HSC IT Policies, Standards, & Guidelines
In addition to the existing HSC Policies, Standards, & Guidelines, Health Science Center accounts are subject to University-Wide IT Policies, Standards, & Guidelines. As new University IT Policies and Standards are approved, they will replace the individual campus Policies, Standards, and Guidelines below to create system consistency.
Protecting university and student information and the systems that collect, process, and maintain this information is of critical importance to the University of Oklahoma. The University is committed to reviewing information security policies and standards to address changes in laws or regulations, audit findings, or university strategic plans or initiatives. The Norman campus Chief Information Security Officer (CISO) is responsible for coordinating the development, approval and dissemination of Information Security policies, standards, and guidelines.
Health Science Center accounts are subject to University-Wide IT Policies, Standards, & Guidelines, in addition to the existing OUHSC Policies, Standards, & Guidelines.
Portable Device Security, Secure Emails, & Research EDC Portals
Secure Email is a security technology product available to OUHSC campus faculty, staff, and students for the secure transmission of data via email. Secure Email allows OUHSC users to encrypt information sent to recipients outside the campus email system.
- For more information on how to send a secure email and the steps required by your recipient to retrieve secure email, see the knowledgebase article: What is Secure Email?
- OUHSC IT has also established encrypted channels for the secure transmission of email between the OUHSC email system and business partner email systems. For a list of the business partners with secure channels, see Secure Email and TLS.
Secure Email will help safeguard the confidentiality and integrity of Sensitive Data sent between OUHSC and outside agencies or persons. These technologies use encryption to protect Sensitive Data from unauthorized access. HIPAA requires that sensitive data, such as PHI, that is sent outside the University electronically be encrypted. Other laws and regulations, such as those regarding student information and research, have similar requirements.
Note that current University policies may also govern Secure Email use, including:
- Consent for Electronic Communications Form
- Email Transmission and Use Policy - 2017
- Definition of Sensitive Data - 2014
- Gramm-Leach-Bliley Act (GLBA) Requirements - Ensure that email messages containing confidential information are kept secure when transmitted over an unprotected link.
PLEASE NOTE: For OU Physicians’ Oklahoma City employees – OU Physicians’ OKC Centricity EMR application includes an integrated Secure Messaging solution for electronic patient care communication involving PHI, allowing tracking and relating secured message documentation to the patient’s electronic health record. OUP Centricity EMR Secure Messaging policy provides more detail about communications that should only be conducted via Centricity EMR Secure Messaging by authorized system users. Questions related to the OU Physicians OKC policy may be directed to OUP OKC Medical Records at 405-271-8001, extension number 46947. Centricity EMR user questions related to application navigation or training may be directed to OUP-EMR (HSC) or 405-271-3131, option 1.
For questions regarding HIPAA, please call 405-271-2511.
"Secure Mobile" Encryption FAQ
These Frequently Asked Questions (FAQ) are designed to address general questions from faculty, staff, and students about membership in "Secure Mobile" for OUHSC Exchange.
Membership in "Secure Mobile" is free to faculty, staff, and students at OUHSC.
Baseline security settings such as encryption can protect you or your department from a data breach with potential fines of $1.5 million per incident, criminal jail time of up to 10 years as well as civil liability. State and Federal laws (Data breach notification, HIPAA, HITECH, etc.) require the protection of certain data and hold individuals as well as organizations responsible for implementing security to protect data from unauthorized access in the event of theft or loss of a device containing certain classes of sensitive data.
The Federal government and the State of Oklahoma consider properly encrypted data to be “secure.” Encryption is a safeguard that prevents a reportable data breach when an encrypted mobile device is lost or stolen.
Q1: What type of mobile device and operating system should I use to meet the government standard to "secure" data?
A: Several popular smartphone and tablet device cryptographic modules are validated to comply with the Federal Information Processing Standard (FIPS 140-2) for encryption. Refer to the table below:
|Apple||iPhone, Touch, iPad||iOS 8.0 or later|
|Rim||Blackberry Devices||Blackberry OS 10.3 or later|
| ||Galaxy Tablet or Note||Android 4.1 or later|
| || ||Android KitKat 4.4.1 or later|
|Windows Phone (single-user mode)||Microsoft Windows Phone (ARMv7 Thumb-2)||Microsoft Windows Phone 8.1 BitLocker and above|
Q2: What can I do if I have a device which is not validated to meet the government standard for encryption?
