School of Medicine Encryption Requirements
The School of Medicine and Stanford University require that all computers and mobile devices that may be used to interact with High or Moderate Risk (previously Restricted or Prohibited) data, including Protected Health Information (PHI), be protected according to established guidelines. The Data Security Program was established in the fall of 2012 to bring all School of Medicine devices into compliance with this policy.
Data security is a critical issue for the School of Medicine, and adherence to these policies is your personal responsibility—and legally, you are personally liable. As per the Data Security Policy, failure to ensure that your computers and mobile devices meet the necessary standards will result in restrictions on your access to Stanford systems, followed by escalating consequences, up to and including termination and legal action. Please protect both yourself and the School by taking the data security requirements seriously, and following the necessary steps to protect your information.
Exceptions to Encryption Requirements
In some circumstances, it may not be possible to bring a particular system into compliance. If you feel that a computer of yours running specialized research equipment or applications cannot meet data security requirements, please apply for an exception. When applying, please provide as much detailed information as possible. IRT Information Security will review the request and respond as soon as possible. Should your request be approved, there will likely be requirements to implement specific technical controls in order to minimize the risks to your computer on the network.
Click here to apply for an exception.
Full information about the policy, along with frequently asked questions and definitions of PHI, restricted and prohibited data can be found at https://med.stanford.edu/datasecurity.
If you have questions about security, encryption, or anything else, file a help ticket with IRT Security.