500.06 - Device Encryption

Effective Date: July 15, 2008

Last Reviewed: March 12, 2025

Approval Date: June 17, 2025

Purpose 

Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption can exempt Weill Cornell Medicine (WCM) from reporting requirements in the event of a theft or loss under the New York State Information Security Breach and Notification Act, and it meets many of the security standards defined under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. 

Scope

This policy applies to all WCM and WCM-Qatar Workforce Members who utilize WCM information technology resources and those responsible for managing and safeguarding WCM data.

Policy 

All Workforce Members must take care to protect High Risk data on their laptops, desktops, smartphones, tablets, and removable storage devices. All devices owned by WCM must be encrypted, and devices not owned by WCM but used for WCM purposes must adhere to the appropriate safeguards defined in this policy to protect High Risk data. All removable storage drives, such as external hard drives or USB flash drives, must be encrypted if containing High Risk data. Any variances to this policy must meet the requirements defined in WCM Policy ITS-500.20 – Variances.

Definitions

Encryption: Refers to the process of converting information into a coded format to prevent unauthorized access.

High Risk Data: Refer to WCM Policy ITS-500.03 – Data Classification.

Workforce Members: Any faculty, staff, students, volunteers, trainees, and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM. 

Standards

1. Encryption of Devices Owned by Weill Cornell Medicine 

Encryption shall be provided, at no additional charge, for all institutionally owned devices used by WCM Workforce Members that are not otherwise exempted from this rule.

2. Encryption of Devices Not Owned by Weill Cornell Medicine 

Pursuant to WCM Policy ITS-500.10 – Device Minimum Security Requirements, Workforce Members are responsible for safeguarding WCM data on devices not owned or issued by WCM. Such devices may include personally owned devices, individual devices owned by another institution, or publicly available devices such as those in a library, café, or hotel business center. 

Workforce Members must ensure whole-disk encryption is enabled on their personally owned devices or individual devices owned by another institution if they will be using the devices to access or store High Risk data. These devices must also be registered with ITS in the High Risk Attestation

Devices available for public use, such as those in a library, café, or hotel business center, will often not support encryption and must only be used temporarily for WCM purposes and must never be used to process or store High Risk data. Individuals are responsible for taking appropriate precautions to ensure WCM data is not saved locally or accessible by others.

ITS is available to assist and provide “best effort” support to encrypt devices not owned by WCM. Devices owned by another institution, such as those which are owned by affiliates of WCM, should utilize the encryption software approved by that institution’s IT department. Individuals are strongly encouraged to make a backup of the personal data on their device and verify it for accuracy and completeness before seeking assistance from ITS to encrypt their device for WCM purposes. 

3. Removable Storage Devices 

High Risk data stored on removable storage devices must be encrypted. Examples of removable storage devices include, but are not limited to, flash drives, external hard drives, memory cards, and optical discs. Strong hardware- or software-based encryption algorithms such as the Advanced Encryption Standard (AES) with at least 256-bit keys should be used. Examples of compliant encryption software for removable storage devices include, but are not limited to, Apple FileVault, Microsoft BitLocker, LUKS (for Linux systems), and VeraCrypt (open source). When encrypted removable storage devices are used to share High Risk data, the encryption password must be shared separately and in a secure manner, such as encrypted email.

4. Variances to this Policy 

There is significant risk in not encrypting devices used to access WCM data, and a breach may result in regulatory sanctions and fines for the college and the individual responsible for the data. Variances shall be considered in relatively unusual circumstances and must meet the requirements defined in WCM Policy ITS-500.20 – Variances.

5. Device Decommission and Decryption 

Upon leaving WCM, individuals with devices owned by WCM must turn their devices in to their supervisor. These devices will remain encrypted and will be securely repurposed or reprovisioned. Individuals with devices not owned by WCM which have been used for WCM purposes must inform ITS and their supervisor prior to termination so that WCM data can be removed; the devices can then be decrypted.

Compliance with this Policy 

All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention.

Contact Information 

Direct any questions about this policy, 500.06 – Device Encryption, to the Office of the Chief Information Security Officer, using one of the methods below: 

Office: (646) 962-3609

Email: ciso@med.cornell.edu

References

Policy Approval

This policy was reviewed and approved by:

  • Information Security and Privacy Advisory Committee (ISPAC) on 05/15/2025.
  • WCM-Executive Policy Review Group (WCM-EPRG) on 06/17/2025.