Information Privacy and Security Policies

Below are some Stanford-enforced policies regarding information security, for the School of Medicine and for the University in general:

The updated School of Medicine Data Security policy further increases computing security across campus. The SoM now requires most Windows XP devices to be eliminated, as Microsoft ceased support on April 8, 2014*. The Data Security Policy also now mandates encryption of all computers used for Stanford business by faculty, staff, residents, fellows and students. All personal, shared and multi-user computers must be encrypted, no matter what kinds of data the users access. Further, all mobile devices (tablets, phones, etc.) used by individuals who may access or receive High, Moderate, or Low Risk data must be enrolled in Stanford's Mobile Device Management (MDM) program.

All faculty, staff, students, residents and fellows are required to complete an attestation process declaring their access to PHI and other High Risk data and that their computers and mobile devices are compliant with this policy. To complete the attestation process, to find out whether your devices are compliant, and to read all the details of the policy, visit med.stanford.edu/datasecurity.

* While exceptions can be approved for devices with specific, critical, scientific software or applications, controls must be implemented to compensate for the risk of leaving these devices in use.

Any computer or device on the School of Medicine network that is posing a threat to other computers or network resources may have its network access disabled until the problem is addressed.  Threats include: signs of malware infection, system compromise, attempts to exploit vulnerabilities on other systems, excessive use of network bandwidth, or other malicious network activity. Compromised systems will generally need to be rebuilt with a new installation of the operating system and updated security patches before their network access can be re-enabled.

IRT owns, controls and supports the School of Medicine network. The Network Access group enforces a list of security policies and standards in order to keep the network secure and operational.

The Administration Guide (http://adminguide.stanford.edu) is the University's official administration policy manual. Chapter 6, Computing, specifically defines your responsibilities regarding network and computer utilization, information security, chatrooms and electronic commerce. Read on for summaries of each section; click the links to download the entire policy as a PDF.

Section 1, Administrative Computing Systems, outlines the hierarchy of administrators and users of an academic computing system—any computerized system that uses administrative information at Stanford—and identifies "ownership, development and management responsibilities."

Section 2, Computer and Network Usage Policy, lays out guidelines for users of Stanford's computers, networks and information on the proper use of information technologies, including:

• Users are bound to respect copyright law and licenses
• Users are bound to respect the integrity of information resources, both hardware and software
• Users are prohibited from seeking to gain unauthorized access to resources
• Users must respect the rights of other computer users, and neither violate their privacy nor broadcast inappropriate content
• University information resources must not be used for political, commercial or personal use except when in compliance with laws and University policies

Section 3, Information Security, states the requirements for the protection of Stanford's information assets, and the principles of information security (the following is quoted from the Guide):

1. Information Resource Availability — The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure and any other such resources, are available to support the teaching, learning, research or administrative roles for which they are designated.
2. Information Integrity — The information used in the pursuit of teaching, learning, research or administration can be trusted to correctly reflect the reality it represents.
3. Information Confidentiality — The ability to access or modify information is provided only to authorized users for authorized purposes.
4. Support of Academic Pursuits — The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives.
5. Access to Information — The value of information as an institutional resource increases through its appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.

Section Three also outlines the University's Data Classification Guidelines, the responsibilities of each person with regards to information security, and includes a list of University security resources.

Section 4, Identification and Authentication Systems, discusses University policy regarding SUNet IDs, Stanford ID cards, Kerberos and other forms of ID; and recommendations and guidelines for computer systems requiring ID or authentication.

Section 6, Chat Rooms and Other Forums, states that any websites, chats or other forums that include discussions and contributions, if connected to the stanford.edu or stanford.org domains, must be related to legitimate University activities, and be subject to the University Terms of Use.

Section 7, Information Security Incident Response, describes the procedures to be followed when a computer security incident is discovered, or when High or Moderate Risk Data may have been inappropriately accessed. This policy outlines the procedures for decision-making regarding emergency actions taken for the protection of Stanford's information resources from accidental or intentional unauthorized access, disclosure or damage. For a more detailed outline of this section, also see Reporting an Incident.

SUMCnet is a highly specialized network that was created to provide a secure environment for users who need access to clinical applications from the School of Medicine to Stanford Hospital and Clinics (SHC) and the Lucille Packard Children’s Hospital (LPCH).  All desktop computers (servers are prohibited) must meet specific requirements before they are allowed to connect to SUMCnet.  Desktops not in compliance will be removed from the SUMCnet.

Specific information regarding the desktop security requirements can be found on the SUMCnet page.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 mandating specific requirements for protected health information (PHI).  Stanford University has established policies to ensure compliance with the HIPAA regulations. HIPAA was enacted in order to:

Streamline medical insurance claims by eliminating paper

Help reduce fraud with insurance claims

Define privacy requirements for patients

Define security requirements for electronic health information

Define patients' rights

Additional information regarding HIPAA at Stanford can be found at:  http://hipaa.stanford.edu.