Endpoint Security Campaign
In October 2012, CUMC experienced a breach of Protected Health Information (PHI) and Personally Identifiable Information (PII) after an unencrypted workstation was stolen from a secured office. Over 500 SSNs and 5,000 medical records were exposed. In response, Dr. Goldman mandated that all endpoint devices be appropriately secured and encrypted. Please note that all policies below apply to personal devices as well as CUMC-provided ones.
We thank you in advance for your help ensuring the smooth implementation and strict enforcement of the policies outlined below.
On December 3rd 2012, CUMC IT launched a campaign consisting of:
- Discovery of all endpoint devices, both personal and those provided by CUMC (e.g., laptops, smart phones, tablets, mobile devices, desktop computers and workstations).
- Encryption of all endpoint devices that contain confidential or sensitive data, including PHI or PII.
- Verification of encryption through an annual attestation of endpoint compliance, submitted via an online Data Attestation form.
- Updating pertinent policies on an ongoing basis.
Please review the following policies, which reflect the institution's updated security posture. Related information on the Information Security pages and in the IT Procedures and Guidelines at CUMC area of the CUMC IT website has been updated as well.
1. CUMC Workstation Use Policy
2. CUMC Information Security - Backup Devices and Media Controls Policy
- All workforce laptop computers accessing or storing sensitive data must use encryption that supports pre-boot authentication.
- All workforce desktop computers accessing or storing sensitive data must use encryption that supports pre-boot authentication.
- Encryption exceptions can be granted to workforce members who attest that their devices are not used to access or store confidential or sensitive data. These workforce members must still provide ownership information to IT and must attest that their endpoints do not contain or access confidential or sensitive data.
- Personally owned laptops and desktops that are used for business purposes (including connecting to institutional email) require encryption that supports pre-boot authentication if they access or store confidential or sensitive data. This includes student computers.
3. Sanctions Policy
Major changes to the sanctions policy were made to ensure more stringent enforcement.
- Departments will be fined for any loss of confidential or sensitive data, and can be fined for failure to comply with Columbia University policies.
- Employees can be terminated, or appointments may not be renewed, if CUMC policies are violated.
- Examples of policy violations that can result in sanctions include failure to encrypt confidential or sensitive data on an endpoint device, and failure to register an information system, regardless of whether it contains confidential or sensitive data.
4. CUMC Email Policy
- All email services will be consolidated into the centrally managed CUMC Exchange email system; no departmental email servers will be permitted after 2013.
- columbia.edu addresses will be converted to cumc.columbia.edu. The columbia.edu email address will be maintained and can still be used to receive email.
- All mobile devices that access central CUMC email solutions will be managed via the central mobile management platform.
- The University's LionMail email service, offered by CUIT, will not be used, since it does not comply with HIPAA regulations.
Some of the initiatives conducted throughout this campaign are outlined below; others may be instituted as needed.
USB Drive Swap Program
CUMC IT had been offering faculty and staff a free hardware-encrypted flash drive in exchange for their unencrypted flash drive(s), to help minimize the risks associated with storing confidential or sensitive data on this convenient, portable format. This program has ended; please see Approved Encryption for help with obtaining an encrypted USB drive.
CUMC IT User Walkup Service
From December 3rd, 2012 to February 28th, 2013, free laptop encryption was offered via the CUMC IT Service Desk on the 2nd floor of Hammer. This period is now over; we appreciate the cooperation of those who participated. If you still require encryption assistance, please contact us at 5-Help (212-305-4357), option 5. Normal support fees and requirements will apply.