A: Make sure you update your device and the operating system so that both are validated to comply with the government standard for encryption. Refer to Q1 above.
Q1: Is the SD card in the android devices encrypted when the EAS policy is pushed to the device? If so, how do you use that card on other devices, i.e., computers, TVs, etc.?
A: At this time, external media such as an SD card is not encrypted.
Q2: Will the TouchID function continue to work on the iPhone with Secure Mobile policies?
A: Yes, the TouchID function will continue to work on the iPhone after Secure Mobile policies are applied.
A1: Membership in “Secure Mobile” provides automated configuration of baseline security settings on mobile devices (iPhones, iPads, Androids, etc.) that synchronize with the OUHSC Exchange server. These security safeguards applied to a Federal Information Processing Standards validated (FIPS 140-2) device provide the enhanced data privacy and security required to “secure” data stored on the device. “Secure” data is protected against unauthorized access when the device is lost or stolen. All these safeguards can combine to provide a safe harbor from breach notification laws and associated penalties.
Q2: What are the "Secure Mobile" baseline security settings for mobile devices connecting to Exchange?
A: Baseline Device Security Settings are listed below.
- Device Passcode – A passcode setting of at least four (4) numbers or letters will be set. Smartphone users will be responsible for setting and remembering their device passcode. OUHSC technical support will not be able to recover a forgotten passcode on a Smartphone. The user may have to reset their device to factory defaults and lose all locally stored data if they forget their passcode and have not backed up their data.
- Encryption of data stored on the device – An industry-standard encryption mechanism must be implemented for all data stored locally on the device, including removable media and backups.
- Password-Protected Screen Saver – Password-protected screen saver will be configured to automatically lock the screen after a maximum of fifteen (15) minutes of inactivity and will require a passcode to unlock the device.
- Local data wipe for failed login attempts – A setting that implements a local data wipe after 10 failed authentication attempts.
Q3: How can the baseline security settings protect information on my mobile device?
A: Baseline security settings such as a device passcode and encryption protect information on your mobile device by preventing unauthorized access when your device is lost or stolen.
When your device is locked and your password is secret, no one else is able to access your information or applications. Only the individual who knows the device passcode is able to access locally stored data and applications on your locked device.
This measure is necessary to ensure the highest level of protection for University information, including but not limited to patient information, and to meet regulatory requirements for mitigating the risks to the University and its employees should a mobile device be lost or stolen.
Many people receive sensitive or protected information in their University e-mail, and that information will be copied to their mobile device if it is synchronized with Exchange. That is why baseline security settings are required for mobile devices that synchronize University data with Exchange.
Q1: Do I have to enroll in Secure Mobile?
A: Smartphones and mobile devices used for University business must be enrolled in Secure Mobile. Secure Mobile enrollment is automated on mobile devices by establishing an ActiveSync connection with the OUHSC Exchange server (webmail.ouhsc.edu) for email synchronization.
Q2: How do I enroll in "Secure Mobile"?
A: As of August 4, 2015, all OUHSC Exchange email user accounts were enrolled in "Secure Mobile". "Secure Mobile" policies are applied to mobile devices when the user configures their device to synchronize with the OUHSC Exchange email server. If you are configuring a new device to synchronize with Exchange, see Q2 below.
Q3: What should I do to prepare my device for "Secure Mobile"?
- Back up your device so that you will be able to restore any locally stored data if a factory reset is required.
  - How should I back up my iPhone?
    - Review Apple's support article on iPhone backup and choose the iTunes backup method with encryption. See note below.
    - Note: OUHSC does not recommend using iCloud for backups. It is possible that you have sensitive University data on your phone, such as HIPAA “Protected Health Information” or student data that requires special protection and should NOT be stored on iCloud. Additionally, iCloud Backup does not back up music, movies, and TV shows that you did not purchase from the iTunes Store or any podcasts, audiobooks, or photos that you originally synced from your computer.
