UCSF IT Consolidation Overview

UCSF IT Consolidation Overview

UCSF Information Security Risk Briefing October 2014 Background and Context External, independent assessment of UCSF-wide information security risk. Findings indicate that UCSFs level of risk is high. These security risks are present throughout our organization. Operating units and IT Security must operate collaboratively to mitigate risks. Data Security Compliance Program (DSCP) is being developed to drive this collaboration. 2 Federal HIPAA Breach Data National industry data of all breaches reported to OCR from 03 present, ranked by frequency Named Wall of Shame by Industry & Regulators

Rank 1 UnitedHealth Group Organization Breaches 7 2 University of California, San Francisco 4 2 2 Mount Sinai Medical Center Cook County Health & Hospitals System 4 4 3 3 3 3 3 3 The University of Texas MD Anderson Cancer Center Newark Beth Israel Medical Center Georgetown University Hospital Jackson Health System

Oregon Health & Science University Delta Dental of Pennsylvania 3 3 3 3 3 3 859 Organizations 925 Breaches Data Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html 3 website at this time. A 5th reported UCSF incident from 2013 is not on the OCR Federal Action Intensifying 4 Industry Issues and Fines Escalating UCSF Breaches with Open Investigations 9/22/09 610 individuals Email 11/20/09 7300 individuals Laptop 09/09/13 3553 individuals Laptop, paper 09/25/13 8294 individuals - Laptop 01/11/14 9861 individuals Desktop Computer 5

Overall Compliance Total Compliance Summary (includes HIPAA, FERPA, state regulations) 100% 90% 80% 70% 50% 55% 56% 57% 55% 53% 58% 55% 58% 58% 41% 32%

32% 10% 10% 53% 60% 50% 40% 30% 33% 38% 10% 6% 27% 35% 27% 30% 41% 37% 20%

10% 0% C a ic lin s ab lL 18% FA S 15% 4% a br Li ry PI LP ed M C

Compliant Note: Includes central services such as IT, HR, Legal, & Privacy which are shared across all control points 20% 12% r te n e SA A 4% D SO Incomplete 6 M SO N SO P

SO Non-Compliant 10% U D A R HIPAA Security Compliance The lack of a comprehensive data security risk management program has resulted in insufficient HIPAA compliance posture across UCSF. Note: Includes central services such as IT, HR, Legal, & Privacy which are shared across all control points 7 What is Driving this Risk Profile Highly variable work practices across our control points, e.g.: Data handling for business workflow. Methods of sharing data. Granting access to data and applications.

Storage and movement of data such as removable storage media, internet collaboration tools. No IT security compliance oversight to drive progress across control points. The lack of a risk management program was a key factor in OCRs issuance of a $4.8M fine for New York-Presbyterian and Columbia University for a desktop that exposed data for 18 months. Lack of security-related procedures and practices, e.g.: Keeping computer systems updated with security fixes Physical security of computing devices Decommissioning of computing and storage Ex.: In technical testing at UCSF, a vulnerability in a CPFM web application resulted in compromise of domain admin credentials, that would have allowed access to all UCSF systems, including Epic database. The tester accomplished this in 4 hours The widespread use of personally owned devices for UCSF work. 8 What is Driving this Risk Profile Lack of technical controls to enforce policy / procedure, e.g: Control what devices can attach to the UCSF network. Ability to monitor where PHI / PII exists and how it is being moved. Limit the ways in which users and data can enter our network: In a 5-day period, there were over 140,000 SSH remote login attempts on the UCSF firewall. 91% of those were bad traffic. 74% of all attempts were from China. 20,000 gained access.

An IT funding mechanism within Campus that requires individual departments and individuals to make decisions about investing in security controls. Concern that secure equals 1) lower computing performance; 2) less efficient; 3) less collaboration. Some are valid risks that must be mitigated but should not stop action. Missions that require a very open and collaborative culture but a culture that also resists most forms of limitation, control, oversight. 9 Data Security Compliance Program IT risk management program to secure UCSFs sensitive data and satisfy compliance requirements. Collaborative effort between UCSF IT and the Control Points / Departments: Each Control Point appoints two or more DSCP Champions. These are individuals who have familiarity of the business operations and IT environment of their respective Control Points. Address the risks documented in the Enterprise Risk Assessment. Consults, coordinates, and tracks remediation activities being conducted by the Control Points.

Periodic updates to the enterprise risk assessment to discover changes in risk exposure. Report compliance status to the IT Governance and the Privacy Compliance Committees. 10 DSCP Champions (* in progress) School of Dentistry (SOD) Langley Porter Psychiatric Institute (LPPI) Clinical Labs (CL) Student Academic Affairs (SAA) School of Nursing (SON) University Development & Alumni Relations (UDAR) Library & Center for Knowledge Management (LIB) School of Pharmacy (SOP) Finance & Administration (FAS) Tom Ferris, Computer Resource Manager, Dentistry Network & Info Services Tommy Kwong, Programmer Analyst, Dentistry Network & Info Services Ann Saggio, Information Systems Director Laverne Tarpley, Manager, Health Info Management Services Enrique Terrazas, Associate Clinical Professor James Reese, Programmer/Analyst III Doug Carlson, Registrar & Student Information Kevin Yeung, Programmer/Systems Coordinator

