Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 11 - Device & Media Controls

 

Title: Electronic Media Disposal & Re-use Policy: SEC-11.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.310(d)(2)(i)
Standard: Device & Media Controls Responsibility: Health Care Components
Effective Date: 04/20/2005
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

The purpose of this policy is to address the appropriate protection of sensitive electronic information (SEI) when it is stored, transferred or accessed on portable devices such as: Laptops / PDAs / Smart Phones (devices with operating systems) or removable media such as: USB Flash drives / Memory cards / Floppy Disks / CDs / DVDs. This policy is not intended to address non-classified data.

This policy covers all OSU-owned, leased, or managed portable devices or removable media.  At the discretion of the organization, it also may apply to any third-party (e.g., staff member or contractor) owned or managed devices or media as a pre-condition for being granted authorization to OSU-managed SEI.
Policy

OSU will implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.  §164.310(d)(2)(i)

OSU will implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.  §164.310(d)(2)(ii)

Measures must be followed on hardware and software installations as well as user conduct to ensure that the integrity and security of the data is not compromised.  All electronic media that is to be decommissioned or repurposed must have all PHI removed so that no private or confidential information is retrievable from the media according to Department of Defense decommissioning and NIST standards.  Electronic media includes, but is not limited to, tapes, hard drives, solid state storage units, compact disks (CDs), and thumb drives.  If the media cannot be sanitized, such as with CDs, the media must be physically destroyed.  The purpose of this policy is to outline the precautions to protect data that is stored on all electronic media.

The workforce shall take all reasonable and prudent measures to ensure the safety and confidentially of all Sensitive Electronic Information that is downloaded to any removable media or portable device. e.g. PDA, laptop, etc.  Reasonable measures include but are not limited to: storing large files and databases only on network shares, password protecting sensitive files or using an approved encryption method.  

The workforce shall take all reasonable and prudent measures to physically secure all removable media or to portable devices.  Users shall not open or attempt to open the encasement of any removable media or portable devices nor otherwise circumvent any lock system that secures the device or its components.  User should take reasonable measure to secure device at all time and report any lost or stolen removable media or portable devices immediately.
Procedure

Hardware
Desktops and laptops are to be configured by Information Technology personnel before they are installed.  Configuration is defined by the Information Technology Department.  Users must call the Help Desk for assistance from Information Technology personnel in disconnecting and reconnecting the desktop in the event of an office move.  The Inventory Transfer form must be complete before the move to ensure that moveable equipment inventory (MEI) will contain the correct location of the device.

All OSU campuses are responsible for tracking inventory. 

When any computing device (desktop, laptop, printer, etc.) has lived out its useful life or is being repurposed, the user must complete a Fixed Asset Disposal Request form or a Fixed Asset Transfer Request form whichever is applicable and send the completed form to the Purchasing Department.  Purchasing department personnel will arrange with the Facilities Department to retrieve the equipment. All servers, desktops and laptops are delivered to I.T. for decommissioning of the hard drive.  Appropriate computer personnel will eliminate all data from the hard drive to the DOD & NIST standards before the hardware is moved, salvaged, or auctioned.  Hard drives that cannot be decommissioned are physically removed and destroyed.  A Computer Decommissioning/Sanitation Form will be completed for each laptop and desktop hard drive that is decommissioned.  A copy of the Decommissioning/Sanitation Form will be attached to the desktop or laptop.  A copy of the Decommissioning/Sanitation Form and the Inventory Disposal Form are made and kept in the I.T. department records.  The originals of the Inventory Disposal Form and the Decommissioning/Sanitation Form are sent to the Purchasing Department. A log is maintained of all sanitizing actions identifying the media owner, media type, date of completion, and the name of the staff member or members who perform the sanitization.  If IT receives a Hard Drive from a vendor for destruction, IT will make a best effort to appropriately complete the Computer Decommissioning/Sanitation Form.

Software

Information Technology and associated vendors will be the only individuals approved to install operating or application software on the network.  Users must call the Help Desk to request the installation of software for their desktop or laptop.  Proof of licensing will be required before the software can be installed.  If a user requires assistance with removing desktop software, they should call the Help Desk for assistance.  Any permanent backups required of the desktop/laptop will be the responsibility of the user.  If a software package that is installed on the network becomes obsolete the removal request should be made through the Help Desk.  Information Technology will ensure that no one is referencing the software and make the necessary permanent backups before removing the software.

 

Media

The media used in creating the official backup will be housed in locked computer rooms on the appropriate campuses.  Information Technology personnel will be handling the transport of this media to its off-site storage location.  Refer to Contingency Planning Backup for details.

Media that is obsolete, has been requested to be destroyed, and that cannot be sanitized as described above under the hardware procedures should be sent to I.T. for destruction.  A log is maintained of all destruction actions identifying the media owner, media type, date of completion, and the name of the staff member or members who perform the destruction.

Users must protect their data and files by preventing unauthorized access.  Users must protect their storage media by not leaving their storage media lying around and locking up their storage media. Users must not make copies of data files with identifiable data or data that would allow individual identities to be deduced unless specifically authorized to do so.

Reference

Setting Up Users’ PCs

Fixed Asset Transfer Request

Fixed Asset Disposal Request

Contingency Planning Backup


top of page top

 

Title: Accountability–Tracking Equipment and Media Movement Policy: SEC-11.02
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.310(d)(2)(iii)
Standard: Device & Media Controls Responsibility: Health Care Components
Effective Date: 04/20/2005
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

Define procedures for tracking the movement of electronic media and equipment in order to comply with Federal and state statutes regarding the privacy and confidentiality of medical, financial, research, and personnel information.

