11.08 - Use of Email
Special Notice Regarding the Timing of this Policy
Due to the significant effect this policy may have on the workflow of faculty, staff, and students of Weill Cornell Medical College, the provisions within become active according to the following timeline:
- Confidential data no longer allowed in email without exception: 9/2011
- Automatic email forwarding no longer allowed without exception: 7/2012
Weill Cornell Medical College (WCMC) provides email service to faculty, staff, students, and affiliates for the purpose of furthering the mission of education, research, and patient care and for conducting general college business. While incidental and occasional personal use of email is permissible, personal communications and data transmitted or stored on WCMC information technology resources (such as email) are treated as business communications, and are subject to automated surveillance by security systems managed by the Information Technologies and Services Department. Automated email surveillance systems identify data that appear malicious in nature (e.g. viruses, spyware) or contain confidential information (e.g. patient health information, social security numbers) for further investigation. WCMC community members should not expect that personal communications will remain private and/or confidential. While the college permits generally unhindered use of its information technology resources, those who use WCMC information technology resources do not acquire, and should not expect, a right of privacy
Data considered by WCMC to be Confidential in nature may only be included in email if that email is solely addressed to other WCMC or NewYork Presbyterian Hospital (NYP) faculty, staff, or students whose email addresses end in either @med.cornell.edu or @nyp.org. Exceptions can be made for approved outside recipients with encrypted email connections. Contact ITS for more information on how to request approval for outside recipients.
Except in cases approved by WCMC Human Resources or Legal Counsel, automated email forwarding is not allowed for any WCMC faculty, staff, student, or affiliate. The following email domains will be approved: nyp.org, cornell.edu, mskcc.org, columbia.edu and rockefeller.edu.
Weill Cornell Medical College (WCMC) email accounts (accounts that end in @med.cornell.edu) are provided to individuals solely for their own use. Except in cases approved by WCMC Human Resources or Legal Counsel, these email accounts are not transferrable to other users. Access to WCMC's email system confers certain responsibilities. As an account holder, you may not:
- Share your email password with anyone, including ITS. ITS personnel will never ask you for your password.
- Use email to harass others.
- Falsify email accounts to send out email as another person.
- Flood people with email in an attempt to disrupt their service.
- Accept credit card numbers sent in email for payment purposes.
Community members (faculty, staff, students, researchers, etc.) who have been given WCMC email accounts are expected to use those accounts for all WCMC-related matters. It is not appropriate to use personal email accounts (gmail, Yahoo, Hotmail, etc.) for work-related communications.
Exchange Attachment Policy: In order to align WCMC with other major email systems such as Gmail and Yahoo! Mail, ITS is initiating a policy that will limit the size of all outgoing and incoming email messages, including attachments to 25MB (25,600kb). Users have experienced problems sending larger email to foreign systems that cannot receive large attachments without receiving feedback that the receiving system rejected the message. By aligning WCMC with the industry common practice there should be fewer lost emails. For now, ITS will continue to send and received large attachments. However, we STRONGLY advise use of WCMC's free File Transfer Service (https://transfer.med.cornell.edu) for all emails larger than 25MB. In early 2013, messages larger than this will be rejected and will result in either an error message from your email client or a non-delivery notice (NDR).
Reason for Policy
It is unlawful to send email containing confidential information to potentially insecure email systems. WCMC and NYP mail systems are managed by the Information Technologies and Services Department (ITS) and comply with appropriate security standards. WCMC cannot guarantee outside systems are similarly protected. Automated forwarding to outside email systems (such as gmail or Hotmail) eliminates an opportunity to review messages before sending them to an outside mail system. Without this review, messages containing confidential information may be inadvertently sent to insecure mail system. To remove this institutional risk, WCMC has chosen to ban the use of automated email forwarding.
It is understood that WCMC users need a way to securely send data to parties outside of WCMC and NYP. Please see the 'Procedures' section below for more information on this topic.
Entities Affected By This Policy
The Weill Cornell Medical College and Graduate School of Medical Sciences
- Responsible Executives: WCMC Chief Information Officer
- Responsible Department: Information Technologies and Services
- Dates: Interim Issued: 12/15/2010 Final Issuance: 6/30/2011
- Contact: Information Technologies and Services
Certain information such as patient health information, personnel data, or financial records are confidential and must be treated with extreme care to avoid inappropriate disclosure with possible attendant fines or mandated notifications.
A complete list of all data considered confidential by WCMC is available here: http://weill.cornell.edu/its/policy/security/11-3-data-classification.html.
To minimize the risk of improper disclosure:
- Do not send confidential information to non-WCMC or NYP email addresses (email addresses that do not end in @med.cornell.edu or @nyp.org).
- Do not automatically forward your WCMC email to a non-WCMC account such as gmail, or Hotmail.
- Do not send medical information to patients via email. If patients wish to receive their information electronically they may set up a secure account using Weill Cornell Connect (see below).
- WCMC offers a service called Transfer.med that gives users a secure and convenient web-based solution for transferring large files (see below)
- WCMC community members wishing to communicate electronically with patients may do so using the Weill Cornell Connect service. More information about how to use Weill Cornell Connect is available here: https://mychart.med.cornell.edu/mychart/.
Secure File Transfer
- WCMC community members wishing to securely exchange files with external (non-WCMC or NYP community members) should use the Transfer.med secure file transfer system. More information about the Transfer.med service is available here: http://weill.cornell.edu/its/computing/filesharing/transfer/.
- Users can log into this service here: https://transfer.med.cornell.edu/courier/1000@/mail_user_login.html?.