3.12: Policies and Resources for Device Encryption, Security and Use

As all medical students will at some point in their MD program training access Protected Health Information (PHI), they must consistently attest to whether restricted data is stored on each of their devices, and have their devices appropriately encrypted and fully compliant with School of Medicine data security standards. This applies to all MD program students, whether or not they are actively working with PHI (e.g., during parts of the MD curriculum that do not involve clinical work, when stepping out of the curriculum to obtain another degree, etc.).

Attestation and data security compliance are a professional expectation; failure to correctly attest and/or have all devices encrypted by stated deadlines. If attestation and encryption are not completed following a notification reminder, the student will be referred to the Committee on Performance, Promotion and Professionalism (CP3) and their Advising Dean.

Personal Responsibility

Legally, you are personally and fiscally responsible for any information disclosure from your computer or mobile devices, whether accidental or not. IRT Security is here to help you protect yourself: encryption is a one-time, necessary step you can take now to prevent problems in the future.

Data Classification: What Data Must Be Encrypted?

Stanford University has classified information assets into categories to determine which security precautions must be taken to protect them against unauthorized access. Data may be classified as High, Moderate or Low Risk. Common types of High Risk data include:

  • Protected Health Information (PHI)
  • Health insurance policy ID numbers
  • Social security numbers
  • Credit card numbers
  • Financial account numbers
  • Export controlled information under U.S. laws
  • Driver’s license numbers
  • Passport and visa numbers
  • Donor contact information and non-public gift information


For every School of Medicine affiliate who might use or store this type of data, every device used for Stanford work (even if only for email) must be verifiably encrypted. If you have a device that cannot meet the encryption requirements, it must not be used for Stanford work. This applies to both Stanford-owned and personally-owned devices.

For more information on the University risk classification standards, please visit https://uit.stanford.edu/guide/riskclassifications.

For more information on encryption requirements visit http://med.stanford.edu/irt/security/encryption-main.html.

Because personal computing devices are becoming more and more portable (laptops, smartphones, USB thumb drives, etc.), securing the sensitive information stored on those devices is more important than ever. Based on government regulations, individuals may be held personally and fiscally liable in the event of information disclosure. Students are expected to review and follow the policies outlined below:

Mobile Device Management

If you have an iOS or Android device that you use for Stanford work, there's an easy way to set up and maintain proper security practices on your device. Stanford uses the application AirWatch to provide Mobile Device Management (MDM). The application is free to install, and automatically configures your device to be optimized for the Stanford environment, from email settings to security settings. Visit the encryption requirements link provided above for more information about MDM at Stanford.

Stanford School of Medicine Course Content Access and Appropriate Use Policy

Stanford students may only use Stanford University School of Medicine course materials as intended for curriculum and course-related purposes. These materials are copyrighted by the University or others. Access to this content is for personal academic study and review purposes only. Unless otherwise stated in writing, students may not share, distribute, modify, transmit, reuse, sell, or disseminate any of this content.

High Risk Data and HIPAA Compliance

Students must ensure all devices used for Stanford work fully comply with Stanford’s security requirements and HIPAA guidelines. As medical students are expected to interact with High Risk data (such as PHI), all devices must be verifiably encrypted. The University’s BigFix application is used to report the encryption status of laptops and desktops regularly. MDM (AirWatch) is used to report the encryption status of mobile devices. Additional requirements include ensuring a password is set and that all backups are encrypted.

Stanford University Computer and Network Usage Policy

Students must respect copyrights and licenses, respect the integrity of computer-based information resources and refrain from seeking to gain unauthorized access, and respect the rights of other information resource users.

Stanford Medicine Bring Your Own Device Policy

Stanford Medicine will begin the transition towards becoming a “Bring Your Own Device (BYOD)” campus. What does this mean for you?

  • In preclerkship courses, you will use your own device for online quizzes and exams, and potentially other classroom activities. You will be asked to install a secure lockdown browser on your device at the beginning of the year for examinations.
  • In clerkship courses, you will have the choice of using your own device or a Stanford-provided device for NBME exams. If you choose your own device, instructions will be provided to install the NBME secure browser on your device prior to the exam.


The School of Medicine EdTech team will provide support before and during examinations to ensure a smooth experience. Please visit BYOD at Stanford Medicine for the latest details on system requirements and Stanford Medicine’s transition to BYOD. If you have any questions, please contact EdTech at edtech-support@stanford.edu.

See sections 3.3 and 3.15 for additional information.

updated August 2019