Information Security and Privacy - July Tip
The New Health Sciences Encryption Policy
The following is a quick breakdown of the new encryption policy, with answers to some of the most frequently asked questions:
Encryption Policy:
· All Health Sciences Center departments/units need to maintain an accurate and up-to-date inventory of University-owned IT assets.
· All University-owned laptops (within the HIPAA covered entity) are required to be whole-disk encrypted (WDE) no later than August 1, 2012.
· All USB thumb drives or other mass USB storage devices used in the course of University business must be encrypted no later than August of 2012.
· Encryption is also required for personal computers and electronic backup media used to conduct University business.
· Network transmission of electronic protected health information (PHI) must be encrypted if that data leaves the Health Sciences Center’s network. (Be careful when forwarding email.)
· Encryption on Mobile “Slate” Devices/Smart Phones (iPads and similar devices, iPhones, Android Phones, BlackBerry, etc.) will not be required at this time; however, the devices must be protected with a passcode. If the device is lost or stolen, the user of the device should contact the Help Desk immediately at 587-6000 for assistance with remotely wiping the device.
Encryption Policy FAQs:
1. What does "owned by the University" mean?
Owned by the University means the device was purchased with University funds or grant monies, donated to the University, or obtained by the University - regardless of how much the device costs.
2. I understand that only departments within the HIPAA covered entity are required to encrypt their laptops, USB drives, and personal computers. How do I know if I am in the HIPAA covered entity?
Most departments within Health Sciences are within the HIPAA covered entity. If you are unsure, you can e-mail ispo@lists.utah.edu and we'll let you know.
3. What is required by the August 2012 deadline?
All University-owned laptops and all USB drives must be encrypted regardless of their intended use and the data that resides upon them, AND department managers must verify these devices are encrypted.
4. Where can I obtain an encrypted USB drive?
They can be obtained from http://uuhsc.utah.edu/asset/ or a local computer reseller.
5. What about faculty who have to deliver presentations via a USB drive at conferences? Won't the encrypted USB drive cause some added inconvenience?
Yes, it will cause some added inconvenience, but the inconvenience is much less than a breach would be for our patients and organization.
6. What if people bring personal USB drives to work for non-work purposes (such as completing their homework)?
We do not recommend permitting USB thumb drives to be used for non-work-related purposes. Any USB thumb drive that is plugged into a University computer must be encrypted.
7. Do people have to encrypt personal computers if they only access Citrix (aka "Application's Portal" or "Citrix Access Gateway") or "remote in" via RDP?
No, personal computers do not have to be encrypted if they only use Citrix or RDP to connect to the University's network.
8. Do people have to encrypt personal computers if they only use the VPN?
Yes. The VPN allows for opening and caching of files on personal computers, so devices that utilize the VPN must be encrypted.
9. What IT assets must be inventoried?
Departments should inventory desktops, notebooks, laptops, servers, network devices, printers, monitors, and any smartphones owned by the University. The inventory should include device type, serial # (if it has one), make, model, last known location, and user. It must be robust enough to identify assets that are missing (lost, stolen, etc.). The inventory should be audited on a routine basis to ensure all assets are accounted for.
10. For a copy of the Health Science Encryption policy, please go to: http://intranet.uuhsc.utah.edu/standards/HSC/HSC%20Encryption%20Policy.pdf.
For more FAQs and encryption information, see: http://www.secureit.utah.edu/computer/encryption/index.html