Reducing Your Risk: Handling Stanford Information
Stanford's Information Classification Policy
As of May 2015, a new set of classifications has been established and is now in effect for Stanford data: High Risk, Moderate Risk, and Low Risk. The former framework - Prohibited, Restricted, Confidential, and Unrestricted - will be phased out by January 2016.
For each level, Stanford defines who is allowed to access the information, how that information should be stored, and what security precautions you should take to protect it.
Please review the University's official Risk Classifications for the complete definitions, or see Secure Computing's data handling FAQ to answer your questions about handling specific types of information.
Regulations and Laws
Stanford's data protection policies are here to help you: they're in place in order to comply with various federal and state regulations. In case of an unauthorized data breach, not only the University but you personally can be held liable, and are therefore subject to the following daunting list of responsibilities and penalties at all levels:
Federal Laws:
- HIPAA/HITECH Civil Penalties:
- $50K - $1.5 million per violation
- Additional fines if the covered entity has been out of compliance for multiple years
- Resolution agreement with the OCR (Office for Civil Rights) — could involve additional training, policies, and oversight by an independent monitor/auditor for a period of up to two years
- HIPAA/HITECH Criminal Penalties:
- $50K - $250K
- Imprisonment: 1 - 10 years
CA State Privacy & Security Laws:
- Hospitals have a 5-business-day incident reporting window - so you MUST immediately notify us of any suspected incidents
- Confidentiality of Medical Information Act (CMIA) - institutions must notify CA residents of breaches of SSNs, medical and insurance information
- Fines and penalties: up to $250K per violation and apply to individuals as well as health care providers - could affect your professional license
- Imprisonment up to 10 years
Stanford's Disciplinary Actions:
- Various staff/faculty sanctions — up to and including loss of privileges and termination of employment
For more information on the regulations that affect our information, and the policies Stanford has developed for properly dealing with that information, see our page on Stanford's collected computing policies.
In the event of a suspected or definite data breach, including a lost or stolen mobile device, contact the Stanford Privacy Office: privacy@stanford.edu or https://acp.stanford.edu/privacy/privacy-office.
Your Computer and Other Devices
Think about how you access Stanford information, what devices you use, and what protections you have in place. If you access Stanford information with any of your devices, even if it's just by checking your email, the Stanford Medicine Data Security Program requires that device to be protected in the following ways:
- Desktop: Encryption
- Laptop: Encryption
- Smartphone
- If it's an iPhone, use MDM.
- If it's a Blackberry, the only supported secure solution is to set up an Exchange Mailbox/enroll in the Stanford Blackberry Enterprise Server.
- If it's an Android, make sure you're using a passphrase to lock it. Androids are not approved for Moderate or High Risk Stanford Information.
- Tablet
- If it's an iPad, use MDM
- If it's another type of tablet, make sure you:
- Use a password to keep it locked.
- Enable encryption, if possible.
- If it can't be encrypted and password protected, it CANNOT be used to access or store Moderate or High Risk Stanford Information
Where to Store Information
Travel Light
- Try your best to limit the amount of Moderate or High Risk information on your laptop or desktop; only carry around what you absolutely need, and delete the rest.
Protect Portable Information
- If you MUST transport sensitive information, use a pre-encrypted USB memory stick or external drive.
- Keep pre-encrypted memory sticks handy, so they're available when you need them. Develop the habit of only using encrypted USB devices.
- Instead of carrying the information from place to place, consider sending it securely with MedSecureSend or Secure Email.
Secure Storage Options
Stanford Secure File Storage is now available to all Stanford users at a cost of 10 cents/GB. Secure File Storage protects Restricted and Confidential Data on behalf of University faculty and staff, accessible from desktop and laptop computers. Read about Secure File Storage on the ITS website.
For backups, you can set up CrashPlan, which is a free, automatic backup system that stores its data in the secure campus data center. CrashPlan is approved for all levels of sensitive Stanford information and is HIPAA-compliant.
Sending Information Securely
- MedSecureSend: Allows you to send large files securely both within and outside of Stanford. You can create your own account. Please note: For added security, full-service sending accounts expire after 30 days; if you haven't used the service in more than 30 days, you must create a new account to send another file.
- Stanford Secure Email: Stanford has a secure email tool, IRONPORT. To ensure that email is sent securely to anywhere, you can send a regular email from Zimbra, and simply include SECURE: in the subject line. Non-Stanford recipients will have to register before they can "pick up" their secure mail.
Collecting Information For Studies
RedCap: Do you use spreadsheets? Need to gather information or create a database? RedCap can meet your needs securely — redcap.stanford.edu. Some important features:
- The server is located in the secure School of Medicine data center
- HIPAA-compliant; approved for storing PHI
- Can be accessed through the internet
- Easy to use; technical support available
- Eliminates the need for spreadsheets
QUICK LINKS
RESOURCES
IRT Information Security Services:
File a HelpSU Request
ITS Website: itservices.stanford.edu
IRT Service Desk: 5-8000