This content is viewable by Everyone


Follow UC Policies to Meet Regulatory Requirements

The link to the IT Security Awareness Quiz is at the end of the article. Everyone who completes the quiz is entered to win one of six $50 Amazon Gift Cards.

Regulations help ensure organizations act fairly, safely, and securely and are instrumental in everything from keeping drinking water safe to preventing the exploitation of children in the workplace. Regulations tend to increase in scope whenever risks posed to society or individuals are mounting in a particular area or industry. In recent years, due to the enormous growth in the use of technology and risks to its associated data, regulations that protect the security and privacy of data are on the rise.

UCSF is subject to many of these regulations, including the following:

Health Insurance Portability and Accountability Act (HIPAA):

  • A federal law that requires the adoption of national standards for electronic health care transactions and code sets. The HIPAA Privacy Rule sets national standards for the definition of and protection of individually identifiable protected health information (PHI) and requires access to PHI to be based on the principles of “need to know” and the “minimum necessary rule,” limiting access, use and disclosure of patient information to only that needed to perform a job function.
  • The HIPAA Security Rule includes specific required or addressable Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of electronic PHI. These safeguards include controls such as workforce training, workstation security, access control and authorization, transmission controls, and facility access controls.
  • A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule and must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities, or assessments.
  • HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured PHI is breached “without unreasonable delay”. If the breach involves the unsecured PHI of more than 500 individuals, a covered entity must notify a prominent media outlet serving the state or jurisdiction in which the breach occurred, in addition to notifying HHS. Fines can range from $100 to $1,500,000 per violation.

Family Educational Rights and Privacy Act (FERPA)

FERPA restricts the disclosure of information from students’ education records and provides students the right to: inspect and review education records; seek amendment of education records; and control the disclosure of education records.

  • FERPA compliance is important because: failure to comply can lead to a loss of federal funding; student privacy is important, and we have an ethical obligation to protect it; and public scrutiny of privacy practices and handling of sensitive information is high.
  • Examples of inadvertent disclosure of student records include: posting grades publicly if linked to a student ID, name, or other identifier; requiring students to post homework assignments or projects in a publicly accessible online forum or social media space; circulating class rosters that include student photographs or ID numbers; and storing student information with a cloud service that is not under contract with the University.
  • The UCSF Office of the Registrar provides more information about FERPA, including a campus processes, policies, and forms.

Payment Card Industry Data Security Standard (PCI DSS):

  • PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.
  • Applies to all entities, regardless of size, that process, store, transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE).
  • Failure to comply with the PCI DSS can result in:
    • Large fines, civil fees, and audit costs
    • A loss of trust, reputation, and payment card acceptance privileges for the University
    • Notifications to all customers affected
    • Additional costly and continual PCI DSS reporting requirements

General Data Protection Regulation (GDPR):

  • A European Union privacy law that governs the use of personally identifiable information and grants certain legal rights to people in the European Economic Area (EEA) whose personal data is being collected and processed.
  • Imposes legal responsibilities on the entities that control or process personal data, even if the entity resides outside the EEA.
  • Privacy rights for individuals include: the right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes; the right to make informed decisions regarding the use and disclosure of the data; the right to access the data; and the right to have the data returned or deleted.
  • Units or areas at UCSF that are likely to be impacted by GDPR include: Admissions, Students, Research, Employment, Fundraising, and Targeted Clinical Care. For more information about GDPR, contact the UCSF Privacy Office.

California Security Breach Information Act (SB-1386):

  • Requires organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised.
  • Data covered by SB-1386 includes: first and last names, or first initial and last name, in combination with one or more of the following: social security number; driver license number or CA identification card number; financial account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; or health insurance information.

UC has developed IT security policies that address the requirements of these regulations. Fundamental among these policies is the systemwide BFB-IS-3: Electronic Information Security. IS-3 follows both a standards and risk-based approach to information security to ensure that UC meets industry, government, and regulatory requirements while also properly scoping controls and making appropriate investment decisions. It addresses legal requirements associated with HIPAA, PCI-DSS, and other state and federal regulations and includes requirements needed to qualify for certain grants that are essential to UC research funding (NIST 800-171). IS-3 establishes the minimum set of information security requirements, identifies ownership of risks and their mitigation, and delineates the penalties for non-compliance. Note that among many other things, IS-3 makes each unit within a UC organization responsible for the Information Security Management Plan (ISMP) for Institutional Information and IT Resources they handle. Unit managers should review IS-3 in detail to ensure they are meeting their responsibilities.

Additional UC systemwide IT policies include  IS-12 Continuity Planning and Disaster Recovery and the UC Electronic Communications Policy.

Each UC campus further delineates its security requirements through its own local policies. UCSF IT policies are available at the Campus Administrative Policies page under the 650 series. Chief among them is 650-16 Information Security and Confidentiality. Its purpose is to provide the information necessary to comply with federal and state laws and regulations and university policy governing the security and confidentiality of electronic information. It includes many addendums but most relevant are: UCSF Roles and Responsibilities for Securing Electronic Information (Addendum A), which is a great place to start to understand your role as it relates to IT security at UCSF; UCSF Minimum Security Standards for Electronic Information Resources (Addendum B), which details required security controls for all devices that connect to the UCSF network; and UCSF Data Classification Standard (Addendum F), which system and business owners must use to identify the required protection level for any UCSF data they own and/or manage.

With the news of new cyber-attacks against high profile institutions appearing weekly, everyone is on edge and asking the question, "Who is next?"  In response to a significant security incident, UCSF launched an initiative dubbed the IS-3 Program, which, combined with our IT transformation efforts, is aimed at standardizing our core operational IT processes and increasing our compliance with UC policy and decreasing our institutional risk exposure to cyber threats. We have been maturing the offerings from UCSF central IT that aid in compliance in hopes that these tools will be adopted broadly. Some technical controls being implemented are required across the organization, while others are aimed at making the process of abiding by policy easier. The end goal is a secure environment that protects our assets (and our people) from bad actors who are actively working to exploit our systems for their personal gain.

Take the quiz on Regulations and Policy. The prize for passing the quiz is one entry in a drawing for one of six $50 Amazon gift cards.