Policy Number: 179
Responsibilities for the Use of Digital IDs
I. POLICY AND GENERAL STATEMENT
The use of networked electronic resources to securely transact business and exchange information among known parties often requires that the physical identities of individuals be strongly authenticated and that certain information exchanges be strongly encrypted. Digital IDs, i.e. cryptographic credentials, that are each uniquely associated with and solely controlled by a specific individual are a cornerstone in the provision of secure, trusted services among networked resources. Digital IDs permit users to:
- create a digital signature that uniquely authenticates the user's identity, is affixed to a specific electronic document or transaction, and ensures the integrity of the signed item,
- encrypt information that can be accessed only by the intended confidants, and
- access restricted resources requiring strong authentication prior to authorization.
All patient information and some student and human resource information are classified as confidential at The University of Texas Health Science Center at Houston ("university") and must be digitally signed and encrypted for transmission using a digital ID to ensure that the message is sent and received only by intended confidants and cannot be altered or viewed during transmission. This policy applies to all confidential electronic communications that are sent over the Internet or other electronic network that is acceptable to the university, for which the identity of the sender or the contents of the message must be authenticated.
Employees, students or contractors are required to obtain a digital ID if they:
- transmit or receive confidential information across the internal university network or public network;
- must digitally sign electronic documents;
- require access to restricted resources requiring strong authentication.
A digital ID consists of a private/public key pair in which the public key is certified by a university-approved certification authority ("CA").
Digital ID Obligations:
- A digital signature created using a digital ID is the user's legal signature. Therefore, users are legally responsible for its use.
- The digital ID password must never be written down and must not be the same password as those used to gain access to other information resources.
- The digital ID password MUST NOT be forgotten. Consequences of forgetting the digital ID password:
  - the user's digital ID is lost forever;
  - anything encrypted by a lost digital ID can NEVER be accessed again;
  - the user can no longer access restricted resources requiring their digital IDs; and
  - the user must obtain a new university digital ID.
- Faculty and staff having encrypted information must decrypt information in order to satisfy statutory obligations under the provisions of the Texas Public Information Act ("TPIA"). Failure to comply with this requirement will result in disciplinary action and/or criminal sanctions.
- See HOOP Policy 180 Email and Internet Usage for other obligations.
Prerequisites to Obtaining a Digital ID:
- An individual must be a registered student, faculty, staff member or an officially affiliated "guest" of the university.
- An E-mail address of an individual must be of the form email@example.com.
- An individual must have a university identification badge.
- An individual must have a government-issued picture ID (e.g., Texas driver's license, U.S. passport, etc.).
- An individual must have a personal computer connected to the Internet as well as a web browser - Microsoft Internet Explorer 6.0 or later.
To obtain a digital ID, access http://www.uth.tmc.edu/netcenter/middleware/digital-id/index.html.
Safeguarding Digital IDs:
Storage and Transfer of Digital IDs - Digital IDs are stored on your personal computer in your "Personal Security Environment (PSE)" and/or on an E-Token. If the digital ID is stored in a computer's PSE, you must export your certified key set onto a flexible disk or other storage if you wish to use it in the PSE on another computer. This storage media containing the digital ID must be stored by you in a locked physical location not accessible to anyone else.
Using Digital IDs:
- Digital IDs must be used to digitally sign and encrypt e-mail messages that transmit confidential information.
- Digital IDs can be used to access restricted resources if access management for the resource requires a digital ID for authentication.
- Digital IDs can be used when entering information into web forms online that require a digital ID for authentication and/or digital signatures.
- Digital IDs can be used to digitally sign PDF documents, Word documents and Excel spreadsheets to ensure information integrity and/or accountability.