Data Security @ Stanford Medicine
As of May 2015, University IT announced a new set of classifications for Stanford data and systems: High Risk, Moderate Risk, and Low Risk. The Prohibited, Restricted, Confidential, and Unrestricted framework will be phased out by January 2016. Going forward, please use the new High/Moderate/Low Risk designations.
Additionally, University IT has published Minimum Security Standards for Endpoints, Servers, and Applications. The School of Medicine is establishing dates by which we plan to be aligned with these standards based on the risk level of the data.
About the School of Medicine Implementation of Stanford University Security Requirements
The School of Medicine is committed to providing and maintaining a secure computing environment to protect the personal data we are trusted with and to enable the important work toward our missions to flourish.
The IT staff members in the School of Medicine are happy to help you meet these requirements - please don't hesitate to ask for assistance or clarification.
Note: Per the August 5, 2014 communication from CISO Michael Duff, the University confirmed the goal to verifiably encrypt all devices by May 31, 2015. "Devices" include University-owned and personally-owned laptops and desktops used by all Stanford personnel* on the Stanford campus network. The Ad Hoc Faculty Committee on IT Privacy confirmed the importance of encrypting employee computers used for Stanford activities.
* The School of Medicine includes faculty, staff, postdoctoral fellows, clinical fellows, students and affiliates in this population.
The School of Medicine data security elements are summarized here (and detailed below the table):
|Action||Individual Attests Yes to HIGH-RISK Data||Individual Attests No to HIGH-RISK Data|
|Data Security Attestation||Required for all School of Medicine affiliates||Required for all School of Medicine affiliates|
|Encryption of Stanford-owned Laptops/Desktops regardless of the user*||SWDE Required||Either SWDE or VLRE Required|
Encryption of Personally-owned Laptops/Desktops used for Stanford-related work*
|SWDE Required||Either SWDE or VLRE Required for devices used on the Stanford network. If not used on the Stanford network, encryption is not required.|
|MDM for mobile devices||MDM required||MDM required for devices used on Stanford campus networks|
|Backups of Laptops/Desktops||All backups must be encrypted. Backup is strongly recommended prior to encryption.||Encrypted backup is strongly recommended prior to encryption.|
|Automatic forwarding of @stanford.edu email account||Must not auto-forward to anything other than @stanfordmed.org, @stanfordhealthcare.org, or @stanfordchildrens.org addresses.||May auto-forward email account|
|Unsupported operating systems (such as Windows XP) running critical research applications or hardware||Must be upgraded, replaced or granted a security exception *||Must be upgraded, replaced or granted a security exception *|
* A Data Security Exception can be requested for devices that cannot meet the data security requirements but which are critical to the operation of critical research applications or equipment. Exceptions can be requested at https://med.stanford.edu/datasecurity/exceptions/
Data Security Attestation
- All users who may access High-Risk Data.
- All shared and multi-user machines which may be used to access High-Risk Data.
- Only users who will never access or receive High Risk Data are eligible to use VLRE.
Mobile Device Management
Eliminating WindowsXP and Other Unsupported Operating Systems
Proper Removal of Stanford Information
Security Policy Exceptions
See All FAQs »
Information security is a critical priority for the School of Medicine and Stanford University at large. Stanford University policy states that all Stanford-owned computers and devices will need to be verifiably encrypted. This also applies to personally-owned computers and devices which either may store or access High-Risk Data or which are used on the Stanford network.
All Stanford-purchased computers at the School must be encrypted using Stanford's sanctioned whole disk encryption prior to be placed into operation. All iOS and Android devices must be enrolled in MDM. Devices that are not capable of enrolling in MDM must not be used to store or access High or Moderate Risk Data and cannot be used on the Stanford network.
Graduate students have either of two cases for their personally-owned computers:
University data security policy states that anyone who attests to working with Stanford's High or Moderate Risk Data, including Stanford electronic PHI, must encrypt all computers and mobile devices used for Stanford work using the Stanford Whole Disk Encryption (SWDE) service for computers or MDM for mobile devices. This requirement applies to both Stanford-owned and personally-owned devices.
Even though is it is possible to access EPIC and other tools through secure portals, a machine that is used regularly for Stanford work has a high likelihood of storing Stanford's electronic PHI either now or in the future and the potential consequences if that data is compromised are severe. It is very common for an individual computer user to not be fully aware of all the data that is stored, even temporarily, on their devices but that can be discovered upon investigation. The University has established this policy to protect patients, the Institution and individual faculty, students and staff.
I will never work with Stanford High or Moderate Risk Data. Do I really need to encrypt my personally-owned computer? »
If you will never interact with High or Moderate Risk Data and do not use your personal computer on the regular Stanford campus network, your personally-owned computer is not required to be encrypted. This includes:
You may want to encrypt your machine for the protection of your data, but you do not need to use the Stanford encryption programs to do this.
For most individuals at the school, these services can be deployed automatically to your computer via the BigFix management tool. Some installations may require the additional assistance of an IT staff person. See: http://encrypt.stanford.edu »
Many clients have successfully installed backup and encryption tools by starting with the specific instructions available below.
If you would like assistance with the data security or backup tools, please work with your departmental IT support. Contact the IRT Service Desk at 650-725-8000 or at https://irthelp.stanford.edu for assistance in identifying your support options or to arrange for an appointment to meet with an IRT service team member.
You can amend your response to the Data & Device Attestation simply by going back to the survey link and resubmitting your answers; your original response will be overwritten. Go to: Data & Device Attestation
Please only report the Stanford and personally owned devices that you use for School of Medicine business. You do not need to attest for devices owned by SHC or LPCH.
Note: this attestation is different from the Device Identification Survey, which will appear as a popup on each of your computers that have BigFix installed.
The Device Identification survey for a computer can be accessed through the BigFix dashboard on that computer.
1. To access the dashboard, click on the BigFix icon.
On Windows, the icon will appear in
the Windows task tray.
On Mac, the icon will appear in the top nav bar.
2. To access the Device Identification survey, click on the Offers tab in BigFix dashboard. Then click on the option that reads: I want to change the information I registered for this machine; this will open up a detailed description of this offer.
3. Accept the offer by clicking on the link that appears at the end of the offer description. A Big Fix popup window offering this survey should appear shortly. There are some cases where the window may be delayed.
As a warning measure, the school has begun temporarily blocking the SUNet IDs of individuals with non-compliant IOS mobile devices. To unblock your ID and regain access to Stanford systems, simply acknowledge that you need to install a Restricted MDM profile on your IOS device by clicking the green "I Understand" button on the Security Block page.
To ensure you are not blocked in the future, please install a Restricted MDM profile on the device in question by browsing to https://mdm.stanford.edu