Laptop Encryption

Friday, May 4, 2018 - IT Security

Laptop Encryption Requirements

IMPORTANT PLEASE READ:

The current laptop encryption policy, adopted in October 2013, states, “ALL laptops used for University business must be encrypted, regardless of who owns the laptop, or the operating system…” See Portable Computing Device Security at http://it.ouhsc.edu/policies/PortableDeviceSecurityPolicy.asp

Phase I to encrypt all University-owned MS Windows laptops started in 2013. Phases I, II and III are complete and have prevented several data breaches. However, we continue to have data breaches from lost or stolen personally-owned MS Windows and Macintosh laptops. We must continue the process to encrypt ALL laptops used for University business: this includes personally-owned as well as University-owned laptops.

The Mandatory Encryption Process: IMPORTANT, PLEASE READ

All OUHSC students, residents, fellows, faculty and staff:

All laptops used for University business must be encrypted by the department Tier 1. This includes personally-owned laptops with MS Windows or Macintosh operating systems. Details of the process have been provided to faculty and staff by their department Tier 1.

Liability:

It is incumbent upon all employees of the University to take steps to protect ALL University data on ALL laptops, thus ensuring sensitive and regulated data is protected. Under Federal law, employees may be held personally responsible for the loss of an unencrypted device that contains electronic Protected Health Information (ePHI), with penalties including large fines and up to 10 years imprisonment. HIPAA enforcement and penalties for the loss or theft of unencrypted ePHI are increasing. Millions of dollars in penalties have been assessed against health care organizations for the loss or theft of unencrypted devices. See http://www.healthcareinfosecurity.com/another-big-fine-after-small-breach-a-5116

What Should You Do?

University Data may NOT be stored on unencrypted laptops. University employees must take all required, reasonable, and prudent actions necessary to ensure the security and retention of ALL University data. University employees SHALL maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the University, as well as comply with appropriate safeguards required by state and federal regulations.

Incident reporting: All devices, including personally-owned devices, that access or maintain University data and that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported immediately to Campus Police, IT Security, and the HIPAA Privacy Official.

Definitions

University business: Work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, other trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University. In the context of laptop use, University business includes the use of a laptop to access OUHSC email, non-public University systems, networks, or data in the performance of work for the University.

Sensitive University data: Any information which, through loss, unauthorized access, or modification, could adversely affect any of the missions of the University or the privacy of individuals. Some sensitive data is protected by law or regulation, while other data is determined to be sensitive by virtue of its importance to the mission of the University. Examples of sensitive data include medical and patient information, credit card numbers, Social Security numbers, financial records, student records, employee data, and research data.


University of Oklahoma HSC
http://news.ouhsc.edu/