Information Security is Easy.
Ignoring it is Hard—and Expensive!
FERPA. HIPAA. SB 1386! AB 211 and SB 541? IS-3? 650-16?!
Don't know where to start with information security compliance? With so many policies and standards, and seemingly a new one every year, it's no wonder so many people are confused about information security. Please follow these helpful tips!
1. Secure Your Computer
In order to comply with federal and state laws and university requirements, it is the policy of the Department of Ob, Gyn & RS that:
- All faculty, staff, and trainees must undergo HIPAA training and comply with all policies governing restricted information. This includes complying with minimum security standards such as:
  - Physical Security
  - Anti-virus Software
  - Firewall Software
  - Email and Encryption of Confidential Information
  - Software Updates and Patches
  - Unnecessary Services
- All laptops, mobile computing devices (e.g., mobile phones), and any computers that store restricted information must use encryption in compliance with Department of Medicine, School of Medicine, and other applicable standards (e.g., VA, DPH).
- Restricted information must not be stored on personal computers.
For information and help, please contact Brian Auerbach at 353-7668 or e-mail him with your question.
2. Work Safely
Most information security is achieved by working smarter, not by using the latest technology. Some simple behaviors can save you a lot of trouble later.
- Always be suspicious of any email with urgent requests for personal or financial information.
- Don't use the links in an email or instant message to get to any web page if you don't know the sender.
- Don't ever provide an account number, Social Security Number, password or PIN via email.
- Don't trust public computer terminals. If you must use one, quit the web browser before leaving.
3. When In Doubt, Ask
Trust your instincts. If something feels wrong, or if you're just not sure, contact Brian Auerbach at 476-3646 or Brian.Auerbach@UCSF.edu.
Why Should I Care About Information Security?
When you lose your unencrypted laptop or phone, or give someone your password, it typically takes 100 staff-hours from the time you report the loss to the police just to determine if restricted information was exposed. At that point the clock starts on $100 per day fines until we notify the state and the people whose data was released. Then the state decides whether to impose fines of $250,000 or more on both the University and the individual responsible for the exposure. Finally, there's the cost to UCSF’s reputation, and the time it takes to rebuild the community's trust. It's easier to avoid all of this wasted time, effort, and money by following some simple rules.
Keeping restricted information safe is everyone's responsibility. Thanks for doing your part!
IT Security Update: Frequently Asked Questions – Encryption, Privacy and Data Protection
These FAQ address device encryption and associated topics. Related links are also provided for additional information.
All mobile devices (laptops, phones, tablets, flash drives) used for UCSF work must be encrypted. Devices provided by the department through the IT service, that is, laptops and mobile phones, come encrypted. Devices purchased for personal use and also used for work – that is, purchased privately by an individual – do not come encrypted, and it is the responsibility of the individual to encrypt them. These devices cannot be used for UCSF work unless encrypted. Question #7, below, discusses encrypted flash drives, which we ask that you use.
1. Is password protection on a laptop or mobile device (phone or tablet) the same as encryption?
Password protection is not the same as encryption: a password can be breached; encryption cannot.
2. I know my UCSF-provided laptop is encrypted, but what about my UCSF-provided mobile phone or tablet?
A phone provided by the department is already encrypted by ActiveSync when UCSF Exchange mail access is set up. It is the same process for a tablet.
3. Can I get my personal phone encrypted?
If you would like to encrypt a personal phone or tablet, contact the IT service desk at 514-4100 to set up ActiveSync.
4. What is the process for getting personal laptops encrypted?
If the user has a premium subscription with ITFS, then an ITFS tech can encrypt a personal device. A ticket should be placed for this request. If the user does not have a premium subscription, they can go to this link and follow the instructions for encrypting a PC laptop or contact me directly for assistance in encrypting an Apple laptop. Please print, sign and return this Confidentialty_Statement to assure compliance with personal computer encryption. Please follow this link for more information and resources for encrypting a personal computer: http://it.ucsf.edu/category/its-categories/security?page=2
5. How do these encryption efforts relate to Privacy and HIPAA?
It is the responsibility of all who work at UCSF to protect the privacy and privileged information of patients and employees. Laptops and other mobile devices can "walk away" and if they are not encrypted, all data is vulnerable.
The Final Omnibus Rule is here!
The Final Omnibus Rule of 2013, which amends the HIPAA rules, went into effect Monday, September 23, 2013. It includes important changes that impact multiple areas.
What you need to know: Final_Omnibus_Rule_Summary
UCSF Medical Center has a new Notice of Privacy Practice!
As a result of the Final Omnibus Rule changes, the UCSF Health System Notice of Privacy Practice (NPP) and Acknowledgement of Receipt Form have been updated and will be available in English, Spanish, Russian, and Chinese. Effective September 23, 2013, the updated NPP must be provided to all new patients, to patients who have recently turned 18 years of age at their next encounter, and to anyone else who requests a copy.
Click here (http://hims.ucsfmedicalcenter.org/hippa_forms.htm) to view the current versions.
6. Should office desktop computers be encrypted?
Office desktop computers are being encrypted with new deployments and re-imaging of devices in for service. There is no retroactive program for desktop encryption.
