Encryption

Overview

Encryption is a technique that uses mathematical calculations and shared secrets to encode information so that only authorized people can read it. The Medical Center uses encryption as a tool to protect highly sensitive data in the event that a device accessing that data is lost, stolen, or compromised.

Purpose

The Medical Center restricts the devices and media types on which highly sensitive data can be stored and the manner in which highly sensitive data can be accessed and transmitted. To ensure that sensitive data is protected in certain high-risk situations, the Medical Center authorizes the encryption standards described by this document. These minimum standards prescribe the information-encoding techniques that are secure enough to thwart unauthorized decryption attempts.

Scope

This standard applies to UVa Medical Center employees and customers and to any data deemed sensitive or protected that is processed or accessed by authorized Medical Center devices.

Description

Encryption Standards

Highly sensitive data is defined by University Policy IRM-003 to include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition or history of health services use (also see Medical Center Policy No. 0245: Minimum Necessary Use and Disclosure of Protected Health Information).

Sensitive Data and Individual-Use Devices

Highly sensitive data is not to be stored on individual-use electronic devices; this includes desktops, laptops, tablets, PDAs, smart phones, cell phones, and memory or storage devices such as USB thumb drives. Highly sensitive data required for an approved Medical Center purpose must be stored on a server secured by Health Information and Technology (HIT). Highly sensitive data found on individual-use electronic devices must be securely deleted.

Exceptions:

  • Users must obtain written approval from the Vice President or the CEO of the Medical Center to store highly sensitive data on an individual-use device. 
  • The device must use 256-bit or higher encryption technology to encode information stored on its hard drive, and the device must adhere to additional requirements as outlined in University of Virginia Policy IRM 003: Data Protection of University Information and Health System Policy IT-002 Use of Electronic Information and Systems.
  • Employees must adhere to the terms and conditions of the UVA Electronic Access Agreement, UVA HIT Online Access Request form, UVA Virtual Private Network (VPN) requirements, and other agreements authorizing access to and use of highly sensitive data.

Encryption of Stored Highly Sensitive Data

Since 5/30/16, individual-use electronic devices authorized for wired or wireless use inside the Secure Clinical Subnet (SCSN) must use 256-bit or higher encryption technology to protect all disk locations and files. As noted above, further written approval is required to store highly sensitive data on these individual-use devices.

Communication, Movement, and Transfer of Highly Sensitive Data

Medical Center computing users are responsible for highly sensitive data while it is in their custody on any individual-use electronic device (see Assigned Security Responsibility). Users are required to follow all University and Medical Center policies, standards, guidelines, and procedures regarding the safeguarding of highly sensitive data (see Protecting Sensitive Data and Medical Center Policy 0227: Protection of Electronic Information and Information Systems).

Use of USB memory and storage devices on UVA, Medical Center, and individually owned electronic devices must be performed as authorized in accordance with Health System policies, procedures, and standards (see the HIT Security Dell Data Protection Encryption guide). Likewise, use of Internet- and cloud-based storage must be performed as authorized by Health System policies, procedures, and standards (see the HIT Secure Cloud Storage Guide).

Because temporary files may be created, no highly sensitive data should be stored on, transported by, or accessed from any publicly shared device (airport kiosks, public Wi-Fi, conferences, seminars, home computers used by family members, etc.) unless the data is encrypted using 256-bit or higher encryption technology and accessible only by the authorized user. Access to and transfer of highly sensitive data over the Internet must use an authorized Virtual Private Network (VPN) tunnel or similar encrypted communications technology (see the HIT Virtual Private Network document).

Email communications between individuals and applications within the Secure Clinical Subnet (SCSN) are not required to use encryption (see Medical Center Policy No. 0193: Electronic Mail). Email communication devices such as smartphones and personal digital assistants (PDAs) must be authorized and encrypted in order to access the email system.

Questions or requests concerning methods for transferring or storing highly sensitive data can be directed to the HIT Help Desk at 434-924-5334.

Document Supporting Resources