Follow UCSF Policies to Comply with Critical State, Federal, and International Regulations
The link to the IT Security Awareness Quiz is at the end of the article. Everyone who passes the quiz wins a prize!
Regulations help ensure organizations act fairly, safely, and securely and are instrumental in everything from keeping drinking water safe to preventing the exploitation of children in the workplace. Regulations tend to expand in scope whenever the risks posed to society or individuals are mounting in a particular area or industry. In recent years, because of the enormous growth in the use of technology and the risks to the data it handles, regulations that protect the security and privacy of data are on the rise. UCSF is subject to many of these regulations, including the following:
- HIPAA (Health Insurance Portability and Accountability Act) is a federal law that requires the adoption of national standards for electronic health care transactions and code sets. The HIPAA Privacy Rule sets national standards for the definition and protection of individually identifiable health information, known as protected health information (PHI), and requires access to PHI to be based on the principles of "need to know" and the "minimum necessary" rule, limiting access, use and disclosure of patient information to only what is needed to perform a job function.
- The HIPAA Security Rule includes specific required or addressable Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of electronic PHI. These safeguards include controls such as workforce training, workstation security, access control and authorization, transmission controls, and facility access controls.
- A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule and must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
- HIPAA's Breach Notification Rule requires covered entities to notify affected patients when their unsecured PHI is breached "without unreasonable delay" and no later than 60 days after discovery. PHI that is encrypted or destroyed in accordance with HHS guidance is not "unsecured", so its loss does not trigger notification; this is the practical reason UCSF requires encryption on devices that hold PHI. If a breach involves the unsecured PHI of more than 500 individuals, the covered entity must also notify HHS within the same 60-day window and a prominent media outlet serving the state or jurisdiction in which the affected individuals reside. Civil penalties start at $100 per violation and are capped at $1,500,000 per year for all violations of an identical provision (base statutory amounts, adjusted upward for inflation since).
- FERPA (Family Educational Rights and Privacy Act) restricts the disclosure of information from students' education records and gives students the right to inspect and review their education records, to seek amendment of those records, and to control the disclosure of those records.
- FERPA compliance is important because: failure to comply can lead to a loss of federal funding; student privacy is important and we have an ethical obligation to protect it; and public scrutiny of privacy practices and handling of sensitive information is high.
- Examples of inadvertent disclosure of student records include: posting grades publicly if linked to a student ID, name, or other identifier; requiring students to post homework assignments or projects in a publicly accessible online forum or social media space; circulating class rosters that include student photographs or ID numbers; and storing student information with a cloud service that is not under contract with the University.
- The UCSF Office of the Registrar provides more information about FERPA, including key concepts for faculty and staff.
- PCI DSS (Payment Card Industry Data Security Standard) provides a baseline of technical and operational requirements designed to protect account data.
- It applies to all entities, of any size, that process, store, or transmit cardholder data and/or sensitive authentication data.
- Failure to comply with the PCI DSS can result in:
- Large fines and fees assessed by each card brand
- Civil fees and audit costs
- A loss of reputation and payment card privileges for the University
- Notifications to all customers affected
- Additional costly, ongoing PCI DSS reporting requirements
- GDPR (General Data Protection Regulation) is a European Union privacy law, in force since May 2018, that governs the collection and processing of personal data and grants legal rights to people in the European Economic Area (EEA) whose personal data is being collected and processed.
- Imposes legal responsibilities on the entities that control or process personal data, even if the entity resides outside the EEA.
- Privacy rights for individuals include: the right to be informed about data collection and the specific intended use of the data, and to be informed if the intended use changes; the right to make informed decisions regarding the use and disclosure of the data; the right to access the data; and the right to have the data erased or returned in a portable form.
- Units or areas at UCSF that are likely to be impacted by GDPR include: Admissions, Students, Research, Employment, Fundraising, and Targeted Clinical Care. For more information about GDPR, contact the UCSF Privacy Office.
- California SB-1386, the state's data breach notification law (codified at Civil Code section 1798.82), requires organizations that maintain computerized personal information about California residents to notify those individuals when unencrypted personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person.
- Data covered by SB-1386 includes: first and last name, or first initial and last name, in combination with one or more of the following: Social Security number; driver's license number or California identification card number; financial account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. Note that a name alone, or an account number without its access code, does not meet the definition, but the same data may still be PHI under HIPAA.
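The SB-1386 definition has a conjunction structure (a name plus at least one enumerated element, with the financial-account element itself requiring an access code) that incident responders have to apply record by record when scoping a breach. The following Python is an added example, not UCSF code or an official interpretation of the statute: it encodes only the data elements listed in the article (later amendments added others, which are not modelled), treats fields that were encrypted as out of scope, and reports which individuals in a constructed sample data set would need notification. Field names and the record layout are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Set

# Field names are an assumption for this example, not a UCSF schema;
# map your own column names onto these before running it on a real dump.
NAME_FIELDS = ("first_name", "first_initial")  # either one, together with last_name
SINGLE_ELEMENTS = {
    "ssn",
    "drivers_license",
    "ca_id_card",
    "medical_information",
    "health_insurance_information",
}
ACCOUNT_FIELDS = {"financial_account_number", "card_number"}
ACCESS_FIELDS = {"security_code", "access_code", "password"}


def exposed_elements(cleartext_fields: Set[str]) -> Set[str]:
    """Return the SB-1386 data elements present in a record's cleartext fields.

    The record is SB-1386 "personal information" only if a name (first name
    or first initial, plus last name) is present together with at least one
    enumerated element.  An account or card number counts only when a code
    or password permitting access to the account is exposed with it.
    The caller removes encrypted fields first, because the statute covers
    unencrypted data.
    """
    if "last_name" not in cleartext_fields or not any(
        n in cleartext_fields for n in NAME_FIELDS
    ):
        return set()
    elements = cleartext_fields & SINGLE_ELEMENTS
    if cleartext_fields & ACCOUNT_FIELDS and cleartext_fields & ACCESS_FIELDS:
        elements.add("financial_account_with_access")
    return elements


def scope_breach(records: Iterable[Dict]) -> Dict:
    """Summarise which individuals in a breached data set require notification.

    Each record is {"id": ..., "fields": set of field names present,
    "encrypted": set of field names whose values were encrypted at rest}.
    """
    notify: List = []
    element_counts: Dict[str, int] = {}
    for rec in records:
        cleartext = set(rec["fields"]) - set(rec.get("encrypted", ()))
        elements = exposed_elements(cleartext)
        if elements:
            notify.append(rec["id"])
            for e in elements:
                element_counts[e] = element_counts.get(e, 0) + 1
    return {"notify": notify, "count": len(notify), "elements": element_counts}


# Constructed sample rows standing in for a table dumped in a hypothetical incident.
SAMPLE_RECORDS = [
    {"id": 1, "fields": {"first_name", "last_name", "ssn"}},                                 # notify
    {"id": 2, "fields": {"first_name", "last_name", "ssn"}, "encrypted": {"ssn"}},           # SSN encrypted: no trigger
    {"id": 3, "fields": {"first_initial", "last_name", "card_number"}},                      # card number without code: no trigger
    {"id": 4, "fields": {"first_initial", "last_name", "card_number", "security_code"}},     # notify
    {"id": 5, "fields": {"ssn", "drivers_license"}},                                         # no name: no trigger
    {"id": 6, "fields": {"first_name", "last_name", "email", "medical_information"}},        # notify
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_RECORDS))
```

Records 2, 3 and 5 illustrate the three ways a row that looks sensitive can fall outside the SB-1386 definition: the triggering element was encrypted, the account number lacks its access code, or no name is attached. Record 6 also shows that a field outside the definition (the email address) does not change the result either way. Whether the same rows trigger HIPAA breach notification is a separate question, decided under the HIPAA rules above rather than this state definition.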
UC has developed IT security policies that address the requirements of these regulations. Fundamental among these policies is the systemwide BFB-IS-3: Electronic Information Security. IS-3 follows both a standards-based and a risk-based approach to information security so that UC meets industry, government, and regulatory requirements while also properly scoping controls and making appropriate investment decisions. It addresses the legal requirements associated with HIPAA, PCI DSS, and other state and federal regulations, and includes the requirements (NIST SP 800-171) needed to qualify for certain federal grants and contracts that are essential to UC research funding. IS-3 establishes the minimum set of information security requirements, identifies ownership of risks and their mitigation, and delineates the penalties for non-compliance. Note that, among many other things, IS-3 makes each unit within a UC location responsible for an Information Security Management Plan (ISMP) covering the Institutional Information and IT Resources it handles. Unit managers should review IS-3 in detail to ensure they are meeting their responsibilities.
Each UC campus further delineates its security requirements through its own local policies. UCSF IT policies are available on the Campus Administrative Policies page under the 650 series. Chief among them is 650-16 Information Security and Confidentiality. Its purpose is to provide the information necessary to comply with federal and state laws and regulations and university policy governing the security and confidentiality of electronic information. It includes many addenda, but the most relevant are: UCSF Roles and Responsibilities for Securing Electronic Information (Addendum A), which is a great place to start to understand your role as it relates to IT security at UCSF; UCSF Minimum Security Standards for Electronic Information Resources (Addendum B), which details the security controls required for all devices that connect to the UCSF network; and UCSF Data Classification Standard (Addendum F), which system and business owners must use to identify the required protection level for any UCSF data they own and/or manage.
Take the quiz on Regulations and Policy. Everyone who passes wins a prize! This month's prize is a pot holder to remind you that IT security policies help you plan your recipe for great cybersecurity.
One person will also be selected for the grand prize: a PacSafe.Com secure backpack.