CHM IT - Policies and Procedures

The policies and procedures of the CHM computing environment

Contents

  • Access Control
  • Data Privacy
  • Cybersecurity and Risk Policy
  • Collection of Personal Identity Information via Email
  • Endpoint Management and Security
  • IT Incident Reporting and Response
  • Printing
  • Use of Non-campus Wireless Devices
  • Asset Reporting
  • Institutional Data
  • Study-related Data
  • Media and Device Disposal and Reuse
  • Password Policy
  • Firewall Policy
  • Voice/Telephone Policy
  • Acceptable Use
  • Annual CHM Account Access Audit
  • Operating System and Hardware Aging Policy
  • Backup
  • Removal of ePHI Before Reusing Electronic Media
  • Physical Safeguards of CHM (Theft Prevention)
  • Identification and Documentation of Security Incidents
  • Risk Analysis Review
  • Audit Logs and Retention
  • Disaster Recovery and ePHI
  • Personal Computing Devices Policy

Access Control

Per UW-Madison’s IT Policy here: https://policy.wisc.edu/library/UW-501

All UW–Madison units that maintain or operate electronic services secured by access controls must configure those applications or systems to:

  1. Use institutionally managed access control services as suitable services become available; and

  2. Comply with the appropriate use standards for the institutionally managed credentials.

CHM utilizes the campus NetID system for access control. Computers, servers, and services inside of CHM’s purview are connected to the campus Active Directory and the campus’ two-factor authentication system where appropriate.

Access to CHM’s virtual drives is controlled via campus manifest groups. IT staff always retain the ability to add or remove members, and access control of “owned” folders (i.e. folders that belong to a certain study or group) is in the hands of the PIs or admins of those groups. Only UW-managed computers (managed desktops or laptops) may access CHM's virtual drives. Personal devices - even those connected to the VPN - are not allowed to connect to these drives.

More Information: [Link for document 132248 is unavailable at this time]

Data Privacy

Data classification follows the Campus IT policy here: https://policy.wisc.edu/library/UW-504

Whenever possible, CHM IT limits our access to data that is owned or stored by users, unless an official inquiry is made from CHM admin staff or the overarching campus IT staff.

All data classified as HIPAA is only stored on HIPAA-approved storage locations. Users are discouraged from storing any data locally on any managed machines, and are given access to DoIT-approved networked storage space. All data on this space is actively backed up via the campus Bucky Backup system.

Cybersecurity & Risk Policy

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-503

CHM IT utilizes access control via the campus NetID credentials to minimize any unauthorized access to systems or data. Our environment is periodically scanned by Campus IT to find any vulnerabilities (see: https://policy.wisc.edu/library/UW-518), and CHM IT maintains a security-focused approach to deploying and configuring all software, endpoints, and services. 

Collection of Personal Identity Information Via Email

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-502

Endpoint Management and Security

Per the Campus IT policy here: https://policy.wisc.edu/library/UW-526

All of our endpoints - desktops and laptops - are managed. Windows-based desktop endpoints are joined to Campus AD and are managed via group policy and SCCM/MECM. Windows-based laptop endpoints and all Apple endpoints (desktop and laptop) are managed via VMware Workspace ONE. Per campus policy, the Qualys endpoint agent is deployed to all of our endpoints. All Apple tablets are set up via Apple Configurator and/or VMware Workspace ONE.

Access to log in to machines is controlled via NetID manifest, which is reviewed yearly. Non-CHM-related NetIDs and guests cannot log in to machines.

All endpoints are (and must continue to be) protected by active virus scanning software. The specific software will be selected from campus-approved virus protection. Currently, for CHM, that is Windows Defender and Cisco AMP.

Windows: Group policy security objects and security baselines have been applied that conform to Microsoft’s MSFT 2004 security baseline. Endpoints are deployed via task sequence in SCCM such that all operating system deployments are identical. All endpoints are locally encrypted via BitLocker with local firewalls turned on, minus any desktops that have exceptions granted due to software limitations. Machines download and install updates automatically.

