MUSC Policy: Information Security - Encryption

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.312(a)(1) Standard: Access control
HIPAA Security: 164.312(a)(2)(iv) Encryption and decryption
HIPAA Security: 164.312(e)(1) Standard: Transmission security
HIPAA Security: 164.312(e)(2)(ii) Encryption

2. POLICY

If an MUSC System is used to create, store, process or transmit Protected Information, then the designated Owner of the System is responsible for ensuring that the System's mechanisms for encrypting data are sufficient to meet all legal, ethical and business requirements.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Scope and Appropriateness of Controls

The process of determining whether encryption is necessary, and the type(s) of encryption to be used within the System, should be guided by the System Owner's Risk Assessment. It may be necessary to encrypt Protected Information during storage, during processing, and/or during transmission over electronic communication networks.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Access Control
MUSC Policy: Information Security - Person or Entity Authentication

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.