Information Security
This page describes what students should know about information security at UCSF. The information below has been simplified somewhat so that it is easier to understand as an introduction to these issues.
Federal and state laws and University policy indicate that confidential data must be stored, delivered, and removed securely, but this is much easier said than done.
Information security:
- is a very complicated topic -- administratively, politically, socially, and economically.
- is a moving target -- there are new vulnerabilities, new exploits, new technologies, and new claims of security every year. (An uncommon example: Researchers crack FileVault, BitLocker with canned air hack.)
- has best practices that can change from year to year.
- is implemented differently from organization to organization.
These issues are very complicated but also very important for you to understand.
When you haven't been assured that confidential data is being stored, delivered, or removed securely, ask questions.
We encourage you to ask questions of your co-workers and your information technology providers not just now at UCSF but also throughout your entire career as a health care professional.
Why bother?
Protecting confidential data is important and in your best interest because:
- It's ethical: Patients and research participants usually don't want your data about them shared with anyone in a way that associates names or personal identifiers with specific data.
- It's less expensive: You can be held personally liable for fines of up to US$250,000 per violation.
- It's less trouble:
  - Would you want a misdemeanor to appear on the criminal background check required for your next job?
  - Would you want the licensing board to be notified of your recent failure to protect confidential data?
  - Are you prepared to spend up to 10 years in prison?
Once again:
Confidential data must be stored, delivered, and removed securely.
Stored securely
- On a desktop or laptop computer:
  - Windows laptops must have antivirus, antispyware, firewall, and a password. Mac laptops must have antivirus, firewall, and a password. UCSF provides antivirus and antispyware software at no cost to the UCSF community. (Follow the steps at Computer Security.)
  - Ideally desktops and laptops should also have full disk encryption, but this is difficult to set up and administer, and UCSF does not yet have the resources to make this easily available to students. Instead, use encryption tools called TrueCrypt (Mac, Windows, Linux) and Apple FileVault (Mac only). TrueCrypt is free, and FileVault is included with all modern Macs. Mac users can also use encrypted disk images. All of these are relatively easy to use. Unfortunately, UCSF does not have the resources to help you use or resolve problems with these encryption tools. (Search Google to learn more, and contact the vendor for more help.)
- For mobile devices, BlackBerry and Windows Mobile users must enable encryption and have a password. (See your user manual or contact your service provider for help.) Windows Mobile users must have antivirus. All other mobile device users must not store confidential data at all. This includes iPhone and Palm. These devices are not secure, despite what the vendor might claim. (Even the iPhone 3 GS.)
- For CDs, DVDs, USB drives, etc., use TrueCrypt (described above) to create an encrypted volume in which you can store confidential data.
- The backup of your data must be stored securely as well, ideally encrypted. If you're not sure if it is, ask the provider of your backup solution.
Delivered securely
- Never send unencrypted confidential data in email -- regular email is not secure. To send messages securely from your UCSF email account, add Secure: (Secure colon space) to the beginning of your subject line. This tells the system to deliver your message in a secure manner involving encryption. (This feature is specific to UCSF email and does not work when you send mail from other mail services. Also, this feature is not compatible with LISTSERV mailing lists -- don't use this feature with messages to LISTSERV addresses.)
- Don't forward your UCSF email -- Don't use Gmail, Yahoo! Mail, or any other external email service to check your UCSF email. Don't forward your UCSF email to any outside mail service. If a colleague of yours happens to send unencrypted confidential data to your UCSF email account, checking or forwarding email in this manner exposes that confidential data to other parties.
- When using mobile devices -- Checking UCSF email on mobile devices is statistically riskier than on non-mobile devices because mobile devices are more easily lost and stolen. You cannot predict when a colleague might send unencrypted confidential data to your email account, and you cannot predict when your phone will be lost or stolen.
  - Safest: Avoid doing so if you can -- this is the safest action to take.
  - Almost-certainly-safe: Use the device's web browser to check UCSF email at http://exchange.ucsf.edu and configure your browser to empty its cache upon exiting. Webmail will always connect securely by default when you use a modern web browser.
  - Somewhat-safe: Download messages to your device using recommended methods. For Windows Mobile, iPhone, and Palm, this means using ActiveSync. For Windows Mobile and BlackBerry, this means enabling encryption. Even these recommended methods cannot guarantee that confidential data will remain secure -- they only increase the likelihood.
  - Unsafe: Any checking of UCSF email on mobile devices in scenarios other than described above is considered high risk.
Removed securely
When confidential data is deleted from a computer, mobile device, USB drive, or portable hard drive, the data typically remains but the file system has been marked to tell the operating system that the data is no longer there. The data appears to have been deleted but someone with the right access, knowledge, and tools can restore the data, sometimes very easily. To remove confidential data securely, you must either use secure erase methods or you must physically destroy the hardware storing the data. To learn more, see column 2 at Computer Recycling.
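As an added illustration (not part of the original page and not UCSF code), the Python model below shows the behavior described above: an ordinary delete only flags the directory entry, so the data can still be read back, while overwriting the data first leaves nothing to recover. The ToyVolume class and the file names used with it are hypothetical, and the layout is a simplified FAT-style directory with contiguous data, not a real file system driver.

```python
import struct

CLUSTER = 512        # bytes per cluster in this toy volume
DIR_SIZE = 16 * 32   # 16 directory entries of 32 bytes, as in FAT
DELETED = 0xE5       # FAT flags a deleted entry via its first name byte

class ToyVolume:     # hypothetical simplified model: directory + contiguous data
    def __init__(self, clusters=64):
        self.disk = bytearray(DIR_SIZE + clusters * CLUSTER)
        self.next_free = 0   # next unused data cluster

    def _entries(self):      # yields (entry offset, first cluster, file size)
        for off in range(0, DIR_SIZE, 32):
            yield (off, *struct.unpack_from("<HI", self.disk, off + 26))

    def write_file(self, name, data):
        slot = next(off for off, _, _ in self._entries()
                    if self.disk[off] in (0x00, DELETED))
        first = self.next_free
        self.next_free += -(-len(data) // CLUSTER)   # ceil division
        start = DIR_SIZE + first * CLUSTER
        self.disk[start:start + len(data)] = data
        self.disk[slot:slot + 11] = name.encode("ascii").ljust(11)[:11]
        struct.pack_into("<HI", self.disk, slot + 26, first, len(data))

    def list_files(self):    # what the operating system shows the user
        return [bytes(self.disk[off:off + 11]).decode("ascii").strip()
                for off, _, _ in self._entries()
                if self.disk[off] not in (0x00, DELETED)]

    def delete(self, name, secure=False):
        target = name.encode("ascii").ljust(11)[:11]
        for off, first, size in self._entries():
            if bytes(self.disk[off:off + 11]) == target:
                if secure:   # secure erase: overwrite the data itself first
                    start = DIR_SIZE + first * CLUSTER
                    self.disk[start:start + size] = bytes(size)
                self.disk[off] = DELETED   # ordinary delete only flags the entry
                return
        raise FileNotFoundError(name)

    def recover_deleted(self):   # what a recovery tool does with flagged entries
        found = {}
        for off, first, size in self._entries():
            if self.disk[off] == DELETED:
                start = DIR_SIZE + first * CLUSTER
                tail = bytes(self.disk[off + 1:off + 11]).decode("ascii").strip()
                found["_" + tail] = bytes(self.disk[start:start + size])
        return found
```

After `delete(name)`, `list_files()` no longer shows the file but `recover_deleted()` still returns its full contents; after `delete(name, secure=True)` it returns only zero bytes.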
Questions?
Contact your program's administration office or UCSF Customer Support (415/514-4100, Option 2).