As all medical students will at some point in their MD program training access Protected Health Information (PHI), they must consistently attest to the restricted data stored on all of their devices, and have their devices appropriately encrypted and fully compliant with School of Medicine data security standards. This applies to all MD program students, whether or not they are actively working with PHI (e.g., during parts of the MD curriculum that do not involve clinical work, when stepping out of the curriculum to obtain another degree, etc.).
Attestation and data security compliance are a professional expectation; failure to correctly attest and/or have all devices encrypted by the stated deadlines will result, at a minimum, in a notification to the student’s Educators-4-CARE mentor. If attestation and encryption are still not completed following such a notification, the student may be referred to the Committee on Performance, Promotion and Professionalism (CP3) and their Advising Dean.
Legally, you are personally and fiscally responsible for any information disclosure from your computer or mobile devices, whether accidental or not. IRT Security is here to help you protect yourself: encryption is a one-time, necessary step you can take now to prevent problems in the future.
Data Classification: What Data Must Be Encrypted?
Stanford University has classified its information assets into categories that determine which security precautions must be taken to protect them against unauthorized access. Data may be classified as High, Moderate or Low Risk. Common types of High Risk data include:
- Protected Health Information (PHI)
- Health insurance policy ID numbers
- Social security numbers
- Credit card numbers
- Financial account numbers
- Export controlled information under U.S. laws
- Driver’s license numbers
- Passport and visa numbers
- Donor contact information and non-public gift information
For every School of Medicine affiliate who might use or store this type of data, every device used for Stanford work (even if only for email) must be verifiably encrypted. If you have a device that cannot meet the encryption requirements, it must not be used for Stanford work. This applies to both Stanford-owned and personally-owned devices.
For more information on the University risk classification standards, please visit https://uit.stanford.edu/guide/riskclassifications.
For more information on encryption requirements visit http://med.stanford.edu/irt/security/encryption-main.html.
Because personal computing devices are becoming more and more portable (laptops, smart phones, USB thumb drives, etc.), securing the sensitive information stored on those devices is more important than ever. Based on government regulations, individuals may be held personally and fiscally liable in the event of an information disclosure. Students are expected to review and follow the policies outlined below:
Mobile Device Management
If you have an iOS or Android device that you use for Stanford work, there's an easy way to set up and maintain proper security practices on your device. Stanford uses the application AirWatch to provide Mobile Device Management (MDM). The application is free to install, and automatically configures your device to be optimized for the Stanford environment—from email settings to security settings. Visit the link provided above for more information about MDM at Stanford.
Stanford School of Medicine Course Content Access and Appropriate Use Policy
Stanford students may only use Stanford University School of Medicine course materials as intended for curriculum and course-related purposes. These materials are copyrighted by the University or others. Access to this content is for personal academic study and review purposes only. Unless otherwise stated in writing, students may not share, distribute, modify, transmit, reuse, sell, or disseminate any of this content.
High Risk Data and HIPAA Compliance
Students must ensure all devices used for Stanford work fully comply with Stanford’s security requirements and HIPAA guidelines. As medical students are expected to interact with High Risk data (such as PHI), all devices must be verifiably encrypted. The University’s BigFix application is used to report the encryption status of laptops and desktops regularly. MDM (AirWatch) is used to report the encryption status of mobile devices. Additional requirements include ensuring a password is set and that all backups are encrypted.
Stanford University Computer and Network Usage Policy
Students must respect copyrights and licenses, respect the integrity of computer-based information resources and refrain from seeking to gain unauthorized access, and respect the rights of other information resource users.
Stanford Issued iPads Policy and Procedures
Students who were provided with iPads upon matriculation must abide by the following expectations and guidelines:
- The iPad is Stanford property and will only be available to students while they are enrolled at Stanford School of Medicine (SOM).
- Students must use this device in a responsible manner and in accordance with University policies.
- Students should have no expectation of privacy regarding the device or its contents.
- Students must return the iPad to SOM when requested. iPad privileges may be rescinded prior to graduation in cases where students are found not to have followed policies and guidelines for appropriate use of the device.
- Students must take appropriate steps to protect the iPad and data against loss or theft, e.g. not leaving iPads in public places, not checking iPads in luggage, and not leaving iPads in vehicles unless the vehicle is locked and the iPad is hidden from view.
- Students must immediately report the loss, damage or theft of an iPad to the School of Medicine Educations, Program & Services staff.
- Students must protect the data on the iPad with a password and follow all other security requirements.
- Students must accept financial responsibility for the loss or theft of the device and the disclosure of information resulting from failure to take appropriate steps to protect the iPad. Students may not jailbreak or otherwise tamper with the iPad operating system.
- Students must frequently make encrypted backup copies of iPad content in the case of loss or data corruption.
- Students may not store Protected Health Information (PHI) on the iPad. If students choose to access EPIC or other patient record databases, they must do so in alignment with HIPAA compliance guidelines and hospital policies regarding iPad and other mobile device use. If use of the iPad should compromise the security of patient records in any way, students must be prepared to accept full responsibility for the breach, including responsibility for any financial penalties incurred.
- Policies and guidelines around appropriate use of iPads may vary among clerkships and hospital sites. Therefore, students must review and follow the policies and guidelines set by each clerkship director and by each hospital site. The privilege of using the iPad may be rescinded at any time. Students who do not follow policies and guidelines for appropriate iPad use may be asked to return the device prior to completing the clerkship rotation.
See sections 3.3 and 3.15 for additional information.
updated August 2017