The nature of being a higher education and research institution means that universities have a lot of information to manage—everything from grades and tuition payments, to employment records and research data. Protecting the confidentiality and integrity of the information we collect is essential and, in many cases, required by law.

Ironically, the tech that has transformed the way we work also means that data security and privacy are now more important considerations for researchers than ever. When people can access data on any device from any location, it’s much harder to ensure proper security precautions are being taken. In a remote work environment, that means device security is the key to data security.

University Owned, University Managed

The University is responsible for protecting the sensitive data it collects. Therefore, to prevent unauthorized access, devices that are used to access, work with, and store the data must adhere to strict security protocols and have the most up-to-date software. After all, if the device cannot be secured, then its access to the University's sensitive data cannot be secured either.

Only University-owned and managed computers should be used to store or access any sensitive University data or critical systems. A work computer that is centrally managed by your IT department or by Pitt IT’s device management service are guaranteed to have the latest security patches and updates, with all security settings enabled.

Why can’t you just use your own laptop at home? Because, if we’re being honest, we aren’t so careful with a personal device. We don’t always check for and install every security and software update as soon as it comes out. We sometimes turn off security settings that we find annoying. We sometimes let a spouse, child, or visitor use our computer. All of those are security risks, and violate the requirements for dealing with the highest-risk data, like HIPAA-protected information.

What Does “Sensitive Data” Mean?

Data can be put into three buckets: public, private, and restricted.

• Public data is intended for public disclosure, so the loss of confidentiality would have little to no adverse impact on Pitt. Much of this data is already easily available—for example, directory information or job postings. If you work with anonymous, non-sensitive research data that could be in a published paper, that’s public. Public data may be stored on your computer or in your cloud account, does not require encryption in transit, and has no specific access restrictions.
• Private data is generally internal to your department or the University. A confidentiality breach could negatively impact Pitt’s mission, safety, finances, or reputation. Examples include student records, employment applications, personnel files, salary information, contracts, internal correspondence, financial information, and moderate-risk intellectual property. Private data should be stored on Pitt owned/maintained devices or approved cloud accounts, requires encryption in transit, and can be accessed only by authorized Pitt personnel.
• Restricted data must be protected in accordance with legal or regulatory requirements (e.g. HIPAA, FERPA, and the like). The loss of confidentiality or accessibility of the data could have a severe impact on our mission, safety, finances, or reputation. This includes social security number, driver’s license number, bank or credit card number, protected health information, high-risk intellectual property, and identifiable sensitive research information. Restricted data may only be stored on a computer that is University-owned/maintained and is registered with Pitt IT. It requires encryption in transit, and access is limited and controlled by the relevant regulations.

Proceed with Care

So you work with private or restricted data … now what? If you have a University-owned and maintained computer, use it—and only it—when working with sensitive data. Connect to secure systems with PittNet VPN (Pulse Secure), don’t let others use the computer or reveal your password, and maintain good cybersecurity habits.

If you don’t have a University-owned and maintained computer at home, contact your IT department or Pitt IT. They can help you ensure a secure environment to keep your device and data safe and compliant with relevant laws and regulations.

Device security and data security go hand in hand. Make sure you are using a University-owned and maintained computer when you work with sensitive data so what’s private stays private!

-- By Karen Beaudway, Pitt IT Blogger