Security Guidelines for Users

This web page is intended to provide an overview for how faculty, staff, and affiliates of the MPOG should securely handle protected health information (PHI) for all patient care, quality improvement, and research activities.

User Guidelines

Our reputation is at stake:

It is important that everyone using PHI understand the consequences if they do not take the specific precautions outlined here.  One stolen unencrypted laptop containing PHI constitutes a breach, forcing you to publically disclose the breach to patients, possibly on the website, and the mass media.
Nearly every medical center has had an incident involving loss of a patient dataset containing PHI.  The risk is focused on data and files that contain PHI for hundreds, if not thousands, of patients.  The typical scenario involves a file used for patient care (billing), quality improvement, or research purposes including patient identifiers.  Files are stored on a workstation, laptop, or device which is lost, stolen, or otherwise compromised.  Although the patient data may never actually be released publicly, the healthcare facility is required to report publicly and contact each patient if the data was not secured to reasonable safeguards.  Those safeguards, if followed, make it virtually impossible to unlock the patient PHI.  If the safeguards are followed and the device is lost, there is no need to contact report the data loss.

Security Practices

  • Make sure you encrypt your hard drive.
    • Please see Instructions for Encrypting Computers below.
  • Always install an up-to-date antivirus program.
  • Always have a strong password system password set up on your computer.
  • Automatic login is not acceptable.  You need to enter your password every time your computer starts up.
  • Even though you may be using a file sharing service, we still recommend you encrypt all the files that contain PHI.

    Directions for Encrypting Microsoft Files:

    Step One:  Open the document you with to password protect.

    Step Two: Click the ‘File’ tab and then click on the ‘Info’ option.  On the right menu click on the ‘Protect Document’ button under ‘Permissions,’ and then select the ‘Encrypt with Password’ option.

    Enrcyption

    Step 3: When the ‘Encrypt Document’ dialog box appears, set a password for your document and click ‘OK’ button.

    Encryption

    Then a ‘Confirm Password’ dialog will appear, reenter your password and click ‘OK’ button.

    Step 4: After setting password to protect your Word document, click “Save” or press Ctrl+S to save the document. Now your word document is password protected. You’ll see the following message “A password is required to open this document” under “Permissions.”

    Encryption

  • All files from MPOG will be sent via the University of Michigan file sharing system called MiShare.
  • The MiShare infrastructure provides a method for UMHS personnel and non-UMHS partners and researchers to securely transfer files, including files that contain ePHI, protected research data of other sensitive information.  All files are encrypted while being uploaded or downloaded and are encrypted while they are on the MiShare server.
  • All files are retrievable for 4 days.
  • To access the MiShare system click on the following link: https://mishare.med.umich.edu/:

Sending Files through MiShare

UMHS Personnel:
  • Under ‘Level-2 Sign On’
    1. Enter Unique Name
    2. Log in with Level-2
    3. Click on ‘Packages’ on the left side of the screen
    4. Click on ‘Send Package’ located midway down the page on the left
    5. The system does not automatically populate address; you will have to type in the person’s full e-mail address.  Once you have sent someone a package, they will be saved in your list.
    6. Choose a file (you can add up to 20 files)
    7. Click on upload to add the file to the list (you will have to click this for each file you add)
    8. You can choose to receive a delivery receipt or prevent ‘reply all’ at the bottom
    9. Sent the item
Business/Research Partners:
  • Click on ‘Send Files to UMHS Personnel’
    1. You will need the recipient’s e-mail address
    2. Enter your e-mail address
    3. Enter the CAPTCHA (or blurry security word)
    4. Upload/Download the Wizard (Java).  The Wizard is only needed if you want to enable the program to upload multiple files at once. We recommend you ‘Disable the Wizard.’
    5. Enter your e-mail address in the ‘From’ section and add a ‘Subject’ and ‘Message’ in the appropriate sections.
    6. Click on ‘Choose a File’
      1. Please note, you can only upload one file at a time and you will need to click on the ‘Upload’ button each time you choose a file.
    7. Click on Send once all files are uploaded
    8. You will get a message indicating a “Sent package with ID ‘########’ OK.”  This indicates your files were sent.

