
Information Technology Services
Information Security Procedure
Effective Date: February 9, 2004
Reviewed Dates: 10/2005; 05/2007; 10/2010

Information Security Plan
Gramm Leach Bliley Compliance
HIPAA Compliance
PCI Compliance
1. Basis for Plan

University of Nebraska Medical Center (UNMC) is committed to protecting data and information covered under federal regulations. Workforce members and business associates handle a variety of proprietary information which includes, but may not be limited to:

- Protected Health Information (PHI) as defined by HIPAA
- Student Education Records as defined by FERPA
- Protected Student Financial Information (PSFI) as defined by GLBA
- Employee data
- Research data
- Business Plans
- Financial Data

It is the policy of the University of Nebraska Medical Center (UNMC) to comply with all applicable federal, state and local regulations and University policies and procedures governing information security. These regulations and guidelines include, but may not be limited to:

- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see the definitions of privacy and information security below)
- Family Educational Rights and Privacy Act (FERPA)
- Nebraska Free Flow of Information Act (20-144, 20-145, 20-146, 20-147)
- Nebraska Rev. Statutes 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
- Gramm-Leach-Bliley Act (GLBA)
- American Recovery and Reinvestment Act of 2009 (ARRA)
- Patient Protection and Affordable Care Act (PPACA)
- Board of Regents Bylaws
- Board of Regents Policies
- Executive Memorandum No. 16, Responsible Use of Information Resources, Technology and Networks
- Executive Memorandum No. 26, Information Security Plan
- UNMC Policy No. 8000, Compliance
- UNMC Policy No. 6045, Privacy, Confidentiality and Information Security
- UNMC Policy No. 6051, Computer Use and Information Security Policy
- Information Technology Resources
- Information Technology Services Policies and Procedures

2.0. PLAN

This Information Security Plan (Plan) describes UNMC's safeguards to protect proprietary data and information. These safeguards are provided to:

- Ensure the confidentiality of data
- Ensure the integrity of data
- Ensure the availability of data
- Protect against anticipated threats or hazards to the security or integrity of the information.

Page 1 of 6
Z:\HIPAA\Policy and Procedure Implementation\UNMC HIPAA-related P&P\Information Security Plan\UNMCInformationSecurityPlan-Sept2010.docx

2.1. GLBA Applicability

UNMC recognizes that the privacy of student educational records is protected under FERPA. Safeguarding of student educational records and student financial information is protected under GLBA. This plan applies to all protected student financial information with the exception of that information which has been identified as directory information under FERPA. The University, as published in the Student Handbook, has designated directory information to include:

- Student Name
- Local Address
- Academic College
- Telephone Listings
- Date and place of birth
- Enrollment Status
- Honors and awards received
- Major field of study
- Dates of attendance
- Degrees
- Most recent previous educational agency or institution attended
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams

This plan applies to degree-seeking students. It does not apply to continuing education students. Continuing education students would not be in receipt of a financial service.

The areas which regularly work with the protected student data and information within UNMC are:

- Academic Records
- Financial Aid
- Information Technology Services (ITS)
- College of Dentistry, Student Services
- College of Medicine, Student Services
- College of Medicine, Allied Health, Student Services
- College of Nursing, Student Services
- College of Pharmacy, Student Services
- College of Public Health, Student Services
- Graduate College

Note: UNMC Human Resources and Payroll have the minimum data necessary to support the employment and payroll functions. No other protected student financial information is utilized within these departments. UNMC Library does not obtain any protected student financial information in order to perform its functions.

2.2. HIPAA Applicability

Please refer to the HIPAA Compliance Plan.

2.3. Identification and Assessment of Risks to Proprietary Information

UNMC recognizes that it has both internal and external risks. Under the direction of the Information Security Plan Coordinator, UNMC will periodically perform a formal risk assessment of the environment. Based upon this risk assessment, a risk management process is implemented.

UNMC ITS Network/Technical Services actively participates in and monitors advisory groups such as the Educause Security Institute, the Internet2 Security Working Group, and the Federal Computer Incident Response Center of the Department of Homeland Security, and vendor sites such as Microsoft, Symantec, McAfee and SANS, for identification of new risks. UNMC ITS Network/Technical Services meets to review current industry threats and current issues. New systems and changes to the environment are also reviewed from a security perspective to identify tasks which should be addressed to better secure the environment.

An Information Security Incident Reporting and Response Plan has been developed to rapidly respond to any identified risk. The Incident Response Team has been trained and is ready to handle issues as they arise. In addition, an Emergency Response Center has been established from which an emergency can be managed.

UNMC has an external audit performed to determine vulnerabilities from the Internet. This report is thoroughly reviewed, and plans to remove weaknesses are developed and implemented. UNMC plans to continue this audit process.

2.4. Information Security Plan Coordinator

The HIPAA Information Security Officer also serves as the Information Security Plan Coordinator for the campus.

2.5. Policies and Procedures

UNMC has developed policies and procedures to ensure a complete Information Security Program exists on campus. In a decentralized environment, it is very important that all system administrators and information custodians be fully informed of their responsibilities to maintain the security of the network environment and the data for which they are responsible. The Information Security Office has an audit process in place to ensure compliance with policies and procedures.

2.6. Workforce Management and Training

All UNMC departments conform to the Privacy, Confidentiality and Information Security Policy (Policy 6045).

Human Resources has implemented policies and procedures to ensure that reference checks are performed for all positions which handle covered data prior to the employment offer. Particular attention is paid to any information which may reflect upon a workforce member's ability and aptitude to treat covered data and information in a confidential manner.

