This content is viewable by Everyone
Using ChromeOS or Chromebooks for UCSF Business
- Service Category: Security
- Owner Team: IT Security
-
Service:IT Security Outreach and Training
When (and why) NOT to use Chromebooks and ChromeOS
Chromebooks
Chromebooks are unique devices that, considering their architecture from both a security and a service standpoint, warrant caution in using them for UCSF business.
Chromebooks use local encryption by default (although it is system-level and not full-disk) and are architected against malware. However, there are challenges from a regulatory risk perspective.
The primary issue is that user-created data is stored at Google, with which UCSF does not have a BAA or Data Security Agreement. This presents the risk that UCSF data could be breached, and UCSF would have no legal recourse.
Google apps and Gmail are not HIPAA-compliant for normal personal accounts. You should not use your Google/Gmail account for PHI, sensitive data or restricted data.
ChromeOS
We look at ChromeOS use on a case-by-case basis. In general, ChromeOS and almost all "cloud" storage services (e.g., Google Drive/Docs, Dropbox, iCloud) are not acceptable for use with restricted or confidential data.
However, there may be specific-use cases when it would be permissible to use ChromeOS with fully public, non-internal and protected confidential data. This would require an exception to the minimum security standard.
Contact the IT Service Desk at 415-514-4100 for a consultation.