11.3 - Data Classification

Policy

In order to protect the security and integrity of WCMC data, as well as to comply with applicable state and federal laws and regulations, all WCMC data must be classified as either Confidential, Internal Use Only, or Unrestricted. Managers and administrators of information technology resources are responsible for this classification.

Entities Affected By This Policy

The Weill Cornell Medical College and Graduate School of Medical Sciences

  • Responsible Executives: WCMC Chief Information Officer
  • Responsible Department: Information Technologies and Services
  • Dates: Issued: Interim, October 1st, 2007. Final Issuance: January 31st, 2008
  • Contact: Information Technologies and Services

Reason for Policy

Information technology and data constitute valuable WCMC assets. Depending on their classification, these assets are additionally subject to state and federal regulation. This policy is designed to provide a launching point for facilitating compliance with these regulations and adherence to commonly accepted security best practices.

Principles

  1. The following definitions must be adhered to when determining classification:
    1. Confidential: This includes data protected by state and/or federal law against unauthorized use, disclosure, modification, or destruction. Confidential data includes, without limitation, the following:
      1. Patient billing or medical records (in any electronic form, including but not limited to: databases, spreadsheets, audio/video recordings, transcripts, etc.), including data covered by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA)
      2. Student records, including those protected under the Family Educational Rights and Privacy Act (FERPA)
      3. Financial data, including data covered under the Gramm-Leach-Bliley Act (GLBA) and credit card numbers
      4. Employment records, including pay, benefits, personnel evaluations, and other staff records
      5. Research data involving human subjects that are subject to the Common Rule (Federal Policy for the Protection of Human Subjects, 46 CFR 101 et seq)
      6. Social Security Numbers
    2. Internal Use Only: This includes information that requires protection from unauthorized use, disclosure, modification, and/or destruction, but is not subject to any of the items listed in the Confidential definition above. Internal Use Only data includes:
      1. Data related to Weill Cornell Medical College operations, finances, legal matters, audits, or other activities of a sensitive nature
      2. Data related to donors or potential donors
      3. Information security data, including passwords, and other data associated with security-related incidents occurring at the college
      4. Internal WCMC data, the distribution of which is limited by intention of the author, owner, or administrator
    3. Unrestricted: This includes data that can be disclosed to any individual or entity inside or outside of WCMC. Security measures may or may not be needed to control the dissemination of this type of data. Examples include:
      1. Data on public WCMC web sites
      2. Press releases
  2. Departments should carefully assign the appropriate data classification category for their data.
  3. Systems or applications that create, receive, store, or transmit Confidential data (hereafter referred to as 'Confidential Systems') must, without exclusion, adhere to the following WCMC policies:
    • 12.1 Integrity Policy
    • 12.2 Physical Security Policy
    • 12.3 Authentication and Authorization Policy
    • 12.4 Administrative Security Policy