The first line of defense for information security is the end user of computer and information systems. In recognition of this defense, UNMC requires all workforce members to sign the Statement of Understanding annually. This document mandates that the workforce member read and agree to comply with all policies and procedures relating to the use of computer systems within UNMC.

The workforce receives initial HIPAA training. Specific Security Policy and Procedure training is provided to system administrators and information custodians. An ongoing security awareness education program is in place via periodic articles in UNMC Today, Web page information, presentations to faculty meetings, administrators' meetings and other venues as appropriate.

Training of workforce members who handle protected student financial information is provided by the hiring department. The department may utilize the Information Security Officer and Human Resources in developing the training program. In accordance with UNMC Policy 6045, all departments are required to develop department policies and procedures regarding confidential information.

All students also must complete HIPAA training and must sign the confidentiality agreement. If a student does not complete this training, he/she will not be allowed to attend classes or clinics, or to register for future classes.


All information residing on Affiliated Covered Entity computer devices must be periodically backed up. The workforce is highly encouraged to store their data on network file servers. ITS ensures that network file servers are backed up. Backup files are stored offsite. If an employee chooses to store data on a local device, the employee is responsible for ensuring there is a backup copy. All backups should be clearly labeled (marked) and stored in a secure location.

Academic Services and Financial Aid ensure that appropriate copies of all documents containing protected student financial information are kept in a secure manner. Academic Services scans the paper record, copies it to a CD, and the CD is stored offsite. Financial Aid stores all of its paper documents in fireproof file cabinets.

2.7. Information Systems

Access to proprietary information shall follow the need-to-know guideline. Only those workforce members who have a business or academic need to know the information shall have permission to utilize the data. Each workforce member is assigned a user name and password and is trained on developing a secure password. Passwords must be changed according to the Password Security Procedure.

The network design is such that appropriate safeguards have been implemented to minimize risks from the external environment. A strong technical perimeter has been established to ensure that no direct access from the Internet is allowed to the Internal (Trusted) Area of the network. A DMZ and border have been established as layers of security. Covered data is placed in the network trusted area and is available through trusted applications or a VPN connection. UNMC has implemented the use of a student number as an identifier in place of the social security number.

2.8. Management of System Failures

UNMC has developed written plans and procedures to detect and respond to computer failures and outages. The policy to support handling of failures and outages has been distributed to the UNMC community via training to management personnel (train-the-trainer concept), system administrators, and articles in UNMC Today.

UNMC network services has designed the network to support the mission of the Affiliated Covered Entity. The network must have:

- High Performance
- Reliability
- Redundancy
- 7 x 24 Availability
- Minimal downtime

In order to meet the design criteria, UNMC has implemented two data centers (one is lights out and one is staffed), installed Uninterruptible Power Supplies to support the server farms and network closets, and installed network monitoring tools to alert on potential component failures. The UNMC Data Center also has redundant power, receiving electrical power from two different power plants.

2.9. Selection of Appropriate Service Providers

Vendors who perform a service on behalf of UNMC and who must utilize Protected Health Information (PHI) in order to perform their duties must comply with UNMC Policy No. 8009, Contract Policy. Vendors who perform a service on behalf of UNMC and who must access Protected Student Financial Information (PSFI) in order to perform their duties must sign the GLB Act contract addendum.


2.10. Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment based upon the risk assessment, changes in technology, and internal or external threats to information security.

3. Definitions

3.1. Affiliated Covered Entity (ACE) means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

3.2. DMZ or Demilitarized Zone is a network that is separated from an organization's internal protected network and logically sits between the organization and the unsecured public network. A DMZ usually has special security measures implemented and is used to provide the public presence of an organization's information technology.

3.3. File server is any system that provides or shares resources (files, drives, printing, applications, etc.) with any other system.

3.4. Information Custodians are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring that the technical and procedural mechanisms implemented are sufficient to secure the data, based upon a risk analysis that considers the probability of compromise and its potential business impact.

3.5. Information security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.

3.6. Information technology resources include voice, video, data and network facilities and services and are intended for use in completing UNMC's mission. Their use is governed by Executive Memorandum No. 16, all applicable UNMC policies (see especially Policy No. 6051, Computer Use and Information Security), Information Technology Services policies and procedures, and applicable federal, state and local laws.

3.7. Privacy is defined as the right of individuals to keep information about them from being disclosed.

3.8. Proprietary information refers to information regarding business practices, including but not limited to financial statements, contracts, business plans, research data, patient records, employee records and student records.

3.9. Employee records refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.

3.10. Student education records means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include (i) a sole possession record, (ii) a law enforcement record, (iii) an employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) an alumni record and (v) a medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UNMC Physicians and UDA. (NOTE: the HIPAA privacy regulation does not apply to education records covered by FERPA.)

3.11. Protected Student Financial Information (PSFI) is information that UNMC has obtained from a student in the process of offering a financial product or service, or such information provided to UNMC by another financial institution. Offering a financial product or service includes offering student loans to students, receiving tax information from a student's parent when offering a financial aid package, and other financial services. Examples of student financial information include addresses, phone numbers, bank and credit account numbers, income and credit histories, and social security numbers, in both paper and electronic format.

3.12. Protected Health Information (PHI) is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:

- is created or received by UNMC; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.

3.13. System Administrators are people responsible for configuring and maintaining the hardware and operating software of systems.

3.14. Trusted Network is defined to be all UNMC/The Nebraska Medical Center/UNMC Physicians/UDA owned or managed internal data communication networks without incoming direct public access.

3.15. Workforce refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.

4. Authorities and Administration

4.1. Information Security Officer

