From student records and personnel files to research material and patient histories, the University of Utah and University of Utah Health are entrusted with a lot of personal data. While much of that information might be necessary to learn, work, innovate or receive treatment here, U community members should be familiar with their privacy rights and how the university safeguards their personal information.
In truth, data security at an institution of higher education and system of hospitals and clinics is extremely complex, with multiple groups responsible for data management, information security and more. They’re all united, however, in the U’s commitment to your privacy—one it reaffirms this Data Privacy Day (Jan. 28).
“Privacy is a big deal. Our students, staff, faculty and patients take that seriously. They share information with us that they don't want known outside the university, and it's incumbent upon us to do the best we can to ensure that we keep that trust,” said Trevor Long, associate director for the Governance, Risk & Compliance (GRC) team in the U’s Information Security Office (ISO).
Chris Keller, information privacy manager for the Information Privacy Office at U of U Health, echoed that, noting that privacy is a priority for the university and its staff because data breaches, big or small, have real consequences.
“Even if the [exposed] information seems trivial, it really impacts how people look at their doctor or how they look at a health care organization,” which can potentially affect their health or quality of care, Keller said.
From a technical standpoint, the ISO and U of U Health’s Information Privacy Office help ensure your privacy through data security measures, compliance and education initiatives. Here’s an overview of what that looks like.
Defense-in-depth
Long said we live in an era when it’s not if, but when, there will be a data security incident—as evidenced by the 2020 news cycle.
“The real issue is how the organization is prepared to handle incidents—what's called defense-in-depth, where you have multiple layers of security and you're actively doing the best you can [to prevent and respond to breaches],” he said.
The ISO shoulders most of that responsibility, protecting the U community through a number of measures, which include but are not limited to monitoring the U's network; notifying users of suspicious activity; responding to and investigating cybersecurity incidents; conducting penetration testing; performing risk analyses; deploying new security tools.
Keller noted that the U continually improves its defenses.
“We learn from every incident,” he said. “Our most recent incident involved email so now we have two-factor authentication. … And it works. We haven't seen those types of incidents since then.”
Some information security measures students, faculty, and staff can use include two-factor authentication, the virtual private network, antivirus software and secure cloud storage (such as the university instance of Box).
Regulatory requirements
A number of federal, state, and local laws exist to protect your privacy and personal data. It’s the U’s job to observe and follow them.
Some laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for patients and the Family Educational Rights and Privacy Act (FERPA) for students, provide strict guidance about how to handle those data types. Meanwhile, many states, like Utah, are actively reviewing their current codes regarding privacy and information security, Long said.
Under HIPAA, for example, U of U Health must retain patient information for six years and safeguard it for a lifetime, up to 50 years after someone dies, Keller said. The health system also must provide a Notice of Privacy Practices the first time someone visits one of its providers and when any changes are made to the notice. Recently, the Privacy Office updated the document to ensure patients can clearly understand their rights, Keller said.
“It's user-friendly. It answers questions, and it lets people know what they can opt-out of, what they can opt-in for, relating to their health information.”
He added that his office also has updated the Patient Privacy website, “so patients can find any of our documents there, but they can also reach out to us. They can report a concern and they can ask us questions, all from our website.”
The U also has its own regulations, including policies and rules that govern information security and data encryption and classification across the entire university. For instance, donor information is considered restricted data, which must be protected from unauthorized access or disclosure at all times.
The ISO-GRC team and the Privacy Office handle compliance issues, such as alignment with university regulations and control frameworks set by industry leaders.
“It's my team's job, and that of the Privacy Office, to ensure that policies are upheld and that if people don't follow them, then the ISO-GRC team takes some action so they and the university realign with those policies,” Long said.
Education and outreach
ISO-GRC and Privacy Office staff also handle information security education, training and outreach, such as Security Champs and HIPAA Champions, groups of campus and hospital IT professionals that share information security and privacy best practices in their departments, colleges, offices, research groups, and centers.
Working with the Security Champs, Long said, makes it easier to approach departments about their responsibility to protect certain data types. When they ask whether that information needs to be collected, “that's usually an eye-opener for a lot of departments,” he said, noting that once people become aware of the risk level, they won't resolve any issues.
The Privacy Office and its HIPAA Champions, likewise, meet with clinical staff and medical and dental students to discuss cybersecurity best practices.
“We talk about digital hygiene, just cleaning old information out,” Keller said, indicating that our individual behavior can be a risk or strength to the university.
What you can do
While the U makes great efforts to protect your personal data, you can own your privacy by managing your information and making informed decisions about who receives your data.
You are responsible for your data, Long said. So it’s OK to question how it’s collected, used, stored and protected.
“For instance, if a U department [other than the Registrar] asks for personal data, ask what it will be used for, how long will it be stored, where will it be stored, why it’s absolutely necessary to collect that personal data, who will be responsible for protecting the data and who will provide oversight and review so that boundaries are not overstepped,” he said. “For example, you might say, ‘Why are you asking for my social security number when I can give you my uNID?’”
University resources
Data Privacy Day
This Data Privacy Day (Jan. 28), the Information Security Office is sharing a few resources to help you understand how your data is collected, used and shared so you can better manage your personal information and make informed decisions about who receives your data.
Visit the Data Privacy Day website to access these topics and more:
- The price of your personal data
- How to decode privacy policies
- Tips: how to own your privacy