Electronic Information Security – What Researchers Need to Know
University of California
Office of the President
Office of Research
May 2005
1
Federal, State and UC Rules re Information Security

- HIPAA Security Rule (45 CFR 160, 162, 164)
- California Confidentiality of Medical Information Act (Cal. Civil Code 56 - 56.16)
- California law governing information security breaches (Cal. Civil Code 1798.29)
- California law governing use of social security numbers (Cal. Civil Code 1798.85)
- UC electronic information security guidelines (Bus. & Fin. Bulletin IS-3)
2
HIPAA Security Rule – What is It?

- Federal Rule
- Requires healthcare providers and businesses to protect the privacy and confidentiality of electronic Protected Health Information (ePHI)
  - ePHI is patient health information that is stored, maintained, processed or transmitted in any electronic media, such as computers, laptops, disks, memory sticks, PDAs, networks, email.
3
HIPAA Security Rule – What’s Required?

- If you use ePHI in your research, you must meet the Information Security Standards
- What are the Information Security Standards?
  - Confidentiality – Information is not disclosed to unauthorized entities
  - Integrity – Information is not altered or destroyed in an unauthorized manner, and is transmitted accurately
  - Availability – Information is accessible and usable upon demand by an authorized person
4
UC Guidelines on Information Security - IS-3

Guidelines for campuses on:
- Technical, physical and administrative security measures
- Disaster recovery
- Information Security Program at every campus
- <http://www.ucop.edu/ucophome/policies/bfb/is3.pdf>
5
What are the Risks when Confidentiality is Breached?

- Risk to Human Subject of:
  - Identity theft, embarrassment, misuse of personal information, victimization in fraudulent scams
- Risk to Research of:
  - Loss of data and loss of integrity
- Risk to UC of:
  - Loss of trust; media attention to security lapse; litigation by subject; penalties; prosecution
- Risk to Investigator of:
  - Loss of data, time and money; embarrassment; media attention to security lapse; litigation by subject; internal disciplinary action; penalties; prosecution
6
How Do I Protect Electronic Information?

- Technical safeguards, e.g., passwords, encryption, archiving, anti-virus software (10% of Information Security)

AND

- Good Computing Practices, i.e., COMMON SENSE (90% of Information Security)
7
What are the Technical Safeguards?

1. Unique log-in access
2. Passwords
3. Workstation security
4. Portable device security
5. Data management, e.g., back-up and archive
6. Remote access security
7. Safe e-mail use
8. Safe Internet use
9. Report security incidents and stolen devices
10. Clean data off computers before recycling
8
Technical Safeguard: PASSWORD

- Don't use a word that is obvious or can be found in a dictionary. Every word in a dictionary can be hacked within minutes.
- Don't share your password.
- Don't let your Web browser remember your password.
- Use a minimum of eight characters containing at least one each of the following:
  - Uppercase letters ( A-Z )
  - Lowercase letters ( a-z )
  - Numbers ( 0-9 )
  - Punctuation marks ( !@#$%^&*()_+=- )
- Better yet, use a “pass-phrase” to remember your password:
  - MCp1t@DR! (My Cat purrs louder than a Dosco Roadheader!)
  - Jw1n,aDTtr! (Just what I need, another Dumb Thing to remember!)
9
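The password rules on this slide can be checked mechanically. The following is an added example, not part of the original slide deck and not a UC tool: it checks a candidate password against the slide's rules (eight or more characters, at least one uppercase letter, lowercase letter, number and one of the listed punctuation marks, and not a dictionary word) and shows the first step of the pass-phrase scheme, taking the first letter of each word and keeping the phrase's punctuation. The small word list is a constructed stand-in for a real dictionary; the character-for-digit substitutions in the slide's examples (l to 1, a to @) are the user's own choice and are left to the user here.

```python
import string

# Punctuation marks exactly as listed on the slide
ALLOWED_PUNCTUATION = set("!@#$%^&*()_+=-")
MIN_LENGTH = 8

# Constructed stand-in for a dictionary word list; a real check would load a
# full word list (for example the operating system's dictionary file).
DICTIONARY = {"password", "welcome", "research", "monkey", "dragon", "letmein"}


def check_password(candidate: str) -> list[str]:
    """Return the list of slide rules the candidate violates (empty = passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no number")
    if not any(c in ALLOWED_PUNCTUATION for c in candidate):
        problems.append("no punctuation mark")
    # Dictionary rule: the password with any leading/trailing digits and
    # punctuation removed, compared case-insensitively, must not be a word.
    # This catches "Dragon12!" as well as "dragon".
    core = candidate.strip(string.digits + string.punctuation).lower()
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def passphrase_initials(phrase: str) -> str:
    """First letter of each word, keeping the punctuation that ends a word.

    "My Cat purrs louder than a Dosco Roadheader!" -> "MCpltaDR!"
    The slide's versions then swap letters for digits/symbols by hand.
    """
    out = []
    for word in phrase.split():
        trailing = word[len(word.rstrip(string.punctuation)):]
        out.append(word[0] + trailing)
    return "".join(out)


if __name__ == "__main__":
    for phrase in ("My Cat purrs louder than a Dosco Roadheader!",
                   "Just what I need, another Dumb Thing to remember!"):
        initials = passphrase_initials(phrase)
        print(f"{phrase!r} -> {initials!r}: {check_password(initials) or 'passes'}")
    for pw in ("MCp1t@DR!", "Jw1n,aDTtr!", "password", "Dragon12!"):
        print(f"{pw!r}: {check_password(pw) or 'passes'}")
```

Running it shows why the slide's examples substitute a digit: the raw initials "MCpltaDR!" and "JwIn,aDTtr!" fail only the "no number" rule, while the slide's final "MCp1t@DR!" and "Jw1n,aDTtr!" pass every rule.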
Technical Safeguard: WORKSTATION SECURITY

- LOCK UP offices, windows, workstations, sensitive papers, laptops, PDAs, mobile devices and mobile media.
- LOG OFF before leaving a workstation unattended.
- AUTO LOG-OFF – Configure workstation to automatically log off and require user to re-log in if left unattended for more than 15 minutes.
- SCREEN SAVER - Set to 5 minutes with password protection.
10
Technical Safeguard: PORTABLE DEVICE SECURITY

In addition to Workstation Security measures:
- DELETE identifiable data when no longer needed
- Use up-to-date anti-virus software
- Install computer software updates
- Back-up critical data and software programs
- Encrypt and password protect portable devices

Refer questions to your Information Security Office
11
More PORTABLE DEVICE SECURITY Safeguards

Ask your Information Security Office about:
- Turning off your wireless port if you are not using it.
- Using a Virtual Private Network if you are using a wireless connection
- Installing a firewall
- Encrypting data during transmission.

Refer questions to your Information Security Office
12
What are Good Computing Practices? COMMON SENSE

- Do NOT use a portable device for storing ePHI, e.g., laptop, PDA, memory stick, cell phone
- If you do store ePHI on a portable device, either de-identify or encrypt the data
- Keep subject identifiers physically separate from de-identified data
- Once you are finished using ePHI on the portable device, delete it
- Do NOT use social security numbers as subject identifiers
- Do NOT transmit ePHI on the Internet
- Do NOT transmit ePHI by email
- If you must transmit ePHI on the Internet or by email be sure it is encrypted
13
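Three of the practices above (de-identify the data, keep subject identifiers separate from the de-identified data, and do not use social security numbers as subject identifiers) fit together into one routine. The following is an added example and not part of the slide deck or any UC system: it splits constructed sample records into a key file (random study ID to name/SSN/date of birth) and a de-identified dataset that carries only the study ID and the measurements, and it scans the de-identified records for anything that still looks like an SSN, which catches identifiers that were pasted into free-text fields. All names, SSNs and values are made up; field names such as `study_id` and `notes` are assumptions for the illustration.

```python
import re
import secrets

# Constructed sample records: fake names, fake SSNs, fake measurements.
SUBJECTS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-03-04",
     "bp_systolic": 128, "glucose": 101, "notes": "fasting sample"},
    {"name": "John Roe", "ssn": "987-65-4321", "dob": "1965-11-21",
     "bp_systolic": 141, "glucose": 118, "notes": "non-fasting"},
]

# Fields that identify a subject and must live only in the key file.
IDENTIFIER_FIELDS = {"name", "ssn", "dob"}

# Anything shaped like a US social security number, wherever it appears.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def new_study_id(existing: dict) -> str:
    """Random study ID; never derived from the SSN, and unique in the key file."""
    while True:
        candidate = "S-" + secrets.token_hex(4)
        if candidate not in existing:
            return candidate


def deidentify(records, identifier_fields=IDENTIFIER_FIELDS):
    """Split records into (key_file, deidentified_records).

    key_file maps study_id -> the identifying fields; the de-identified
    records keep the study_id and every non-identifying field. The two
    results are meant to be stored in physically separate places, with
    the key file encrypted.
    """
    key_file = {}
    deidentified = []
    for rec in records:
        study_id = new_study_id(key_file)
        key_file[study_id] = {f: rec[f] for f in identifier_fields if f in rec}
        clean = {"study_id": study_id}
        clean.update({k: v for k, v in rec.items() if k not in identifier_fields})
        deidentified.append(clean)
    return key_file, deidentified


def contains_identifier_fields(records, identifier_fields=IDENTIFIER_FIELDS) -> bool:
    """True if any record still carries an identifying field name."""
    return any(f in rec for rec in records for f in identifier_fields)


def ssn_leaks(records) -> list[str]:
    """Study IDs of records whose remaining values contain an SSN-like string."""
    return [rec["study_id"] for rec in records
            if any(SSN_PATTERN.search(str(v)) for k, v in rec.items() if k != "study_id")]


def reidentify(key_file, deidentified_record):
    """Join a de-identified record back to its identifiers (authorized staff only)."""
    merged = dict(deidentified_record)
    merged.update(key_file[deidentified_record["study_id"]])
    return merged


if __name__ == "__main__":
    key_file, clean = deidentify(SUBJECTS)
    print("key file (store encrypted, separately):", key_file)
    print("de-identified dataset:", clean)
    print("identifier fields left:", contains_identifier_fields(clean))
    print("SSN-like values left:", ssn_leaks(clean))
```

The `ssn_leaks` scan is the check that field-level splitting alone does not give you: a record whose `notes` field reads "prior SSN on file 123-45-6789" passes `contains_identifier_fields` but is reported by `ssn_leaks`, so the free-text field has to be cleaned before the dataset is treated as de-identified.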
More COMMON SENSE Good Computing Practices

- Use COMMON SENSE when handling individually identifiable information
- Do not leave sensitive or identifiable information lying around for anyone to read
- LOCK UP your equipment when not in use
- ENGRAVE a personal ID on your laptop or other transportable device so it is less likely to be stolen
- DO NOT share your password with anyone
- LOG OFF before leaving your computer
14
Campus Resource for IT Help and for Reporting Security Incidents

[http://www.ucop.edu/research/policies/data security/UC Security Officers HIPPA]
15