Data Security Program

The School of Medicine Data Security Policy requires the following of all School of Medicine faculty, staff, students, residents, and fellows (in accordance with Stanford's Endpoint Compliance Rules):

BigFix

The School of Medicine Data Security Policy requires the installation of BigFix, Stanford's computer and security management tool, on all laptops and desktops used for School of Medicine business, if the user may access Restricted or Prohibited data (such as PHI). This includes Stanford-owned computers, personally-owned computers and virtual machines (VMs) used by these individuals.

Encryption

The Data Security Policy requires enterprise-verifiable encryption of all Stanford-owned computers as well as personally-owned computers that access or receive Stanford Restricted or Prohibited data.

Enterprise Backup

The School of Medicine offers, but does not require, enterprise backup of all computers and mobile devices used for Stanford business by any Stanford affiliate (faculty, staff, residents, postdocs and students).

Data & Device Attestation

All faculty, staff, students, residents, fellows and affiliates are required to complete an attestation process declaring their access to PHI and other Restricted or Prohibited data and are responsible for the required compliance of their computers and mobile devices with this policy.

Mobile Device Management (MDM)

Mobile Device Management technology (MDM) automatically enables encryption and strong password protection on mobile devices, and it supports the ability to remotely erase a device if it is lost or stolen. Given the particular risk of loss or theft of smartphones and tablet computers, and the requirement to investigate each loss when the device is not encrypted, the School of Medicine requires that MDM be installed on all Stanford-owned mobile devices and personally-owned devices used by individuals who may access Protected Health Information (PHI) or other Restricted or Prohibited data.

Currently, University MDM is available for iOS and for some Android devices. If MDM is not available for a device, it must not be used to store or access Protected Health Information (PHI) or other Restricted or Prohibited data.