Date of Last Review 7/2/08
SME: Director of Management Information Systems

Portable Device Agreement (Steward's Responsibility)

Laptop Computers – Because of their ease of transport and higher rate of theft, laptop computers (sometimes described as portable computers) are subject to the following additional restrictions. These restrictions apply to laptops which have been provided using University funds of any kind, including laptops purchased under a leasing contract.

Portable Devices – (PDAs, Flash Drives, Smart Phones and portable hard drives) Because these devices are small and can easily be lost or stolen, confidential or protected data should never be stored unencrypted on a portable device. If sensitive data must be stored on such a device, the following precautions should be taken:

Use a flash drive that supports encryption, such as IronKey, Corsair Padlock, or Kingston DataTraveler Secure
The device should not be left unattended
If the device must be left unattended:
    All doors leading to the device should be locked
    The device should be left in a locked drawer if possible, with the key in the owner's possession at all times

Non-University provided or personal laptops must adhere to all UTHSC-H Information Security Standards. Sensitive data is not permitted to be stored on personally owned laptops or portable devices not purchased with UT funds.

1) Full Disk Encryption (FDE) – University faculty and staff are required to encrypt UTHSC-H provided laptop hard drives using whole or full disk encryption (FDE). FDE will be accomplished via software that meets UTHSC-H Acceptable Encryption Policy.

    Policy Definition

    Sensitive or Proprietary Data - No exceptions are allowed for any laptop which contains or accesses sensitive, confidential or proprietary data that could be compromised in the event of loss or theft.

    In cognizance of FDE, storage and use of sensitive, confidential or proprietary data should be considered temporary and transient in nature. The most prudent policy, even when using encryption technologies, is not to store confidential or sensitive data on a laptop computer.

    The use of proprietary encryption algorithms is not permitted or considered a viable substitute for University standard cryptosystems for any purpose.

2) Physical Security. All laptop computer stewards are responsible for taking reasonable and prudent measures to ensure the physical security of the equipment. When left unattended in an unsecured area, the equipment must be physically secured using a locking mechanism. While in transit or stored offsite, stewards must take reasonable and prudent measures to ensure security of equipment against loss or theft.

3) Secured Area. An area where access is limited to specific authorized University personnel whose access is provided by both lock and key, card reader and/or dedicated security personnel. All visitors must be accompanied by authorized personnel while present in these areas.

4) Patient Health Information (PHI) Data. Inform Health Information Management (HIM) if electronic PHI is going to be stored on a UT laptop, UT portable device or leaving UT-HCPC premises. Sensitive data is not permitted on non-UT laptops or portable devices. Stewards of the data need to ensure they are the only ones who have access to the data and share the data only on a need-to-know basis. Inform HIM of any violations that occur against this policy.

    _______________________________________
    Steward’s Signature (I have read the above agreement and will comply with policy)

    _______________________________________
    Date

 

Director of MIS
UT-HCPC

Related standards

Texas Administrative Code Chapter 202.77

The Joint Commission: Management of Information

HIPAA