Transmission of Protected Information | UH Information Security

Whenever protected information is transmitted the sender must take care to secure that information and inform the recipient(s), including those involved in the delivery process, that the transmission contains protected information and must be secured.

Security of Paper Transmissions

When transmitting protected information on paper (via hard copy), the sender shall mark the envelope as “CONFIDENTIAL” as appropriate to minimize the chance of unnecessary exposure and shall similarly mark the documents as “CONFIDENTIAL” when feasible and appropriate.

Security of Digital Transmissions

Protected information shall be strongly encrypted whenever transmitted over public networks or carriers in digital form. This includes the transmittal of protected information via email, file transfers (SFTP), web transactions (HTTPS), instant messaging or terminal login sessions. The UH FileDrop service provides a secure mechanism for exchange of protected information.

Security of Fax Transmissions

When transmitting protected information by facsimile (fax), the sender shall ensure that the information is promptly retrieved and properly protected at both the sending and receiving locations, with telephone/email confirmation as appropriate.

Email and Protected Information

Given the very real possibility of an email message going astray due to human error or otherwise, transmission of protected information by email is strongly discouraged unless protected by strong personal end-to-end encryption (such as PGP, GPG or similar tools). Exchange of protected information over networks can instead be done using a secure file exchange service, such as the UH FileDrop utility, which enables the exchange of information using strong end-to-end encryption to or from members of the UH community.

When it is necessary to transmit protected information by standard email, the sender shall absolutely minimize the inclusion of protected information and take special care to ensure that the information is only received by authorized users. Both sender and receiver shall delete all copies of the protected information as soon as practicable, and the sender shall include a notice informing any recipient that the message contains protected information and requesting appropriate handling. Similar language shall be used when transmitting any protected information via the UH FileDrop service or other means.