Harvard Presses Policy on Protecting Confidential Information
Do any of these scenarios sound familiar? Hopefully not, because they are examples of situations that could compromise confidential information ...
- You're out sick and you call your office mates with your email password so that they can check your account.
- You're dashing out for lunch, leaving on your desk paperwork with employees' Social Security numbers exposed.
- You're late for a meeting and leave a copy of the office's purchasing "P" card in the photocopier.
- You're working over the weekend and have downloaded grant applications onto your personally owned home computer.
The University has developed an "Enterprise Information Security Policy" to protect confidential and high-risk information from falling into the wrong hands and to help Harvard members understand their responsibilities. HSPH Information Technology has mounted a campaign at the School to raise awareness of the effort.
The policy applies to everyone at Harvard who works with Harvard confidential information, to vendors who contract with Harvard to work with Harvard confidential information, and to computers and physical environments that support their work.
Harvard defines confidential information as including "information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk, or be damaging to financial standing, employability, or reputation. In addition to any University penalties, inappropriate disclosure or misuse of confidential information may, in some cases, lead to criminal or civil liability."
"Every Harvard employee is required to protect confidential and high-risk information," explained Taso Markatos, assistant dean for Information Technology. "Efforts to raise awareness of the Enterprise Information Security Policy are intended to help people understand their responsibilities and identify the resources to help them."
Examples of high-risk information, whether in electronic or paper formats, include:
- Social Security numbers
- Credit card and debit card numbers
- Driver's license numbers
- State identification numbers
- Passport and visa numbers
- Biometric information, such as iris scans
- Financial account numbers, such as bank account numbers
A key part of the policy involves the storage of high-risk, confidential information. According to the policy, no member of the Harvard community and no vendor to Harvard is permitted to store such information — other than their own — in any way relating to Harvard or Harvard-sponsored activities locally on any individual user computer or on a portable storage device, such as a laptop. Servers storing high-risk confidential information must be protected.
In addition, non-electronic records, such as paper files, containing high-risk confidential information must be kept in secure, locked containers.
The implications of the policy are manifold. For example, confidential information must be kept encrypted when sent over networks; must be kept encrypted on any computer not located at Harvard; and cannot be stored on any computer not owned and managed by Harvard.
Emails sent from an HSPH GroupWise account to another HSPH GroupWise account are encrypted, but emails sent to other Harvard email accounts or to other email service providers are not encrypted. These messages must not contain confidential information without the use of encryption, said Markatos. HSPH Information Technology will be site-licensing an encryption solution for the entire School in the very near future.
What are some of the steps Harvard employees need to take?
- Use ID logins unique to you
- Do not share passwords, even between staff member and supervisor, or assistant and faculty member
- Use password-enabled screen savers so that computers become inaccessible to non-authorized users during inactivity
- Encrypt USB keys
- Apply security patches and use anti-virus software
- Lock filing cabinets and office doors when not in the room
- Use software that locks out people who repeatedly fail to log in
- Use data-shredding, locked bins around HSPH to dispose of sensitive papers
- Understand and adhere to FERPA rules that affect student-related information
- Include security riders in vendor contracts
- Secure web-based surveys
- Require employee confidentiality agreements
- Assess who already has access to confidential information and determine if such access is truly required
- Educate others at HSPH about the policy
- Adhere to the PCI Data Security Standard when accepting credit cards
For more information on how to implement these steps and other aspects of the policy at HSPH, contact Markatos at taso_markatos@harvard.edu or Stephen Riccardi at steve_riccardi@harvard.edu.
Any security breaches should be reported immediately to the Office of the General Counsel by calling 617-495-1280.
This article does not describe in full the Enterprise Information Security Policy nor the requirements Harvard employees must fulfill.
HPH NOW