Endpoint Security Campaign
In October 2012, CUMC experienced a breach of Protected Health Information (PHI) and Personally Identifiable Information (PII) after an unencrypted workstation was stolen from a secured office. Over 500 SSNs and 5000 medical records were exposed. In response, Dr. Goldman mandated that all endpoint devices be appropriately secured and encrypted. Please note that all policies below include personal devices.
We thank you in advance for your help ensuring the smooth implementation and strict enforcement of the policies outlined below.
On December 3rd 2012, CUMC IT launched a campaign consisting of:
- Discovery of all endpoint devices, both personal and those provided by CUMC (e.g., laptops, smart phones, tablets, mobile devices, desktop computers and workstations).
- Encryption of all endpoint devices that contain confidential or sensitive data including PHI or PII
- Verifying encryption through annual attestation to ensure compliance of endpoint devices via the online Confidential Data Attestation form.
- Updating pertinent policies on an ongoing basis.
1. CUMC Workstation Use Policy
Please review the following policies reflecting the institution's updated security posture. Related information within Information Security's HIPAA site and the IT Policies, Procedures and Guidelines at CUMC area of the CUMC IT website have been updated as well.
2. CUMC Information Security - Backup Devices and Media Controls Policy
3. Sanctions Policy
Major changes to the sanctions policy were made to assure more stringent enforcement.
4. CUMC Email Policy
- Departments will be fined for any loss of confidential or sensitive data, and can be fined for failure to comply with Columbia University policies.
- Employees can be terminated, or appointments may not be renewed, if CUMC policies are violated.
- Examples of policy violations that can result in sanctions include: failure to encrypt confidential or sensitive data on an endpoint device or failure to register an information system, regardless of whether it contains confidential or sensitive data.
- All email services will be consolidated into the centrally managed CUMC Exchange email system; no departmental email servers will be permitted after 2013.
- columbia.edu addresses will be converted to cumc.columbia.edu. The columbia.edu email address will be maintained and can still be used to receive email.
- All mobile devices that access central CUMC email solutions will be managed via the central mobile management platform.
- The University's LionMail email service, offered by CUIT, will not be used since it does not comply with HIPAA regulations.
Some of the initiatives conducted throughout this campaign are outlined below, others may be instituted as needed.
USB Drive Swap Program
Beginning February 6th, 2013, CUMC IT will offer faculty and staff a free hardware encrypted flash drive in exchange for unencrypted flash drive(s) to help minimize the risks associated with storing confidential or secure data on this convenient, portable format. Full details are on the USB Drive Swap Program page.
CUMC IT User Walkup Service
From December 3rd to February 28th 2013, free laptop encryption via the CUMC IT Service Desk on the 2nd floor of Hammer was offered. This period is now over, we appreciate the cooperation of those who participated. If you still require encryption assistance please contact us at 5-Help (212-305-4357), option 5. Normal support fees and requirements will apply.
Links to Policies and Other Documentation: