11.06 - Laptop Encryption

Policy Statement

All Information Technologies & Services (ITS) tagged laptops must be encrypted using the ITS-managed encryption system. Encryption shall be provided, at no additional charge, for any ITS-tagged laptop used by Weill Cornell Medical College (WCMC) faculty, staff, students, administrative officials or, in select cases, affiliates. Non-ITS-tagged laptops, such as those that are individually or personally owned but used for WCMC purposes, may also be considered for encryption at no additional charge. See Appendix A for more information on encrypting individually or personally owned laptops.

WCMC faculty, staff, students, and affiliates with encrypted laptops who are terminating their relationship with the medical college must inform ITS or their department head prior to termination so that the encryption software can be safely removed. For more information, see the Leaving WCMC/Removing PGP procedure below.

Entities Affected By This Policy

The Weill Cornell Medical College and Graduate School of Medical Sciences

  • Responsible Executives: WCMC Chief Information Officer
  • Responsible Department: Information Technologies and Services
  • Dates: Interim Issued: 7/15/2008. Last Update: 4/24/2012
  • Contact: Information Technologies and Services

Reason for Policy

Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption exempts WCMC from reporting requirements in the event of a theft or loss under the Information Security Breach and Notification Act, and it meets many of the security standards defined under the HIPAA Security Rule.

Procedures

Requesting Encryption for Laptops

To have encryption enabled on a computer, users must:

  1. Back up all valuable data on their laptop, including email and documents.
  2. Fill out and submit the laptop encryption form. A member of the ITS Service Desk will contact you to arrange the installation.
  3. If not already done, sign into myPassword and complete the account setup process.

All laptops tagged subsequent to the issuance of this policy will be encrypted by default unless the user does not approve or one or more of the exception criteria is met.

Leaving WCMC/Removing Encryption

  1. Users leaving WCMC must notify ITS in advance of leaving so the encryption software can be safely removed. Users leaving without notifying ITS will incur a $150 departmental charge. Contact support@med.cornell.edu to schedule the removal.
  2. If the encryption software causes unforeseen problems, contact support@med.cornell.edu for assistance.

Appendix A
Selection Criteria for Encrypting Non-ITS-Tagged Laptops

Laptops that are not tagged by ITS can also be encrypted for no cost if they are regularly used to store, send, or receive WCMC or WCMC-related Confidential data such as Social Security Numbers, credit card numbers, bank account numbers, Protected Health Information, patient research information, etc. This determination will be made on a case-by-case basis. Users wishing to encrypt non-ITS-tagged laptops should fill out and submit the laptop encryption form.

Appendix B
Exemption Guidelines for Laptops That Do Not Meet Encryption Standards

By default, all ITS-tagged laptops, regardless of what data they store, send, or receive, should be encrypted. Exemptions shall be considered on a case-by-case basis. Not encrypting laptops carries significant risk and may result in regulatory sanctions and fines for the college and the individual responsible for the data. Contact Timothy Chen, Security Compliance Manager, at tic2004@med.cornell.edu for additional information.