Policy

OSU will maintain a record of the movements of hardware and electronic media and any person responsible therefore.  §164.310(d)(2)(iii)

Electronic media and equipment must often be moved due to office relocation, equipment upgrades, vaulting of media for disaster recovery, and other issues.  A paper and/or electronic log specifying the location of the device is to be maintained at all times.

Procedure

The physical movement of such items is to be coordinated through the Information Technology Department.  They will be responsible for maintaining a log, either electronic or paper, tracking the movement of electronic media and equipment, including software.  This log will also identify the individuals who have access to such media and equipment once the item(s) have moved.

To facilitate the maintenance of the tracking log, all movement of media and equipment must be coordinated through the Information Technology Department.

Individuals are forbidden to remove any equipment from their offices or the campus, unless explicitly approved by his/her supervisor and the HIPAA Compliance Office.  The data and equipment are OSU property and no employee is entitled to it for personnel use.

If an individual moves to another position within the University, the equipment will not move with him/her, unless explicitly approved by the supervisor, IT and HIPAA Compliance Office.

The HIPAA Compliance Office will create a tracking template for use across all campuses.  Copies of the logs must be filed with the compliance officer at least quarterly.

Reference

Disposal and Re-use of Electronic Media
Employee Termination Procedures
Personnel Security Policy and Procedure
Physical Access Control Policy and Procedure
Application Archives
Electronic Backups


top of page top

 

Title: Data Backup and Storage Policy: SEC-11.03
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.310(d)(2)(iv)
Standard: Device & Media Controls Responsibility: Health Care Components
Effective Date: 04/20/2005
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

Ensure continued operations in the event of a natural disaster, equipment failure and/or accidental removal of files and support the need to retrieve archived information.          

Policy

OSU will create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.  §164.310(d)(2)(iv)

Measures will be taken to create backup copies of all mission-critical data utilized on the network.  Mission-critical data is defined as any user-generated data or file configurations stored on the production network.  Methods are implemented for authorized users to gain access to the backup data quickly.  These procedures are updated to coincide with changes within the Center for Health Sciences and OSU Tulsa.  Offsite storage is utilized for critical tapes and documentation.  Access to the offsite storage and contents is documented and understood by responsible Information Technology personnel

Procedure
Responsibility of Information Technology

Two employees from each campus are assigned the responsibility of ensuring the completeness of the backup process each day, reporting any failures and taking appropriate action to correct any problems.  One will have the primary responsibility of performing this function on a daily basis and the other will complete the operation in the absence of the primary.

One complete backup excluding the system drive will be captured after close of business on Friday followed by four incremental backups after close of business Monday through Thursday.  Systems drives will be copied to tape when a server is installed and/or patches are applied.  Full backups are completed on the email servers and clinical medical servers each night.

Information Technology personnel will ensure that every Saturday morning a full backup is done on certain parts of each server, this may include all or part of each respective server.  Sunday through Friday, incremental backups will be done.  All backups will be retained for one (1) year.  January’s backup is to be retained for seven (7) years.  At the first of every month full backups are to be done.  All servers are housed in the OSU-Tulsa campus, all backup devices are housed at CHS, as a result, the off-site storage is already in place.  The remaining incremental tapes are reused every 90 days.  Full backup tapes are reused every 32 days. A paper log will be kept stating which tape(s) are pulled noting the tape name, serial number and date.

A list of devices and drives can be found in the Information Technology Operating Manual under Backup Schedule.

Responsibility of User

The user is responsible for maintaining copies of data stored on users’ computers.  In the event that a data file needs to be restored the user must call or email the help line with the request.  The restoration of the file(s) will be completed within a 24-hour time frame.  There is to be no PHI stored on the user’s computer.  If a user request’s a restoration of a file that does contain PHI, the HIPAA Compliance Office will be notified immediately, and the user may receive appropriate training and/or sanctions if necessary.


top of page top

 

Title: Electronic Portable Media Policy: SEC-11.04
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.310(d)(1)
Standard: Device & Media Controls Responsibility: Health Care Components
Effective Date: 6/1/2012
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

Define procedures of all electronic media use within OSU and to comply with Federal and state statutes regarding the privacy and confidentiality of medical, financial, research, and personnel information.

Definition

Electronic Portable Media in this instance includes but not limited to Smartphones (iPhone, Android, Blackberry, etc.) PDA, MP3 players, tablets, cell phones, e-Readers, etc

Policy

All OSU employees who use an Electronic Portable Media Device for work purposes, whether the device is the employees personal device, or an OSU owned device, and also stores OSU’s medical, financial, demographic, research, personnel information and/or OSU email on the device, are to ensure it has a security locking mechanism in place, No Exceptions.

Procedure
  1. Users must protect their data and files by preventing unauthorized access. 
  2. Users must protect their portable media by not leaving their Electronic Media Device lying around and locking up their portable media device.
  3. Users must not make copies of data files with identifiable data or data that would allow individual identities to be deduced unless specifically authorized to do so.
  4. Transmission of ePHI must follow OSU Policy SEC–16.01 & 16.02 and PRV-01.18 Use-Disclosure in Social Media
  5. Usage of Electronic Portable Media for uses stated in the policy section above are to be used only as a means of last resort, and if the employee can avoid such usage the employee is highly encouraged to do so.
  6. All users/employees are solely responsible for the protection of their device and the content thereof.
  7. If a user/employee loses their device or is a victim of theft of their Electronic Portable Media device and it contains OSU data or is suspected it may contain OSU data, the user/employee is to notify the HIPAA Compliance Officer immediately upon realization of the loss.
  8. Refer to SEC-01.03 Sanctions Policy for next steps.
Reference

Encryption & Email, Texting
Use/Disclosure In Social Media
Fixed Asset Transfer Request
Fixed Asset Disposal Request
Contingency Planning Backup


top of page top

 

OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube