[an error occurred while processing this directive]
Data Security Program

Digital Device Security at the School of Medicine

The School of Medicine is dedicated to encrypting all Stanford-owned computers used by Stanford employees who work at the school, and to encrypting all Stanford-owned or personally-owned computers and mobile devices used by Stanford employees and affiliates who work with High Risk Data (previously Restricted or Prohibited Data). (As of May 31, 2015, all computers on the Stanford network should be encrypted as well.)

MDM is a set of configuration and management tools for mobile devices, which automatically enables encryption and strong password protection. It also supports the ability to remotely erase a device if it is lost or stolen.

Stanford provides MDM for iOS and Android (OS 4.0 and above) devices. Other mobile devices should not be used for any Stanford work.

Given the particular risk and frequency of loss/theft of smartphones and tablet computers, and the requirement to investigate each loss when the device is not encrypted, the School of Medicine requires that MDM be installed on all Stanford-owned and personally-owned devices.

All Stanford-owned, SoM tablets or other mobile devices that use the Stanford Network OR are used by individuals who access High Risk data (including Protected Health Information) must have a Restricted MDM profile, and not a Basic profile. If you currently have a Basic profile set up for a device, the only way to get a Restricted profile is to unenroll and then re-enroll the device.

If you have installed MDM (AirWatch) through SHC or LPCH, you will need to re-enroll in the Stanford University MDM and go through a second step to ensure you can still access your Hospital email and/or calendar. There are instructions for this process here.

To install MDM on iOS devices (iOS 5 and above) or Android (OS 4.0 and above), see: MDM page.

The School of Medicine has created a tool called AMIE ("Am I Encrypted?") that will allow you to understand your compliance with the School of Medicine data security policies. The tool displays the information you supplied in your attestation and the compliance status of each of your mobile devices and computers. It also provides instructions to take actions to correct any issues that are detected. Please visit this site to see your current status: https://med.stanford.edu/datasecurity/amie/

AMIE

Data security remains a critical priority for the School of Medicine. As per Randy Livingston's campus-wide emails of January 15, 2014, all of Stanford will be increasing our overall data security by eliminating the use of Windows XP and by encrypting all University-owned computers — encryption is also required on personally-owned computers used on the Stanford network. Additionally, all mobile devices used by individuals who access Stanford data will need to enroll those devices in MDM.

Effective immediately, as a step toward encrypting all devices at the School of Medicine, all newly purchased computers at the School must be encrypted using Stanford's sanctioned whole disk encryption (SWDE).

No. MDM will not back up the data on your mobile device.

Encryption is a technique that makes data technically inaccessible to those without valid permissions. You need to encrypt in order to comply with the University policy and legal requirements. Encryption protects you and Stanford in the event that your device is lost or stolen.

All iOS devices (5.x or later) and Android devices running OS 4.0 and above. Other devices (including older versions of Android) are not eligible and must not be used to access Stanford resources if you have attested to accessing High Risk data.

Older iPhones or Android devices should be replaced, or no longer used for any Stanford work (i.e. configured to NOT use the Mail app to access Stanford e-mail, or even used to access webmail, etc.).

If MDM is not available for a device, it must not be used to store or access High Risk data.

All SoM devices enrolled in MDM must have a Restricted MDM profile, and not a Basic profile. If you currently have a Basic profile set up for a device, the only way to get a Restricted profile is to unenroll and then re-enroll the device.

No. Having your device encrypted does not impact sharing techniques. That said, only secure sharing technologies (Secure Email, MedSecureSend) should be used for PHI, since encryption alone only ensures that your data is secure at rest on your device, not in transit.

No, there's no impact on applications. On a SmartPhone or Tablet, encryption is entirely transparent.

Yes. Your actual data are not altered by the encryption process: they are just made inaccessible to those without valid permissions.