The School of Medicine Data Security Policy requires the following of all School of Medicine faculty, staff, students, residents, and fellows (in accordance with Stanford's Endpoint Compliance Rules):
The School of Medicine Data Security Policy requires the installation of BigFix, Stanford's computer and security management tool, on all laptops and desktops used for School of Medicine business, if the user may access Restricted or Prohibited data (such as PHI). This includes Stanford-owned computers, personally-owned computers and VM machines used by these individuals.
The Data Security Policy requires enterprise verifiable encryption of all Stanford-owned computers as well as personally-owned computers that access or receive Stanford Restricted or Prohibited data.
The School of Medicine offers but does not require enterprise backup of all computers and mobile devices used for Stanford business by any Stanford affiliate (faculty, staff, residents, postdocs and students).
Data & Device Attestation
All faculty, staff, students, residents, fellows and affiliates are required to complete an attestation process declaring their access to PHI and other Restricted or Prohibited data and are responsible for the required compliance of their computers and mobile devices with this policy.
Mobile Device Management (MDM)
Mobile Device Management technology (MDM) automatically enables encryption and strong password protection on mobile devices, and it supports the ability to remotely erase a device if it is lost or stolen. Given the particular risk of loss or theft of smartphones and tablet computers, and the requirement to investigate each loss when the device is not encrypted, the School of Medicine requires that MDM be installed on all Stanford-owned mobile devices and personally-owned devices used by individuals who may access Protected Health Information (PHI) or other Restricted or Prohibited data.
Currently University MDM is available for iOS and for some Android devices. If MDM is not available for a device, it must not be used to store or access Protected Health Information (PHI) or other Restricted or Prohibited data.