This content is viewable by Everyone
UC Policies to meet Regulatory Requirements
Author: Esther Silver
The link to the IT Security Awareness Quiz is at the end of the article.
A more recent version of this news article is available at https://it.ucsf.edu/news/uc-policies-meet-regulatory-requirements-0
Regulations help ensure organizations act fairly, safely, and securely and are instrumental in everything from keeping drinking water safe to preventing the exploitation of children in the workplace. Regulations tend to increase in scope whenever risks posed to society or individuals are mounting in a particular area or industry. In recent years, due to the enormous growth in the use of technology and risks to its associated data, regulations that protect the security and privacy of data are on the rise.
UCSF is subject to many of these regulations, including the following:
- A federal law that requires the adoption of national standards for electronic health care transactions and code sets. The HIPAA Privacy Rule sets national standards for the definition of and protection of individually identifiable protected health information (PHI) and requires access to PHI to be based on the principles of “need to know” and the “minimum necessary rule,” limiting access, use and disclosure of patient information to only that needed to perform a job function.
- The HIPAA Security Rule includes specific required or addressable Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of electronic PHI. These safeguards include controls such as workforce training, workstation security, access control and authorization, transmission controls, and facility access controls.
- A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule and must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
- HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured PHI is breached “without unreasonable delay”. If the breach involves the unsecured PHI of more than 500 individuals, a covered entity must notify a prominent media outlet serving the state or jurisdiction in which the breach occurred, in addition to notifying HHS. Fines can range from $100 to $1,500,000 per violation.
- FERPA restricts the disclosure of information from students’ education records and provides students the right to: inspect and review education records; seek amendment of education records; and control the disclosure of education records.
- FERPA compliance is important because: failure to comply can lead to a loss of federal funding; student privacy is important and we have an ethical obligation to protect it; and public scrutiny of privacy practices and handling of sensitive information is high.
- Examples of inadvertent disclosure of student records include: posting grades publicly if linked to a student ID, name, or other identifier; requiring students to post homework assignments or projects in a publicly accessible online forum or social media space; circulating class rosters that include student photographs or ID numbers; and storing student information with a cloud service that is not under contract with the University.
- The UCSF Office of the Registrar provides more information about FERPA, including key concepts for faculty and staff.
- PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
- Applies to all entities, of any size, that process, store, or transmit cardholder data and/or sensitive authentication data.
- Failure to comply with the PCI DSS can result in:
- Large fines and fees assessed by each card brand
- Civil fees and audit costs
- A loss of reputation and payment card privileges for the University
- Notifications to all customers affected
- Additional costly, ongoing PCI DSS reporting requirements
- A new European Union privacy law that governs the use of personally identifiable information and grants certain legal rights to people in the European Economic Area (EEA) whose personal data is being collected and processed.
- Imposes legal responsibilities on the entities that control or process personal data, even if the entity resides outside the EEA.
- Privacy rights for individuals include: the right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes; the right to make informed decisions regarding the use and disclosure of the data; the right to access the data; and the right to have the data returned or deleted.
- Units or areas at UCSF that are likely to be impacted by GDPR include: Admissions, Students, Research, Employment, Fundraising, and Targeted Clinical Care. For more information about GDPR, contact the UCSF Privacy Office.
- Requires organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised.
- Data covered by SB-1386 includes: first and last names, or first initial and last name, in combination with one or more of the following: social security number; driver license number or CA identification card number; financial account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; or health insurance information.
UC has developed IT security policies that address the requirements of these regulations. Fundamental among these policies is the systemwide BFB-IS-3: Electronic Information Security. IS-3 follows both a standards- and risk-based approach to information security to ensure that UC meets industry, government, and regulatory requirements while also properly scoping controls and making appropriate investment decisions. It addresses legal requirements associated with HIPAA, PCI-DSS, and other state and federal regulations and includes requirements needed to qualify for certain grants that are essential to UC research funding (NIST 800-171). IS-3 establishes the minimum set of information security requirements, identifies ownership of risks and their mitigation, and delineates the penalties for non-compliance. Note that among many other things, IS-3 makes each unit within a UC organization responsible for the Information Security Management Plan (ISMP) for Institutional Information and IT Resources they handle. Unit managers should review IS-3 in detail to ensure they are meeting their responsibilities.
Each UC campus further delineates its security requirements through its own local policies. UCSF IT policies are available at the Campus Administrative Policies page under the 650 series. Chief among them is 650-16 Information Security and Confidentiality. Its purpose is to provide the information necessary to comply with federal and state laws and regulations and university policy governing the security and confidentiality of electronic information. It includes many addendums but most relevant are: UCSF Roles and Responsibilities for Securing Electronic Information (Addendum A), which is a great place to start to understand your role as it relates to IT security at UCSF; UCSF Minimum Security Standards for Electronic Information Resources (Addendum B), which details required security controls for all devices that connect to the UCSF network; and UCSF Data Classification Standard (Addendum F), which system and business owners must use to identify the required protection level for any UCSF data they own and/or manage.
With the news of new cyber-attacks against high profile institutions appearing weekly, everyone is on edge and asking the question, "Who is next?" In January of this year, in response to a high-profile incident of our own, UCSF launched an initiative dubbed the IS-3 Program, which is aimed at increasing our compliance with UC policy regarding cyber security hygiene while decreasing our institutional risk exposure to cyber threats. The program consists of 22 projects ranging from the assignment of formal risk management responsibility throughout the organization to the deployment of a broad range of technical controls that will assist in facilitating policy compliance. To this end, we have been maturing the offerings from Central IT that aid in compliance in hopes that these "tools" will be adopted broadly. In a controlled rollout that will begin in June of this year, we will provide advice on how to integrate these tools into each unit with the expectation that if policy compliance is not achieved through the adoption of a compliant (Central IT) offering, units will document their policy compliance through other means. Some technical controls offered through this program might be mandatory across the organization, while others will simply make the process of abiding by policy mandates easier. The end goal is a secure environment that protects our assets (and our people) from bad actors who are actively working to exploit our systems for their personal gain.
- Owning Team: IT Security
Team Lead: Patrick Phelan