Data Storage Guide - Where to store your data
How to use this guide
This guide defines the data sensitivity level in terms of color. Match the color of the type of data with the service name that corresponds to the data sensitivity approved by the service. If your project has multiple classifications of data, choose the service that supports your most restricted classification. For example, Surgery’s network storage is approved for Restricted Data (PHI) and that approval extends to all other data classifications.
Color Table:
Restricted Data (Red) | Sensitive Data (Yellow) | Internal and/or Public Data (Green) | Use with Extra Precautions (Blue) | Unsupported but In Development (Grey)
Service Name | Description | Recommended For | Data Protection and Security | Notes |
Surgery Network / LAN | Internally hosted and controlled data volumes. Data is encrypted at rest and physically secure. Users access the data via lettered drives (F:\ etc.) on managed workstations and via our secure Citrix services for remote access. | Fast storage and retrieval, internal sharing with other Dept. of Surgery employees, and long-term storage of all types of data including PHI. | Data backed up daily and supplemental tape backups stored offsite for a minimum of 7 years. File salvage allows recovery of accidental deletions with the help of Surgery IT staff. Users have unique accounts that allow them to only access data for which they have been authorized. | Access internally on a Department of Surgery computer with Surgery credentials. Access externally using the campus VPN (Global Protect) on a Surgery supported computer. Requires additional configuration by Surgery IT staff. Alternate external access is Surgery Remote (https://remote.surgery.wisc.edu) or through a supported Remote Desktop connection. |
Restricted Drive | 5TBs of UW-Madison provided data storage for PIs. Managed by campus and permissions controlled by UW-Madison NetID. This is the version of Research Drive that supports PHI. | Long term bulk storage of data including PHI. | Data stored on Research Drive is automatically backed up daily and replicated offsite for additional data protection. Snapshots are taken once a day and kept for 14 days and then weekly snapshots are kept for an additional five weeks. | Please consult with Surgery IT prior to requesting the service. The request is a joint venture between the Requestor, Surgery IT, and the Office of Cybersecurity. For additional details, see Restricted Drive FAQ. |
UW-Madison funded file storage and collaboration service to store PHI. It is available for UW–Madison staff to share PHI data with collaborators when a departmental solution is not available. The amount of data storage available is less than 50GB. | Store and share small PHI data sets with approved internal and external collaborators. | High security settings and tracking done by your local IT Department preventing outside entities from accessing your PHI. | Please consult with Surgery IT prior to requesting the service. The request is a joint venture between the Requestor, their IT department, and the Office of Cybersecurity. |
Service Name | Description | Recommended For | Data Protection and Security | Notes |
ELN (Electronic Lab Notebook)* | UW-Madison provided Lab Archives notebook. | High-availability data across multiple devices via web-friendly interface. | PHI compliant when secured through Office of Cybersecurity. | ELN service description. |
Research Drive | 5TBs of UW Madison-provided data storage for PIs. Managed by campus and permissions controlled by UW Madison NetID. | It is suited for a variety of research purposes, including backup, archive, storage for data inputs/outputs of research computing. Share data with anyone on or off campus using campus-managed permissions. | Security features based on the NIST Cybersecurity framework including off-site backups, encryption and monitoring by the Cybersecurity Operations Center. | Please consult with Surgery IT prior to requesting the service. The request is a joint venture between the Requestor, Surgery IT, and the Office of Cybersecurity. For additional details, see Research Drive FAQ. |
Sharepoint* | SharePoint is a web-based collaborative platform that integrates with Microsoft Office software. Up to 2TBs of storage per site. | For team and division file storage, collaborative file editing, lists, and document libraries. | Data protected on Microsoft’s storage platform. Deleted files remain in site Recycle Bin for up to 60 days. | Accessible via browser, desktop client, tablet, and mobile devices with NetID login. |
OneDrive | OneDrive is a cloud-based hosting service operated by Microsoft. It allows users to store up to 2TB of data in the cloud. Files can be synced to a PC and accessed from a web browser later. | Users can share public data with other non-UW users. | Files stored in OneDrive are only visible to you unless you decide to share them. | Accessible via browser, desktop client, tablet, and mobile devices with NetID login. |
Service Name | Description | Recommended For | Data Protection and Security | Notes |
Box | With Box users can store and share documents, photos, research materials and other files for collaboration. Box also allows users to simultaneously edit Microsoft Office documents. | Share or store public data with a max capacity of 50 GB. Great for collaborating. | | Accessible via browser, desktop client, tablet, and mobile devices with NetID login. |
G Suite (Google) | G Suite is a collection of cloud-based productivity apps and collaborative tools. These apps include Google Drive, Docs, Sheets, Hangouts Meet, Hangouts Chat, and more. | Unlimited data storage for public data. | Should not be used by users interacting with electronic PHI protected by HIPAA regulations. | Accessible via browser, tablet, and mobile devices with NetID login. |
Portable Devices | See Portable Devices section below. | | | |
Affiliates (AWS, GCP, Azure, SSCC) | These are in development and will appear in future iterations of this document. | | | |
Not supported | Dropbox, iCloud, Personal Cloud Storage services | | | These services are not licensed through UW-Madison and Surgery IT is unable to support them. |
* Additional security controls are required to make this service PHI compliant. See the service’s notes section or contact Surgery IT for more details.
STORING AND ENCRYPTING PHI ON A PORTABLE DEVICE
Only use USB drives that provide built-in hardware encryption. Contact Surgery Help for more information about encrypted portable drives and where to get one.
Any portable device that will store PHI must be registered and managed by Surgery IT.
Mobile Devices (e.g. iPhone, iPad) used to access any UW data (including Office365 email) must be secured with at least a PIN lock to encrypt the device.
PORTABLE DEVICES – Laptops, tablets, smartphones
Portable devices, such as laptops, make it easy to conduct work outside of UW-Madison, but it is important to be aware of the risks and consequences of using these devices. For this reason, please take the following precautions:
All portable devices used for School of Medicine purposes must be approved and registered with Surgery IT and must be safeguarded from theft.
Any loss or theft of a device must be reported immediately to Surgery IT or HIPAA Security Officer.
All computers used for School of Medicine purposes must be managed and security-configured by Surgery IT.
No portable devices used for School of Medicine business purposes may be shared with anyone unauthorized to access PHI, including family members.
When you no longer need the portable device for work purposes, please contact Surgery IT for proper disposal or removal of data.
PLEASE AVOID STORING DATA IN THESE LOCATIONS
Technology makes accessing storage services very easy, and as the data classification becomes more restricted, the storage service for that data may require more steps to access. We understand that these extra steps add to workflows. However, to remain compliant with the requirements for the data we are authorized to access and store, please avoid storing data in these locations:
Local drive (C:\), Desktop or in the “My Documents” folder – These locations are not regularly backed up and could result in data loss.
Dropbox, iCloud, or any other third-party cloud-based service.
Unsecured, unencrypted portable devices.
REFERENCES
Tools for Exchanging and/or Storing Protected Health Information (PHI) from UW-Madison campus Office of Compliance.
UW Madison data classification - https://kb.wisc.edu/59205
Data classification from Research: https://research.wisc.edu/data-security-management-and-retention/
UW-Madison - IT - Non-UW-Madison Applications and Services Guidelines - https://kb.wisc.edu/itpolicy/cio-non-uw-services-guidelines
Last Reviewed: 2/1/2021