Requirements and procedures are in support of governing CU Policies and CUIMC Information Security Procedures.
Computers and any other devices that access information electronically will store it in some manner, whether permanently or temporarily, in locations that may not be obvious to the average user. This can include:
- Email (including any attachments) on a computer, smartphone or other device
- Documents, spreadsheets, images, etc. on a computer or network drive
- Backups or copies stored on removable media such as USB keys, CDs or DVDs, or external drives
- Records and information accessed via login to a program
- Cached data stored on a computer's hard drive or any other device
Requirements
Adequately protect data according to its classification level
Columbia University's Data Classification Policy covers requirements for types of data based on their level of sensitivity. The policy applies regardless of format, to any data being processed, stored and/or transmitted.
Common examples are listed below for convenience only and are not all-inclusive. Be sure to read and understand the full policy as well as any appendixes. Files containing mixed levels of data must be treated at the highest level of sensitivity.
NOTE: Data provided by the U.S. Centers of Medicare and Medicaid Services (CMS) must follow additional procedures.
- Sensitive Data - Any information protected by federal, state and local laws and regulations and industry standards, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the U.S. Family Educational Rights and Privacy Act (FERPA), the New York State Information Security Breach and Notification Act, similar state laws and the Payment Card Industry Data Security Standard (PCI-DSS). Examples include but are not limited to:
  - Personally Identifiable Information (PII) - SSN, credit card, bank account numbers
  - Protected Health Information (PHI) - medical history, medical charts, X-rays
  - Research Health Information (RHI) - personally identifiable data used in research that isn't considered PHI
  - Student Education Records - "Directory information" such as student's name, address, degrees and awards, subject to certain requirements as specified in FERPA
For more guidance see Encryption Best Practices and how to identify PHI and PII data.
- Confidential Data - "Information that is contractually protected as confidential by law or by contract and any other information that is considered by the University appropriate for confidential treatment." Examples include personnel and payroll records, unpublished research data, applicant financial information, student education records, non-public intellectual property, and more.
- Internal Data - "Any information that is proprietary or produced only for use by members of the University community who have a legitimate purpose to access such data." Examples include internal operating procedures, memos, reports, emails, and technical documents such as system configurations or floor plans, etc.
- Public Data - "Any information that may or must be made available to the general public, with no legal restrictions on its access or use." Examples include publicly posted press releases, University maps, newsletters, statements or reports filed with federal or state governments and generally available to the public, and directory information under FERPA.
Protection of Data
Data must be protected according to its level of classification regardless of where/how it is stored. The following policies detail specific requirements such as password protection, encryption, updates, backups and more:
Storage providers
OneDrive for Business at CUIMC may be used as outlined. Other commercial hosting services (e.g., Dropbox, Apple iCloud, etc.) do not have a signed Business Associates Agreement with CUIMC to protect data containing PHI as required by policy. Allowing a non-approved vendor to store, transfer, process or access data containing this type of information is strictly prohibited.