Data/Record Storage and Security

Data/record security is critical. You should insure that all hard copy and electronic data is securely stored to prevent unauthorized access, disclosure, or loss. Hard copy records should be stored in a manner that limits access to only authorized individuals. For example, filing cabinets/areas should be locked and placed in secured/locked rooms.

  • Electronic data should be saved on a device that has the appropriate security safeguards such as unique identification of authorized users, password protection, encryption, automated operating system patch (bug fix) management, anti-virus controls, firewall configuration, and scheduled and automatic backups to protect against data loss or theft (http://privacy.ufl.edu/privacy/information-privacy-facts/). Researchers possess a strong sense of ownership for their data and consequently often manage their own computers.   Security controls necessary for computers can be very intimidating or bothersome, but we know that no one wants to be in the same position as this well-intended researcher:

Names, addresses and SSNs of 600,000 citizens from the state of California were exposed to a hacker who hacked a researcher-in-residence’s computer at UC Berkeley.  http://msnbc.msn.com/id/6328575/

  • Laptops, Personal Digital Assistants, removable hard drives, “jump” or “thumb” drives, CDs, DVDs and other portable devices and removable media are very convenient to ensure your data is always at your fingertips.  External hard drives are a cost effective and convenient way to back up your data. However all of these devices require encryption solutions if used to store Restricted or Sensitive data (e.g. identifiable health information).  If you need help understanding why, read on:

Names, addresses, medical record numbers and SSNs of 130,000 patients went missing when a hospital employee’s “thumb drive” (small storage drive the size of a pack of gum that plugs into a computer’s USB port) went missing.  The records could be read by Adobe Acrobat Reader and were not encrypted. http://starbulletin.com/2005/10/21/news/story05.html

  • The UF HSC Security Program for the Information and Computing Environment (SPICE) has created and identified several resources to help you secure your research computers.  You can discover all of the resources available from the SPICE Brochure.  More specifically:
  • All HSC departments have an Information Security Administrator (ISA) and an Information Security Manager (ISM) who are familiar with the security rules and resources available.  Find your Unit ISA and ISM by browsing here: UF Information Technology.
  • The HSC has published user friendly and readable one page security guidelines (SPICE EduGuides) on specific Security topics like Laptop, PDA, Removable Media, Password, Malicious Software Prevention and others.
  • Lastly, the VA also has additional, strict information security standards, such as prohibiting the use of any USB memory devices (you may not use external hard drives or jump drives, even if encrypted).