Policy Statement

All Information Technologies & Services (ITS) tagged laptops must be encrypted using the ITS – managed encryption system. Encryption shall be provided, at no additional charge, for any ITS-tagged laptop used by Weill Cornell Medical College (WCMC) faculty, staff, students, administrative officials or, in select cases, affiliates. Non ITS – tagged laptops, such as those that are individually or personally owned but used for WCMC purposes may also be considered for encryption at no additional charge. See Appendix A for more information on encrypting individually or personally owned laptops.

Laptops that do not meet standards for encryption may be exempted from this policy. See Appendix B for exemption specifications.

WCMC faculty, staff, students, and affiliates with encrypted laptops who are terminating their relationship with the medical college must inform ITS or their department head prior to termination so that the encryption software can be safely removed. For more information, see the Leaving WCMC/Removing PGP procedure below.

Entities Affected By This Policy

The Weill Cornell Medical College and Graduate School of Medical Sciences

• Responsible Executives: WCMC Chief Information Officer
• Responsible Department: Information Technologies and Services
• Dates: Interim Issued: 7/15/2008. Final Issuance
• Contact: Information Technologies and Services

Reason for Policy

Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption exempts WCMC from reporting requirements in the event of a theft or loss under the Information Security Breach and Notification Act, and it meets many of the security standards defined under the HIPAA Security Rule.

Procedures

Requesting PGP Installation

To have PGP installed, users must:

1. Backup all valuable data on their laptop, including email and documents
2. Fill out and submit the laptop encryption form. A member of the ITS Service Desk will contact you to arrange the installation.
3. If not already done, sign into myPassword and complete the account setup process.

All laptops tagged subsequent to the issuance of this policy will be encrypted by default unless the user does not approve or one or more of the exception criteria is met.

Leaving WCMC/Removing PGP

1. Users leaving WCMC must notify ITS in advance of leaving so the encryption software can be safely removed. Users leaving without notifying ITS will incur a $150 departmental charge. Contact support@med.cornell.edu to schedule the removal.
2. If the PGP encryption software causes unforeseen problems it can be removed. Contact support@med.cornell.edu to discuss problems with the software and, if necessary, to schedule removing it.

Appendix A
Selection Criteria for Encrypting Non ITS – Tagged Laptops

A non ITS – tagged laptops can also be encrypted for no cost if it is regularly used to store, send, or receive WCMC or WCMC-related Confidential data such as social security numbers, credit card numbers, bank account numbers, patient health information, patient research information, etc. This determination will be made on a case by case basis. Users wishing to encrypt non ITS – tagged laptops should fill out and submit the laptop encryption form.

Appendix B
Exemption Guidelines for Laptops That Do Not Meet Encryption Standards

By default, all ITS-tagged laptops, regardless of what data they store, send, or receive, should be encrypted. Exemptions shall be considered on a case by case basis. Exceptions will be made where:

• The laptop operating system is incompatible with the encryption system
• Applications running on the laptop are incompatible with the encryption system
• Unacceptable system or application slowdown is caused by the encryption system
• The encryption system causes other problems or possible issues resulting in unacceptable system behavior.

If none of the issues above are identified, or if no other issues that would cause undue hardship or difficulty for the user of the laptop can be identified, the laptop must be encrypted using ITS-managed encryption software.

Download Official Interim Policy (PDF)