Electronic devices with sensitive JHU info must be protected

If you have sensitive or confidential information related in any way to Johns Hopkins on your electronic devices—whether they belong to the university or to you personally—it must be protected.

On Oct. 26, Robert Lieberman, provost and senior vice president for academic affairs, and Daniel Ennis, senior vice president for finance and administration, reached out to the Johns Hopkins community to explain in detail the university's policy on protecting sensitive or confidential personal information and the procedures that must be followed by faculty, staff, students, and trainees.

The text of the email sent by Lieberman and Ennis is as follows:

We have all seen news reports about breaches of sensitive or confidential personal information at academic institutions. Johns Hopkins University has, unfortunately, faced these issues as well. The public and the government expect that we use password protection and encryption to ensure the safety of personally identifiable information (PII) and protected health information (PHI). This information includes that related to research study participants, students, patients, staff, faculty, or other individuals.

The university has a policy that requires every device used by a faculty or staff member, student, or trainee for university-related business that contains sensitive or confidential personal information be password protected and encrypted. This includes desktop computers, laptops, mobile phones, iPads, other digital readers, and local or departmental servers. Of importance, this policy applies to both university equipment and devices that are personally bought and owned.

Given the threat and the realization of breaches of personal information, we are increasing our ongoing efforts to enforce the university's policy, which may be found at: http://www.it.johnshopkins.edu/policies/itpolicies.html. Every device that could potentially contain PII/PHI must be managed and approved for use by your departmental IT administrator or IT@JH before any actual PII/PHI can be stored on it. It is your responsibility to ensure that your devices are encrypted and password-protected.

If any of your devices contain PHI/PII and are currently unencrypted—or if you are not sure if your information is properly secured—you should talk to your departmental IT administrator or email IT@JH (encryption@jhu.edu) about your devices and the appropriate encryption tools. Because each person has a different degree of familiarity with technology, a website has been created for your use. Please see http://it.jhu.edu/encryption/ to get access to additional information about IT security.

We are grateful for your ongoing commitment to properly steward and secure all sensitive and confidential information with which we are entrusted.

Tagged work tools