Endpoint Security Campaign
In October, CUMC experienced a breach of Protected Health Information (PHI) and Personally Identifiable Information (PII) after an unencrypted workstation was stolen from a secured office. Over 500 SSNs and 5000 medical records were exposed. In response, Dr. Goldman mandated that all endpoint devices be appropriately secured and encrypted. Please note that all policies below include personal devices.
We thank you in advance for your help ensuring the smooth implementation and strict enforcement of the policies outlined below.
On December 3rd 2012, CUMC IT launched a campaign consisting of:
- Discovery of all endpoint devices, both personal and those provided by CUMC (e.g., laptops, smart phones, tablets, mobile devices, desktop computers and workstations)
- Encryption of all endpoint devices that contain confidential or sensitive data including PHI or PII
- Verifying encryption through annual attestation to ensure compliance of endpoint devices (the online Confidential Data Attestation form is now available)
- Updating pertinent policies on an ongoing basis
Please review the following policies, which reflect the institution's updated security posture. Related information on Information Security's HIPAA site and in the IT Policies, Procedures and Guidelines at CUMC area of the CUMC IT website has been updated as well.
1. CUMC Workstation Use Policy
See Information Security's HIPAA Security Project Policies page for the full Workstation Use and Security text in PDF format.
- All workforce laptops containing confidential or sensitive data must use encryption with pre-boot authentication.
- Shared workstations are excepted from using pre-boot authentication only.
- Encryption exceptions can be made for workforce members who attest that their devices are not used to access or store confidential or sensitive data. Workforce members must still provide ownership information to IT and must attest that their endpoints do not contain or access confidential or sensitive data. This can be done via the online Confidential Data Attestation form.
- Personally owned laptops and desktops that are used for business purposes (including connecting to institutional email) require encryption with pre-boot authentication if they access or store confidential or sensitive data. This includes student computers.
- Mobile devices and removable media accessing or storing confidential or sensitive data must be encrypted, through either software or hardware mechanisms.
- This includes phones, tablets, USB keys, external drives, SD cards, backup tapes, DVDs and CDs, and other storage media.
- Phones and tablets that are configured for CUMC IT Exchange email are automatically required to use encryption and a passcode with auto-lock.
2. CUMC Information Security - Backup Devices and Media Controls Policy
See the HIPAA Security Project Policies page for the full Information Security: Backup, Device and Media Controls text in PDF format.
- All removable media (e.g. USB flash drives, external hard drives, backup tapes, CDs, DVDs, etc.) that store or access confidential or sensitive data must be encrypted.
- This can be done through either software or hardware mechanisms.
3. Sanctions Policy
Major changes to the sanctions policy were made to assure more stringent enforcement.
- Departments will be fined for any loss of confidential or sensitive data, and can be fined for failure to comply with Columbia University policies.
- Employees can be terminated, or appointments may not be renewed, if CUMC policies are violated.
- Examples of policy violations that can result in sanctions include: failure to encrypt confidential or sensitive data on an endpoint device, or failure to register an information system, regardless of whether it contains confidential or sensitive data.
4. CUMC Email Policy
- All email services will be consolidated into the centrally managed CUMC Exchange email system; no departmental email servers will be permitted after 2013.
- columbia.edu addresses will be converted to cumc.columbia.edu. The columbia.edu email address will be maintained and can still be used to receive email.
- All mobile devices that access central CUMC email solutions will be managed via the central mobile management platform.
- The University's LionMail email service, offered by CUIT, will not be used since it does not comply with HIPAA regulations.
Some of the initiatives conducted throughout this campaign are outlined below; others may be instituted as needed.
USB Drive Swap Program
Beginning February 6th, 2013, CUMC IT will offer faculty and staff a free hardware encrypted flash drive in exchange for unencrypted flash drive(s) to help minimize the risks associated with storing confidential or secure data on this convenient, portable format. Full details are on the USB Drive Swap Program page.
CUMC IT User Walkup Service
From December 3rd to February 28th, free laptop encryption was offered via the CUMC IT Service Desk on the 2nd floor of Hammer. This period is now over; we appreciate the cooperation of those who participated. If you still require encryption assistance, please contact us at 5-Help (212-305-4357), option 5. Normal support fees and requirements will apply.
Links to Policies and Other Documentation: