Policies & Regulations

Any computer or device on the School of Medicine network that is posing a threat to other computers or network resources may have its network access disabled until the problem is addressed.  Threats include: signs of malware infection, system compromise, attempts to exploit vulnerabilities on other systems, excessive use of network bandwidth, or other malicious network activity. Compromised systems may need to be rebuilt with a new installation of the operating system and updated security patches before network access can be re-enabled.

If you suspect your device or server has been compromised, see Reporting a Security Incident.

UIT Networking manages the School of Medicine network. The University Administrative Guide Section 6.2.1 describes the network use policy.

Some School of Medicine network policies vary from those applicable in other departments on campus.

• Departmental network switches/hubs or other network appliances are not permitted.  If you need additional network connections, new TSOs should be requested from IT Services and paid for by the requesting department.  This request can be submitted by the departmental IT Contact (individuals who are authorized to place Order IT requests).

• All devices used on the network must be registered for both wired and/or wireless network access, and must utilize the campus DHCP servers to obtain an address.  (Wired fixed addresses are reserved but still must be requested via DHCP; roaming and wireless addresses are dynamically assigned.)

• For security protection and network support, all network or station wiring from endpoint locations must terminate in a telecommunications IDF.

• Each device should have a separate NetDB record.

• Printers should not be connected via wireless, they should be plugged in to a wired network connection.

• TDS Information Security manages and approves all firewall rules for SoM clients, at all University locations.  There are special networks for servers, appliances and other devices that may have preconfigured firewall permissions.  To request new rules, please open a Service Now ticket, with the name of the system that needs an exception set, the IP address, and the specific ports/protocols you need open for this system.
  
• Security for SoM servers is managed in SUSI (Stanford University System Inventory).  For firewall rule changes for servers, please file a Service Now ticket, confirming that it's been inventoried; also let us know the name of the system in question, the IP address, specific ports you need open, and who/what needs access to the server.
• Note that firewall rules will be eliminated if: 1) your computer hasn't been seen on the network for more than 90 days, or 2) if your IP address is not in NetDB.
  

More on firewalls here

Stanford's regulated data must not be transmitted without encryption.  To prevent inadvertently sending sensitive data in an insecure manner, automatic forwarding of @stanford.edu email accounts to non-Stanford email must not be enabled for individuals who may access or receive High Risk data.  Automatic forwarding to @stanfordhealthcare.org, @stanfordmed.org, or @stanfordchildrens.org can be approved. 

The capability will be disabled for individuals who attest Yes in AMIE.

Note, forwarding an individual message that includes High Risk data can be done using Stanford's secure: email.  (Add secure: anywhere in the subject line.)
Forwarding individual messages without sensitive data does not require the secure: flag.

The Administration Guide (http://adminguide.stanford.edu) is the University's official administration policy manual. Chapter 6, Computing, specifically defines your responsibilities regarding network and computer utilization, information security, chatrooms and electronic commerce. 

SUMCnet is a highly specialized network that was created to provide a secure environment for users who need access to clinical applications from the School of Medicine to Stanford Hospital and Clinics (SHC) and the Lucille Packard Children’s Hospital (LPCH).  All desktop computers (servers are prohibited) must meet specific requirements before they are allowed to connect to SUMCnet.  Desktops not in compliance will be removed from the SUMCnet.

While SUMCnet is being phased out in favor of alternative network processes, until that transition if fully complete, there are still devices on SUMCnet.

• $50K - $1.5 million per violation
• Additional fines if the covered entity has been out of compliance for multiple years
• Resolution agreement with the OCR (Office for Civil Rights) — could involve additional training, policies, and oversight by an independent monitor/auditor for a period of up to two years

• $50K - $250K
• Imprisonment: 1 - 10 years

• Hospitals have a 5-business-day incident reporting window - so you MUST immediately notify us of any suspected incidents
• Confidentiality of Medical Information Act (CMIA) - institutions must notify CA residents of breaches of SSNs, medical and insurance information
• Fines and penalties: up to $250K per violation and apply to individuals as well as health care providers  - could affect your professional license
• Imprisonment up to 10 years

• Various staff/faculty sanctions, up to and including loss of privileges and termination of employment
• The University Administrative Guide has more information on the policies and regulations that have been developed at Stanford.  Particularly relevant are: Section 1.6 – Privacy Policies and Section 6.3 – Security Policies
  
• To report a suspected or definite data breach, including a lost or stolen mobile device, open an incident with the University Privacy Office: privacy@stanford.edu or https://privacy.stanford.edu.