Use and Storage of Protected Information

Limited Use and Storage

Protected information should be stored only where it is specifically required and in as few systems as possible.

Security of Systems with Protected Information

Systems on which protected information is stored must minimally comply with all basic computer security standards including diligent attention to application of all available security patches to operating systems and software, maintenance of up-to-date anti-virus protection, implementation of secure password controls, etc. Standard logs must be maintained, minimally of all access to files, with a retention period not less than one year.

Unencrypted protected information shall be stored only on systems that are housed in secure and controlled environments. Where desktop systems can access protected information, they must not be set to log in automatically without entry of a password, must not be left logged in on an unattended basis, and must not be available for casual perusal by unauthorized individuals.

Encryption and Physical Security of Protected Data in Mobile Formats and Storage in Cloud Environments

Protected information stored on any environment, system or media that is subject to loss or theft — including laptops, USB drives, diskettes, CDs/DVDs, personal computers, departmental servers, and cloud environments — must be encrypted whenever not in active use.

Encryption is highly recommended for all other systems as well, whenever feasible. Systems susceptible to theft should also be physically secured, e.g. with use of secure laptop cables, whenever possible.

Decoupling of Personal Information

Wherever possible, such as for any research studies, protected data must be decoupled from all personally identifiable information. If it is necessary to maintain such linkages, a unique identifier should be used to “crosswalk” protected research information back to personal identities and the crosswalk table itself shall be protected as protected information and encrypted separately from the data.

Security of Non-Electronic Information

Paper documents and files containing protected information must be secured at all times. Such documents shall not be left in open view on desks and when not in use must be stored in secured areas or locked files with access limited to authorized users.