  - For other types of mobile devices, follow the owner's manual instructions on how to back up your device.
- Upgrade your device operating system to the latest version. (This is currently a recommendation, not a requirement.)
- Make sure your device is fully charged and that you plug it into a power source during the encryption process.
Q4: How will I know my Exchange account is a member of "Secure Mobile"?
A: When your Exchange account is made a member of the "Secure Mobile" group, the next time your mobile device synchronizes with Exchange, the new baseline security settings will be applied.
If your device has a missing security setting, such as a passcode, you will be prompted to set up a passcode on your device. You will have a window of 60 minutes to cancel the dialog and do other things.
After that 60 minutes is up, the only thing you will be able to do on the device is set a new passcode. Once this setting is in place, you will notice the option to turn off the setting is not available (greyed out).
Q1: Can I choose my own device password/passcode?
A: Smartphone users will be responsible for setting and remembering their device passcode. Exchange does not have the capability of recovering forgotten passcodes for mobile devices.
Q2: What if I want a longer or more complex passcode on my device?
A: You can choose any passcode length or complexity that your mobile device supports.
Q3: What happens if I forget my password?
A: If you forget your mobile device passcode, follow the manufacturer's instructions to reset the device to the original factory settings. Resetting to factory settings deletes all locally stored data and will require restoring from a previously made backup to recover the data.
Q4: What happens when your OUHSC network/email password has to be changed?
A: If you change your OUHSC network/email password, your mobile device should prompt you to change the Exchange account password to match your new password. You can perform this manually through your device email settings. The “Secure Mobile” group membership does not affect Exchange email password settings.
Q1: If we use our personal phone for University business and move forward with this level of protection, will it affect the way any of our personal apps (Facebook, etc.) perform?
A: Exchange ActiveSync security settings for "Secure Mobile" do not affect device application settings.
Q1: Will these Exchange ActiveSync policies allow an IT administrator to view activity on my device?
A: No, security settings from Exchange do not provide additional monitoring features or capabilities for an IT administrator.
In fact, since the settings enable device encryption, only the individual who knows the device passcode is able to access locally stored data. So your locally stored data is protected from unauthorized access if the device is locked.
Q2: Will "Secure Mobile" Exchange ActiveSync settings allow IT to track the location of my device?
A: No, "Secure Mobile" ActiveSync settings do not enable GPS or other options that can be used to track the location of a mobile device.
Users may choose to enable GPS and applications such as "Find My iPhone" that use GPS to track device location. GPS location data and tracking applications are not available to nor supported by OUHSC IT.
Q1: What about the remote wipe capability? Should I remote wipe my device if it is lost or stolen?
A: Remote wiping a device after it is lost or stolen does not meet the government requirement to “secure” data on the device. There is no guarantee that the remote wipe command will be successful in wiping the data. Issuing the remote wipe command is up to the individual user.
Q1: How can I remove the security settings from my device when I leave the University?
A: After you delete the OUHSC Exchange email account from your device, you can change any of the security settings and can decrypt your device.
Removing the OUHSC Exchange account from your device will also delete the Exchange data such as email, calendar, contacts, notes, tasks, etc. Be sure you remove any manually stored University data from your device when you leave the University.
Q1: What if I want a shorter “Autolock” than 15 minutes on my device?
A: Apple has set the maximum timeout for “Autolock” on an iPhone to 5 minutes, while an iPad can be set to 15 minutes. This is an Apple setting that cannot be changed by Exchange settings.
Q1: How long does it take to encrypt my mobile device?
A: For iOS devices like iPhones and iPads, the encryption process occurs immediately once the password and baseline security policies are applied.
For other device types, it usually takes about 1-3 hours to encrypt the device depending upon the size of the storage. Be sure you have your Android device fully charged or plugged into the charger during the encryption process.
Q2: Will my mobile device act differently after it has been encrypted?
A: On most devices that have been manufactured since 2012, you should not notice any differences after encryption is applied. Older devices may run slower after encryption is applied.
Some iPhone users have reported that personal ringtones associated with contacts will need to be re-enabled after the baseline Exchange security settings are applied.