Using ChromeOS or Chromebooks for UCSF business
Chromebooks are unique devices that, given their architecture from both a security and a service standpoint, warrant appropriate consideration.
While Chromebooks use local encryption by default (although it is system level and not full-disk) and are architected against malware, there are challenges from a regulatory risk perspective.
The primary issue is that all user-created data is stored at Google, with whom UCSF has neither a BAA nor a Data Security Agreement.
This presents the risk that UCSF data could be breached and UCSF would have no legal recourse.
Google apps and Gmail are not HIPAA-compliant for normal personal accounts, and you should not use your Google/Gmail account for PHI or restricted data.
We look at ChromeOS use on a case-by-case basis, as there may be specific use cases where it would be permissible for fully public, non-internal/protected/confidential data. This would require an exception to the minimum security standard. ChromeOS and almost all "cloud" storage services (Google Drive/Docs, Dropbox, iCloud, etc.) are not acceptable for use with restricted/confidential data.
Contact the IT Service Desk for a consultation.