David Kell, Programmer/Analyst III Doug McCracken, IT - Programmer/Analyst Jansen Lowe, Director, Information Technology Sushmita Sharma, Director, Information Systems Kirk Hudson, Manager, Technology Commons Rich Trott, Director, Academic Information Systems Michael Nordberg, Associate Dean, Admin & Finance Valerie Starling, Controller Jane Y. Wong, Executive Director-Business Applications, UCSF IT Cindy Yoxsimer, CLS BTS Manager * Medical Center (MC) * School of Medicine (SOM) * Enterprise (UCSF IT) 11 Changes To Expect If your organization operates an IT environment they will need to adhere to standards of operation to improve security, for example: Granting access to data Physical security of IT assets Consistent patching and management of systems Technical testing at UCSF found hundreds of unpatched systems across the enterprise Technical controls that you havent seen previously, for example: Enforce encryption on all computers and removable storage (e.g. USB flash drives).

Network Access Control to prevent non-conforming computers from attaching to the UCSF network. Require software on computers that identify where PHI exists and enforce controls on how it is used and where it is being shared (e.g. Google & DropBox). Require management software on all computers attached to UCSF network. 12 Changes To Expect Password expiration policies. Wellpoint ACO contract requires password changes every 90-days. UCSF currently does not require periodic password changes. Two-factor authentication for technology system administrators and remote users.

Requires two forms of identification for remote users. Network traffic into and out of UCSF will be subject to more firewall restrictions to close known security risks. 13 Actions Taken to Date New IT Security Policy mandating encryption: Med Center approved policy for all devices including personally owned devices. Similar policy for Campus is supported by the IT Governance Steering Committee and policy process initiated. Medical Center encryption program substantially completed July 2014. Mandatory annual online training on security and privacy rolled out to all UCSF staff. Process for firewall security tightening has been approved by ITGS. Data Security and Compliance Program (DSCP) established.

14 Next Steps Plan and resource the encryption rollout for Campus. Complete Network Access Control software pilot followed by final selection and rollout planning. Initiate computing device management software rollout for Med Center and Campus. Identify and train control point/departmental DSCP Champions. Present additional recommendations for security changes to IT Governance at least quarterly. Present approved changes at Chairs committee. This will be a long sustained effort that will elicit concern and even protest in some areas. Your leadership will be critical. 15

Requests Make data security an agenda item at your department meetings. Ask who your information security champions (aka DSCP Champions) are. Ask them to present at a future department meeting regarding security issues and priorities in your area. If you know of a particular risk in your department engage IT Security to assist. Set a high bar for your leaders regarding information security. This can be accomplished without materially impacting our ability to do research, education and patient care. 16

Recently Viewed Presentations

  • Safety Snippets May Two weeks too long An

    Safety Snippets May Two weeks too long An

    LWCCG: I have checked the formulary I have set up for West. Simvastatin 40mg is on the formulary and a synonym was linked which included atorvastatin 10mg therefore if searching for atorva simvastatin 40mg tablets being formulary appeared at the...
  • Connecting Literature to Life: Interdisciplinary Approaches ...

    Connecting Literature to Life: Interdisciplinary Approaches ...

    Connecting Literature to Life: Interdisciplinary Approaches in the English Classroom. ... Sweet home Alabama. Lord, I'm coming home to you, here I come. Example : Gatsby Songs ... Interdisciplinary Approaches in the English Classroom
  • M&R Global meeting - wishwonder.com

    M&R Global meeting - wishwonder.com

    MARPOL IV & ECA "MARPOL IV" International regulation for the prevention of pollution from ships to minimize pollution of the sea, including dumping, oil and exhaust pollution. ECA(Emission Control Area) Area which severely controled SOx(Sulphur Oxide) emission from ship designated...
  • Chapter 1: Careers in Automotive Technology

    Chapter 1: Careers in Automotive Technology

    CHAPTER 1 Careers in Automotive Technology ...
  • Criminal Law - yardvmc

    Criminal Law - yardvmc

    Criminal law is a system that tries to balance the rights of society to be protected against the civil rights of the individual by the law ... if you are asked to return a book to the library, but you...
  • Microsoft Word 2007

    Microsoft Word 2007

    microsoft graph chart . check the current document for features that are not supported by earlier version of word. ... correct spacing . and . ... a current mail merge letter to a printer.
  • Muslim Achievement - Weebly

    Muslim Achievement - Weebly

    * * * * * * * * * * * * * * * Muslim Architecture Cultural Blending It is in Architecture that the greatest cultural blending can be seen Already existing buildings were modified by Islamic Ideals Islamic...
  • Status of 1956 CMR Convention in UNESCAP region

    Status of 1956 CMR Convention in UNESCAP region

    9th IRU Symposium of Lawyers Geneva, 24 February 2012 Contractual liability of international road carriers in Asia Mr. Fedor Kormilitsyn ... (Istanbul Convention), 1990 IMO Convention on Facilitation of International Maritime Traffic (FAL) * * * * Participant Signature Ratification,...