Policies

Computing Services at the Icahn School of Medicine at Mount Sinai (ISMMS) maintains a number of policies around the use of various computing technologies to best facilitate the usage of school-supported resources.

Email is provided to assist and facilitate communications at the Icahn School of Medicine. It is provided for official business use in the course of assigned duties. All messages are ISMMS records. The School reserves the right to access and disclose all messages sent over its electronic mail system.

In the course of their duties, systems operators and managers may monitor use of the email system or review the contents of stored email records. Inappropriate use may result in loss of access privileges and disciplinary action up to and including dismissal. This includes, but is not limited to:

  • Unauthorized attempts to access another's email account
  • Transmission of sensitive or proprietary information to unauthorized persons or organizations
  • Transmission of obscene or harassing messages to any other individual
  • Transmission of offensive material, solicitations, or proselytization for commercial ventures, religious or political causes, or other non-job-related solicitations
  • Any illegal or unethical activity or any activity which could adversely affect ISMMS.

The Mount Sinai Health System reserves the right to disclose any electronic mail messages to law enforcement officials without prior notice to any employees who may have sent or received such messages.

Access to the Internet is provided as a communications tool and information resource to facilitate the performance of job-related functions. This policy applies to any Internet service accessed on or from a Mount Sinai facility, provided by Mount Sinai, accessed using Mount Sinai computer equipment, or used in a manner that identifies the individual with Mount Sinai.

Inappropriate use of the Internet may result in loss of access privileges and disciplinary action up to and including dismissal. Employees are prohibited from using Mount Sinai-provided Internet services in connection with any of the following activities:

  • Engaging in illegal, fraudulent, or malicious conduct
  • Working on behalf of organizations without any professional or business affiliation with Mount Sinai
  • Sending, receiving, or storing offensive, obscene, or defamatory materials
  • Obtaining unauthorized access to any computer system
  • Using another individual's account or identity without explicit written authorization
  • Attempting to test, circumvent, or defeat security or crediting systems of Mount Sinai or any other organization without prior authorization from Information Management Systems and Services/Security and Corporate Data Administration (IMSS/SACDA)
  • Any use or activity that impedes Mount Sinai operations

The Health System reserves the right to review any information, files, or communications sent, stored, or received on its computer systems.

HR Policy #13.5

The Icahn School of Medicine expects that all persons who make any use of ISMMS computing hardware, software, networking services, or any property related or ancillary to the use of these facilities, will abide by the following policy statement:

The School’s information technology resources are provided in the hope that the entire ISMMS community will use them in a spirit of mutual cooperation. Resources are limited and must be shared. Everyone will benefit if all computer users avoid any activities which cause problems for others who use the same systems.

All hardware, software, and related services supplied by the Icahn School of Medicine are for the sole purpose of supplementing and reinforcing the School's goals as set forth in the student and faculty handbooks and other mission statements of ISMMS; see the Student Handbook and the Faculty Handbook. It is a specific violation to give account passwords to individuals who are not the owners of such accounts, or to obtain passwords to, or use of, accounts other than one's own.

We expect that no one will use hardware, software, or services without authorization to do so. Copying software is a violation of federal copyright law. Individuals may not extend their use of the facilities described above for any purpose beyond their intended use, or beyond those activities sanctioned in school policy statements. In particular, no one may use them:

  • For personal profit or gain
  • To harass, threaten, or otherwise invade the privacy of others
  • To initiate or forward e-mail chain letters
  • To cause breaches of computer, network, or telecommunications security systems
  • To initiate activities which unduly consume computing or network resources
  • To transmit sensitive or proprietary information to unauthorized persons or parties

Individuals who violate the aims of this policy will be subject to disciplinary action or to referral to law enforcement authorities without prior notification to those who have sent or received such messages. Academic Computing personnel are authorized to monitor suspected violations and to examine items stored on any school storage medium by individuals suspected of violating this policy.

By clicking "Accept" on the registration page, you signify that you have read and will abide by the terms of the Icahn School of Medicine Network Usage Policy. You must accept this policy to use the network.

HR Policy #13.6

View Mount Sinai Health System Social Media Guidelines.

