When (and why) NOT to use Chromebooks and ChromeOS

Chromebooks

Chromebooks are unique devices that, considering their architecture from both a security and a service standpoint, warrant caution in using them for UCSF business.

Chromebooks use local encryption by default (although it is system-level and not full-disk) and are architected against malware. However, there are challenges from a regulatory risk perspective.

The primary issue is that user-created data is stored at Google, with which UCSF does not have a BAA or Data Security Agreement. This presents the risk that UCSF data could be breached, and UCSF would have no legal recourse. 

Google apps and Gmail are not HIPAA-compliant for normal personal accounts. You should not use your Google/Gmail account for PHI, sensitive data or restricted data.

ChromeOS

We look at ChromeOS use on a case-by-case basis. In general, ChromeOS and almost all "cloud" storage services (e.g., Google Drive/Docs, Dropbox, iCloud) are not acceptable for use with restricted or confidential data.

However, there may be specific-use cases when it would be permissible to use ChromeOS with fully public, non-internal and protected confidential data. This would require an exception to the minimum security standard.  

Contact the IT Service Desk at 415-514-4100 for a consultation.