Applicable To:
Duke Health
Duke University
Version 1.3
Authority
Duke University Chief Information Security Officer
Duke Health Chief Information Security Officer
Determining the Nature of the Data
Questions to Consider
Are you storing Sensitive data elements (for example, ePHI, Social Security Numbers, DMCA, PCI DSS or FERPA data)? See the Duke Data Classification Standard for the definitions of Sensitive, Restricted, and Public data.
Use of Duke Services
Selecting a Duke Service Depending on Data Classification
The following chart outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted and Public data. (Staff can also use the SecureIt decision tree tool.) Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. For example:
- ITAR and PCI-related data always require Security Office consultation before use.
- FERPA: Consult with the Registrar’s Office.
- FISMA: SOM GovCloud is required.
- Veterans Administration: PACE is required storage. REDCap is not allowed.
- Social Security Numbers: Collection requires an institutional exception.
- GDPR: Consult with the Privacy Office for allowable options.
- Duke Health non-consented identifiable clinical research data: Per DOCR Policy, PACE is required storage.
All users of the solutions and services that store Duke data must adhere to the following:
- Use only for the approved intended use.
- Store only the information you need or plan to use.
- Provide access only to authorized or approved individuals; remove access immediately when no longer need.
- Do not provide public or broad access to data without institutional approval.
- Retain data only as long as it is needed, or in accordance with Duke retention requirements.
Legend: ✓ = yes; – = no
|
Service |
Available to: |
Public Data |
Restricted Data |
Sensitive Data |
|---|---|---|---|---|
|
Duke OIT CIFS/NFS Home Drive Service Duke OIT & Departmental File Shares |
Duke University |
✓ |
✓ |
– |
|
Duke University Protected Network Duke University Protected Research Data Network (PRDN) |
Duke University |
– |
✓ |
✓ |
|
Duke Compute Cluster (DCC) |
Duke University |
✓ |
✓ |
– |
|
DHTS Home Drive Service |
Duke Health |
✓ |
✓ |
– |
|
Duke Health Network Storage |
Duke Health |
✓ |
✓ |
✓ |
|
Duke Health CITRIX VDI |
Duke Health |
✓ |
✓ |
– |
|
Duke Health Protected Analytics Compute Environment (PACE) |
Duke Health |
– |
✓ |
✓ |
|
Duke University SharePoint Duke Health SharePoint |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke University Tableau Instance Duke Health Tableau Instance |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke DOCR REDCap |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke’s Wiki |
Duke University Duke Health |
✓ |
✓ |
– |
|
Sites @ Duke |
Duke University Duke Health |
✓ |
✓ |
– |
Use of Cloud Services
Selecting a Cloud Service Depending on Data Classification
The following chart outlines which Duke services are appropriate for use with Sensitive, Restricted and Public data.
|
Service |
Available to: |
Public Data |
Restricted Data |
Sensitive Data |
|---|---|---|---|---|
|
Duke’s Box Service1 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Qualtrics Service |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Microsoft OneDrive Service1 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Microsoft Teams2 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Jabber |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Zoom 3 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke's Zoom Telehealth3 |
Duke Health |
✓ |
✓ |
✓ |
|
Duke's WebEx 3 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke University Adobe Sign 4 Duke Health Adobe Sign 4 |
Duke University Duke Health |
✓ |
✓ |
✓ |
|
Duke University Adobe Creative Cloud/Acrobat Pro Duke Health Adobe Creative Cloud/Acrobat Pro |
Duke University Duke Health |
✓ |
✓ |
– |
|
Cloud tenants (including Amazon Web Services, Azure, Google Cloud Platform) |
Duke University Duke Health |
✓ |
– |
– |
| Duke's Panopto | Duke University | ✓ | ✓ | – |
1 No ITAR or PCI related data may be stored on Box or Microsoft Office 365. For additional details see: https://box.duke.edu/security-and-usage/
2 If the Team will be used to share Sensitive Data, the Team must be set to Private not Public.
3 For Duke Health, only Duke Zoom Telehealth may be used for clinical purposes to see patients or exchange Protected Health Information (PHI). Duke Zoom (non-Telehealth) and Duke's WebEx may be used for classes and meetings. Any meeting with the possibility of PHI may not be recorded. Sensitive information may be discussed during a live Zoom meeting when recording is not in use but should not be recorded, typed into a chat session or otherwise stored within Zoom.
4 Specific guidelines exist for the use of Adobe Sign. For more see General Information and License Restrictions. Note: All Health side access for Adobe Sign must be approved and provisioned by DHTS Web Services.
Use of Other Cloud Services (Personal Use)
Selecting a Cloud Service Depending on Data Classification
The following chart outlines outside cloud services appropriate for personal use. In general, these services are not approved for official Duke use without consultation with the Duke security offices and/or privacy offices.
|
Service |
Available to: |
Public Data |
Restricted Data |
Sensitive Data |
|---|---|---|---|---|
|
Apple iCloud |
Personal |
✓ |
– |
– |
|
Personal Box Account |
Personal |
✓ |
– |
– |
|
Personal OneDrive Account |
Personal |
✓ |
– |
– |
|
DropBox |
Personal |
✓ |
– |
– |
|
Google Apps (including Gmail) |
Personal |
✓ |
– |
– |
|
Facebook (including Workplace) |
Personal |
✓ |
– |
– |
|
Slack |
Personal |
✓ |
– |
– |
Document Type: Policy
Last Reviewed: 11/2023