Data Stewardship Training

Data stewardship refers to our responsibility to safeguard data (electronic or paper) that is entrusted to us, or that we use or access. This includes both confidential and restricted information, for example:

• Individual financial information (e.g., credit card and bank account numbers)
• Other personal information (e.g., social security #, home address, personal contact information, performance reviews)
• Individual Student Records – protected by FERPA
• Proprietary information, such as intellectual property or trade secrets
• Protected Health Information (PHI) – protected by HIPAA

All School of Medicine employees are personally, professionally, ethically and legally responsible for our actions. When confidential and restricted information is lost, stolen, or otherwise compromised there are significant consequences for all individuals involved, including the individual, School and University. Data stewardship is necessary to maintain UW Medicine’s reputation, uphold the trust placed in us, and prevent harm.

For your convenience the Department of Medicine has prepared a handout to highlight some of the most important things to know. This is intended as a brief guide. Additional information is available below and on the UW Medicine IT Security website.
Data Stewardship Most Important Points (PDF)

Securing My Devices

A good rule of thumb is that any device used for work needs to be:

1. Password protected
2. Encrypted

This applies desktops, laptops, phones, tablets, thumb drives, and other portable storage devices. Devices that are personally owned must also be secured if it is used to perform work functions.

To assist with these encryption and security requirements users are encouraged to participate in the security of their devices.

• Securing and Encrypting Android – coming soon
• Securing and Encrypting iOS – coming soon
• Securing and Encrypting Windows devices – coming soon
• Securing and Encrypting Mac OS – coming soon

Portable storage devices must also be encrypted and password protected. For assistance in setting up encryption on your thumb drive or portable storage please visit one of the Department of Medicine IT Kiosk’s, the kiosk schedule is located here. If you cannot make it to a kiosk event please feel free to contact us for individual help.

For help with securing any of your other devices please stop by any of the kiosk events listed on the calendar or contact our helpdesk.

What is a Breach?

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of any data that could potentially be used to identify an individual, including students, staff, faculty or any other member of the UW community. For a better understanding of what is considered identifiable information please see WA state law RCW 42.56.590.

In the event of a loss or theft the event must be reported, and at that time an internal audit will take place by UW Medicine. If they find that the device was appropriately secured (must be both encrypted and password protected) then there is no breach and the investigation usually stops there.

To report a possible breach contact UW Medicine IT at 206-543-7012 or mcsos@uw.edu.

For members in the Department of Medicine incidents should also be reported Walt Morrison at 206-616-4726 or wmorrison@medicine.washington.edu.

For members of other departments incidents should be reported to their department management for coordination with UW Medicine Compliance.

For detailed steps on reporting a stolen computer please review the Lost or Stolen Devices procedure for the Department of Medicine. This procedure should be applied to any work devices or personal devices that are used for work purposes. Other departments are welcome to use this as a template however the contacts would change to reflect your respective department personnel.

Guidance Tips

• Maintain an inventory of all devices including laptops, desktops, tablets and phones that are used by you and your direct reports
• Keep computers behind locked doors (stolen laptops are the #1 reason for breaches)
• Encrypt all computers and storage devices
• Encryption is only as strong as its password – UW security policy requires strong passwords
• Compute in place using Remote Desktop when possible instead of transporting the data on USB drives
• Use Department of Medicine IT, we will address and support all Data Stewardship needs as part of our services
• Don’t be responsible for data you don’t need – delete anything sensitive; better yet don’t copy it in the first place
• Cloud storage is generally unsafe, only use approved services or institutionally owned servers to store data
• Use de-identified information if possible
• Don’t respond to emails or websites asking for your passwords
• If the context of the email doesn’t make sense, delete the message or call the sender to verify the legitimacy

Guidance Tools

• PCISA Discussion Tool
• PCISA form for all employees (part of on-boarding/annual review)
• IT Policy Handout
• Data Stewardship Presentation – Brief or .ppt version
• Data Stewardship Presentation – Workshop or .ppt version
• UW Medicine IT Security Training on Data Stewardship