Policies & Regulations

Why You Need to Secure Your Information

Stanford's data protection policies are here to help you: they're in place in order to comply with various federal and state regulations. In the case of an unauthorized data breach, not only the University but you personally can be held liable, and are therefore subject to the responsibilities and penalties at all levels:

Governmental Regulations

The University Privacy Office maintains current information on governmental and regulatory policies, including HIPAA, FERPA, GDPR, PCI and other State of California regulations.

University and School of Medicine Policies

Compromised System Policy

Any computer or device on the School of Medicine network that is posing a threat to other computers or network resources may have its network access disabled until the problem is addressed. Threats include: signs of malware infection, system compromise, attempts to exploit vulnerabilities on other systems, excessive use of network bandwidth, or other malicious network activity. Compromised systems may need to be rebuilt with a new installation of the operating system and updated security patches before network access can be re-enabled.

If you suspect your device or server has been compromised, see Reporting a Security Incident.

External USB Drives

Sensitive information must be transferred securely. If other secure options are not feasible and external USB media must be used, that media must be encrypted. For individuals whose role will require them to handle or transmit High Risk data at some point in their time at Stanford, all computers used for Stanford work will need to have an agent installed to prevent inadvertently copying data from the computer to an unencrypted drive.

More info on external drives

SoM Network Security Policies

UIT Networking manages the School of Medicine network. The University Administrative Guide Section 6.2.1 describes the network use policy.

Some School of Medicine network policies vary from those applicable in other departments on campus.

• Departmental network switches/hubs or other network appliances are not permitted. If you need additional network connections, new TSOs should be requested from IT Services and paid for by the requesting department. This request can be submitted by the departmental IT Contact (individuals who are authorized to place Order IT requests).

• All devices used on the network must be registered for both wired and/or wireless network access, and must utilize the campus DHCP servers to obtain an address. (Wired fixed addresses are reserved but still must be requested via DHCP; roaming and wireless addresses are dynamically assigned.)

• For security protection and network support, all network or station wiring from endpoint locations must terminate in a telecommunications IDF.

• Each device should have a separate NetDB record.

• Printers should not be connected via wireless, they should be plugged in to a wired network connection.

SoM Firewall Management

TDS Information Security manages and approves all firewall rules for SoM clients, at all University locations. There are special networks for servers, appliances and other devices that may have preconfigured firewall permissions. To request new rules, please open a Service Now ticket, with the name of the system that needs an exception set, the IP address, and the specific ports/protocols you need open for this system.
Security for SoM servers is managed in SUSI (Stanford University System Inventory). For firewall rule changes for servers, please file a Service Now ticket, confirming that it's been inventoried; also let us know the name of the system in question, the IP address, specific ports you need open, and who/what needs access to the server.
Note that firewall rules will be eliminated if: 1) your computer hasn't been seen on the network for more than 90 days, or 2) if your IP address is not in NetDB.

More on firewalls here

Automatic email forwarding

Stanford's regulated data must not be transmitted without encryption. To prevent inadvertently sending sensitive data in an insecure manner, automatic forwarding of @stanford.edu email accounts to non-Stanford email must not be enabled for individuals who may access or receive High Risk data. Automatic forwarding to @stanfordhealthcare.org, @stanfordmed.org, or @stanfordchildrens.org can be approved.

The capability will be disabled for individuals who attest Yes in AMIE.

Note, forwarding an individual message that includes High Risk data can be done using Stanford's secure: email. (Add secure: anywhere in the subject line.)
Forwarding individual messages without sensitive data does not require the secure: flag.

Administrative Guide Memos

SUMCnet Policies

SUMCnet is a highly specialized network that was created to provide a secure environment for users who need access to clinical applications from the School of Medicine to Stanford Hospital and Clinics (SHC) and the Lucille Packard Children’s Hospital (LPCH). All desktop computers (servers are prohibited) must meet specific requirements before they are allowed to connect to SUMCnet. Desktops not in compliance will be removed from the SUMCnet.

While SUMCnet is being phased out in favor of alternative network processes, until that transition if fully complete, there are still devices on SUMCnet.

Potential Penalties

HIPAA/HITECH Penalties

Civil Penalties

$50K - $1.5 million per violation
Additional fines if the covered entity has been out of compliance for multiple years
Resolution agreement with the OCR (Office for Civil Rights) — could involve additional training, policies, and oversight by an independent monitor/auditor for a period of up to two years

Criminal Penalties

$50K - $250K
Imprisonment: 1 - 10 years

CA State Privacy and Security Laws

Hospitals have a 5-business-day incident reporting window - so you MUST immediately notify us of any suspected incidents
Confidentiality of Medical Information Act (CMIA) - institutions must notify CA residents of breaches of SSNs, medical and insurance information
Fines and penalties: up to $250K per violation and apply to individuals as well as health care providers - could affect your professional license
Imprisonment up to 10 years

Stanford Disciplinary Actions

Various staff/faculty sanctions, up to and including loss of privileges and termination of employment
The University Administrative Guide has more information on the policies and regulations that have been developed at Stanford. Particularly relevant are: Section 1.6 – Privacy Policies and Section 6.3 – Security Policies
To report a suspected or definite data breach, including a lost or stolen mobile device, open an incident with the University Privacy Office: privacy@stanford.edu or https://privacy.stanford.edu.

Additional Recommendations

Risk Classifications and Minimum Security Standards

Stanford's Risk Classifications for its information resources provides a framework to determine the risk of information resources. Based on these risk categories, Minimum Security Standards have been established for:

Endpoints
Servers
Applications
Software-as-a-Service, Platform-as-a-Service
Infrastructure-as-a-Service & Containerized Solutions

Be aware of the 18 HIPAA Identifiers so you can be sure you can know whether your data is de-identified.

Learn more about anonymizing research data so that it meets HIPAA regulations.

University Information Privacy & Security Quick Reference Guide

QUESTIONS?

If you have questions or need assistance, call 650-725-8000 (M-F 7a-6p) or submit a help ticket at tdshelp.stanford.edu.

Find a doctor

Clinics & Services

Research Resources

Professional Training

Education Resources