Apple: Configuration baselines have been applied that conform to Apple’s baseline security. All endpoints are locally encrypted via FileVault with local firewalls turned on, minus any desktops that have exceptions granted due to software limitations. Machines download and install updates automatically.

All non-desktop machines are required to use the campus VPN service in order to access any restricted CHM resource (i.e. study drive, home drive, shared drive, research/restricted drive). ePHI should NOT be stored locally on any of these machines for any reason.

Any removable or external storage containing ePHI should be encrypted at all times with FileVault, BitLocker, or a comparable alternative.

IT staff will conduct regular reviews of information system activity. Most of this will take place using alerting systems from our management software.

IT Incident Reporting and Response

CHM follows the Campus IT policy here: https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures

In summary - any IT incident must be immediately reported to the CHM IT/RSC team for triage. The IT staff will follow the campus IT policy above.

Printing

Printers are available in CHM-owned buildings and are open for use for any CHM staff. We ask that personal printing be kept to an absolute bare minimum, and we strongly encourage end users to consider whether the item in question actually needs to be printed.

Use of Non-campus Wireless Devices

Devices that transmit or repeat a wireless signal outside of campus-approved and installed wireless devices (i.e. UWNet) are not allowed to be used inside of CHM buildings without prior authorization from the IT/RSC team.

Asset Reporting

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-527

IT staff will make a reasonable effort to update and maintain an active inventory list of all IT-related assets. IT-related assets at CHM are inventoried via one of three systems: SCCM (Windows desktops), Workspace ONE (Windows laptops, Apple desktops and laptops), or Snipe-IT (rentals/all of the above).

Institutional Data

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-523

Any and all institutional data will be kept in a shared network drive space (chm.drive.wisc.edu). Subfolder access may be controlled and restricted via manifest groups.

Study-related Data

Study-related data at CHM will be stored either on a corresponding study folder on the Waisman Brain Imaging environment, or on a corresponding study folder on DoIT Share/Research drive. All HIPAA data must be stored in HIPAA-approved storage areas, and no study data is to be stored locally on any machines.

All study-related data will be secured via manifest access control (in the case of CHM or research drive) or brain imaging-account related access control (set and controlled by Waisman Brain Imaging).

CHM follows the Campus IT policy on storage and encryption found here: https://policy.wisc.edu/library/UW-516

Media and Device Disposal and Reuse

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-505

Password Policy

CHM follows the Campus IT policy here: https://kb.wisc.edu/itpolicy/it-password-standard

NetID password policy is set on a campus-level, and any local passwords (i.e. root passwords for servers) comply with campus password complexity and uniqueness standards. 

Firewall Policy

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-513

All firewalls are either local machine firewalls or campus firewalls.

Voice/Telephone Policy

CHM follows the Campus IT policy here: https://policy.wisc.edu/library/UW-521

Acceptable Use

CHM follows the Campus IT policy here: https://www.wisconsin.edu/regents/policies/acceptable-use-of-information-technology-resources/

Annual CHM Account Access Audit

Once per year, the CHM IT staff and/or owners of their respective data directories (i.e. study folders on restricted drive, shared folders on CHM drive, etc.) will review the members of their manifest access lists (https://manifest.services.wisc.edu/Groups) and remove any members who no longer have access to said directories.

Operating System and Hardware Aging Policy

All operating systems must be kept up-to-date at all times. If an operating system is no longer supported by its manufacturer (i.e. is no longer publishing regular security patches) or no longer supported by campus, IT or the user must immediately upgrade to a supported operating system or retire the hardware.

If a piece of hardware cannot run a currently supported (i.e. actively patched) operating system, it must be retired and its use must cease immediately, as such machines are an inherent security risk.

Updates and migrations of major versions of operating systems (ex: Windows 7 to Windows 10) will be decided upon and implemented by IT via a timeline of their choosing, so long as that timeline doesn’t violate the “up-to-date” policy listed above.

CHM will strive to replace all hardware (endpoints, etc.) on a five-year timeline. A yearly inventory will be performed with the admin staff that lists the hardware due for replacement, and a replacement decision will be made at that time.

