Policy update: Any unencrypted devices storing sensitive information must be approved
A recent revision to UMHS Policy 01-04-502, Security of Portable Electronic Devices and Removable Media, will help the health system better align with security requirements to protect our patients’ sensitive information.
Protecting information is vital in supporting our mission of providing the highest quality of care to our patients, who place their trust in us. It is our responsibility to ensure we have taken all the necessary steps to secure their information.
Therefore, all devices that store sensitive information must be encrypted. This includes all removable media or portable electronic devices used to store, transfer or access sensitive information. Such devices, whether personally or institutionally owned, include:
- Media players
- USB flash drives
- External disk drives
- Memory cards (SD cards)
- CDs, DVDs and other electronic, magnetic or optical storage media
For information on how to ensure your device is secured to meet this policy, visit the HITS Knowledgebase.
If your device cannot be encrypted and other secure storage solutions cannot meet your business need, an exception request must be submitted. The exception will be reviewed by the UMHS Chief Information Security Officer and the UMHS Compliance Office. If your request is approved, additional steps may still need to be taken to secure the sensitive information. To submit an exception request, complete the 01-04-502 Exception Request Form.
The changes to the policy will take effect Feb. 1. All devices without an exception in place will be in violation of this policy after this date.
Need more information? See this Compliance Office tip sheet for details about the encryption policy and its background, and see the HITS Knowledgebase for details on how to secure portable electronic devices and removable media.
Thank you for your cooperation in keeping our patient information secure!