Data Security Program

Securing Your PC

Stanford University policy requires all laptops and desktops used on the Stanford network be encrypted. Further, all laptops and desktops that may be used to interact with PHI and other High or Moderate Risk data by SoM staff and affiliates must be encrypted using methods approved by the School of Medicine. These requirements apply to all computers, whether Stanford-owned or personally-owned.

To make sure you are meeting the security requirements, choose your set of instructions below, based on what kinds of data you use in your work.

(For definitions of High, Moderate, and Low Risk Data, consult the Data Classification chart.)

Note: We recommend that everyone use Windows 10, since most older versions have passed the point where Microsoft provides security updates, or are swiftly approaching it.

Step-by-step directions and installer files are available below so that users can install the required software themselves. For some computers, there may be a risk of data loss if there are problems during the encryption process. If you would like assistance with encrypting your computer, you can contact your departmental IT staff or reach out to IRT.

1. Complete Data & Device Attestation

The School will be using the information you submit in the Data and Device Attestation to deploy the various aspects of the Data Security Program. It is therefore imperative that your attestation accurately reflect your use of data and your devices at all times. Please only report the Stanford-owned and personally-owned devices that you use for school business; you do not need to report devices owned by SHC or LPCH. You can update your information anytime by visiting the Attestation Survey »

2. Install BigFix

You are required to have the BigFix patch management software installed on all encrypted computers used for Stanford business, including personally-owned computers. BigFix should not be installed on computers owned by SHC or LPCH. BigFix will be automatically installed as part of the SWDE installer, but to speed up the process, you can install it beforehand, using the BigFix Installation guide »

3. Complete Data Identification Survey

This survey helps identify the specific computer(s) you use for Stanford business, and the types of data stored locally on each machine. It will be delivered to you via a BigFix pop-up screen, or as part of the SWDE installer process. You can update your answers for each computer's survey through the BigFix dashboard on that computer. For more info, see BigFix Dashboard »

4. Install CrashPlan (for data backup)

The University very strongly recommends that all Stanford data stored on encrypted desktop and laptop computers be backed up before the encryption process begins. It is not required to use either the University or SoM instances of CrashPlan. The School of Medicine provides free access to the SoM CrashPlan instance to SoM-affiliates. For install directions, see CrashPlan Guide »

5. Verify CrashPlan Completion

It is of vital importance that you fully complete the backup of your computer. Failure to complete this step before proceeding may cause irreparable damage to your machine.

A. Open the CrashPlan application

Under Windows: Right-click on the CrashPlan icon in the system tray in the lower-right of the screen and select "Show Application", or run CrashPlan from the Start menu.

Once CrashPlan begins the backup, it scans the total number of files on your machine before proceeding with its initial backup, which may take several days to complete.

B. Check Progress Bar

As the backup proceeds, the progress bar under the Backup tab will indicate how far along you are in the process. Before encrypting your computer, you should make sure all of the files initially scanned by CrashPlan have been backed up.

Note: CrashPlan is constantly backing up your files while you work. Since it cannot back up any documents that you currently have open and are working on, the progress bar may not show the backup as 100% complete, even though all of the files initially scanned by CrashPlan have been backed up.


6. Check Disk Health

Once backup is complete, a series of tests will need to be run on your hard drive to be sure it is ready for encryption. This check will look for problems with your disk and data using diagnostic tools available natively within the operating system of your PC.

Overview

The Disk Health test will look for problems with your disk and data using diagnostic tools available natively within the operating system of your machine. If a problem is found you should not proceed to the encryption step and you should call the IRT Service Desk at 650-725-8000 for assistance. This step can take anywhere from 15 minutes to several hours to complete and you may notice some degradation of performance while it is running.

A. Launch disk checking tool

Windows includes a disk checking tool called CHKDSK which is similar to the "scandisk" tool from older versions of Windows. This application scans your hard drives for errors such as lost sectors, bad sectors and corruption.

Open the Computer option from the Start menu, which will display all of the drives available to scan on your PC.

B. Right-click on the drive you wish to scan for errors and select Properties


C. Click the Tools menu, then Check Now under the error-checking section.


D. Select Scan Option

You have several options within the check disk tool. It is always recommended that you leave the "automatically fix file system errors" box checked, as this repairs any problems found. If you want to perform a deeper scan, tick "scan for and attempt recovery of bad sectors". This second option takes longer, but is worth doing if you suspect a drive problem. Once you have chosen your options, click Start.

E. Schedule a scan if needed

If you try to check a disk that is currently in use, you will receive a message asking if you wish to schedule a scan. Accepting this will perform the scan next time you restart your PC.


7. Install Stanford Whole Disk Encryption

When you run the SWDE installer, it first checks your computer to make sure certain requirements are met, such as having BigFix and Sophos Anti-Virus software installed. You will need to fix, or let the installer fix, any items that are flagged before continuing with the installation.

Once your computer has been authorized to install encryption, you will be presented with the options that are available for your computer.

Overview

If your machine is not capable of encryption using one of these methods recommended by the School of Medicine, or you have any questions about the encryption process, please contact the IT Support staff for assistance in upgrading.

If your computer is already encrypted with one of the School's standard methods, you do not need to take any further action at this time. This will be registered in BigFix and your machine will be recorded as fully compliant with the data security policy.

If a computer is currently encrypted with a different method, it does not need to be re-encrypted at this time. If you wish to switch to SWDE, which involves software built into your operating system, IRT can help you uninstall older encryption software first, such as McAfee Endpoint or PGP.

Encryption will be installed using Stanford's SWDE ("suede") Installer. To provide the highest level of privacy protection for High and Moderate Risk data, the installation process includes setting vital configuration options designed to protect your computer. You will be notified of any changes to settings during the process and will have the option of canceling if you'd like to ask any questions about them.

As part of this, an encryption key will be stored which can be used to access your data if you forget your password. Stanford will store this key securely and it will only be used in accordance with University privacy policies to restore data at your direction, as part of a legitimate investigation, or as compelled by legal process.

For a general overview of what SWDE does, and what to expect, see: Getting Started With SWDE »

For a full list of operations performed by the installer, see: PC Requirements »

 

BitLocker Encryption Requirements

  • Windows 10
  • The Trusted Platform Module (TPM) version 1.2 or higher must be installed. It must also be enabled and activated (or turned on). Contact your local IT support if you want to enable BitLocker but need assistance with enabling and activating the TPM.
  • You must be logged in as an administrator.
  • You must have access to a printer to print the recovery key.

To find out the version of Windows you are running:

  1. Click the Start button.
  2. In the Search box, type winver.
  3. If the version displayed is not one of the versions listed above, your system is not compatible with SWDE; see the Essential Stanford Software page for information about upgrading.
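
The requirements above, together with the disk health check from the earlier step, can also be checked from an elevated PowerShell prompt. The script below is an added example, not part of the SWDE installer or of Stanford's tooling; the function name `Test-EncryptionReadiness` and the choice of drive C: are assumptions. It only reads state and changes nothing, and printer access still has to be confirmed by hand.

```powershell
# Added example: read-only readiness check to run before the encryption installer.
# Assumptions: system drive is C:, and the session is started with "Run as administrator".
function Test-EncryptionReadiness {
    param([char]$DriveLetter = 'C')

    $r = [ordered]@{}

    # Requirement: you must be logged in as an administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r['Administrator'] = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Requirement: Windows 10 (same information that winver displays).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r['Windows10'] = $os.Caption -like '*Windows 10*'

    # Requirement: TPM 1.2 or higher, enabled and activated.
    # Without elevation this query is denied and the TPM values report False.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
        $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
        $r['Tpm12OrHigher'] = $spec -ge [version]'1.2'
        $r['TpmEnabled']    = [bool]$tpm.IsEnabled_InitialValue
        $r['TpmActivated']  = [bool]$tpm.IsActivated_InitialValue
    } else {
        $r['Tpm12OrHigher'] = $false
        $r['TpmEnabled']    = $false
        $r['TpmActivated']  = $false
    }

    # Disk health: online scan that reports problems but does not repair them.
    # Like the graphical check, this can take a long time on large drives.
    $scan = Repair-Volume -DriveLetter $DriveLetter -Scan -ErrorAction SilentlyContinue
    $r['DiskScanClean'] = "$scan" -eq 'NoErrorsFound'

    # If the drive is already fully encrypted with BitLocker, no re-encryption is needed.
    $blv = Get-BitLockerVolume -MountPoint "${DriveLetter}:" -ErrorAction SilentlyContinue
    $r['AlreadyEncrypted'] = $blv -and ($blv.VolumeStatus -eq 'FullyEncrypted')

    [pscustomobject]$r
}

Test-EncryptionReadiness | Format-List
```

If `DiskScanClean` is False, stop and follow the Check Disk Health step above rather than proceeding to encryption.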

A. Download Stanford Whole Disk Encryption

B. Install Whole Disk Encryption

1. Run Windows Update to make sure you have the latest security updates.

2. Run the SWDE Installer, and follow along with the step-by-step instructions at: SWDE for Windows »

 

 

C. Logging in

Enabling BitLocker will change the way you log in to your system. You need to enter your PIN at every startup, prior to entering your password. This is designed to provide an additional layer of security for your data.

D. Changing your PIN or regenerating a copy of your recovery key

Once you have created your PIN, you can change it in the BitLocker Drive Encryption control panel. You can also regenerate a new copy of your recovery key if you lose the printed copy.

1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption

2. In the BitLocker Drive Encryption control panel, click Manage BitLocker


3. Follow the instructions on the screen.

 

8. Verify your Encryption Completion

You can verify whether a computer is backed up and encrypted by looking at the AMIE (Am I Encrypted?) compliance tool. For a computer to report its status correctly, BigFix must be installed and functioning properly and you will need to have completed a Device Identification Survey for that machine. See: AMIE compliance tool »

9. Remove Personal Data from CrashPlan Backup

Should you wish to exclude personal files or directories from your backups, you can do so from within the CrashPlan application after the initial backup and encryption process is completed. Files excluded in this manner will be automatically purged from the backup archive.

A. Overview

By default, the School of Medicine CrashPlan backup service will back up the contents of all local drives in the host computer. This includes all user files, applications, and other data. This is the safest policy in the event of a system failure, as anything that was on the machine can be restored from the backup server.

Some people may be uncomfortable storing personal information on a computer that backs up to the School's backup servers, though the School of Medicine will only access such information as necessary to restore a system at the user's direction, as part of a legitimate investigation, or as compelled by legal process.

Should you wish to exclude individual files or directories from your backups, you can do so from within the CrashPlan application. Files excluded in this manner will be automatically purged from the backup archive. Any personal data so identified that had been previously backed up will be automatically and permanently deleted from the backup system but will remain on the computer.

All Stanford data must remain on the computer and be available for backup.

B. Open the CrashPlan application

Under Windows: Right-click on the CrashPlan icon in the system tray in the lower-right of the screen and select "Show Application", or run CrashPlan from the Start menu.

C. Go to Files Section

In the Backup tab of the CrashPlan application there will be a section titled "Files" - this lists all the backup sources. By default, it will include the "C" drive on Windows machines. It may also include other drives or directories if there are multiple internal drives attached to the computer.

D. Click the "Change" button to bring up the Change File Selection dialog box

  • You may un-check any files or folders that you do not want to back up.
  • Click "Save" to save your changes.
  • Warning: All Stanford data must be backed up - only use this function to exclude personal data that you do not want backed up.

 


If you don't access High or Moderate Risk Data with your PC, there are fewer Stanford-mandated security requirements. The steps are fairly simple to complete and are mostly automated through the installers. In some cases, additional assistance from an IT specialist may be required.

1. Complete Data & Device Attestation

The School will be using the information you submit in the Data and Device Attestation to deploy the various aspects of the Data Security Program. It is therefore imperative that your attestation accurately reflect your use of data and your devices at all times. Please only report the Stanford-owned and personally-owned devices that you use for school business; you do not need to report devices owned by SHC or LPCH. You can update your information at any time by visiting the Attestation Survey »

2. Encryption

You must encrypt your computer if:

  1. Your computer is owned by Stanford (whether or not you use it to access High or Moderate Risk data).
  2. You personally own your computer, and you use it on the Stanford network.

If neither of the above is true, you can still make use of Stanford's SWDE encryption for your own security, but it is not required.

For encryption help and a complete walkthrough, visit the Stanford SWDE page »

 

If your computer is indeed not used to access High or Moderate Risk data, you may choose to use the VLRE installer instead; it is similar to SWDE, but does not require the use of BigFix. Stanford will still have a record of your encryption status, but without BigFix you are left to update your security patches and such on your own.

For VLRE help and a walkthrough, visit the Stanford VLRE page »

 

3. Backups

Using CrashPlan for secure, automated backups is highly recommended, though not required. For Stanford Medicine faculty, staff, students, and affiliates, it's even a free service. Sign up for CrashPlan here »

4. Verify your Computer's Compliance

You can verify whether a computer is backed up and encrypted by looking at the AMIE (Am I Encrypted?) compliance tool. For a computer to report its status correctly, BigFix must be installed and functioning properly and you will need to have completed a Device Identification Survey for that machine. See: AMIE compliance tool »

5. Remove Personal Data from CrashPlan Backup

Should you wish to exclude personal files or directories from your backups, you can do so from within the CrashPlan application after the initial backup and encryption process is completed. Files excluded in this manner will be automatically purged from the backup archive.

A. Overview

By default, the School of Medicine CrashPlan backup service will back up the contents of all local drives in the host computer. This includes all user files, applications, and other data. This is the safest policy in the event of a system failure, as anything that was on the machine can be restored from the backup server.

Some people may be uncomfortable storing personal information on a computer that backs up to the School's backup servers, though the School of Medicine will only access such information as necessary to restore a system at the user's direction, as part of a legitimate investigation, or as compelled by legal process.

Should you wish to exclude individual files or directories from your backups, you can do so from within the CrashPlan application. Files excluded in this manner will be automatically purged from the backup archive. Any personal data so identified that had been previously backed up will be automatically and permanently deleted from the backup system but will remain on the computer.

All Stanford data must remain on the computer and be available for backup.

B. Open the CrashPlan application

Under Windows: Right-click on the CrashPlan icon in the system tray in the lower-right of the screen and select "Show Application", or run CrashPlan from the Start menu.

C. Go to Files Section

In the Backup tab of the CrashPlan application there will be a section titled "Files" - this lists all the backup sources. By default, it will include the "C" drive on Windows machines. It may also include other drives or directories if there are multiple internal drives attached to the computer.

D. Click the "Change" button to bring up the Change File Selection dialog box

  • You may un-check any files or folders that you do not want to back up.
  • Click "Save" to save your changes.
  • Warning: All Stanford data must be backed up - only use this function to exclude personal data that you do not want backed up.

 
