Security for Special Affiliations

Regulated data needs rigorous protections even with non-standard affiliations

At the School of Medicine, laptops, desktops, and mobile devices used for Stanford work must comply with the University security standards. This applies to both personally owned and University-purchased devices.

Due to the sensitive nature of much of the work being done in the School, the encryption policies apply to all devices used for Stanford work.   

Personnel hold a number of affiliations beyond faculty and staff. Requirements for data security vary based on the expected risk of the data handled by these individuals.

Residents/Fellows/GME

As a resident/fellow who will work with PHI, you must attest Yes that you may work with or receive High Risk data. 

When you attest to the devices you use for work, do not include SHC workstations that you use.  If you ONLY use SHC workstations and no other personally-owned or SoM department-owned computers, you can attest to zero devices and still submit the survey.

If you have a personal device that cannot meet the University security requirements, you must not use it for any Stanford work and you should not attest to it.

Students in MD/MSTP/MSPA degree programs

Students in these programs must attest Yes that they will access or receive High Risk data, even if they are not actively working with clinical information. Their attestation should remain Yes as long as they are enrolled; it should not be changed even if they are stepping out of the curriculum to obtain another degree, etc.

Attestation and information security compliance are a professional expectation; failure to correctly attest and/or have all devices encrypted by the stated deadlines will result at minimum in notification to the student's E4C mentor and escalation to the CP3 and their advising dean.

ACF, Clinician Educators, sponsored affiliates

ACF Emeritus excluded

ACFs with Stanford-owned equipment included in AMIE

ACFs with no Stanford-owned equipment who only use the Hospital portal are not in AMIE but should still follow guidance

Full sponsorship with Stanford equipment

Are there any equipment stipends?

Standardized patients?

System Admins and Individuals with Privileged Access to Computers with High Risk data

Researchers who work with regulated data must attest Yes even if they do not work with clinical patients.

Additionally, even if you do not directly work with clinical data, if you have remote administrative access to systems that store High Risk data, you must attest Yes in AMIE. This would include system administrators and other IT professionals who support these systems.

Departmental Staff and Administrators with Access to Personally-Identifiable information for students, staff & faculty

Departmental administrators and staff who have access to regulated information for faculty, staff, and students must attest Yes in AMIE. 

High Risk data is not just PHI but also includes:

  • Social security numbers
  • credit card numbers
  • financial account numbers
  • driver's license numbers
  • passport/visa numbers
  • as well as donor contact information.