Email and collaboration technologies, including Google Apps for Education, are provided to assist and facilitate scholarly communication and collaboration. These technologies are provided for official business and educational use in the course of assigned duties. The school reserves the right to access and disclose all messages sent over its electronic mail systems for the purposes of monitoring security breaches and investigating inappropriate usage as defined in this policy. The Mount Sinai Health System is obligated to comply with legal subpoenas, court orders, and similar lawful requests from external regulators or authorities.
Inappropriate use of email and/or collaboration technology may result in loss of access privileges and disciplinary action up to and including dismissal. Inappropriate use includes but is not limited to:
Unauthorized attempts to access others’ email accounts
Transmission of protected and/or confidential information to unauthorized persons or other organizations
Transmission of obscene or harassing messages to any other individual
Transmission of offensive material, solicitations, or proselytization for commercial ventures, religious or political causes, or other non-job-related solicitations
Any illegal, unethical, or other activity that could adversely affect the Mount Sinai Health System
Access to the Internet is provided as a communications tool and an information resource to facilitate the performance of job- or academic-related functions. This policy applies to any Internet service accessed on or from a Mount Sinai Health System facility, provided by the school, accessed using school-owned equipment, or used in a manner that identifies the individual with the ISMMS or Mount Sinai Health System. The Mount Sinai Health System reserves the right to review any information, files, or communications sent, stored, or received on its computer systems.
Inappropriate use of the Internet may result in loss of access privileges and in disciplinary action up to and including dismissal. Students, faculty, and employees are prohibited from using Mount Sinai Health System-provided Internet services in connection with any of the following activities:
Engaging in illegal, fraudulent, or malicious conduct
Working on behalf of organizations without a professional or business affiliation with the Mount Sinai Health System
Sending, receiving, or storing offensive, obscene, or defamatory materials
Obtaining unauthorized access to any computer system
Using another individual’s account or identity without explicit, written authorization
Attempting to test, circumvent, or defeat the security or crediting systems of the Mount Sinai Health System or any other organization without prior authorization from Information Management Systems and Services/Security and Corporate Data Administration (IMSS/SACDA) or ISMMS IT
Any use or activity that impedes Mount Sinai Health System operations
Users of school-provided cloud services, such as Google Apps for Education and Box.com, have the ability to share files with colleagues within or outside the Mount Sinai Health System for academic collaboration purposes. Students, faculty, and employees must not, under any circumstances, share unencrypted files containing PHI or other confidential information with colleagues outside the Mount Sinai Health System. As mentioned, compliance begins by being aware of the data that one is generating and by following appropriate steps to secure such content if it contains protected or other confidential information.
All hardware devices, including students' own devices and personal laptops, on which school email, file, or collaboration services are used must be encrypted. AirWatch MDM must be enabled for personal smartphones. Thumb drives or any storage devices that contain PHI data must also be encrypted. For more information or support, students should contact the Academic IT Support Center (1.212.241.7091, email: ASCIT@mssm.edu). Students, faculty, and employees are responsible for ensuring that their devices are password enabled and encrypted.
The key points of the above policies are as follows:
Students may use only an ISMMS email account to communicate protected or confidential information. Emails containing PHI, financial information, or other confidential ISMMS information and/or social security numbers may not be sent or redirected to non-ISMMS email accounts.
The minimum necessary amount of PHI should be disclosed via email. When at all possible, students should use the Medical Record number, rather than the patient name, as the patient identifier.
Messages that leave the Mount Sinai Health System network and contain PHI or other confidential information must be encrypted using the ISMMS IT-approved solution described as follows.
Messages sent within the Mount Sinai Health System network are automatically encrypted.
Encryption will not prevent misdirection or unintended forwarding of a previous string of emails. Extreme caution must be exercised to prevent such risks. Students should be aware of their generated content.
All students, faculty, and employees should use only the provided hardware, software, or services which they are authorized to use.
All hardware devices using school or hospital email, file, or collaboration services, including personal laptops, must be encrypted, while ActiveSync must be installed and enabled for personal smartphones. Thumb drives or any storage devices that contain protected health information (PHI) or other confidential information must also be encrypted. For more information or support, please contact the Academic IT Support Center (1.212.241.7091, email: ASCIT@mssm.edu).
Individuals may not extend their use of the resources described for any purpose beyond their intended use or beyond those activities sanctioned in school policy statements.
In particular, no one may use hardware and software:
To acquire personal profit or gain
To harass, threaten, or otherwise invade the privacy of others
To initiate or forward email chain letters
To cause breaches or disruptions of computer, network, or telecommunications systems
To initiate activities which unduly consume computing or network resources
To transmit sensitive or proprietary information to unauthorized persons or parties
It is a specific violation of these guidelines to provide account passwords to individuals who are not the owners of the accounts or to obtain passwords to or use others’ accounts.
It is against this policy to copy or reproduce any licensed software or media, except as expressly permitted by the license. Unauthorized use or distribution of software, media, or digital content is a violation of this policy.
Individuals who violate the aims of this policy will be subject to disciplinary action or to referral to law enforcement authorities without prior notification of those who have sent or received such messages. ISMMS IT personnel are authorized to monitor suspected violations and to examine items stored on any school storage medium by individuals suspected of violating this policy.
ISMMS expects that all persons who use school computing hardware, software, networking services, or any property related or ancillary to the use of these facilities will abide by the following policy statement:
School information technology resources are provided with the expectation that the school community will use them in a spirit of mutual cooperation. Resources are limited and must be shared. Everyone will benefit if users avoid activities that cause problems for others who use the same system.
Any access to or sharing of protected or confidential information must comply with Mount Sinai Health System policies, including HIPAA, the Family Education Rights and Privacy Act, and the appropriate use of technology guidelines defined in this document. Remember that compliance begins by being aware whether your communication could contain protected or other confidential data and by taking the appropriate steps to secure such content. Your responsibilities within the Mount Sinai Health System extend to a variety of other forms of daily communication, including public areas, telephone use, texting, and social media technologies.
All hardware, software, and related services are supplied by the school for the sole purpose of supplementing and reinforcing the school’s educational, research, and clinical goals as set forth in the student and faculty handbooks and other mission statements of the school. These documents may be found elsewhere.
In addition to ensuring that one's device is encrypted, students must select an email encryption option if sending PHI or other confidential information to an external recipient.
To activate the email encryption option:
Microsoft Exchange users should include the word [secure] within square brackets in the subject line of the message. The recipient will be asked to self-enroll when the message is opened. The secure send mechanism can be used in any email client (e.g., Outlook, Outlook Web Access, smartphone).
Google Apps users should install the Virtru add-on to the browser and/or device (go to for instructions). When composing a message, select the “Virtru Protection is on” option.
ISMMS systems, including email, are intended for official business use. Inappropriate use may result in disciplinary actions and loss of access privileges. Unsolicited mass emailing of materials not related to school business is considered spam and may result in the loss of access privileges.
Students should remember to take care when opening attachments or following links contained in email messages. Students should verify with the sender of the message if receiving an unexpected attachment or an email that contains suspicious links. Students should be especially cautious of emails that have been quarantined. Unless they are expecting a quarantined message, students should not release the email.
Students should also take care with any messages that ask them to provide private information (e.g., birthdays, social security numbers, credit card numbers, user account passwords). These messages might actually be phishing attempts by persons pretending to be from legitimate companies or organizations. When in doubt, students should contact the party requesting the information for confirmation. Users should not rely on the contact information contained in the email but should instead use the contact information typically found on the company website or on the back of a bank or credit card.