Overview

The Icahn School of Medicine at Mount Sinai (ISMMS) expects that all persons who use school computing hardware, software, networking services, or any property related or ancillary to the use of these facilities will abide by the following policy statement:

School information technology resources are provided with the expectation that the school community will use them in a spirit of mutual cooperation. Resources are limited and must be shared. Everyone will benefit if users avoid activities that cause problems for others who use the same system.

Any access to or sharing of protected or confidential information must comply with Mount Sinai Health System policies, including the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and the appropriate use of technology guidelines defined in this document. Health System policies can be found in the PolicyTech link below. Remember that compliance begins by being aware whether your communication could contain protected or other confidential data and by taking the appropriate steps to secure such content. Your responsibilities within the Mount Sinai Health System extend to a variety of other forms of daily communication, including public areas, telephone use, texting, and social media technologies.

All hardware, software, and related services are supplied by the school for the sole purpose of supplementing and reinforcing the school’s educational, research, and clinical goals as set forth in the student and faculty handbooks and other mission statements of the school. These documents may be found at, but are not limited to, these locations:

ISMMS medical and graduate student handbooks
https://icahn.mssm.edu/education/students/handbook-policies

ISMMS faculty handbook
https://icahn.mssm.edu/about/faculty-resources/handbook

HIPAA responsibilities and regulations
https://icahn.mssm.edu/research/pphs/researcher/hipaa

Social media guidelines
https://icahn.mssm.edu/about/faculty-resources/handbook/institutional/social-media

Health System and ISMMS policies
https://mshs.policytech.com

Use of Hardware and Software

We expect that all students, faculty, and employees will use only the provided hardware, software, or services which they are authorized to use.

All hardware devices using school or hospital email, file, or collaboration services, including personal laptops, must be encrypted, while Mobile Device Management (MDM) must be enabled for personal smartphones. Thumb drives or any storage devices that contain protected health information (PHI) or other confidential information must also be encrypted. For more information or support, please contact the Academic IT Support Center (ASCIT@mssm.edu).

Individuals may not extend their use of the resources described for any purpose beyond their intended use or beyond those activities sanctioned in school policy statements.

In particular, no one may use hardware and software:

  • To acquire personal profit or gain
  • To harass, threaten, or otherwise invade the privacy of others
  • To initiate or forward email chain letters
  • To cause breaches or disruptions of computer, network, or telecommunications systems
  • To initiate activities which unduly consume computing or network resources
  • To transmit sensitive or proprietary information to unauthorized persons or parties

It is a specific violation of these guidelines to provide account passwords to individuals who are not the owners of the accounts or to obtain passwords to or use others’ accounts.

It is against this policy to copy or reproduce any licensed software or media, except as expressly permitted by the license. Unauthorized use or distribution of software, media, or digital content is a violation of this policy.

End-users, departments, and institutes are strictly prohibited from engaging in any form of re-selling or re-marketing of our core enterprise technology services, including but not limited to networks or subscriptions, whether to users within our institution (Mount Sinai) or externally. "Re-selling" encompasses any unauthorized transfer, rental, or sale of services via payment or fund number transfers, while "re-marketing" includes altering or rebranding services for resale or redistribution purposes, whether by individuals, departments, or institutes.

Individuals who violate the aims of this policy will be subject to disciplinary action or to referral to law enforcement authorities without prior notification of those who have sent or received such messages. ISMMS IT personnel are authorized to monitor suspected violations and to examine items stored on any school storage medium by individuals suspected of violating this policy.

Web and Data Storage

Access to the Internet is provided as a communications tool and an information resource to facilitate the performance of job- or academic-related functions. This policy applies to any Internet service accessed on or from a Mount Sinai Health System facility, provided by the school, accessed using school-owned equipment, or used in a manner that identifies the individual with the ISMMS or Mount Sinai Health System. The Mount Sinai Health System reserves the right to review any information, files, or communications sent, stored, or received on its computer systems.

