Don’t Be a Cyber Villain: Follow UC and UCSF IT Security Policies to Protect UCSF’s Patients, Research, Learners, and Employees

The IT Security Awareness Quiz link is at the end of the article. Everyone who completes the quiz is entered to win one of six $50 Amazon Gift Cards.

Regulations are the unsung heroes that ensure organizations operate with fairness, safety, and security. Existing on both the state and federal levels, regulations protect everything from the purity of our drinking water to the prevention of child exploitation. As society faces mounting risks in various sectors, regulations must meet growing needs to shield us from these dangers. The explosive growth of technology has increased risks to our data's security and privacy, prompting a surge in regulations aimed at safeguarding this valuable asset. UCSF is subject to many of these regulations, which include the following:

Health Insurance Portability and Accountability Act (HIPAA):

  • A federal law requiring national standards for electronic health care transactions and code sets. The HIPAA Privacy Rule sets national standards for the definition and protection of individually identifiable protected health information (PHI) and requires access to PHI to be based on the principles of “need to know” and “minimum necessary,” where only the patient information needed to do one’s job function is made available. The HIPAA Security Rule includes specific required or addressable Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of electronic PHI. These safeguards include controls such as workforce training, workstation security, access control and authorization, transmission controls, and facility access controls. Whereas the Security Rule covers electronic PHI, the HIPAA Privacy Rule sets national standards for how healthcare providers and other covered entities can use and share PHI in all formats, ensuring patients have control over their medical information.
  • UCSF, as a HIPAA-covered entity, must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule and must maintain written security policies and procedures and written records of required actions, activities, or assessments.
  • The HITECH legislation of 2009 was designed to expand on the privacy and security notions originally set out in HIPAA, explicitly defining requirements and increased expectations not only of the Covered Entity but also of its third-party business associates. HITECH expanded on areas such as breach notification, increased responsibilities and accountabilities of business associates, compliance and enforcement, and incentives for a move towards electronic medical records.

Family Educational Rights and Privacy Act (FERPA):

  • FERPA is a federal law that protects the privacy of student records. It restricts the disclosure of information from learners' education records and provides learners the right to inspect and review education records, seek amendment of education records, and control the disclosure of education records.
  • FERPA compliance is important because failure to comply can mean a loss of federal funding, puts learner privacy at risk, and draws public scrutiny, since privacy practices and the mishandling of sensitive information are highly visible.
  • Examples of inadvertent disclosure of learner records include: posting grades publicly if linked to a learner ID, name, or other identifier; requiring learners to post homework assignments or projects in a publicly accessible online forum or social media space; circulating class rosters that include learner photographs or ID numbers; and storing learner information with a cloud service that is not under contract with the University.
  • The UCSF Office of the Registrar provides more information about FERPA, including campus processes, policies, and forms.

Payment Card Industry Data Security Standard (PCI DSS):

  • PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.
  • Applies to all entities, regardless of size, that process, store, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or that could impact the security of the cardholder data environment (CDE).
  • Failure to comply with the PCI DSS can result in:
    • Large fines, civil fees, and audit costs
    • A loss of trust, reputation, and payment card acceptance privileges for the University
    • Notifications to all customers affected
    • Additional costly and continual PCI DSS reporting requirements

General Data Protection Regulation (GDPR):

  • A European Union privacy law that governs the use of personally identifiable information and grants certain legal rights to people in the European Economic Area (EEA) whose personal data is being collected and processed.
  • Imposes legal responsibilities on the entities that control or process personal data, even if the entity resides outside the EEA.
  • Privacy rights for individuals include: the right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes; the right to make informed decisions regarding the use and disclosure of the data; the right to access the data; and the right to have the data returned or deleted.
  • Units or areas at UCSF likely to be impacted by GDPR include admissions, learners, research, employment, fundraising, and targeted clinical care. For more information about GDPR, contact the UCSF Privacy Office.

California Security Breach Information Act (SB-1386):

  • Requires organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised.
  • Data covered by SB-1386 includes: first and last names, or first initial and last name, in combination with one or more of the following: Social Security number; driver's license number or CA identification card number; financial account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; or health insurance information.

UC Policies

UC has developed IT security policies that address the requirements of these regulations. Fundamental among these policies is the systemwide BFB-IS-3: Electronic Information Security. IS-3 follows a standards- and risk-based approach to information security to ensure that UC meets industry, government, and regulatory requirements while properly scoping controls and making appropriate investment decisions. It addresses legal requirements associated with HIPAA, PCI DSS, and other state and federal regulations and includes requirements needed to qualify for certain grants essential to UC research funding (NIST 800-171). IS-3 establishes the minimum set of information security requirements, identifies ownership of risks and their mitigation, and delineates non-compliance penalties. Note that, among many other things, IS-3 makes each unit within a UC organization responsible for the Information Security Management Plan (ISMP) for the Institutional Information and IT Resources it handles.

Additional UC systemwide IT policies include IS-12 Continuity Planning and Disaster Recovery and the UC Electronic Communications Policy.

Each UC campus further delineates its security requirements through its own location-specific implementation via local policies. UCSF IT non-Med Center policies are available on the Campus Administrative Policies page under the 650 series. Chief among them is 650-16 Information Security and Confidentiality. Its purpose is to provide the information necessary to comply with federal and state laws and regulations and university policy governing the security and confidentiality of electronic information. It includes many addenda, but the most relevant are UCSF Roles and Responsibilities for Securing Electronic Information (Addendum A), which is a great place to start to understand your role as it relates to IT security at UCSF; UCSF Minimum Security Standards for Electronic Information Resources (Addendum B), which details required security controls for all devices that connect to the UCSF network; and UCSF Data Classification Standard (Addendum F), which system and business owners must use to identify the required protection level for any UCSF data they own and/or manage.

Additionally, the UCSF Medical Center provides further guidance for information management. To view these policies, you must log in to MyAccess and then:

  1. Go to https://ucsfonline.sharepoint.com/sites/ucsfpolicies/Shared%20Documents/Forms/AllItems.aspx?viewpath=%2Fsites%2Fucsfpolicies%2FShared%20Documents%2FForms%2FAllItems%2Easpx
  2. Click on “UCSF Medical Administrative Policies” in the document list to go to https://powerdms.com/home
  3. Enter the key “UCSFMed Cen”
  4. Click on “UCSF Medical Center”
  5. Click on the folder “UCSF Org-wide Administrative Policies”
  6. Click on folder “5. Information Management”

Cyberattacks and data breaches against high-profile institutions have become more prevalent and impactful. In response, UCSF launched the IS-3 and Campus IT Operating Model (ITOM) programs to standardize our core operational IT processes, increase our compliance with UC policy, and decrease our institutional risk exposure to cyber threats. We have been maturing the offerings from UCSF central IT that aid in compliance to encourage wider adoption. Some technical controls being implemented are required across the organization, while others are simply a matter of good IT practice and diligence. The end goal is a secure environment that protects our IT assets, our data assets, and our people from bad actors who are actively working to exploit our systems for whatever reason.

Take the quiz on Regulations and Policy. The prize for passing the quiz is one entry in a drawing for one of six $50 Amazon gift cards.