Encrypting your computers and mobile devices is the most critical protection for your personal and Stanford data. If your device is ever lost or stolen, "whole disk encryption" will prevent anyone else from accessing your data.
Native encryption is required for all devices on the Stanford network or used for Stanford work. In the School of Medicine, an AMIE attestation that confirms you may access or receive High Risk data means that every computer or mobile device you use for Stanford work must be fully and verifiably encrypted, regardless of whether you use it on the Stanford network or not.
The University minimum security standards describe the additional minimum standards you must apply to devices used on the Stanford network or for Stanford work.
Whether your compliance is managed by AMIE or My Devices, you will be notified when you may have a compliance issue. Resolving these issues will ensure no actions will be taken to limit your access to Stanford resources.
Securing Stanford's information assets is a critical priority to protect the University, Stanford patients and study participants, and you. University policy requires that all computers and devices used for Stanford business or on the Stanford network must be verifiably encrypted. Devices which may access High Risk Data must all be verifiably encrypted (using SWDE or MDM), even if they aren't used on the Stanford network.
Although it is possible to access EPIC and other tools through secure portals, a computer that is owned by an individual or by Stanford and is used regularly for Stanford work may indeed store Stanford's High Risk data, possibly without your being aware it is there, even if only temporarily. The potential consequences are severe should that data ever be compromised. As this data can be discovered upon investigation, the University has established this policy to protect patients, the University, and individual faculty, students and staff.
No. The University minimum security standards for endpoints call for backing up user data at least daily. While this does not mean you must use the University solution, the School of Medicine provides—at no cost—centrally managed access to Code42 (formerly CrashPlan) for School of Medicine affiliates who wish to use it.
If you are conducting your own backups of devices that may store or access Stanford data, please be sure the backups are also encrypted. (We recommend an encrypted drive such as the Apricorn Padlock.)
The school's automated process leverages the BigFix patch management software to seamlessly handle the complexity of each step of the installation.
1. Data Backup - On each computer with the BigFix software installed, you will receive a pop-up window alerting you that the process to back up your computer is about to begin. You will be able to defer the backup process for a period of time until you are ready to proceed.
During the actual backup, you can use the computer normally. A message will appear letting you know when it is complete. Expected times vary from hours to days.
Note: If you have personal information stored on a computer that you do not want to have backed up, you have two options for excluding this data from the backup process. For more info, see FAQ on data backup.
2. Disk Health Check - Once backup is complete, a series of tests will be run on your hard drive to be sure it is ready for encryption. This check will look for problems with your disk and data using diagnostic tools available natively within the operating system of your machine. This step can take anywhere from 15 minutes to several hours to complete and you may notice some degradation of performance while it is running.
If a problem is found, the encryption step will not proceed. An IT specialist will contact you to assist with any required repairs.
3. Encryption - Following the completion of your computer's backup, you will receive another BigFix window alerting you that the process to encrypt your computer is about to begin. Once again, you will have the option to defer this process for a period of time until you are ready.
You may use your computer normally during the encryption process. If you shut down your computer or it enters "sleep" mode, the encryption will resume when your computer becomes active again.
To finish the encryption process, you will be prompted to restart the computer.
Note: You may notice some slowness during the encryption process. Once completed, most people report no perceptible difference in computer performance.
The BigFix security management tool is a small software program that enables the enterprise management of software updates and provides a central mechanism for verifying compliance with School of Medicine policies. This is critical because a wide variety of data used at the School of Medicine carries legal requirements for rigorous protections, and not being able to definitively prove that protections are in place can have severe consequences. In the case of Protected Health Information, for example, HIPAA requires that proof of encryption be provided in the event a computer is lost or stolen. BigFix can provide such proof.
To support the need for auditing and rigorous data management, Stanford University policy requires BigFix on all laptops, desktop computers and virtual machines used for Stanford business by individuals who may access High Risk data. This includes both Stanford-owned and personally-owned computers that may store Stanford data.
BigFix will have no measurable impact on the performance of your computer.
BigFix must be installed on all laptops and desktops used to store or access High Risk data. This includes Stanford-owned computers and personally-owned computers. If you use a Stanford or personally owned device to access the hospitals' Epic and Cerner systems, it is subject to the University Data Security policy and must have the required security suite. BigFix, however, should NOT be installed on computers owned by SHC or LPCH.
You can easily verify whether BigFix is installed on your computer by looking for the BigFix icon. On Windows, the icon will appear in the Windows task tray. On Mac, the icon will appear in the top nav bar.
There may be times when the BigFix icon does not appear on your computer even though the software is installed. In these cases you can also verify installation by looking in your computer's Applications folder.
On Mac: on your hard drive, navigate to Applications > Utilities > Activity Monitor.
Be sure that All Processes is selected at the top of the window, sort by "Process Name", and look for the BESAgent (BigFix Enterprise Suite agent) in the list of processes.
If you don't see the BESAgent listed, please install BigFix.
On Windows: open the Windows Task Manager by pressing CTRL + ALT + DELETE and clicking the Task Manager button.
Click the Processes tab and look for BESClient.exe in the list of processes.
If you don't see BESClient.exe listed, please proceed to Install BigFix.
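A scripted version of the process check described above, as an added example that is not part of the original page or Stanford's own tooling: it parses `ps -A -o comm=` output on Mac and `tasklist /FO CSV /NH` output on Windows and matches the agent name exactly, so similarly named processes do not count. The sample outputs, including the path shown in them, are constructed.

```python
import csv
import io
import platform
import posixpath
import subprocess

# Agent process names as given on this page.
MAC_AGENT = "BESAgent"
WINDOWS_AGENT = "BESClient.exe"

def agent_in_ps(ps_output: str) -> bool:
    """True if BESAgent appears in `ps -A -o comm=` output (one command per line)."""
    for line in ps_output.splitlines():
        # macOS prints the full executable path; compare only the last component.
        if posixpath.basename(line.strip()) == MAC_AGENT:
            return True
    return False

def agent_in_tasklist(tasklist_csv: str) -> bool:
    """True if BESClient.exe appears in `tasklist /FO CSV /NH` output."""
    for row in csv.reader(io.StringIO(tasklist_csv)):
        # First CSV column is the image name; Windows names are case-insensitive.
        if row and row[0].lower() == WINDOWS_AGENT.lower():
            return True
    return False

def bigfix_running() -> bool:
    """Query the live process list on this machine."""
    if platform.system() == "Windows":
        cmd, check = ["tasklist", "/FO", "CSV", "/NH"], agent_in_tasklist
    else:
        cmd, check = ["ps", "-A", "-o", "comm="], agent_in_ps
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check(out)

# Constructed sample outputs (not captured from a real machine).
SAMPLE_PS = """/sbin/launchd
/Library/Example/BESAgent.app/Contents/MacOS/BESAgent
/usr/libexec/BESAgentHelper
"""
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","8 K"
"besclient.exe","2148","Services","0","14,212 K"
'''
SAMPLE_TASKLIST_MISSING = '"NotBESClient.exe","99","Console","1","1,024 K"\n'

if __name__ == "__main__":
    print("BigFix agent running:", bigfix_running())
```

A running agent process shows only that the software is installed and active; encryption and backup status are still reported through AMIE.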
Encryption is a technique that makes data technically inaccessible to those without valid permissions. University policy requires that all computers and devices used by Stanford employees for Stanford business must be verifiably encrypted.
University policy also requires that all devices used by individuals with access to High Risk Data must be SWDE-encrypted. This includes not only Stanford-owned computers but also personally-owned and mobile devices that are attested to by these individuals. Using High Risk Data comes with personal accountability, so encrypting your data provides protection for both you and the University in the unfortunate event that your device is lost or stolen. While central backup to the School of Medicine CrashPlan server is not a requirement, it is highly recommended for the protection and recovery of your data after such an event.
The School of Medicine has created a tool called AMIE ("Am I Encrypted?") that will allow you to understand your compliance with the School of Medicine data security policies. The tool displays the information you supplied in your attestation and the BigFix, backup and encryption status of each of your computers. It also provides instructions to take actions to correct any issues that are detected. Please note that for a computer to report its status correctly, BigFix must be functioning properly and you will need to have completed the Device Identification Survey, which will appear as a BigFix popup on that machine.
MDM is a set of configuration and management tools for mobile devices that automatically enables encryption and strong password protection. It also supports the ability to remotely erase a device if it is lost or stolen.
Given the particular risk of loss or theft of smartphones and tablet computers, and the requirement to investigate each loss when the device is not encrypted, the School of Medicine requires that MDM be installed on all Stanford-owned and personally-owned devices used by individuals who can access High Risk data for Stanford work.
All SoM devices with MDM must have a Restricted MDM profile, and not a Basic profile, regardless of whether you work with High Risk data or not. If you currently have a Basic profile set up for a device, the only way to get a Restricted profile is to unenroll and re-enroll the device.
Currently the University has an available MDM solution for iOS devices and most Android devices.
Devices that cannot be enrolled in MDM should not be used for Stanford work by individuals who attest Yes to working with High Risk data. Any smartphone or tablet that might store Stanford data must have MDM installed.
Directions for installing MDM on iOS devices and most Android devices are available here. Any device that cannot be enrolled in MDM must not be used to store or access High Risk data (including in email).