These requirements and procedures support the governing Columbia University Information Technology Policies and the CUIMC Information Security Procedures.
Encryption is the conversion of data into a format that cannot be read or understood without the proper credentials. It provides extra protection in cases where electronic information has been disclosed, whether accidentally or deliberately and maliciously. Most encryption software uses a strong password as the credential that authorizes the data to be decrypted, or made readable again.
Encryption plays a very important role at CUIMC in providing adequate protection of data including PHI and PII. Not using encryption when required can lead to severe sanctions for the individual, department and institution.
Requirements
Encryption of equipment and media
- All workforce laptop computers accessing or storing sensitive data must use encryption that supports pre-boot authentication.
- All workforce desktop computers accessing or storing sensitive data must use encryption that supports pre-boot authentication.
- Encryption exceptions can be made for endpoints whose workforce members attest that the endpoints are not used to access or store confidential or sensitive data. Workforce members must still provide ownership information to IT and must attest that their endpoints do not contain or access confidential or sensitive data.
- Personally owned laptops and desktops that are used for business purposes (including connecting to institutional email) require encryption that supports pre-boot authentication if they access or store confidential or sensitive data. This includes student computers.
- Mobile devices and removable media accessing or storing sensitive data must be encrypted, through either software or hardware mechanisms.
- This includes phones, tablets, USB keys, external drives, SD cards, backup tapes, DVDs and CDs, and other storage media.
- Phones and tablets that are configured for CUIMC email are automatically set to use encryption and a passcode with auto-lock.
Encryption methods and use
The following requirements apply to any systems that transmit, store and process sensitive data (including PHI and PII). We also highly recommend that encryption be used to safeguard internal or official use only data, or on any systems connecting to University resources.
- Strong passwords must be used for encryption. When a password is used to encrypt or decrypt data, it must meet the requirements for a strong password.
- Do not send a password or decryption key in the same medium as the encrypted file(s). This is insecure and can allow anyone who accidentally or maliciously intercepts the message to view the information you intended to protect. Sanctioned methods are by phone call or text message. NOTE: Do not encrypt or password protect attachments to CUIMC email messages; instead use Secure Email, which protects the entire message and any attachments.
- Encrypt to enforce separation of duties when access controls are not granular enough. Files on shared storage that is also used by people who are not authorized to view the sensitive data (including administrators who may need to move or otherwise work with the data) should be encrypted to provide appropriate protection.
- Encryption technologies must be based on standard algorithms with a minimum 256-bit cipher key. Approved encryption methods fulfill this requirement, but be sure that any setup or use verifies that a 256-bit cipher is selected, as some default to a lower level. Please see the full text of the current Columbia University Registration and Protection of Endpoints Policy for more details on required encryption technologies.
- Pre-boot authentication (PBA). It is the responsibility of the user/owner to ensure that pre-boot authentication is working on their device(s) when required. Pre-boot authentication adds a layer of security while a computer starts up, before the operating system loads.
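As an added example (not part of the CUIMC policy text and not an official CUIMC tool), the following PowerShell function checks a Windows BitLocker volume against the two requirements above: a 256-bit cipher and a key protector that demands a user secret before the operating system loads. It assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session.

```powershell
# Added example: checks local BitLocker volumes against the policy's
# "256-bit cipher" and "pre-boot authentication" requirements.
# Assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume)
# and an administrator session.

# BitLocker EncryptionMethod values that use a 256-bit AES key.
# Current Windows releases default to XtsAes128 unless group policy or
# the setup script explicitly selects a 256-bit method, which is exactly
# the "may default to a lower level" caveat in the requirements.
$Approved256BitMethods = @('XtsAes256', 'Aes256')

# Key protector types that require a user secret before the OS loads.
# A bare 'Tpm' protector unlocks the drive automatically and is NOT PBA.
$PreBootProtectorTypes = @('TpmPin', 'TpmPinStartupKey', 'Password')

function Test-EndpointEncryptionCompliance {
    param(
        # Volume to check; defaults to the Windows system drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    $cipherOk = $Approved256BitMethods -contains [string]$vol.EncryptionMethod
    $pbaOk    = @($vol.KeyProtector | Where-Object {
                    $PreBootProtectorTypes -contains [string]$_.KeyProtectorType
                }).Count -gt 0
    # 'FullyEncrypted' plus ProtectionStatus 'On' means the data is protected
    # now, not merely scheduled for encryption or suspended.
    $activeOk = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = [string]$vol.EncryptionMethod
        Cipher256BitOk   = $cipherOk
        PreBootAuthOk    = $pbaOk
        ProtectionActive = $activeOk
        Compliant        = $cipherOk -and $pbaOk -and $activeOk
    }
}

# Usage: report every BitLocker-capable volume, then exit non-zero if any
# fails, so the check can feed an endpoint management or inventory job.
$results = Get-BitLockerVolume |
    ForEach-Object { Test-EndpointEncryptionCompliance -MountPoint $_.MountPoint }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A volume that reports XtsAes128 or only a Tpm protector passes Windows' own defaults but fails this policy, which is why both fields are reported separately.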
Sanctions
- Departments will be fined for any loss of confidential or sensitive data, and can be fined for failure to comply with Columbia University policies.
- Employees can be terminated, or appointments may not be renewed, if CUIMC policies are violated.
- Examples of policy violations that can result in sanctions include: failure to encrypt confidential or sensitive data on an endpoint device or failure to register an information system, regardless of whether it contains confidential or sensitive data.