3.12: Policies and Resources for Device Encryption, Security and Use

Since all Stanford Medicine students will at some point in their training access Protected Health Information (PHI), they should always attest Yes to “may access or receive High Risk data,” and all devices used for Stanford work (even just email) must be appropriately encrypted and fully compliant with School of Medicine data security standards. This applies to all Stanford Medicine students at all times, whether or not they are currently accessing or storing PHI, even if stepping out of the curriculum to obtain another degree. 

Attestation and data security compliance by stated deadlines are a professional expectation. If attestation and encryption is not completed following a notification reminder, the student will be referred to the Committee on Performance, Promotion and Professionalism (CP3) and their Advising Dean.  

Personal Responsibility

Legally, you are personally and fiscally responsible for any information disclosure from your computer or mobile devices, whether accidental or not. TDS Information Security Services is here to help you protect yourself: encryption is a one-time, necessary step you can take now to prevent problems in the future.

Data Classification: What Data Must Be Encrypted?

Stanford University has classified information assets into categories to determine which security precautions must be taken to protect it against unauthorized access. Data may be classified as High, Moderate or Low Risk. Common types of High Risk data include:

  • Protected Health Information (PHI)
  • Health insurance policy ID numbers
  • Social security numbers
  • Credit card numbers
  • Financial account numbers
  • Export controlled information under U.S. laws
  • Driver’s license numbers
  • Passport and visa numbers
  • Donor contact information and non-public gift information

The School of Medicine Data Security Policy requires the encryption of all computers and mobile devices used for Stanford work by an individual who might access Protected Health Information (PHI) or other High Risk data. This applies to both Stanford-owned and personally-owned equipment.

For additional information, see the University risk classification standards and encryption requirements.

Because personal computing devices are becoming more and more portable-laptops, smart phones, thumb drives, etc.-securing the sensitive information stored on those devices is more important than ever. Based on government regulations, individuals may be held personally and fiscally liable in the event of information disclosure. Students are expected to review and follow the policies outlined below:

Mobile Device Management

If you have an iOS or Android device that you use for Stanford work, there's an easy way to set up and maintain proper security practices on your device with Stanford’s Mobile Device Management (MDM) apps. The applications are free to install, and automatically configure your device to be optimized for the Stanford environment—from email settings to security settings. Visit the link provided above for more information about MDM at Stanford.

Stanford School of Medicine Course Content Access and Appropriate Use Policy

Stanford students may only use Stanford University School of Medicine course materials as intended for curriculum and course-related purposes. These materials are copyrighted by the University or others. Access to this content is for personal academic study and review purposes only. Unless otherwise stated in writing, students may not share, distribute, modify, transmit, reuse, sell, or disseminate any of this content.

High Risk Data and HIPAA Compliance

Students must ensure all devices used for Stanford work fully comply with Stanford’s data security requirements and HIPAA guidelines. As medical students are expected to interact with High Risk data (such as PHI), all devices must be verifiably encrypted. The University’s BigFix application is used to report the encryption status of laptops and desktops regularly. MDM (AirWatch) is used to report the encryption status of mobile devices. Additional requirements include ensuring a password is set and that all backups are encrypted.

Stanford University Computer and Network Usage Policy

Students must respect software copyrights and licenses, respect the integrity of computer-based information resources, refrain from seeking to gain or permitting others to gain unauthorized access, including by sharing passwords, and respect the rights of other computer users.

Stanford Medicine Bring Your Own Device Policy

Stanford Medicine is a “Bring Your Own Device (BYOD)” campus.  What does this mean for you?

  • In preclerkship courses, you will use your own device for online quizzes and exams, and potentially other classroom activities.  You will be asked to install secure browsers on your device at the beginning of the year for examinations.
  • In clerkship courses, you will use your own device for shelf exams. Instructions will be provided to install the NBME secure browser on your device prior to the exam.

The School of Medicine EdTech and AV Tech teams provide support for required courses and clerkships during examinations to ensure a smooth experience.  Please visit BYOD at Stanford Medicine for the latest details on system recommendations. If you have any questions, please contact EdTech at medcanvas@stanford.edu.

See sections 3.3 and 3.15 for additional information

updated August 2023