Search & Secure Initiative FAQ

Q: What type of information is considered sensitive?

A: Categories of sensitive information can include, but are not limited to:

  • Social security numbers, partial social security numbers (last 4 digits)
  •  Protected health information (PHI) as defined by HIPAA
  • Student records and prospective student records (see http://www.registrar.emory.edu/students/ferpa.html for more information)
  • Credit/debit card numbers, P-Card numbers, and other PCI cardholder data
  • Financial aid information
  • Bank account numbers
  • Information protected by non-disclosure agreements (NDAs) or other third party data that Emory is legally or contractually obligated to protect (Note: the security provisions contained in NDAs and contractual agreements may vary significantly, so robust security measures may not be required in all situations.)
  • Law enforcement and investigative records

When reviewing your records and workplace, be sure to look carefully at the following types of records as they may contain some of the sensitive data types noted above. These include, but are not limited to:

  • Clinical records
  • Donor and alumni records
  • Research information related to sponsorship, funding, and human subjects
  • Employee related data (HR forms, insurance information, etc.)

There may be other types of data not listed here that are considered sensitive. In general Emory is concerned with data types that could lead to identity theft, are governed by state, federal, or industry regulation, or information that we're contractually, legally, or ethically obligated to protect.

Q: Is information like donor and alumni records, employee related data, and research information always considered sensitive?

A: No, not always. However, there may be sensitive data types recorded with this information. This could include an employee's SSN on an HR action form, personally identifiable information related to human subject research, etc. The presence of these data types can increase the sensitivity of the information.

Q: What are the deadlines for the different deliverables of the search and secure process?

A: There are three main phases to this effort. Phase one is divided into two parts, securing electronic media, and securing paper media. All units are encourage to complete phase one for both electronic and paper media as soon as possible, however, more time has been allotted to securing paper media. Please note that your unit may require that deliverables be turned in earlier than the dates noted below. Make sure that you are following your unit's instructions for deadlines.

Phase 1:

Deadline June 18th

Physically secure any unencrypted electronic media containing sensitive information, as well as complete and return media inventories and attestation forms for electronic media containing sensitive information.

Deadline July 16th 

Physically secure any paper media containing sensitive information, as well as complete and return media inventories and attestation forms for paper media containing sensitive information

Phase 2:

Deadline September 24th

Send a single consolidated Media Remediation Plan for your business unit (in Excel format) to Brad Sanford (brad.sanford@emory.edu)

Deadline October 22nd

After completing all remediation activities for each item in the Media Remediation Plan spreadsheet, update the “Date Completed” column and send a single consolidated Media Remediation Plan for your business unit (in Excel format) to Brad Sanford (brad.sanford@emory.edu).  

Q: Where can I find copies of the forms to be used for the search and secure initiative?

A: You can find copies of the forms at the links below. Note that your division may request that you use a specific customized form rather than the templates below.

Q: There is a server in my work area with sensitive information stored on it. What should I do with it?

A: Ultimately the server will need to be moved to a more secure location. This could be a locally managed, access controlled, server room, an Emory data center, or the server could be virtualized.

Q: I have a desktop or laptop computer with sensitive information on it. What should I do to protect it?

A: You can move the sensitive data to a more secure location, such as a managed file server or Emory's Trusted Storage offering, and then delete it from your computer. The other option is to encrypt the data. According to Emory's disk encryption policy, you must encrypt laptops that store any restricted data records (see the disk encryption policy for more information about restricted and confidential data types). However, we recommend that ALL laptops be encrypted. Any desktop computer with 500 or more restricted data records must also be encrypted by policy. Encryption is recommended for desktops that contain 1-500 restricted records, or more than 500 confidential records. More information about disk encryption can be found here.

Q: I've got a lot of old data (paper records, backup tapes, DVDs, etc.) that I don't need anymore. How can I get rid of them?

A: First, do not throw these items away. Paper records should be shredded with a cross-cut shredder. These shredders can usually also destroy CDs/DVDs and floppy disks. Other types of media, such as old backup tapes will need to be physically destroyed. Hard drives can be securely erased, or physically destroyed. Emory will soon be announcing a data destruction day where we will make services available to you to properly dispose of old media. Stay tuned for more details.

Q: What is a "secure location"?

A: Examples of a secure location include: 

1. Desk drawers, file cabinets, or safes that are:

  • Locked 24 hours a day when not in use
  • Accessible only by individuals who are authorized to access the data
  • Are of sufficient quality and strength to prevent being opened by brute force
  • Not readily removable from their location

2. Storage rooms, closets, and offices that are:

  • Locked 24 hours a day when not in use
  • Accessible only by individuals who are authorized to access the data
  • Are of sufficient construction quality, design, and strength to prevent being accessed by brute force. Walls should be of solid construction, and the room should not be vulnerable to intrusion through the walls, from under the floor, or through the ceiling.

3. Server Rooms that:

  • Are locked 24 hours a day
  • Are accessible only by individuals who have been authorized
  • Are of sufficient construction quality, design, and strength to prevent being access by brute force. Walls should be of solid construction, and the room should not be vulnerable to intrusion through the walls, from under the floor, or through the ceiling.
  • Have a documented physical access security plan which includes:
    • Procedures on how to apply for access
    • A list of authorized approvers for access requests
    • Procedures for validating/verifying access requests
    • Procedures for allowing facility maintenance, documenting maintenance performed, and saving maintenance logs until no longer required.
    • Procedures for requesting, authorizing, and approving visitor access, including the requirement that visitors be escorted or monitored (e.g. via video) at all times.   
    • Mechanisms for logging all access to the facility
    • Have appropriate environmental controls

4. Items attached to sturdy immovable objects via cable locks (like a laptop connected to a desk) may also be considered physically secure. 

Conversely, areas that do not meet this criteria would not be considered secure.

Q: What should be done with smart devices (smart phones, tablets, etc.) that have sensitive information stored on them?

A: All smart devices that store sensitive data must comply with Emory's Smart Device Security Policy.

Q: How should patient files that are taken offsite for review by physicians be secured?

A: While onsite all patient files should be stored in areas that are designated as secure storage locations. While offsite, these files should be kept in the physical possession of the physician at all times. If the files are taken home by the physician, they should be locked in a secure location (such as a lockable filing cabinet) while they aren’t being reviewed.

Q: I already have sensitive data stored on a file server, but I understand that Emory has a more secure "trusted storage" option available. Do I need to move this data to trusted storage as part of the search and secure initiative?

A: Not at this time. The focus of this effort is primarily concerned with the kinds of unsecured media that could readily be lost or stolen. However, moving the data to trusted storage should be a consideration in the future. For certain types of data, such as ePHI, Emory's trusted storage solution implements many of the requirements necessary to comply with HIPAA regulations.

Q: How do I know if any of the sensitive data that I or my department has should be kept?

A: Some information must be kept for a specific period of time. Please see Emory's Records and Information Management page for more information. 

Q: What is the scope of the search and secure effort in locations that aren’t primarily Emory owned and occupied (Grady, CHOA, VA, etc.)?

A: The scope of the search and secure effort in these areas is limited to spaces that are specifically designated for Emory use. Examples may include: An Emory research lab located in the VA hospital, or a suite of offices used by the School of Medicine at Grady. The scope of the effort does not extend to non-Emory occupied spaces.

Q: I have some technical questions that I need answered, who should I contact?

A: You may contact your local support provider, or e-mail security@emory.edu.