1.180 Data Security

Op10.04-23 Data Security

Purpose

To prescribe practices which secure electronic patient protected health information in compliance with federal law and best information management practices and in accordance with 45 CFR 164.530 ( c) (1) and (2), and 45 CFR Part 2.

Application

Applies to Missouri State University, its Health Care Components (HCC) and workforce

  1. Contents
    1. Definitions
    2. Data Security
    3. Sanctions
    4. Review Process
    5. Policy Control
  2. Definitions
    1. Computer Systems: Computers connected to local and statewide communication networks, database storage or electronic records systems, Internet or email.
    2. Missouri State Network: Electronic network allowing access to the Missouri State’s personal computers, facility-based systems, and centrally-based systems (e.g., AS/400, Windows 2000 Server, Mainframe, etc.) and electronic data.
    3. Local Area Network: Electronic network access allowing access to an individual facility’s electronic data and computers.
    4. Network attached computer: Any computer with access to a local area network and/or the Missouri State network.
    5. Missouri State Workforce: Includes employees, volunteers, contract workers, trainees and other persons who are in a Missouri State facility on a regular course of business. This shall include students, faculty and staff employed by Missouri State or any of its facilities.
    6. Patient: Any individual who has received or is receiving services from a facility operated, licensed, certified or funded by Missouri State University.
    7. Restricted Access: Computer systems with access limited to specific systems, activities, or files.
    8. Security Officer (University Security Officer): Individual designated by Missouri State to oversee all activities related to the development, implementation, maintenance of, and adherence to University and facility policies and procedures covering the electronic and physical security of, and access to, protected health information and other Missouri State data in compliance with federal and state laws and regulations. 
    9. Media: Backup tapes, hard drives, floppy diskettes, CDs, DVDs, zip drives cartridges, optical, and paper hard copies.
    10. Protected Health Information (PHI): Individually identifiable health information. See HIPAA Procedure 1.005, 1.b. and c.
  3. Data Security
    1. Users shall be automatically logged off their workstations after a maximum period of 15 minutes of inactivity.
    2. Access to Missouri State networks from public networks shall be protected by access control systems such as firewalls, access control lists, and user authentication under the auspices of designated Missouri State IT staff.
    3. Designated Missouri State IT staff shall back up all PHI and other business-essential data nightly.
    4. Designated Missouri State IT shall ensure that all media has been thoroughly cleansed of any client data before the media is surplused or disposed of.
    5. Access to media containing client data shall be controlled, by designated IT staff through:
      1. Access control lists to network media;
      2. Physical access control to Missouri State hardware;
      3. Purging Missouri State data on any type of media before it is surplused or discarded; and
      4. Storage of data on media that is backed up.
    6. Designated staff in the Office of Information Technology shall maintain an up to date Standards List which prescribes appropriate procedures and practices for data security purposes
    7. Virus protection for the Missouri State network shall be maintained by designated IT staff, pursuant to the Missouri State virus protection procedures listed below.
      1. Email Servers. All Missouri State email servers shall be protected using the email-specific anti-virus software.
      2. Network and Member Servers. All network and member servers shall be protected using the anti-virus software.
      3. Workstations, Laptops, PDAs. All workstations, laptops or any other device that connects to the Missouri State network shall be protected using the anti-virus software for that device listed on the Missouri State Standards List and installed by designated IT staff.
      4. Virus Signature Updates
        1. Anti-virus server software shall be configured by designated IT staff to check for virus signature updates daily.
        2. Anti-Virus PC, Laptops. Software will check for virus signature updates daily from the master console of the anti-virus program, as a result of IT staff actions.
        3. Special virus signature updates created in the event of a known virus, will be provided by designated IT staff to all servers, PCs and laptops when reconnected to the network or within 24 hours of the time the receipt of the update has been received at the master console.
      5. Software Updates. Anti-virus software shall be kept by designated IT staff at the current release or no more than one release below the most current release version.
      6. Software Support. The Missouri State Director of Computer Services shall maintain a support contract with the anti-virus software vendor(s) to ensure uninterrupted support.
      7. Attachments. To avoid potentially virus-carrying attachments, designated Missouri State staff shall not allow certain types of attachments, such as executable and JPEG files to automatically pass through email as defined by the computer services IT standards.
    8. Missouri State workstations shall be situated by respective designated staff to minimize more than incidental observation of work product.
  4. Sanctions. Failure of workforce members to comply or assure compliance with this procedure may result in disciplinary action, including dismissal.
  5. Review Process. The University Security Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.

HISTORY: Effective March 21, 2003