delegates may request an exception to automatic enforcement of these policies if there is a possibility of disrupting data collection/analysis/etc.
• The owner of the machine is still responsible for maintaining compliance with all MSIT policies, this exception only prevents updates and changes from being applied automatically
• In order for a research computer to be considered for exception, the owner or his/her delegate must fill out a Request for Exception to Medical School Group Policies Form and submit it to his/her LAN Manager
• Computers in the Research OU will be periodically audited for compliance with virus protection, screen saver, and software update policies

Domain Membership

• Unless granted an exception by a LAN Manager, all desktops and laptops at the Medical School must be joined to the UT domain
• Being joined to the domain offers several key benefits, including:
  • Single sign-on - the same username and password grants access to the computer, email, and network resources
  • Updates - MSIT can ensure that critical security patches and virus definition updates are applied in a timely fashion and are working properly
  • Shared resources - greatly simplifies sharing of resources such as printers, scanners, etc.
  • Recovery - forgotten UT passwords can be reset by the Helpdesk (x4848)