Information Security Program
Home >> Guidance >> Policies

System Security Standard  Find out the standard ways to secure at system at UW Medicine

New Data Stewardship Training  Know your Role and Responsibilities for Confidential Information

How to Encrypt Computing Devices and Electronic Data  How do I encrypt?

Information Security Policies  Home of the Information Security Policies

Departmental Training Materials  Training materials for use in departmental education

Self Service Vulnerability Assessement  Find your Vulnerabilities

Frequently Asked Questions  Find Security related answers

Glossary of Terms  Information Security Term Definitions

Contact the Information Security Team  We are here to Help

Secure Remote Access  UW Medicine Networks Team

UW Office of the CISO  UW Chief Information Security Officers Website

Electronic Data Policy

Click here for PDF Copy

Department: IT Services

Policy Number: SP-01

Effective Date: March 1st, 2012

Revision Date:

Reviewer:

Purpose

This policy establishes UW Medicine requirements for protecting the confidentiality, integrity and availability of electronic data. It also addresses related regulatory requirements, and summarizes existing University policies as they apply to the use and protection of electronic data.

Applicability

This Electronic Data Policy applies to all electronic data associated with UW Medicine business; UW Medicine electronic data and all other electronic data that applies to the University of Washington must also comply with UW Data Classification.

Policy

All workforce members must comply with the UW policies and the following requirements governing the classification, use, handling, transmittal, storage, retention, disposal, and manipulation of UW Medicine electronic data.

Data Classification (DC)

In order to know what security controls to put in place on a system and to safeguard the electronic data; it must be properly classified.

Requirement: (DC-1) All data must be classified as public, restricted, or confidential in accordance with the UW APS 2.10 - Minimum Data Security Standards: Data Classification and Related Measures of Protection.

Data Storage (DS)

Based on the data classification; there are specific requirements around how electronic data can be stored on a computing system or mobile computing device

Requirement: (DS-1) All electronic data must be stored on a computing device with security controls sufficient for the protection of and by the class of the data.

Data Access (DA)

All user access to electronic data will be based on the "principle of least privilege".

Requirement: (DA-1) Access to electronic data must only be provided according to a user's job function. System Owners must ensure that user access is limited by job function and appropriate data access is granted based on the principle of least privilege.

Requirement: (DA-2) All workforce members that approve access for users must document the users access privileges that they approve.

Physical Security (PS)

All data that is not otherwise encrypted must be physically secured.

Requirement: (PS-1) Data centers and other areas where operational computer equipment with data is maintained or stored must be secured. Physical access controls and records must be maintained.

Data Removal (DR)

Person(s) who remove electronic data from its originating computing system are responsible for its confidentiality and integrity.

Requirement: (DR-1) Electronic data that is classified as Restricted or Confidential cannot be taken out of UW Medicine facilities without the workforce member's manager's approval (i.e. - supervisor, director, chair, dean, president).

Data in Transit (DT)

Electronic data in transit (e.g., email, "cloud" services, copying to removable media, text messaging, etc.) must be managed in a manner that prevents inappropriate access, data loss, or alteration. No matter what method is employed to transfer data from one place to another, these requirements must be followed.

Requirement: (DT-1) All Restricted and Confidential electronic data in transit must be encrypted or otherwise physically secured in a manner that prevents its theft or inappropriate use. This includes computing system to computing system communications via shared public networks.

For guidance on how to securely use UW email, please see our Email Guidance.

When possible, verification of receipt of the Restricted or Confidential information should be provided by the data recipient.

Data Backup (DB)

Electronic data is vulnerable to many different threats that may make it unusable. The computing devices that store the data may also become inaccessible at times when the data is needed.

Requirement: (DB-1) All electronic data must be backed up at a frequency that meets the business need for that data.

Requirement: (DB-2) All systems designed to retain electronic data must have operational and/or electronic procedures to support emergency mode operations should the electronic data become unavailable or in case of loss. Data retained on backup electronic media must be tested for use and integrity on a regular basis.

Data Disposal (DD)

Electronic data accumulates on computing devices and electronic storage media the longer they are in service. Much of the data used for job functions is considered Restricted or Confidential and may not be used by the next workforce member receiving that computing device.

Requirement: (DD-1) All Restricted and Confidential electronic data must be electronically erased, removed, or physically destroyed from all computing devices prior to recycling, reuse or reassignment in a manner which does not allow for its restoration with readily available resources.

Data Retention (DRT)

Many regulatory requirements and policies stipulate that data must be retained for a specific period of time for audit and record keeping.

Requirement: (DRT-1) Electronic data must be retained in accordance with its classification and type. Legal mandates and subpoenas for data will supersede local requirements should they be in conflict.

Data Integrity (DI)

In order for electronic data to be used properly for its intended purpose it must not be accidentally or inadvertently altered from its usable state.

Requirement: (DI-1) All electronic data must be checked for unauthorized changes according to its classification. Data with a higher criticality and classification must be verified in a manner consistent with its use and criticality.

Requirement: (DI-2) All electronic data must have safeguards in place to mitigate the possibility of unauthorized data alteration.

Policy Approval

This policy was signed and approved by:

  • Dr. James S. Fine, Chief Information Security Officer, UW Medicine
  • Johnese Spisso, Chief Health System Officer, UW Medicine & Vice President for Medical Affairs, University of Washington