Frequently Asked Questions

Who do I contact if I have questions or need help?

Where do I find the University of Tennessee (UT) Information Technology policies?

Where do I find the UTHSC security and privacy policies?

Is IRB approval for my research sufficient to begin my research with human subject data?

Who is responsible for vulnerability scanning of my desktop/laptop?

What is meant by the principle of least privilege?

Who is responsible for keeping my Operating System and my applications up to date and patched?

Who is responsible for the anti-malware software and keeping it up to date?

I have a database with data or information with a classification rating of 3 in any area, do I need to encrypt the database?

Can I use the Office 365 OneDrive for Business or Office 365 SharePoint to store data or information with a classification rating of 3 in any area?

Can I use my personal OneDrive to store data or information with a classification rating of 3 in any area?

Can I use any other cloud storage service to store data or information with a classification rating of 3 in any area?

Can I send data or information with a classification rating of 3 in any area via email?

Can I communicate with my research subjects via email?

Answers


Who do I contact if I have questions or need help?

Contact the UTHSC Information Security team for more information by sending an email to: security@uthsc.edu. Also, additional information can be found at the security site.

Where do I find the University of Tennessee (UT) Information Technology policies?

The UT policies can be found at PolicyTech. Click on ‘System-wide’ to see an expanded menu that includes the Information Technology policies.

Where do I find the UTHSC security and privacy policies?

The UTHSC security and privacy policies can also be found at PolicyTech. Click on "UT - Health Science Center" then expand the folders for what you need. 

Is IRB approval for my research sufficient to begin my research with human subject data?

While IRB approval is minimally required, providers of human subject data, such as registries, as well as some federal agencies have specific data use requirements and allowances. Without explicit approval from these agencies or their data governance boards, the human subject data may not be available to start the research.

Who is responsible for vulnerability scanning of my desktop/laptop?

The UTHSC IT department scans the network at regular intervals. Your computer system must allow credentialed or agent-based scanning to examine your system. Contact the UTHSC Office of Cybersecurity to ensure your system is being scanned regularly and correctly.

What is meant by the principle of least privilege?

The principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) means that a user account or process has only those privileges which are essential to perform its intended function. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked.

Who is responsible for keeping my Operating System and my applications up to date and patched?

The UTHSC IT department has automated mechanisms in place to update computer systems at regular intervals. Your UTHSC computer system must allow these updates to be applied. If automated updates and patches are not possible, you are responsible and will be held accountable for keeping your system current and patched. Contact UTHSC IT to ensure mechanisms are in place to keep your system up to date.

Who is responsible for the anti-malware software and keeping it up to date?

The UTHSC IT department has invested in anti-malware software and other mechanisms. UTHSC computer systems are required to have this software installed if they are connected to the UTHSC network. You are responsible and will be held accountable for ensuring the software is not disabled or otherwise crippled.

I have a database with data or information with a classification rating of 3 in any area, do I need to encrypt the database?

The requirement is that data must be protected at rest using encryption if the confidentiality ranking is a C-3. In case it is not possible to encrypt the storage media (e.g. a hard drive), the database stored on that storage media MUST be encrypted. To add additional protection, we recommend that even when the storage media is encrypted, the database is encrypted as well.

Can I use the Office 365 OneDrive for Business or Office 365 SharePoint to store data or information with a classification rating of 3 in any area?

Yes, Office 365 OneDrive for Business and Office 365 SharePoint encrypt the data and protect these data at rest. In addition, uploading/downloading data to and from these cloud-based Office 365 environments is encrypted, protecting these data in transit. Also, the University of Tennessee has a Business Associate Agreement with Microsoft, as is required by Federal law in case of Protected Health Information. These safeguards are augmented by the UTHSC requirement to use two factor authentication for Office 365. These layers of protections reduce the risk to an acceptable level.

Can I use my personal OneDrive to store data or information with a classification rating of 3 in any area?

NO, storing data or information with a classification rating of 3 in any area on a personally owned OneDrive is not allowed.

Can I use any other cloud storage service to store data or information with a classification rating of 3 in any area?

NO, storing data or information with a classification rating of 3 in any area in any personally owned cloud storage device other than OneDrive for Business is not allowed. Departmental and/or College owned cloud storage devices must have explicit documented approval by UTHSC Information Security.

Can I send data or information with a classification rating of 3 in any area via email?

Yes, provided the email is encrypted. Encrypted email may be used by UTHSC workforce members to transmit data or information with a classification rating of 3 in any area including Protected Health Information (PHI) and other data with a high classification rating.

Note: Keep in mind that even when PHI is communicated securely by email, both the sender and the recipient(s) must have a professional Need-to-Know for the PHI shared, and the amount of PHI shared must be limited to what is minimally necessary to accomplish the task.

Can I communicate with my research subjects via email?

When communicating with patients and/or research subjects, we encourage the use of the patient portal associated with the specific hospital or clinic. When it is necessary to use email, ensure that encryption is used when communicating PHI or other data with a high classification rating (i.e., the data must be encrypted in transit).

Note: The IRBs and/or certain research protocols may require extra safeguards when e-mailing PHI or other Confidential Data (i.e., the data must be encrypted in transit). Make sure to contact the applicable IRB or the sponsoring agency for additional requirements.

May 26, 2022