Department of Medicine Leased Storage

The Department of Medicine IT offers several options for private or shared network storage, accessible from on- or off-campus. Full User accounts with our support include 35 GB of private storage, backed up twice a day, and secured by Outpost domain username and password. Shared Storage options are available in 50 GB and 1 TB sizes. For more details see our IT services catalog: https://depts.washington.edu/domis/services

If you need help finding the storage option that works best for you or your group, please contact the Department of Medicine IT Services.

Central File Storage for Users (U Drive)

Provides students, faculty, and staff with a place to store files that can be accessed from anywhere, on- or off-campus. Unfortunately the Central File Storage is not approved for the storage of HIPAA data or other PHI. More info: http://www.washington.edu/itconnect/wares/online-storage/u-drive-central-file-storage-for-users/

UW-IT Servers and Storage Spaces

UW-IT list of servers and storage options available to the University of Washington community. More info: http://depts.washington.edu/uwtscat/svcesincat/19

UW OneDrive for Business

The UW Microsoft Collaborative Applications (MCSA) provides online storage and collaboration options to all UW members. OneDrive for Business provides a cloud storage resource for HIPAA-protected and FERPA-protected data. Other services such as Office 365 Exchange and SharePoint Online are also covered by the UW MCSA agreement and may also be acceptable for HIPAA-protected information. Sharing of documents with external collaborators is possible by using sponsored NetIDs. Please note that this is different from the individual consumer version of OneDrive, which does not meet the security requirements for UW data storage.

DropBox & iCloud

DropBox, iCloud, and other free online services, while useful for personal purposes, should not be used for any reason within UW Medicine unless the appropriate contracts or legal agreements are in place. Data should be stored only on institutional servers and systems unless there is a compelling reason not to. Data stored on free cloud-based storage is no longer under institutional control and can be compromised. For more information on appropriate cloud storage within UW Medicine and the necessary legal agreements, please see the cloud security page from UW Medicine IT Security: https://depts.washington.edu/uwmedsec/restricted/guidance/cloud-computing/

Doodle

Per UW Compliance:

Under current policy there is no restriction against using a polling calendar like Doodle as long as no confidential information is involved. (Examples of confidential information: personally identifiable information, protected health information, workforce records, student records, social security numbers, legally protected University records, selected research data, passwords.)
To further clarify, personally identifiable information is defined as data or other information which is tied to, or which otherwise identifies, an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information about them known. Personal information includes, but is not limited to, information regarding a person's home or other personal address, social security number, driver's license, marital status, financial information, credit card numbers, bank accounts, parental status, sex, race, religion, political affiliation, personal assets, medical conditions, medical records or test results, home or other personal phone numbers, non-university address, employee number, personnel or student records and so on.

Catalyst Web Tools

The University of Washington’s Catalyst Web Tools are used throughout UW Medicine for a variety of purposes including quality assurance activities. However, the Catalyst Web Tools are not HIPAA compliant. Since this web-based tool is not compliant with the regulation that helps protect electronic Protected Health Information (ePHI), that information may not be gathered, transmitted or stored on the Catalyst computing system.

If the compliance status of the Catalyst Web Tools changes in the future, it may become a suitable tool for use with ePHI. The UW Medicine IT Security web site (https://depts.washington.edu/uwmedsec/) will be updated with any change in status.

If you need to gather information for patient or family care activities, please contact the UW Medicine IT Services Help Desk at mcsos@uw.edu for help finding a secure tool to meet your needs.

Being Secure in the Cloud

Cloud computing and storage services can be very useful, but can also pose unique threats to the confidentiality of university data. The convenience of cloud resources can sometimes make them very attractive tools; however, regardless of what tools are used, all university data must be adequately protected.

All Department of Medicine workforce members must follow both University and UW Medicine security policies for data classifications, access, and protections. At their most basic, these security requirements are defined by legal agreements between organizations. Those legal agreements establish how partner organizations will protect stored data and how the data can be accessed in the event of a public records audit or investigation of a potential security breach. Failure to adequately report incidents and corrective actions by the University or UW Medicine could result in significant fines for UW Medicine as well as large-scale reputational damage.

UW Medicine is very specific regarding the appropriate access, use, and disclosure in regard to cloud resources. Their cloud computing guidance webpage lists approved cloud resources and includes the following statement:
“DO NOT ever send or store any University Business data, especially restricted or confidential information using a cloud service or application without establishing a contract with the vendor including appropriate legal agreements which may include a Business Associate Agreement (BAA) and a Data Security Agreement (DSA).
[…]
The only way to use any cloud application is to insure that the cloud application owner/vendor has signed a Business Associate and Data Security Agreement with the University prior to using it. All public cloud offerings are considered not suitable for UW Medicine business operations without these agreements in place.”

For more information about the different types of data classifications and protections, please refer to the UW PASS Council’s data classifications webpage, which applies to all UW workforce members. The Confidential Data Risk Guide published by the Office of the CISO is also a good resource and provides guidance to all UW workforce members about the appropriate use of several online resources. Additionally, the UW Medicine Electronic Data Policy summarizes existing University policies as they apply to the use and protection of electronic data, and applies to all electronic data related to UW Medicine business. If you need more specific guidance regarding the appropriate use of a cloud resource, feel free to directly contact UW Medicine IT Security. Their About Us webpage has several ways to contact them.

For additional guidance regarding data security, please see the Department of Medicine Data Stewardship webpage, which provides a helpful summary of University and UW Medicine policies and provides additional information and resources.