7. Do you have a link to order encrypted flash drives or do we create an IT ticket?
Encrypted flash drives are available through BearBuy/CDW. Encrypted flash drives SHOULD NOT be purchased through Office Max or Office Depot as these devices did not work correctly when someone tried. Follow this link for more information:
8. What is the process for disposing of un-encrypted flash drives?
To dispose of an un-encrypted flash drive, delete everything on the drive and then empty the trash on the computer. Then use it for personal transport of non-privileged information or give it as a gift to those in need of unencrypted flash drives.
9. What about Anti-virus software? Is that available through UCSF IT Services?
Yes: Symantec Endpoint Protection (SEP) is provided free of charge to faculty, staff, students, and researchers of UCSF. SEP is designed to detect, remove, and prevent the spread of viruses, spyware, and other security risks.
The SEP client combines various client security technologies under a single application to help protect your computer without sacrificing performance.
SEP provides Windows, Mac, and Linux computers with anti-virus (AV) and anti-spyware. SEP scans local hard disks and monitors file access to detect potential threats and blocks any unnecessary access until the threat has been resolved. On Windows computers, for added protection against network-related threats, SEP also provides intrusion prevention (IPS), proactive threat scanning, and personal firewall capabilities.
In addition, the UCSF SEP clients will automatically keep both the client software and security definitions (AV and IPS) updated for the most complete protection. For more information on SEP Anti-virus software and to download, follow this link: https://it.ucsf.edu/services/symantec-endpoint-protection-sep
IT Service Requests
There are three ways to contact ITS for service on your computer, to ask a question or to submit a request such as a computer move:
Telephone Contact – For Urgent Requests
Call the IT Service Desk at 514-4100. This will get you to a service desk technician quickly. A technician can usually remote into the computer and attempt to fix the problem or can quickly dispatch a field technician.
Service Now – For Standard Requests
You will need a My Access account to use Service Now. Follow this link to get a My Access account.
Submit a Service Now ticket. Service Now is the new on-line ticketing system. The benefit of using this method is that you have a record of the request, which will come to you as an e-mail. Keep this e-mail for your records. Any follow-up correspondence should be sent using this initial e-mail.
Documentation on the use of Service Now is available here.
E-mail contact – Also for Standard Requests
Privacy and Security
Additional Items to Consider for E-mail and General IT Security (bullets and links provided by department IT management):
Please consider your audience. If in doubt, ask department IT management or administrative management about the most appropriate list to use.
Never use a third-party, non-UCSF e-mail address for university work—EVER. Please do not ask that one be used for any reason, including international travel. The request will be denied.
Please do not request that a third-party, non-UCSF e-mail address be added to any department list. That request will always be denied. The department cannot vouch for the security of a third-party account and does not want to assume the liability. Nor should you as an individual.
E-mail and general IT security is every employee's responsibility. There are no exceptions.
HIPAA compliance is everyone's responsibility. If you have a question, please refer to one of the web links below.
Use of Department Server Drives and Access to Data
Every permanent employee is provided with access to a home or 'I' server drive folder, which is used for storage of protected data, such as an Outlook archive and also highly confidential documents.
Temporary employees are given specific access to 'S' drive folders as requested by their supervisor.
Access to the 'S' or shared drive is provided upon request to the Technology Manager. This server is for collaborative work.
All department servers are always accessible through VPN and are backed up daily. Your data is safe and easily accessible from anywhere with an Ethernet or wireless connection.
The department neither recommends nor supports the use of a computer hard drive as the sole source of data storage. The server drives are backed up daily.
CrashPlan: CrashPlan cloud backup is provided to all laptop users with ITFS Premium subscription. The CrashPlan service backs up computer data on an on-going basis, as long as the computer is connected to Ethernet or wireless, whether at home or at work. While CrashPlan is effective, it is not infallible. CrashPlan will always alert a user when a computer has not been backed up or if there is a connectivity issue. It is the responsibility of the user to contact the IT Service Desk to respond to the alert. Ignoring alerts can result in lost data in the event of a hard drive failure or for any other reason.
Desktop computer hard drives are not backed up. If you work off of your hard drive for any reason, please make sure to move your work to the server at the end of your workday. Each user is responsible for the protection of their files.
Please consult with the department Technology Manager about storage of especially large amounts of data on our server drives.
UCSF Box, available through My Access, is an excellent source for data storage. Each UCSF employee is given 60 GB of capacity. If a user requires more, up to 100 GB can be made available upon request with supporting documentation.
Each employee shall sign an Access with Consent form, provided by the department, to assure that all work-related data is available if a person is not available or is leaving the department. All incoming employees should sign this form, or if not, should sign at the same time that a resignation occurs.
Computer Purchasing
All orders for computers will now be processed through BearBuy by Brian Auerbach. We are centralizing this process to better track our inventory.
Please contact Brian directly to coordinate any computer purchase.
The exceptions to this are all groups associated with our SFGH division.
Judy Louie of our Finance team will continue to manage all purchases for phones and tablets (e.g., iPads).
UCSF Privacy and Confidentiality:
UCSF Information Technology Security Services: https://it.ucsf.edu/services/category/security
ITFS Support Team: