COVID-19: Remote Work and Access to Research Data

Updated 5/22/2020; 2:15 pm - revision to FAQ#1; added new FAQ#6

How you work remotely with University data depends on the type of data. Please see the University’s Data Classification Policy.

If your research data is Research Health Information (RHI) or Protected Health Information (PHI), please follow these guidelines concerning working remotely and COVID -19. Please also review the FAQs below.

For more specific information about HIPAA-compliance ZOOM for Healthcare at CUIMC, click here.  ZOOM for Healthcare is available for non-CUIMC affiliates as well.  For more information about HIPAA-compliant Zoom for non-CUIMC Affiliates, click here.

There are two main principles to bear in mind ---researchers should (1) use measures to access information in a secure manner and (2) avoid saving or storing data on unencrypted, personal devices.

Be aware that when you work from home, you can unwittingly download data onto the C-Drive, including data such as PHI. In order to reduce the risk that might represent, researchers must use their devices with updated software patches and with anti-virus software, such as Malwarebytes, regularly. The University is offering a free license of Malwarebytes here: https://cuit.columbia.edu/malwarebytes.

The University enforces the use of VPN (Virtual Personal Network) software to make sure that all data is encrypted in transmission and that its central applications are not widely exposed to the internet. Most applications will not require VPN, but if you are unsure please reach out to your IT support team to find out.

For CUIT managed devices, you can use VPN by clicking onto the icon that looks like a little lock. It will provide a log-in window. Note that CUIT VPN services requires a CUIT Duo multifactor authentication (MFA) account. If you don't have one, please configure Duo MFA for your UNI. For additional information, visit the MFA FAQ page.

For personal, non-CUIT managed devices, you can download VPN access here.

If you are working remotely from outside the U.S., certain non-publicly available third party data may be subject to U.S. export control restrictions.  If you require access to third party data that is subject to confidentiality agreements, non-disclosure agreements, or other dissemination restrictions, please contact the Office of Research Compliance & Training (ORCT) at [email protected] to determine whether export control restrictions apply.

For more information about working remotely from outside the U.S., see FAQ Can I work remotely on a sponsored project from outside the U.S.?

University data is critical to the University and critical to our mission. There are ways to work with University data at home so long as you are adhering to our policies concerning information privacy and security, such as the Information Security Charter, Registration and Protection of Systems Policy, Registration and Protection of Endpoints Policy.

If it’s a CUIMC-IT managed laptop, it is already registered, however, you would have to validate that the device is properly configured by your department’s IT administrator. This can be done virtually. If  the desktop or laptop is not a CUIMC-IT managed device, there is no virtual solution for registering a personal device at this time. Unless your personal device is registered, you may not store PHI, RHI or PII on it.

Yes, as long as  (1) the server is a Columbia server managed by professional IT unit, such as CUIT, CUIMC IT, member group of the IT Leadership Council, or certified IT group (this is to ensure that it will meet the requirements of the University's Registration and Protection of Systems policy), and (2) you gain access to the data by using VPN (see FAQ How do I work remotely and protect research data other than RHI and PHI?).

If you have questions concerning changes you have made to your remote working environment, these changes could impact the security risk posture of that IT environment. Please contact an Information Security Office for an update to the existing IT Security Risk Review of the environment. 

Contact Details:

CUIMC Information Security Office – [email protected]

CUIT Information Security Office -- [email protected]