Inappropriate use of the Internet may result in loss of access privileges and in disciplinary action up to and including dismissal. Students, faculty, and employees are prohibited from using Mount Sinai Health System-provided Internet services for activities including, but not limited to, any of the following:

  • Engaging in illegal, fraudulent, or malicious conduct
  • Working on behalf of organizations without a professional or business affiliation with the Mount Sinai Health System
  • Sending, receiving, or storing offensive, obscene, or defamatory materials
  • Obtaining unauthorized access to any computer system
  • Using another individual’s account or identity
  • Attempting to test, circumvent, or defeat the security or crediting systems of the Mount Sinai Health System or any other organization without prior authorization from Information Management Systems and Services/Security and Corporate Data Administration (IMSS/SACDA) or ISMMS IT
  • Any use or activity that impedes Mount Sinai Health System operations

Cloud Storage

Users of school-provided cloud services, including but not limited to Google Apps for Education and Microsoft 365, have the ability to share files with colleagues within or outside the Mount Sinai Health System for academic collaboration purposes. Students, faculty, and employees must not, under any circumstances, share unencrypted files containing PHI or other confidential information with colleagues outside the Mount Sinai Health System. As mentioned, compliance begins by being aware of the data that you are generating and by following appropriate steps to secure such content if it contains protected or other confidential information.

Email and Collaboration Technology Usage

Email and collaboration technologies, including Google Apps for Education and Microsoft 365, are provided to assist and facilitate scholarly communication and collaboration. These technologies are provided for official business and educational use in the course of assigned duties. The school reserves the right to access and disclose all messages sent over its electronic mail systems for the purposes of monitoring security breaches and investigating inappropriate usage as defined in this policy. The Mount Sinai Health System and ISMMS are obligated to comply with legal subpoenas, court orders, and similar lawful requests from external regulators or authorities.

If you have been issued an ISMMS email account, it must be used to conduct all business for the institution. An ISMMS-managed email account must be used to communicate protected or confidential information. Emails containing PHI, financial information, or other confidential ISMMS information and/or social security numbers may not be sent or redirected to a non-ISMMS email account.

Inappropriate use of email and/or collaboration technology may result in loss of access privileges and disciplinary action up to and including dismissal. Inappropriate use includes but is not limited to:

  • Unauthorized attempts to access others’ email accounts
  • Transmission of protected and/or confidential information to unauthorized persons or other organizations
  • Transmission of obscene or harassing messages to any other individual
  • Transmission of offensive material, solicitations, or proselytization for commercial ventures, religious or political causes, or other non-job related solicitations
  • Any illegal, unethical, or other activity that could adversely affect the Mount Sinai Health System

Protected Health Information, FERPA, and Other Confidential Information

All hardware devices, including bring your own devices and personal laptops, on which school email, file, or collaboration services are used must be encrypted. MDM must be enabled for personal smartphones. Thumb drives or any storage devices that contain PHI data must also be encrypted. For more information or support, please contact the Academic IT Support Center (ASCIT@mssm.edu). Students, faculty, and employees are responsible for ensuring that their devices are password enabled and encrypted.

The key points of the above policies are as follows:

  • You may use only your ISMMS email account to communicate protected or confidential information. Emails containing PHI, financial information, or other confidential ISMMS information and/or social security numbers may not be sent or redirected to non-ISMMS email
  • The minimum necessary amount of PHI should be disclosed via When at all possible, use the Medical Record number, rather than the patient name, as the patient identifier.
  • Messages that leave the Mount Sinai Health System network and contain PHI or other confidential information must be encrypted using the ISMMS IT-approved solution described as follows.
  • Messages sent within the Mount Sinai Health System network are automatically Extreme caution must be exercised to prevent such risks. Be aware of the content that you generate.

Secure Messaging and Encryption

In addition to ensuring that your device is encrypted (see above), you must select an email encryption option if you are sending PHI or other confidential information to an external recipient.

Activating the email encryption option:

  • For Microsoft Exchange users, include the word [secure] within square brackets in the subject line of the message. The recipient will be asked to self-enroll when the message is opened. The secure send mechanism can be used in any email client (e.g., Outlook, Outlook Web Access, smartphone).
  • For Microsoft Exchange users, provisions have been made to ensure that all messages to certain recipients are encrypted using a mechanism called TLS. For example, messages sent to Astra Zeneca, McKesson, and some academic medical facilities have been configured to auto-encrypt, so it is not necessary to manually activate encryption.
  • The email system will automatically flag messages that are sent to external parties which contain confidential information but were not encrypted and will send an email to the sender.

