Encryption Frequently Asked Questions (FAQs)

Marc Lowe's picture


1.      What is encryption?

Encryption converts data into an unreadable format.  In order to convert it back to an intelligible format, it needs to be unlocked with the secret key.  This is similar to a safe where you might store your valuables.  A thief would not be able to breach the safe without the combination lock (or key for encryption).  While some feel just a username and password is sufficient, this would be akin to placing a gate across a road when you simply can drive around it.  It works, but not to the level necessary to protect sensitive data.

2.      When do I need to encrypt my electronic devices (e.g., laptops, iPads, cell phones, etc)?

You need to encrypt all of these devices, whether UCSF-owned or personal, if used for any UCSF purpose or to access any UCSF information.  Remember, encryption is the only safe method when Protected Health Information (PHI) or Personally Identifiable Information (PII) is involved. 

3.      What is PHI?

Protected Health Information (PHI) is health information, paired with anything that identifies a patient (e.g., name, MRN, SSN, photo, phone number, address).  The 18 personal identifiers (defined by HIPAA) are listed on Page 28 of the UCSF Privacy and Confidentiality Handbook:

4.      What is PII?

Personally Identifiable Information (PII) is an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number
  • Driver’s license number or California Identification Card number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information
  • Email address

5.      Is password protection enough to secure my device?

Passcode protection activates encryption on iPhones and iPads.  However, it is not enough to secure the data within any other device, such as a desktop or laptop computer.  For these devices, encryption must be installed.

6.      How do I encrypt my device?

The process to encrypt a device depends on whether the device is a UCSF device or a non-UCSF / personal device.

  • If you have a UCSF device, contact the IT Service Desk at (415) 514-4100 to request encryption installation
  • If you’re using a non-UCSF / personal device, review the encryption installation instructions provided on the UCSF IT website: How to Encrypt Your Computer

7.      I need additional guidance to encrypt my personal device.  Who can I contact?

If you have a problem with encrypting your device, don’t try to solve it alone.  Contact the IT Service Desk at (415) 514-4100. 


8.  Is there a way that an individual can determine themselves if a device is encrypted?

  • iPhone or iPad: You can presume it is already encrypted if you are connected to UCSF email using the mail client, as the settings are automatically pushed down and enabled.
  • Android 3.x or newer: You can presume it is already encrypted if you are prompted to enter an encryption key or PIN every time you power on the device (black screen). This happens before you see your home screen password prompt.  Encryption instructions.
  • Computer: How to Determine your Computer Encryption Status
  • Contact the IT Service Desk at (415) 514-4100 and request a consultation with Field Services or IT Security if you have any questions.

9.  If I require a passcode to unlock my iPhone and/or iPad, does that mean the device is encrypted?

Yes, as long as it’s passcode-protected, the device is encrypted.  However, you must also verify the UCSF security policy settings are enabled to ensure the screen has a passcode lock, device has a session timeout, and ability to remotely wipe the device is enabled, should it be lost or stolen.  These settings are automatically pushed down to the device if it’s connected to UCSF email using the mail client, which can be verified by doing the following:

  • Go to Settings
  • Go to Mail, Contacts, Calendars
  • Ensure the UCSF Exchange Server is listed (Note: It may be listed as another name, depending on how you named the UCSF account, but most people should have it listed as UCSF)

Please note: This applies to iPhones and iPads only.  Only enabling password-protection does not encrypt desktop computers, laptops or other mobile devices.

10.  What if my personal device is unable to be encrypted?

If your personal device cannot be encrypted, do not access your UCSF email with it and do not save PHI or PII on it.  If you need to access UCSF email remotely, contact your manager to request a UCSF device.

11.  How can I work remotely if my UCSF laptop is broken/being repaired? 

Contact your manager to determine if IT has a loaner device available for you.  If you need to use a personal device to access the UCSF network or your UCSF email, you must first ensure it is encrypted.  Review the encryption installation instructions provided on the UCSF IT website:

12.  I previously used my personal laptop a few times to access my UCSF email and/or store PHI.  However, I no longer use it for UCSF purposes and I don’t want to encrypt it.  What should I do?

PHI must be removed from the device and the remaining free space must be cleansed using an appropriate tool.  Just deleting a file is like removing the table of contents to a book.  You may not know where the chapter begins but you can still randomly flip to a page and read the full contents.  Contact the IT Service Desk to determine how to ensure any UCSF data and/or PHI is removed. 

13.  If I’m traveling, am I allowed to check my UCSF email from the hotel computer? 

No.  As confirmation of the UCSF Minimum Security Standards on public devices / workstations found in hotels, airports, conferences, Internet cafes, coffee shops, etc. cannot be determined, use of these devices for UCSF business is not allowed.  If you anticipate needing to check your UCSF email remotely, consider enabling UCSF email on your encrypted smartphone or tablet.

14.  If I’m using a device provided by UCSF for UCSF work purposes, can I assume it’s encrypted?

If your device is supported by the UCSF central IT team, it should be encrypted.  For computers, check here.  If unsure, open a ticket with the IT Service Desk and request IT Security to review your device encryption status.

15.  What is Haiku and Canto?  Are they safe?

Haiku and Canto are mobile applications used to access APeX from a mobile device (e.g., iPhone, iPad, Android).  They have been approved as safe for clinical use by UCSF Audit Services and an external security firm.  You must connect to UCSF Exchange ActiveSync to receive the security policy settings to your iPhone, iPad, or Android device prior to using Haiku or Canto.  For additional detail: http://apex/technology/files/Haiku_Canto_Release_Physicians.pdf

For outstanding questions not answered in these FAQs, contact your manager, the Privacy Office or the IT Service Desk.