Using ChromeOS or Chromebooks for UCSF business

Patrick Phelan's picture

Chromebooks are unique devices that, given their architecture both from a security and service standpoint, warrant appropriate consideration.

While Chromebooks use local encryption by default (although it is system level and not full-disk) and are architected against malware, there are challenges from a regulatory risk perspective.

The primary issue is that the all user created data is stored at Google, with whom UCSF does not have a BAA nor Data Security Agreement.

This presents the risk that UCSF data could be breached and UCSF would have no legal recourse. 

Google apps and Gmail are not HIPAA-compliant for normal personal accounts and you should not use your Google/Gmail account for PHI or restricted data.

We look at ChromeOS use on a case-by-case basis, as there may be specific use cases where it would be permissible for fully public, non-internal/protected/confidential data. This would require an exception to the minimum security standard.  ChromeOS, and almost all "cloud" storage services (Google Drive/Docs, Dropbox, iCloud, etc.) are not acceptable for use with restricted/confidential data.

Contact the IT Service Desk for a consultation.