All users of desktops, laptops, tablets, and mobile devices (whether Information Technologies & Services [ITS] tagged or untagged) must take care to protect confidential data. All devices tagged by ITS and used for WCMC purposes must be encrypted using an ITS-managed encryption solution unless otherwise exempted as defined in this policy. Users shall take care when accessing, storing, or transmitting confidential data on untagged devices, as described in this policy. All untagged removable storage drives, such as external hard drives or USB flash drives, must be encrypted if containing confidential data.
Reason for Policy
Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption can exempt WCMC from reporting requirements in the event of a theft or loss under the Information Security Breach and Notification Act, and it meets many of the security standards defined under the HIPAA Security Rule.
Entities Affected by this Policy
Weill Cornell Medical College and Graduate School of Medical Sciences
Who Should Read this Policy
All individuals accessing, storing, sending, receiving, or transmitting any WCMC data.
Direct any questions about this policy, 11.06 - Device Encryption, to Brian Tschinkel, Information Security Officer, using one of the methods below:
- Office: (646) 962-2768
- Email: firstname.lastname@example.org
These definitions apply to terms as they are used in this policy.
- ITS - Information Technologies & Services Department
- WCMC - Weill Cornell Medical College
- PII - Personally identifiable information, as defined in GAO-08-536 Privacy Protection Alternatives, is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- PHI - Protected health information, as defined in Title 45 CFR §160.103, is individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
- HIPAA - Health Insurance Portability and Accountability Act of 1996.
- confidential - As defined in ITS 11.03 - Data Classification, confidential data includes, without limitation, the following: PHI; PII; student records, including those protected under the Family Education Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; financial data, including data covered under the Gramm-Leach-Bliley Act (GLBA) and the information pertaining to credit cards covered by the Payment Card Industry Data Security Standard (PCI DSS); employment records, including pay, benefits, personnel evaluations, and other staff records; research data involving human subjects that are subject to the Federal Policy for the Protection of Human Subjects (Common Rule) as defined in Title 45 CFR §46.101 et seq.; and research grants and related information, such as applications, contracts, study protocols (including those involving animals), intellectual property belonging to Weill Cornell Medical College, and other sensitive research data.
- tagged device - A device that is supported by ITS and is permitted to connect to the WCMC network and access selected WCMC services.
- encryption - A process which converts plain data into a coded form or cipher in order to prevent unauthorized access.
Encryption of Supported (Tagged) Devices
Encryption shall be provided, at no additional charge, for any tagged device used by WCMC faculty, staff, students, administrative officials or, in select cases, affiliates that is not otherwise exempted from this rule.
WCMC faculty, staff, students, and affiliates with encrypted devices who are terminating their relationship with the medical college must inform ITS or their department head prior to termination so that the encryption software and confidential data can be safely removed.
Encryption of Unsupported (Untagged) Devices
Users are responsible for safeguarding confidential data on untagged devices, such as those that are individually or personally owned but used for WCMC purposes. In situations where an individual needs to access WCMC confidential data from an untagged device, secure channels shall be used. Examples of known secure channels are ITS-supported VPN and WebVPN connections, Wi-Fi networks secured with a password (not in public cafés or hotels), the ITS virtual desktop and Citrix thin client access service, myDesktop (http://weill.cornell.edu/mydesktop), or Webmail. Users shall take caution to not download or save sensitive attachments or files on untagged devices. In extenuating circumstances where confidential data must be stored on untagged devices, the devices should be encrypted to ensure the confidentiality of the data. Users of untagged and unencrypted devices are responsible for safeguarding and securing WCMC confidential data.
ITS is available to assist and provide "best effort" support to encrypt untagged devices. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.
Exemption Guidelines for Devices that Do Not Meet Encryption Standards
All desktops, laptops, tablets, and mobile devices, whether individually owned or distributed by ITS and accessing, storing, sending, or receiving confidential data, must be encrypted. Exemptions shall be considered in relatively unusual circumstances only when the following conditions are met:
- The device is demonstrated not to contain protected data at least annually and users attest that it will never be used for protected data;
- The device does not meet the minimum hardware requirements to support encryption or is known to be incompatible with a WCMC application;
- No practical encrypted alternative is available; and,
- A completed Request for Device Encryption Exemption form is submitted to ITS Support with approval from the user’s Department Administrator or Chair.
There is significant risk in not encrypting devices used to access WCMC data and a breach may result in regulatory sanctions and fines for the college and the individual responsible for the data.
Requesting Encryption for Untagged Devices
To have encryption enabled on an untagged desktop, laptop, tablet, or mobile device, users should:
- Backup all valuable data on their device, including email and documents. ITS can assist with this for supported devices but only a user can confirm that the backup is valid and adequate. Backups containing confidential data should be encrypted or stored on a secure server or in a locked cabinet.
- Fill out and submit the device encryption form. A member of the ITS Service Desk will contact you to arrange the installation.
- If not already done, sign into myPassword and complete the account setup process.
All devices tagged subsequent to the issuance of this policy will be encrypted by default unless one or more of the exception criteria are met.
Leaving WCMC/Removing Encryption
Users leaving WCMC must notify ITS in advance of leaving so any managed encryption software and confidential data can be safely removed. Contactsupport@med.cornell.edu to schedule the removal.
If the encryption software causes unforeseen problems, email@example.com for assistance.