MUSC Policy: Information Security - Data Protection

 TITLE: Information Security - Data Protection  ID:
 ORIGINATOR: Information Security Office  DATE: April 20, 2009
 REVIEWED: President's Council  DATE: January 26, 2011
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: January 26, 2011
 IMPLEMENTATION: Enterprise-wide  DATE: January 26, 2011

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.306(a) General requirements
HIPAA Security: 164.308(a)(ii)( A) Risk analysis
HIPAA Security: 164.308(a)(ii)( B) Risk management
SC Financial Identity Fraud and Identity Theft Protection Act of 2008

2. POLICY

Information in electronic form that is classified as MUSC Restricted or MUSC Protected shall, to the extent possible, be stored only in appropriately protected repositories within formally established and authorized information systems, and shall not be stored in end-user computing, storage, or communication devices (including but not limited to: desktop computers, laptops, tablets, PDAs, thumb drives, memory cards, or communication devices such as cell phones or smart phones).

In exceptional circumstances, there may be an unavoidable business requirement to store MUSC Protected information on an end-user device. In these circumstances, the Administrators, Users and Custodians of the device shall meet the baseline data protection requirements outlined in this policy.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Baseline Data Protection Requirements for End-User Devices

3.2.1. Minimization

The amount of MUSC Protected information stored on an end-user device shall be minimized at all times. The number of locations within the device where the MUSC Protected information is stored should be minimized, and the MUSC Protected information should be securely removed (purged) from the device as soon as it is no longer needed.

3.2.2. Inventory

A complete and accurate inventory of the MUSC Protected information that is stored on an end-user device shall be maintained, and stored independently of the device. The inventory should be kept in sufficient detail to permit MUSC's incident response team to identify the specific records that are at risk of unauthorized disclosure if the device is lost or stolen, or otherwise breached.

3.2.3. Encryption

Any MUSC Protected information that is stored on an end-user device shall be be stored only in an approved encrypted format. Encryption algorithms and procedures for storing MUSC Protected information must be approved by the Information Security Office.

3.2.4. Physical Security

End-user devices containing MUSC Protected information shall be kept physically secure by the User or Custodian who is responsible for the device. In particular, these devices should not be left unattended in any location where theft is a reasonably anticipated and avoidable risk.

3.2.5. Incident Reporting

If an end-user device containing MUSC Protected information is lost or stolen, the User or Custodian who is responsible for the device shall immediately report the incident. See Incident Reporting Procedure.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Asset Inventory and Classification
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Device and Media Controls
MUSC Policy: Information Security - Encryption
MUSC Policy: Information Security - Incident Response

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.