TAMU-Health Spirion Sensitive Data Manager

Texas A&M University, inclusive of Texas A&M Health, is required under Security Categorization (RA-2), to scan university-owned devices for sensitive information to prevent data loss using a data loss prevention (DLP) method. Texas A&M University has selected Spirion Sensitive Data Manager to perform scanning. When sensitive information is discovered, you will be notified by Health Information Technology (Health IT) professionals with instructions for removing or isolating the data.

Commonly Scanned Devices

• Computers and servers managed by Health IT
• Flash drives and external hard drives connected to computers managed by Health IT
• Recycle bins on computers managed by Health IT

Types of Scanned Data

• Social Security Numbers
• Health Data, including Electronic Protected Health Information (ePHI), such as Explanations of Benefits (EOBs), lab results or insurance paperwork
• Critical Data
• Confidential Data
• University-Internal Data

Preventing Data Loss or Exposure

• Encrypt sensitive information on both your computer and external drives; see the System and Communication Protection Control Cryptographic Protection (SC-13) for more information or contact the Health Technology Care Team to learn about encryption options for your university-owned device(s)
• Do not use retail, off-the-shelf removable drives; instead use encrypted departmental fileshares or secure cloud storage services, such as STAR – Amazon AWS, Microsoft SharePoint, Teams or OneDrive
• Disconnect and lock in a secure location any external drives that contain sensitive information when not in use, even if encrypted
• Remove sensitive information as soon as it is no longer needed, according to appropriate retention policies
• Empty your recycle bin since deleted files can still be recovered
• Never access university-related critical or confidential data from devices not managed by Health IT

If Potentially Sensitive Information is Identified

If Spirion identifies sensitive information on your device(s), you will be notified via email by Health IT. You have the following options:

• Delete the data, including emptying your recycling bin
• If the data is your personal information or that of your immediate family, it is strongly recommended that you remove all personal information from the university-owned device(s)
• If the data was incorrectly identified as sensitive information, you should report the data as a false positive; it will be classified accordingly and will not be flagged again
• If the data has been properly identified and is needed for legitimate business purposes, it should be secured and encrypted

Support Information

If you have any questions about Spirion Sensitive Data Manager, please contact health-endpoint-mgmt@tamu.edu.