Spam and Inappropriate Use of Messaging Tools

ISMMS systems, including email, are intended for official business use. Inappropriate use may result in disciplinary actions and loss of access privileges. Unsolicited mass emailing of materials not related to school business is considered spam and may result in the loss of access privileges.

Student Privacy, Secure Email, and Phishing

Please remember to take care when opening attachments or following links contained in email messages. Verify with the sender of the message if you receive an unexpected attachment or an email that contains suspicious links. Be especially cautious of emails that have been quarantined. Unless a quarantined message is correspondence that you are expecting, do not release the email.

Please also take care with any messages that ask you to provide private information (e.g., birthdays, social security number, credit card numbers, user account passwords). These messages might actually be phishing attempts by persons pretending to be from legitimate companies or organizations. If you have any doubts, contact the party requesting the information for confirmation. Users should not rely on the contact information contained in the email but use the contact information typically found on the company website or on the back of a bank or credit card.

Accessibility

All ISMMS electronic and information technologies must be accessible to all individuals who wish to access them. Accessibility must be addressed in connection with the procurement, development, implementation, and ongoing maintenance for all existing and new electronic and information technology acquisitions.

Any information and technology including, but not limited to, computers and ancillary equipment, instructional materials, software, videos, multimedia, telecommunications, or web-based content or products, developed, procured, maintained, or used in carrying out ISMMS activities must be compliant with the Rehabilitation Act of 1973, as amended; the Americans with Disabilities Act of 1990, as amended; and other related local, state, and federal laws, and Mount Sinai policies.

Compliance means a person with a disability must be able to acquire the same information, engage in the same interactions, and enjoy the same services as a person without a disability, and be able to do so in an equally effective manner, with substantially equivalent ease of use. The person with a disability must be able to obtain the information and services as timely, fully, equally, and independently as a person without a disability.

Use of Artificial Intelligence (AI) Tools

Allowable Use:

  • Data or information that is publicly available can be used freely in AI Tools.
  • In all cases, use should be consistent with the Appropriate Use Policy.

Prohibited Use:

  • AI Tools of any sort may not be used for any activity that would be illegal, fraudulent or a violation of any state or federal law, or ISMMS or Mount Sinai Health System policies.
  • Any use of ChatGPT or similar AI Tools cannot use any personal, confidential, proprietary, or otherwise sensitive information unless a contract is in place that specifically protects such ISMMS/Mount Sinai data from being used by training models or otherwise isolates ISMMS/Mount Sinai data into a separate instance that is not accessible by parties external to ISMMS/Mount Sinai. In general, student records subject to FERPA, health information subject to HIPAA, proprietary information, and any other information must not be used with AI Tools.
  • Similarly, ChatGPT or similar AI Tools must not be used to generate output that would be considered non-public. Examples include, but are not limited to, generating proprietary or unpublished research; legal analysis or advice; recruitment, personnel or disciplinary decision making; completion of academic work in a manner not allowed by the instructor; creation of non-public instructional materials; plagiarized materials; and grading. 
  • The company that owns ChatGPT, OpenAI, explicitly forbids the use of ChatGPT and its other products for certain categories of activity, including fraud and illegal activities. This list of items can be found in its usage policy.

Attestation

I understand that by receiving ISMMS network and Internet access to email and library resources, I agree to abide by all institutional policies related to use of the ISMMS systems to access the Internet, email, and all other computer and network resources.

I acknowledge receipt of these policies and understand that they might be changed, and I will abide by these changes as reflected on the ISMMS website or received via other forms of communication.

I understand that I am responsible for all actions performed from my computer account. I further understand that, in the course of my work, I may be given or otherwise gain access to confidential or privileged information related to this or other institutions, ISMMS students or employees, or other individuals or groups. I will respect the confidentiality of all information to which I have access and neither divulge information without appropriate consent nor seek to obtain access to confidential information to which I am not entitled.

For more information or support, please contact the Academic IT Support Center (ASCIT@mssm.edu)