Patient Information Security

UMass Chan is required by federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) to ensure that Protected Health Information (PHI) is only accessed by authorized individuals. Medical School students are responsible for the secure handling and storage of any confidential patient information that they may access as part of their studies. The following guidelines provide practical steps that you can take which will ensure that any confidential patient information that you are exposed to remains secure:

Minimum Use: The best way to ensure that patient information is protected is to not transcribe or acquire it in the first place. There should never be any reason to store patient information on any computer or portable device (laptop, thumb drive, etc). If you must work with sensitive data, take steps to anonymize patient information before storing it on a laptop or computer. By simply removing key identifiers such as name, address, date of birth and telephone number, you can retain data that is meaningful to your studies or research but is not identifiable to a specific individual.

Physical Security: Always be aware of your surroundings when discussing or working with confidential information. Remember to lock your screen if you step away from your laptop and only leave your laptop unattended in a trusted and secure (locked room, locked drawer, secured via a cable lock) environment. Never leave your laptop in a visible location inside a parked car such as on the floor or the front or back seat. “Smash and grab” thieves are on the lockout for computer bags and backpacks that can easily be seen by walking by the vehicle. Try to lock your laptop in the trunk of your car or if there is not a trunk, position it in such a way that isn’t obvious to thieves. When traveling, never leave your laptop unattended and never check your laptop as luggage; always keep your laptop with you as carry-on luggage. Understand the specific laws which regulate the transport of computing devices (specifically with encryption) into foreign countries.

Passwords: Ensure that your laptop is protected with a strong password. Your password should be something that is easy to remember but hard to guess. Passwords should be at least 8 characters long with a combination of lower case, upper case and numbers. Consider using a pass-phrase (ILike@pplePie!) while incorporating multiple construction parameters. Never “cache” passwords in your browser for easy retrieval; this would make them vulnerable if your laptop was lost or stolen.

Encryption: UMass Chan IT can provide encryption software for student or personally owned laptops that meet Medical School specifications. Contact the Help Desk if you do not have encryption software installed. Once encryption software has been installed, do not remove it and contact the Help Desk to have it reinstalled if your laptop is re-imaged.

Other Security Software: Anti-virus and Geotracking software must be installed (again the Help Desk can assist) to ensure that student laptops are properly protected and traceable if lost or stolen.

Email: Do not send confidential information via email. If it is necessary to transmit patient information to an authorized recipient, please contact the Help Desk for instructions to encrypt the message.

Back-ups and Portable Media: It is always a good idea to backup important files in the event that your laptop crashes. If you must store confidential information, ensure that your backup is encrypted. Never store unencrypted confidential information on any portable media device (such as a CD or a thumb drive).

Report Security Incidents: It is imperative that you immediately report to the Help Desk any instance of a lost or stolen laptop or computing device that is used in the course of your time at UMass Chan. If the incident happens after hours or over the weekend, contact Campus Police (508-856-3296).