Backup

All CHM-managed desktops and CHM shared drives utilize DoIT shared space and Bucky Backup to provide off-site, secure, HIPAA-approved backup solutions. Laptops and external drives are not backed up by default.

Bucky Backup information and documentation can be found here: https://it.wisc.edu/services/backup-bucky-backup/

Removal of ePHI Before Reusing Electronic Media

Any computers or electronic media that contain ePHI shall be formatted (in the case of electronic media/external storage) or have their default shared user accounts deleted and recreated before reuse. Deletion of accounts will also remove any files (ePHI or otherwise) contained in the accounts.

As a matter of policy, HIPAA-related data shall not be stored at rest on any physical device inside of CHM (i.e. external hard drive, flash drive, etc.). If such storage is a necessity, the storage device is required to be kept in a locked room or cabinet when not in use.

Any machines that are to be disposed of shall live in a locked room (146) to prevent theft and/or unwanted access. UW SWAP will be in charge of removing the machines and erasing the hard drive(s) to prevent spread of ePHI.

Physical Safeguards of CHM (Theft Prevention)

CHM’s building is locked during and after business hours, with entry being provided by a current employee of CHM (in the case of a guest), or by electronic FOB entry which is managed by CHM HR. IT staff will make best-effort attempts to secure desktops via physical locks and cables, and keep any loose IT-related equipment secured in a locked IT storage room.

Identification and Documentation of Security Incidents

Any IT-related security incidents related to ePHI data, systems, and networking devices that are not discovered via routine scanning and/or log review must be immediately reported to a member of the CHM IT team via email (help@chm.wisc.edu). At that point, the IT team will review the incident and determine whether it constitutes an actual reportable security incident. If deemed so, the IT team will use the Zendesk ticketing system to create and update a report log on the incident, as well as contact any campus-related entities who need to be involved with handling the incident (for example, the Campus Information Security Team). After the event is resolved, the Zendesk case will be turned into a PDF and retained on IT-related campus storage space for future review.

Risk Analysis Review

Upon occurrence of a significant event or change in CHM’s business organization or environment, or if environmental and operational changes are made that affect the security of ePHI, the IT team will conduct an accurate and thorough risk analysis using the HIPAA template. Should significant risks be identified during this analysis, the IT team will meet and come up with a plan to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis. The mitigation shall be put in place within 6 months of the analysis unless CHM’s management team decides on an exemption for these risks.


Audit Logs and Retention

Audit information is gathered via management tools (SCCM and Workspace ONE), and access to these tools is restricted to IT/RSC staff only. This audit information is stored on encrypted virtual servers in DoIT’s virtual server farm. Audit logs will be retained for the maximum time that each management tool (or the disk space of said management tool) allows.

Disaster Recovery and ePHI

All of our ePHI/HIPAA-related data are stored on hardware and servers that are (a) offsite and (b) either under DoIT control or under Waisman Brain Imaging control. As such, CHM does not maintain its own disaster recovery plan for data access, but instead relies on the plans of these departments.

In general, CHM’s environment should not be expected to be accessible during a natural or man-made disaster. None of our info is critical for health care needs.

Personal Computing Devices Policy

Policy regarding the use of personally-owned computing devices to access sensitive data.

UW Policy 501:

It is a violation of UW and HIPAA policy to directly connect to (mount) the CHM, Brain Imaging, study-related, or any other drives containing sensitive information using a personally-owned computing device.

    • For example, using Microsoft Remote Desktop and WiscVPN on a personally-owned computing device to directly connect to (mount) the CHM shared drive is a violation of policy.

Peach is CHM's remote desktop server that you can use from your personal computer to access sensitive data/drives and do work remotely. See CHM IT - Connecting to Peach (Remote Desktop/Terminal Server) for more information.

Please contact help@chm.wisc.edu if you have any questions about any of these policies.



Keywords: policies it hipaa procedures admin computers computing
Doc ID: 129706
Owner: Ty C.
Group: Center for Healthy Minds
Created: 2023-07-12 15:55:15
Updated: 2024-03-21 17:50:48
Sites: Center for Healthy Minds