Receiving Files through MiShare

UMHS Personnel:
  • The recipient will be directed to the MiShare site and will be required to login using their Level-2 password to access the file.
Business/Research Partners:
  • Business /Research partners receiving files will be sent two e-mails.
    1. The first will be an e-mail notifying them an account was set up in their name with a temporary password (you will be required to change the password the first time you sign on).
    2. The second e-mail will contain the requested document.
  • First rule of data security:  Never e-mail files with PHI.
  • Second rule of data security:  Never e-mail files with PHI — E-mail is not a secure means of transmitting PHI.
  • PHI may never be stored or transmitted on a portable USB flash drive or portable hard drive. The number one cause of disclosure of PHI reported by the US Center of Medicaid and Medicare is data stored on stolen or lost portable devices.
  • Do not save files on a public workstation.  Make sure you have them on a secure machine.
  • Do not share data with statistical staff.  They do not need it do perform their activity.
  • Do not put PHI on Dropbox, Google Docs or any other online sites.  Please use MiShare (see directions above).
  • Do not sure file folder encryption in place of hard drive encryption, they are not equivalent.
    • File/folder encryption: Form of disc encryption where individual files or directories are encrypted.  This does not typically encrypt file system metadata, such as the directory structure, file names, sizes or modification stamps.  This can be a problem if the metadata needs to be kept confidential.
    • Hard Drive encryption: Data on an encrypted hard drive cannot be read by anyone who does not have access to the appropriate key or password.  All levels of the data on the computer are protected. 
    • Click on the link that best matches your needs below:
      • How can you tell which version of Windows you are using?
        • Right click on ‘My Computer’ icon and choose properties.
        • The window that opens should indicate which version of Windows you are using.
    How to secure a Windows 7 Computer

    This requires either Windows 7 Ultimate or Enterprise edition.  If you have another version, it needs to be upgraded for security purposes.  Upgrading your system will not erase or modify your existing data.

    1. Open up the start menu and then open the control panel:

    A screenshot of the Windows 7 start menu with the link the control panel highlighted

    2. Search for ‘BitLocker’ in the search field.  Click on ‘Protect your computer by encrypting data on your disk:’

    A screenshot of the search results for 'bitlocker' in Windows 7 control panel

    3. Turn on BitLocker.  Depending on a number of factors, this may take up to 1 – 2 hours:

    A screenshot of the Bitlocker management screen in Windows 7 control panel

    A common set of errors involve the Trusted Platform Module (TPM) chip. Most computers should have this chip built in.  You may need to activate this chip in the BIOS.  For users not familiar with BIOS setup, please consult your computer manual.

    If you do not have a TPM chip, we would strongly recommend obtaining a newer workstation.  If this is not possible, Credant encryption software may be an alternative.

    For more detailed information on the technology referenced above, navigate to the Microsoft documentation on BitLocker and TPM, including information on turning TPM on and off.

    How to Secure a Macintosh Computer

    Lion Operating System: Please refer to the Apple support article HT4790

    Older Operating Systems: Go to ‘System Preferences’ and open the ‘Security’ panel. We strongly recommend upgrading to the Lion OS as the encryption level in Lion’s version of File Vault is significantly stronger than early versions and much more difficult to hack.

Additional Security Practices:

MPOG has put two important security practices in place to ensure data security:

  1. Citrix MPOG Application for Research Data Cleaning: The MPOG Application Suite is available for user remotely using the Citrix receiver. MPOG’s central repository is kept within a high-security data center owned by the University of Michigan. All researchers will VPN into the University of Michigan system to access the data cleaning tool.  This will require the researchers to obtain University of Michigan Level 1 and Level 2 passwords to access the tool.
  2. Statistical Virtual Server: MPOG has also set up a statistical virtual server that also resides at the University of Michigan. The statistical server has been equipped with all of the most commonly used statistical programs. This way the data will continue to reside at the University of Michigan while the statistical team runs their code.  This will also require the team to obtain University of Michigan Level 1 and 2 passwords.  Please note, the statistical staff should not copy, paste, or transfer any data off the MPOG virtual server.

Potential Penalties of Mismanaging PHI:

  • Ending up on the evening news (not in a good way).  Here is an example:
  • Public reporting of breaches by U.S. Department of Health and Human Services:
  • Financial penalties to your institution (up to $1.5 million)
  • Personal civil/legal penalties

Further Information on PHI Security:

For any inquiries please email