UCSF Implements Data Security Awareness Campaign

By Lisa Cisneros

UCSF is taking steps to improve the security of confidential electronic data, following a campuswide review of its data security systems, practices and policies.

UCSF, a national leader in patient care, health sciences research and teaching, is committed to protecting medical, personal and sensitive data of all types — whether it’s information about patients, employees, students, donors or research subjects.

Last year, UCSF Chancellor Mike Bishop, MD, appointed a task force to develop and implement a data security action plan in the aftermath of a few security breaches, which had the potential of exposing sensitive data and private patient information to the outside world.

UCSF is now implementing that action plan, which contains a series of recommendations based on the findings from the campuswide review. They are:

  • Align governance: Formalize management hierarchy, and determine clear accountability for management and oversight of data security with a centralized leadership structure;
  • Foster a culture of compliance: Provide clear regulatory guidance and ongoing communication pertaining to privacy and security issues, especially considering the number of new state regulations in the areas of information privacy and security;
  • Adopt a solid policy platform: Benchmark policies against which security and privacy are maintained, and improve the process for mandating policies based on industry standards;
  • Address risk management issues: Assess and address the risks associated with new and existing information systems and applications;
  • Improve asset management: Develop a formal asset management program to keep track of information systems, update equipment, and achieve cost efficiencies in the long run by regularly evaluating databases, servers, other hardware and software.

UCSF also is offering training targeted to different audiences and is reinforcing the importance of data security by launching a campuswide communications campaign. The theme of this campaign — and what faculty, staff, students and trainees should realize — is that safeguarding sensitive data is everyone’s responsibility.

Take these six simple steps to secure sensitive data:

  • Secure your work area and information when unattended: Lock up files and folders, log off your computer when away, lock your workplace when leaving for the day, etc.
  • Protect sensitive data on portable devices: Use an approved encryption system when storing data on a mobile device or medium.
  • Back up your data: Store backup data to a department’s server, DVD, external hard drive, etc., and protect the backups.
  • Use cryptic, strong passwords: Create strong passwords that are hard to guess, but easy for you to remember.
  • Install antivirus and security updates: Ensure that every device is protected with antivirus software.
  • Practice safe emailing: Use UCSF secure email services whenever communicating protected information outside of the UCSF network.

For more information, visit security.ucsf.edu or call:

  • UCSF Medical Center Information Security Officer: 415/353-3539
  • UCSF Information Security Officer: 415/502-1593
  • UCSF Chief Privacy Officer: 415/353-2750

Training, which can be tailored to the specific needs of units and departments, is available to the campus community upon request, and detailed information about how to reduce risks and safeguard protected data is posted on the security website. In addition, news and information about data security issues will be posted on UCSF Today.

The good news is that UCSF will be able to make regular investments in information technology (IT) systems with the implementation of a new data recharge funding model. In accordance with the UCSF Strategic Plan, which calls for making investments in infrastructure, including IT systems, the University in November will begin charging a fee to support improvements to the UCSF data network. Some of the money derived from the new fees will be used to replace critical security equipment, such as firewalls, for the UCSF data network.

“Even one server or workstation that is weak and unprotected can compromise the information security throughout UCSF,” says Carl Tianen, UCSF information security officer. “Server vulnerability depends on the applications, connectivity between servers and ongoing maintenance. Even though a system may not have sensitive information, it can be a window to access other information.”

Heightened Importance

While protecting privacy and confidentiality has always been a priority at UCSF, it has heightened importance in this era of electronic information, with increased speed of information flow and the risks and liabilities associated with protecting this information.

Consistent with state and federal laws, both the University of California and UCSF have privacy policies that include a policy stating that unauthorized access to — or use, disclosure and viewing of — medical information is unlawful and subject to sanctions and disciplinary actions up to and including termination of employment.

However, raising awareness of and adherence to data security practices and policies are especially critical with the recent passage of state medical privacy laws that elevate individual and institutional liability for breaches and establish strict notification requirements. Fines and penalties for unauthorized use or disclosure of protected health information (PHI) or personally identifiable information (PII) are steep — up to $250,000 for each offense.

In addition, individuals also face criminal sanctions, as well as disciplinary action by licensing boards, for unauthorized access to, use of or disclosure of medical information. Academic medical centers and hospitals can incur fines for failure to prevent or report unauthorized access to, use of or disclosure of medical information.

UCSF has posted policies, guidelines and standards on the Enterprise Information Security website  to assist individuals in protecting electronic information. UCSF leaders are urging all members of the campus community to learn about and to practice safe data-handling procedures.