Frequently asked questions

What is encryption?

• Encryption converts data into an unreadable format to prevent unwanted access.  
• In order to convert it back to a readable format, it needs to be unlocked with a key. 
  • This is similar to a safe deposit box where you might store your valuables: A thief would not be able to open the box without the key. 
     
• Some users believe that a username and password are sufficient to protect their data.
  • Unfortunately, this is akin to placing a gate across a road when others can simply can drive around it. 
     
• Although a username and password work to a certain extent, they don't rise to the level needed to protect sensitive data.

When do I need to encrypt my electronic devices (e.g., laptops, iPads, cell phones)?

• You need to encrypt all your devices, whether UCSF-owned or personal, if you use them for any UCSF purpose or to access any UCSF information. 
• Remember: Encryption is the only safe method when Protected Health Information (PHI) or Personally Identifiable Information (PII) is involved. 

What is PHI?

• Protected Health Information (PHI) is health information paired with anything that identifies a patient (e.g., name, MRN, SSN, photo, phone number, address). 
• The 18 personal identifiers defined by HIPAA are listed on page 28 of the UCSF Privacy and Confidentiality Handbook: http://tiny.ucsf.edu/9AVKzb.

What is PII?

• Personally Identifiable Information (PII) is an individual’s first name (or first initial) and last name in combination with any one or more of the following data elements, when either the name or the data element(s) are not encrypted:
  • Social security number
  • Driver’s license number or California Identification Card number
  • Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information
  • Email address

Is password protection enough to secure my device?

• Password protection activates encryption on iPhones and iPads, but it's not sufficient to secure the data within any other device, such as a desktop or laptop computer. 
  • For these devices, encryption must be installed.

How do I encrypt my device?

• The process to encrypt a device depends on whether it's a UCSF device or a non-UCSF or personal device.
  • If you have a UCSF device, contact the IT Service Desk at 415-514-4100 or [email protected] to request encryption installation.
  • If you’re using a non-UCSF or personal device, review the encryption installation instructions provided on the UCSF IT website How to Encrypt Your Computer.

I need additional guidance to encrypt my personal device.  Whom can I contact?

• If you have a problem with encrypting your device, don’t try to solve it alone. 
• Contact the IT Service Desk at 415-514-4100 or [email protected]. 

​​​​​Is there a way an individual can personally determine if a device is encrypted?

• iPhone or iPad: You can presume it's already encrypted if you are connected to UCSF email using the mail client, as the settings are automatically pushed down and enabled.
• Android 3.x or newer: You can presume it's already encrypted if you are prompted to enter an encryption key or PIN every time you power on the device (black screen).
  • This happens before you see your home screen password prompt.  Encryption instructions.
• Computer: Review How to Determine your Computer Encryption Status.
• If you still have questions, contact the IT Service Desk at 415-514-4100 or [email protected] to request a consultation with Field Services or IT Security.

If I require a passcode to unlock my iPhone or iPad, does that mean the device is encrypted?

• Yes. As long as it’s passcode-protected, the device is encrypted. 
• However, you must also verify that the UCSF security policy settings are enabled to ensure that:
  • The screen has a passcode lock.
  • The device has a session timeout.
  • You have the ability to remotely wipe the device is enabled, should it be lost or stolen. 
  • These settings are automatically pushed down to the device (iPhones and iPads only) if it’s connected to UCSF email using the mail client.
    • Enabling only password protection does not encrypt desktop computers, laptops or other mobile devices.
• To verify that the UCSF security policy settings are enabled:
  • Go to Settings.
  • Go to Mail, Contacts, Calendars.
  • Ensure that the UCSF Exchange Server is listed.
    • (Note: It may be listed with another name, depending on how you named the UCSF account, but most people should have it listed as UCSF.)

What if my personal device is unable to be encrypted?

• If your personal device cannot be encrypted:
  • Do not access your UCSF email with it.
  • Do not save PHI or PII on it. 
• If you need to access UCSF email remotely, contact your manager to request a UCSF device.

How can I work remotely if my UCSF laptop is broken/being repaired? 

• Contact your manager to determine if IT has a loaner device available for you. 
• If you need to use a personal device to access the UCSF network or your UCSF email, you must first ensure that it's encrypted. 
  • Review the encryption installation instructions provided on the UCSF IT website http://tiny.ucsf.edu/9bTkaB.

I previously used my personal laptop a few times to access my UCSF email or to store PHI.  However, I no longer use it for UCSF purposes, and I don’t want to encrypt it.  What should I do?

• You must remove the PHI from the device and cleanse the remaining free space using an appropriate tool. 
  • Simply deleting a file is like removing the table of contents from a book: You may not know where a chapter begins, but you (or anyone else) can still flip to any page and read the full contents.  
     
• Contact the IT Service Desk at 415-514-4100 or [email protected] to learn how to ensure that you've completely removed any UCSF data or PHI from the device. 

If I’m traveling, am I allowed to check my UCSF email from the hotel computer? 

• No. Use of public devices for UCSF business is not allowed. 
  • This is because you cannot confirm that you're meeting the UCSF Minimum Security Standards on public devices or workstations (e.g., at hotels, airports, conferences, internet cafes, coffee shops).
• If you anticipate needing to check your UCSF email remotely, consider enabling UCSF email on your encrypted smartphone or tablet.

If I’m using a device provided by UCSF for UCSF work purposes, can I assume it’s encrypted?

• If your device is supported by the UCSF central IT team, it should already be encrypted. 
  • For computers, check here. 
• If you're still unsure, open a ticket with the IT Service Desk at [email protected] and ask them to review your device encryption status.

What are Epic Haiku and Canto?  Are they safe?

• Haiku and Canto are mobile applications used to access APeX from mobile devices (e.g., iPhone, iPad, Android). 
• They have been approved as safe for clinical use by UCSF Audit Services and an external security firm. 
• Before you can use Haiku or Canto, you must enroll and configure Microsoft Intune to receive the security policy settings to your iPhone, iPad or Android device. 
  • For additional details, go to http://apex/technology/files/Haiku_Canto_Release_Physicians.pdf.

Still have questions?

For answers to questions not found in these FAQs, contact your manager, the Privacy Office or the IT Service Desk. 

• UCSF Privacy Office: 415-353-2750 or https://hipaa.ucsf.edu/
• UCSF IT Service Desk: 415-514-4100 or [email protected]
• UCSF Privacy and Confidentiality Handbook: http://tiny.ucsf.edu/9AVKzb