New to Stanford

Compliance with the policy requires the following actions:

All SoM Community Members

1. Data & Device Attestation

Everyone at the School of Medicine will be asked to complete a Data & Device Attestation to identify whether you are exposed to High Risk data (previously Restricted or Prohibited Data) and the kinds of devices you use. Please only report the Stanford- and personally-owned devices that you use for school business. You do not need to report devices owned by SHC or LPCH. Go to Data & Device Attestation Survey »

2. Mobile Device Management

All mobile devices used by individuals who attest to having access to High, Moderate, or Low Risk data must be enrolled in Stanford's Mobile Device Management service. See: MDM Installation guide

All SoM devices enrolled in MDM must have a Restricted MDM profile, and not a Basic profile. If you currently have a Basic profile set up for a device, the only way to get a Restricted profile is to unenroll and re-enroll the device.

MDM support iOS and Android (version 4.0 and above) devices. Devices that cannot support must not be used for Stanford work by individuals who attest to accessing High, Moderate, or Low Risk data. To enroll an eligible Android or iOS device in MDM, visit mdm.stanford.edu from the browser on the device.

3. BigFix Security Management

BigFix, Stanford's computer and security management tool, must be installed on all Stanford- and personally-owned laptops and desktops (and VMs) that may be used by individuals who have access to High Risk data (previously Restricted or Prohibited Data). Any device you use to access the hospitals' EPIC systems are subject to the University Data Security policy and must be fully compliant with all University security requirements. BigFix, however, should not be installed on computers owned by SHC or LPCH. See: BigFix Installation guide »

BigFix is automatically included when using the University's encryption tool SWDE (pronounced "suede"). Individuals who do not have access to High Risk data are not required to use BigFix but are still required to be verifiably encrypted - the University's new tool VLRE (pronounced "velour") can provide acceptable encryption verification without using BigFix. The VLRE tool will require users to provide the update and patching responsibilities independently of the centrally managed BigFix.

4. Device Identification Survey

Through a BigFix pop-up screen, you will be delivered the Device Identification Survey to identify the specific computers you use for Stanford business.

Select this option to access the University's Device Enrollment tool from a machine that does not have BigFix.

Stanford employees who work at the School of Medicine

5. Encryption

All computers and laptops used by Stanford employees for school business must be encrypted using Stanford's sanctioned whole disk encryption solutions. Those with access to High Risk data must use SWDE; those who do not access or receive High Risk data may use either SWDE or VLRE. This encryption requirement applies to all Stanford-owned computers and also to personally-owned computers on the Stanford network - even if you just use them to read Stanford email.

Windows XP is not an approved operating system at Stanford. Devices that cannot meet the data security requirements should be upgraded or replaced. Older systems that manage specialized research equipment or applications can apply for a Data Security Exception. Approved exceptions will be migrated to a special network with increased security to compensate for the risks of continuing to use an unsupported operating system on the network.

Any Stanford affiliate (faculty, students, staff, postdocs) who works with High Risk Data

6. Encryption

All laptops and desktops (whether Stanford- or personally owned) that store or access High Risk data (previously Restricted or Prohibited data) must be encrypted using Stanford Whole Disk Encryption (SWDE). This includes all computers used to access the hospitals' EPIC systems. See: Installation FAQs »

Machines older than 3 years have often had problems with encryption. If your computer is too old to be encrypted, or you are having issues with the encryption process, you should work with your Department to identify or provide an encrypted computer for use in your Stanford work.

Windows XP is not an approved operating system.

7. Attestation of Compliance

You will be asked to complete an Attestation of Compliance certifying your compliance with the SoM Data Security Policy. Go to Data & Device Attestation Survey »

Select Your Device to Get Started

MAC

PC

Mobile Devices

Other Devices

Why is data security important?

The Stanford University School of Medicine takes seriously our responsibility to protect patient privacy. Every time a patient provides us with information about their health, they are entrusting us to protect the confidentiality of this most personal of information. In an electronic world, protecting this information comes with its challenges, yet we at Stanford have all the technological solutions we need to be worthy of every patient’s trust. The goal of the Stanford Data Security Program is to ensure all faculty, staff, students, postdocs, residents and other Stanford affiliates at the school follow the security precautions required by University policy and federal law.

What is High Risk Data (previously Restricted or Prohibited data)?

Federal law requires strict security precautions for certain kinds of information to protect against unauthorized access. Stanford refers to this legally-protected information as High Risk Data. Examples include: Protected Health Information (PHI), Social Security Numbers, and financial account numbers. For more information about High Risk Data and Stanford policy, see http://dataclass.stanford.edu/.

What is the Policy?

Stanford University requires SWDE encryption of all computers used for Stanford work by employees and affiliates who have access to High Risk data.

For employees with NO access to High Risk data, either SWDE or VLRE encryption is required for all computers used for Stanford work on the Stanford network.

The School strongly encourages and supports backup of all devices used store our community's work at Stanford even if this does not include Restricted or Prohibited data. While backup is not required, backing up your device is strongly recommended prior to encryption. Further information on the School of Medicine's free CrashPlan offering, you can sign up at https://med.stanford.edu/datasecurity/crashplan.html

Read the full policy »

Exceptions?

In recognition that the computing environment at the School of Medicine is complex, devices may be excepted from this policy which are used to manage specialized research applications or equipment, where upgrade or replacement is not possible or prohibitively expensive. Additional categories include Linux machines, RAID arrays or computers that are not on the network and have no requirement to electronically transfer any data to another system. It is critically important that these devices and their data are safeguarded, especially when they are at a greater risk due to dated operating systems. If you are concerned or would like assistance to ensure the security of these devices and data, please contact the IRT Security office to determine alternative methods for these cases. To apply for an exception, please see the Exception Request Form.