Use of PennBox and Amazon Web Services

The type of data that may be posted to PennBox and Amazon Web Services depends on its sensitivity level under the Penn Data Risk Classification guidelines.

| Data Type | Storage Allowed? | Device Encryption Required? |
|---|---|---|
| Non-Confidential University Data | YES | NO |
| FERPA Data | YES | YES |
| HIPAA Data | YES: See Terms Below | YES |
| Human subject research data | YES with IRB approval | YES |
| Social Security Number | YES: See Terms Below | YES |
| Credit Card Data | NO | N/A |
| ITAR/EAR | NO | N/A |
| Other Confidential University Data* | YES | YES |

Confidential University Data

Sensitive Personally Identifiable Information: Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to confidential University data.

Proprietary Information: Data, information, or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secrets, copyrighted material, and software, or comparable material from a third party when the University has agreed to keep such material confidential.

Other data: Other data whose disclosure would cause significant harm to Penn or its constituents.

HIPAA Terms of Use

Penn has executed HIPAA-compliant Business Associate Agreements with the services named above. This ensures compliance with the contractual requirements set out under HIPAA. To meet additional HIPAA requirements, before putting HIPAA-regulated data on these services:

  1. Contact your Local Support Provider (LSP) to enable logging and monitoring, and to configure settings that run anti-malware scanning against the files.
  2. Use only Penn-approved encrypted devices to access HIPAA Data on these services. Note: for any non-Penn recipients of HIPAA data, appropriate administrative, physical and technical safeguards must be in place including, at a minimum, encryption at rest.
  3. Periodically review access permissions to ensure only HIPAA-authorized persons have access.
  4. For AWS, set up a separate account for HIPAA use, and enroll the account in the BAA.
  5. For AWS, use only HIPAA-eligible services for data containing PHI.
  6. For AWS, ensure you are enrolled in Business or Enterprise level support.

Social Security Number Terms of Use

Contact your Local Support Provider (“LSP”). A Social Security Number (SSN) is particularly sensitive data that, if compromised, can cause harm to the individual and to Penn. Please consider carefully whether you need full SSNs for any and all of your academic, research or business processes. Using the last four digits or Penn ID as alternatives, as well as encryption, are effective ways to reduce such risks. See Penn’s Social Security Number Policy at http://www.net.isc.upenn.edu/policy/approved/20071120-ssnpol.html.

Questions or Concerns

Contact ISC's Office of Information Security (security@isc.upenn.edu) or the Privacy Office (privacy@upenn.edu).

© 2023 THE UNIVERSITY OF PENNSYLVANIA — 3401 Walnut Street, Philadelphia, PA 19104