The University of Puget Sound (Puget Sound) recognizes the critical need for privacy when it comes to Protected Health Information (PHI) and complies with the Health Insurance Portability and Accountability Act (HIPAA). Drawing on industry best practices and the requirements of federal law, the university has implemented a series of multi-layered security controls to protect the integrity, reliability, and confidentiality of data.
A sample of key security controls in place:
- The university conducts a periodic risk assessment of information technology assets, defining risk level, potential impact, and probability.
- The university network is protected by firewalls and intrusion detection services. Rules on these devices and services are set to deny all traffic by default, and "allows" are written as exceptions. These devices are updated as appropriate through a change management process and evaluated to ensure the appropriate level of protection based on the sensitivity of the data.
- Servers are housed within a secured network operations center (NOC). The NOC has environmental controls (fire, water, temperature) and is accessible only by authorized personnel. In the event of a power outage, the NOC draws power from an uninterruptible power supply (UPS) and a backup generator.
- Servers are configured based on industry standard best practices. Only authorized, trained system administrators have administrative privileges. System administrators monitor security mailing lists and sites and update systems as appropriate. Servers are evaluated periodically, and any identified vulnerabilities are assessed and managed. PHI written to any server is scanned by host-based anti-virus software.
- Administrative privileges of information technology personnel are revoked upon termination from the university.
- Most university PHI is stored outside the institution either with the various insurance providers or health care delivery services. Should the university maintain PHI data, information is stored on the university’s Enterprise Resource Planning (ERP) system, a separate server infrastructure with limited access and additional security controls.
- To the extent that university PHI is transmitted electronically to insurance providers or business associates, data is stored in a compressed, encrypted file with a secure password before being sent. Daily backups are stored in a tiered structure for disaster recovery purposes and include local and off-site storage. Off-site data is encrypted to prevent compromise and can only be retrieved by authorized personnel.
- No access to data is granted without prior authorization from the appropriate representative in the department responsible for that data.
- Desktops and dedicated laptops are configured based on industry standard best practices. Machines are configured such that the file system and all stored data are encrypted. Machines have current anti-virus and anti-malware software with updated virus and malware definitions. Desktop authentication and access to network services are centrally managed. Patch maintenance is also centrally managed in order to update system security and provide application / system updates.
- Security policies are drafted by Technology Services staff and reviewed with various technology committees before being approved by the Chief Information Officer / Associate Vice President for Technology Services and the President’s Cabinet.