Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Availability: A measure of the level of accessibility and usability of an information system. Availability also includes the likelihood that the system (hardware, software, and data) will survive a disaster, and can be brought back up quickly for emergency and/or normal operations.

Confidentiality: Confidentiality indicates the restricted and unrestricted attributes regarding the access to and use of information, as required by state and federal laws and regulations, University policy, contract or convention. The degree of confidentiality afforded to different types of information will vary. Medical records, employment/personnel records, records relating to UCSF's business and finances, physician-patient communications, attorney-client communications, and intellectual property related records are among those thought to be considered confidential.

Confidential and Personal Data: Confidential and personal data includes staff, faculty and student information that resides in local electronic files or in the ad-hoc Campus Personnel and Payroll Oracle databases. Examples of this information include:

Academic Evaluations, Letters of Recommendation, Physical Condition, Psychological Condition, Performance Evaluations, Corrective Actions, Current rate of pay, Citizenship, Social Security Number, Home Address, Home Telephone Number, Income Tax Withholding, Spouses or Other Relatives Names.

Derived from UCOP's Legal Requirements on Privacy and of Access to Information. More information at http://www.ucop.edu/ucophome/policies/bfb/rmp8toc.html

Contingency plan: Management policy and procedures designed to maintain and restore business operations, including computer operations, possibly at an alternate location, in the event of system failures, emergencies, or disaster.

Data Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner.

Device: PC, laptop, PDA, text pagers, cell phones, cell phones with camera, digital cameras, home computers, all dictation devices(Go MD)

Division Administrator: The division administrator has the delegated authority from the department administrator to handle all administrative tasks for the division.

The division administrator is ultimately responsible, but can delegate authority to other group administrators at their digression.

DOM IT Services: Department of Medicine Information Technology Services group

Financial Data: Financial data includes any departmental, staff, faculty or student financial information/transactions that reside in local electronic files or in the ad-hoc Campus Financial Oracle databases.

HIPAA Data: HIPAA security regulations require that all protected health information (PHI) have adequate security protections and that the university maintain documentation of risk assessment, monitoring, and other security parameters for PHI stored electronically (45 CFR Part 164). Protected or personal health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Individual: The person who is the subject of protected health information.

Information Systems Security Incident: An information systems security incident is any event, suspected event, or discovery of a vulnerability that could pose a threat to the confidentiality, integrity, or availability of supporting systems, applications, or information.

Such an incident can pose actual or potentially harmful effects on a computer system. The types of activity that are widely recognized as harmful include but are not limited to:

• Attempts (either failed or successful) to gain unauthorized access to (or use of) an information system or the data stored on the system.
• Unwanted disruption or denial of service.
• Unauthorized changes to system hardware, firmware, or software, including adding malicious code such as viruses and worms.
• Detection of the above-named symptoms such as altered or damaged files, virus infection messages appearing during start-up, or inability to log in, and more.

Media: CD, floppy disk, memory sticks, jazz and zip disk, removable storage devices

OLHD: Online Help Desk . DOM IT Services Computer Support Database

Protected Health Information: Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or is transmitted or maintained in any other form or medium. This excludes the individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) of the Social Security Act, and employment records held by a covered entity in its role as employer.

A good list of identifiers and guidelines for what is and is not PHI can be found on the Human Research Protection Program web site.

Research-related Health Information (RHI): The University of California's HIPAA Task Force has coined the term "Research-related Health Information" (RHI) to clarify the types of data used in research that would be person-identifiable but would not be considered PHI.

Risk: A combination of, 1) the likelihood that a particular vulnerability in an DOM information system will be intentionally or unintentionally exploited by a threat resulting in loss of confidentiality, integrity, or availability, and 2) the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability could have on Department of Medicine operations, assets, or individuals (including privacy) should the exploitation occur.

Risk Assessment: A key component of risk management that involves identification of: 1) threats and vulnerabilities, and 2) the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability could have on organization operations (including functions, image or reputation), organization assets, or individuals (including privacy) should there be a threat exploitation of information system vulnerabilities.

Risk Management: A process of identifying, controlling, and mitigating risks that includes: risk assessment, cost benefit analysis, and selection, implementation, testing, and evaluation of security controls.

SB1386 Data: UCSF complies with the provisions of California Privacy Legislation, California Senate Bill 1386 (SB1386), requiring notification to California residents regarding any breach to the security of a computing system where there is a reasonable belief that an unauthorized person has acquired their unencrypted personal information.

SB1386 covers the unauthorized disclosure of any of the following identifiers in combination with an individual.s first name or first initial and last name:

• Social Security Number
• Driver license number or California identification card number
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

More information can be found at: http://security.ucsf.edu

Sensitive Data: Sensitive data in regards to this procedures is defined as confidential, personal and financial data including all data protected by HIPAA and SB1386.

Sensitive Information: This includes Electronic Protected Health Information (ePHI) as well as other private personal information such as payroll records and other confidential files.

Strong Password: A strong password is made up of a combination of upper- and lower-case letters and non-alphanumeric characters like the asterisk, exclamation point, dollar sign or percent sign, and involve combining words and characters into a password that can.t be found in the dictionary or hacker's guide.

Threat: Any circumstance or event with the potential to intentionally or unintentionally exploit a specific vulnerability in an information system, resulting in a loss of confidentiality, integrity, or availability.

Threat Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger and/or exploit a vulnerability.

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

User: A person or entity with authorized access.

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system's security policy.

Workforce: All faculty, staff, students, trainees, volunteers, and business associates who access restricted or confidential information during the course of their duties.