Use of Mobile Device and Removable Media Policy
Why is this policy being put in place?
Mobile devices, because of their very mobility, are at high risk of being lost or stolen. There have been several instances of laptop thefts with significant amounts of patient personal or restricted health information on them. Striving to achieve the highest possible level of patient privacy, it is necessary to protect information on mobile devices.
Who does the policy apply to?
This policy applies to all faculty, staff, employees, students, and trainees of the Ronald Reagan UCLA Medical Center, the Santa Monica UCLA Medical Center and Orthopaedic Hospital, the Resnick Neuropsychiatric Hospital at UCLA, the Faculty Practice Group, all ambulatory clinics and the David Geffen School of Medicine at UCLA.
Non-UCLA visiting researchers would fall outside the scope of the policy and would not need to encrypt devices they bring with them before using them with A/V equipment for giving seminar presentations.
Why does the policy apply to all University business, not just business that involves personal health information or restricted information?
In cases where laptops or USB flash drives have been lost, the owners were often unaware that personal or restricted information had been stored on their devices. Even if e-mail is accessed via the web, there may be PHI or restricted information in a small number of e-mails; copies of the e-mails and/or attachments may be cached and easily retrievable in the event the device is not encrypted and password protected. Consequently the safest thing is to encrypt them. This will also protect your own personal information in the event of loss or theft and is generally good electronic media hygiene.
What is considered University business?
"University business" means any activity associated with the performance of one's duties as an employee, trainee, or volunteer, at any time of day or from any location. University business includes but is not limited to note-taking, reviewing and drafting documents and presentations, accessing University e-mail through any method, documenting medical services, and recording or storing research data.
Please note the following are considered University business:
- Completing HBS timesheets on a mobile device is University business and requires encryption.
- Calling or texting for University business requires encryption.
The following are not considered University business:
- Accessing "At Your Service" or the Fidelity Net Benefits web site from a mobile device is personal business, not University business, and does not require encryption.
- Calling using your personal phone to tell your boss you are sick is personal business, not University business, and does not require encryption.
Does the policy apply to my desktop computer?
No. While it is definitely a good idea to have desktop computers password protected and encrypted, the policy does not apply, because the risk of theft or loss is significantly lower than with mobile devices, and considerable effort is already required to mitigate the high risk with mobile devices.
Do I need to encrypt my device if the only University work I do on it is check e-mail or call patients?
Yes. Patient identifiers could be included in phone contact information and phone calls can easily lead to texting and other business use. Also, in cases where laptops or USB flash drives have been lost, the owners were often unaware that personal or restricted information had been stored on their devices. Even if e-mail is accessed via the web, there may be PHI or restricted information in a small number of e-mails; copies of the e-mails and/or attachments may be cached and easily retrievable in the event the device is not encrypted and password protected. Consequently the safest thing is to encrypt them. This will also protect your own personal information in the event of loss or theft and is generally good electronic media hygiene.
Does the policy apply to non-exempt employees?
Yes. The policy applies to non-exempt employees. Many of them are using mobile devices while at work, which places them at the same risk for loss as exempt employees. Non-exempt employees should always obtain prior authorization from their supervisors before working from home or other remote locations.
What is the deadline for encrypting devices?
The new encryption policy is already in effect. All devices used for University business should be encrypted.
What happens if I do not encrypt my personal devices?
You are not required to encrypt your personal devices if you do not use your devices for University business. Failure to follow any provisions of the policy may result in disciplinary action, up to and including termination. (See: HS Policy No. 9461, "Privacy and Information Security Sanctions.")
What is encryption?
"Encryption" is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. While encryption requires a password or other means to decrypt the information, a password on a device does not mean the device is encrypted.
Which devices must be encrypted?
Any mobile device or removable media that is used for University business must be encrypted. This includes, but is not limited to, laptops, cellphones, tablets, external hard drives, and USB flash drives.
How do I know if my laptop is encrypted?
You can check if your laptop is encrypted by following instructions that can be found here (Macintosh) or here (Windows). You must have your laptop's encryption status verified by clicking here. It is your responsibility to ensure that your laptop is encrypted and verified.
How can I easily encrypt my laptop?
I have a UCLA-issued laptop. Isn't it already encrypted?
Your UCLA-issued laptop may not necessarily be encrypted. You must have your laptop's encryption status verified by clicking here. It is your responsibility to ensure that your laptop is encrypted and verified.
How long does the process take?
Depending on the size and speed of your hard drive and how many files are stored, encryption can take from 45 minutes to two days. It is highly recommended that you scan your disk and back up files before encrypting your computer, which may add a few hours to the entire process.
Will my laptop “slow down” as a result of encryption?
Encryption may affect the functionality or speed of a laptop device if it is an older model. Newer laptops have minimal, if any, performance issues due to encryption. AirWatch does not decrease the functionality of mobile devices.
Will the Health Sciences be able to monitor my activity if I encrypt my personal device?
No, encryption only protects data against unauthorized access. It does not allow the organization to track a device user’s activities.
What do I need to do to make my laptop compliant?
For a laptop to be considered fully compliant by the University, it must meet five criteria:
- Software Patch Updates
- Anti-Malware Software
- Host-based Firewall Software
- Password-protected Screen Saver
What encryption level is required?
For all removable media, UCLA Health Sciences requires full-disk encryption using Advanced Encryption Standard (AES) with a key length of at least 128 bits (usually abbreviated AES-128) for non-government work. Government work usually requires a minimum of AES 256-bit encryption and FIPS 140-2 compliance.
UCLA Health Sciences recommends the following encryption methods:
- Laptops: FileVault (Macintosh), BitLocker (Windows), PGP (Macintosh and Windows), and Check Point (Macintosh and Windows)
- External Hard Drives: FileVault (Macintosh) and BitLocker (Windows)
- USB Flash Drives: Use a USB flash drive only when absolutely necessary; if you must use one, please ensure it is a FIPS 140-2 Level 3 compliant flash drive. Please click here to view the list of USB Flash Drives that are approved and recommended by UCLA Health Sciences.
- Smartphones/Tablets: Most smartphones and tablets have native encryption software that AirWatch will enable upon enrollment.
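As an added illustration (not code from the UCLA FAQ or its verification tool), the following Python script applies this page's requirements to the status text printed by FileVault (`fdesetup status`) and BitLocker (`manage-bde -status`): the disk must be fully encrypted rather than still converting, protection must be on, and the BitLocker method must be AES with at least 128 bits. The sample outputs are constructed for illustration, and the field names assume the standard output format of those two tools.

```python
import re

# Policy threshold from the FAQ: AES with a key length of at least 128 bits.
MIN_AES_BITS = 128

def parse_status_fields(text):
    """Turn the 'Key:   Value' lines of `manage-bde -status` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def aes_key_bits(method):
    """Key length in bits from a BitLocker 'Encryption Method' such as 'XTS-AES 128'."""
    m = re.search(r"AES[ -]?(\d+)", method or "")
    return int(m.group(1)) if m else None

def bitlocker_compliant(status_text):
    """Fully encrypted (not still converting), protection on, AES >= 128 bits."""
    f = parse_status_fields(status_text)
    fully = f.get("Conversion Status", "").lower() == "fully encrypted"
    protected = f.get("Protection Status", "").lower() == "protection on"
    bits = aes_key_bits(f.get("Encryption Method"))
    return fully and protected and bits is not None and bits >= MIN_AES_BITS

def filevault_compliant(status_text):
    """`fdesetup status` reports 'FileVault is On.'; while the disk is still being
    converted it adds an 'Encryption in progress' line, which is not yet compliant."""
    t = status_text.lower()
    return "filevault is on." in t and "in progress" not in t

# Constructed sample outputs (illustration only, not captured from real machines).
BITLOCKER_OK = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
"""
BITLOCKER_CONVERTING = """\
Volume C: [Windows]
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 42.7%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
"""
FILEVAULT_ON = "FileVault is On.\n"
FILEVAULT_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 37.\n"
```

Run `bitlocker_compliant(BITLOCKER_OK)` or `filevault_compliant(FILEVAULT_ON)` against the real tool output captured on the laptop; a device that is only password protected, or still converting, fails the check.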
What is FIPS 140?
If a manufacturer says that the encryption for a device is FIPS 140 validated, the device meets all the requirements of Federal Information Processing Standard 140 for cryptography. There are different levels of FIPS 140 security with FIPS 140-2 usually being the level required for government work.
Do my devices need to use FIPS 140 validated encryption?
While using devices with FIPS 140 validated encryption provides assurance that the encryption is secure and is recommended, unless you have contracts or grants that require a specific level of FIPS 140 validation, it is not required.
What is the difference between hardware and software encryption?
Devices with hardware encryption include a processor on the device to perform the encryption/decryption as files are copied, which provides faster transfer rates. Devices with software encryption rely on your computer to do the encryption and may require local software installation, which can make them harder to use on computers that do not belong to you.
Where are users expected to send pictures of encrypted mobile devices to demonstrate compliance?
- Laptops/External Hard Drives: Instead of sending pictures, please use the self-encryption verification tool here or bring your device to any of the Encryption Fairs for verification. Verification at the fair takes about ten minutes.
- Smartphones/Tablets: It is sufficient to have AirWatch downloaded and enrolled on your smartphone/tablet to provide proof of compliance.
Do SD cards need to be encrypted?
SD cards should be encrypted when possible (SD cards in Android devices can be encrypted with the device). If it is not possible to encrypt your SD card, please do not store any University business on the SD card and keep it in a secure, locked location.
I forgot my PGP WDE passphrase, what should I do?
Call the MITS Service Desk 4HELP (310-794-4357, http://helpdesk.mednet.ucla.edu/) or your local departmental IT staff/CSC. The MITS Service Desk is available 24/7/365 and can provide a temporary unlock code. They will need to verify your identity, so be sure to check with your CSC to make sure your info and secret word are in the MITS database.
Are there any issues with upgrading my Macintosh or Windows operating system?
Yes. All major upgrades with PGP require that you first decrypt the hard drive, upgrade, and then re-encrypt. Please contact your local IT staff for assistance with upgrades.
FileVault 2 and BitLocker do not require that you decrypt your drive before upgrading.
If I copy data to an external hard drive, USB drive, or file share, will it be encrypted?
No. You will need to use an encrypted external device if copying data.
If I use automated software to back up my laptop, will the backups be encrypted?
No. Any data accessed by applications will be transparently decrypted before use. If the backups contain University business, then be sure to encrypt the backup media or files.
If my device has University business and is lost or stolen, will any notifications need to be done if it was encrypted?
Yes. If any mobile device (laptop, USB flash drive, external hard drive, phone, or tablet) is stolen or missing, the user must immediately notify his/her department administrator and the Office of Compliance Services – Privacy and Information Security (PrivacyInfoSec@mednet.ucla.edu).
Will encryption cause problems with any of the applications I use?
Encryption should cause no software problems and should be transparent to the general user.
I will be leaving UCLA and have permission to take my laptop. Do I need to get it decrypted?
You may contact your IT support group to have your laptop decrypted if it was encrypted using PGP. If a native solution (BitLocker or FileVault) was used to encrypt your laptop, it does not need to be decrypted.
How do I let other people share my laptop if it was encrypted with PGP? How should they log in?
You can add additional authorized users in the PGP desktop interface.
USB Flash Drives
Am I allowed to use USB Flash Drives?
UCLA Health Sciences asks you to only use a USB flash drive when absolutely necessary. Please use other file sharing and file storage solutions such as Transfer.Mednet and Microsoft OneDrive. If you must use a flash drive, it must be encrypted.
I have a USB flash drive that I only use to save PowerPoint lectures. Does it still need to be encrypted?
Yes. You will still need to replace it with an encrypted flash drive even if you do not store PHI or restricted information on it.
What USB flash drives are recommended?
You may purchase a compliant drive online or through one of UCLA's approved vendors. Click here to view the list of USB Flash Drives that are approved and recommended by UCLA Health Sciences.
Can I install AirWatch at home?
Yes. You may install and enroll in AirWatch from home by following these instructions.
Please note if you have an Android phone, you will need to encrypt it on your own before enrolling in AirWatch. Before you encrypt, please remember to:
- Back up your phone's data to your computer first and
- Make sure your phone is at least at 80% charge (we recommend you leave your phone plugged in to AC power during the encryption process)
What is AirWatch?
AirWatch is a Mobile Device Management (MDM) agent that allows you to access your Mednet Exchange email and calendar securely from your smartphone/tablet and also ensures the device is encrypted, has a passcode and has not been jailbroken.
I have a UCLA-issued smartphone and/or tablet. Isn't it already encrypted?
All smartphones and tablets that are set up with the AirWatch service are encrypted. It is your responsibility to ensure that your smartphone and/or tablet has AirWatch installed and enrolled. If your smartphone or tablet does not have AirWatch installed and enrolled, it cannot be used for University business. Contact your Computer Support Coordinator (CSC) or the ISS Customer Care Center (x7CARE) if you are unsure whether AirWatch is installed on your smartphone or tablet.
Can AirWatch be used to view my personal information?
No. AirWatch cannot be used to access texts, personal emails, photos, or any other personal information on your device. AirWatch collects only the following information from your device to aid in device identification and troubleshooting: user name, Mednet AD User ID, Mednet AD email address (if applicable), Mednet Wi-Fi certificate, operating system, model, display model, last time device checked in with AirWatch, enrollment status, if it has been jailbroken, encryption status, current carrier, home carrier, International Mobile Equipment Identity (IMEI) number, and phone number. This information will be viewed only when necessary to resolve problems for a specific device.