Changes are coming to the management of UCís information technology (IT) infrastructure and information systems, according to a panel of health information technology experts at the College of Medicine.
The panel spoke about those changes and new university policies regarding data protection before a packed house Tuesday, April 29, in MSB E-351. A videotape of the session is posted online
The discussion, begun by John Hutton, MD, associate dean for information services at the College of Medicine, was held to help faculty and staff understand the new policies and their role in securing "restricted data.Ē
Restricted Data and UC
For the College of Medicine, the most pertinent forms of restricted data include protected health information (PHI), data from research involving human subjects, personal identity information and student transcripts.
That data is covered by a variety of national and state laws and regulations, including the federal Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. Under HIPAA, violations or breaches of restricted data can lead to both administrative fines and criminal penalties.
Thatís why, said Hutton, "itís very good to keep in mind all the different categories of data that must be protected. The universityís policies were developed to ensure the university in aggregate complies with a number of different laws.Ē
Hutton specified that new data protection policies apply only to UC data maintained on university systemsódata maintained on UC Health or Cincinnati Childrenís Hospital Medical Center systems is governed by those organizations.
Complying with Protection Policies
To assist with compliance of the new policies, the College of Medicine has posted a checklist
for departments and a contact sheet that tells where to obtain help for specific issues.
Overall, says Neil Holsing, associate dean for operations and finance, the college is designated as owner of the systems housing restricted data, with departments acting as custodians of the data itself.
Departmental responsibilities include compiling a list of individuals with access to PHI and require faculty, staff, students and trainees complete HIPAA training. Training modules are anticipated to be available online within four to six weeks.
"Departments should be aware of the policies and understand whatís necessary for them to be compliant,Ē he said, "but the good news is that a lot of things are going to be automated for you by UCIT or the COM IT group.Ē
From the college-level, COM IT will ensure that all technology with access to PHI (including desktop and laptop computers, smartphones, flashdrives and servers) have physically and technologically secure configurations.
According to IT coordinators Jesse Featherree and Kent Norton, that security comes with changes to the collegeís data center and its desktop support policies.
Currently, all servers and data storage devices are being relocated to the data center in room G-95 of the Medical Sciences Building, to be managed to by the COM Systems Services team. From G-95, Systems Services will be able to control physical access to the servers and utilize video surveillance, fire suppression and power source management for added protection.
Changes also will be made to the administrative privileges governing employee computers. Under the new system, centrally managed software will automatically administer updates, patches and latest versions of commonly used software to UC-managed computers. Departments with specific software needs or lab devices that require local administrative control are advised to contact the help desk.
What Can You Do?
Faculty, staff and students are asked to assist with data protection by regularly updating their computers and storing the majority of their data on protected and regularly backed-up servers, not on a personally owned device. COM IT can assist with encrypting tablets and other mobile devices, and ensure that employee smartphones have a secure exchange connection to access UC email.
Finally, employees are also asked to use remote access to work on their computer from home, instead of sending data through email or third-party systems like DropBox.
To close the discussion, Brett Harnett, MS-IS, director for the Center for Health Informatics, introduced the centerís new iCREW interface, which allows researchers to search for secure, de-identified data from the Clinical Research Enterprise Warehouse.
Overall, for anyone unsure of the policies or with questions about upcoming changes, Holsing urged them to email firstname.lastname@example.org, email@example.com, or call 513-556-HELP.
"All of us will experience change with these new policies, but we will try to make it as easy as possible,Ē he added. "We ask for your cooperation and we ask that you provide feedback as well. Donít hesitate to contact usólet us be a consultant to you.Ē