What is data stewardship?

Data stewardship is your responsibility to protect data (electronic or paper) that you use or access. For example:

  • Individual financial information (e.g., credit card and bank account numbers)
  • Personal information (e.g., social security #, home address, personal contact information, performance reviews)
  • Individual Student Records – protected by the Family Educational Rights and Privacy Act (FERPA)
  • Proprietary information, such as intellectual property or trade secrets
  • Protected Health Information (PHI) – protected by the Health Insurance Portability and Accountability Act (HIPAA)

You are personally, professionally, ethically and legally responsible for your actions. When confidential and restricted information is lost, stolen, or otherwise compromised there are significant consequences for UW Medicine and all individuals involved.

Encryption and password protection

  • Devices used for work purposes that can move need to be encrypted and password protected. This includes laptops, phones, tablets, thumb drives, and other portable storage devices.
  • Devices that are personally owned must also be secured, if they are used to perform work functions
  • The Department of Medicine IT Services has self-guidance instructions for encryption

Key principles of data stewardship

Data thrift

  • Don’t be responsible for data you don’t need – delete anything sensitive; better yet don’t copy it in the first place
  • Use internal systems (e.g. ORCA or Epic patient lists) to track information
  • Use institutionally owned servers to store data
  • Use de-identified information if possible

Physical security

  • Keep paper and physical documents in a safe place
  • Keep computers behind locked doors (stolen laptops are the #1 reason for breaches)
  • Keep mobile devices close at hand
  • Keep flash drives and other external drives close at hand

Encrypted storage

  • All desktops, laptops, cell phones, tablets and flash drives used must be encrypted (including personal cell phones and tablets that are used for work)
  • Encryption is only as strong as its password – UW security policy requires a strong password
  • “Cloud” storage is generally unsafe

Phishing and viruses

  • The easiest way to breach a secure system is to ask someone to give you the password; the second easiest is to try a password you got from somewhere else
  • Don’t respond to emails or websites asking for your passwords
  • If suspicious, check security certificate in browser
  • Keep operating systems and anti-virus software up to date

Data classifications

To help clarify the minimum requirements for UW data security, three categories of data have been defined: Public, Restricted, and Confidential.

  • Public: Information that is published for public use or has been approved for general access. Risk level: Low
  • Restricted: Information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure. Risk level: Medium
  • Confidential: Information that is very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University. Risk level: High

Breach reporting

A breach is defined as "the unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI)." In the event of a loss or theft, the event must be reported, and at that time an internal audit will take place by UW Medicine.

If they find that the device was secured with encryption and password protection then there is no breach and the investigation usually stops there.

If there is a breach then the event escalates to the full HIPAA reporting cascade, which includes:

  • Notification to UW Medicine Compliance
  • Notification to department leadership
  • Notification to the Office for Civil Rights
  • All individuals affected must be notified; if more than 10 lack addresses, public notice on web
  • If more than 500 affected, the media must be informed

To report a possible breach contact UW Medicine IT at 206-221-7012 or mcsos@uw.edu.

For members in the Department of Medicine incidents should also be reported Walt Morrison at 206-616-4726 or wmorrison@medicine.washington.edu.

For members of other departments incidents should be reported to department management for coordination with UW Medicine Compliance.

Lost or stolen device

If a work device has been lost or stolen, please contact Walt Morrison.