Cybersecurity, Do It!

Friday, October 23, 2015

Did you know that all UCSF students signed an agreement upon enrollment that prohibited automated forwarding of UCSF e-mail to outside accounts such as Yahoo! and Gmail? No?

Then, depending on how thoroughly you skim your UCSF e-mail inbox, this may also come as a surprise: UCSF has updated its Minimum Security Standards in a big way. This means that your personal computer may not be meeting the requirements it needs to in order to access the UCSF network safely and securely. If your computer continues to fail to meet these minimum standards, you may eventually be denied access to the UCSF network from the comfort of your own computer.

The changes to UCSF’s cybersecurity policies were initiated in response to a major data breach that took place at UCLA earlier this year due to their lack of encryption standards. The hackers that instigated that breach may have accessed the protected health information (PHI) of as many as 4.5 million patients. Needless to say, UCSF is eager to avoid any such leaks.

Caroline Tai, a third-year doctoral student in the Epidemiology and Translational Science who serves as a Student Affairs Officer on the Associated Students of Graduate Division (ASGD), was nominated to serve as the only graduate student advocate on the Encryption Recommendations Task Force (ERTF), an entity charged with giving sets of recommendations to the Committee on Educational Technology (CET) regarding how to enforce the new policies for students. Her goal is to prepare students and staff for the changes ahead and help to appease any concerns.

In terms of possible upcoming changes, each set of recommendations from the ERTF will contain three components:

  1. How to ensure that all UCSF community members own devices that can handle the new standards
  2. How to ensure that every member of the UCSF community adheres to the minimum requirements
  3. How to ensure that when someone with UCSF credentials leaves UCSF, all UCSF-related data is completely wiped from their computer. (This is referred to as “off-boarding”.)

In a personal communication, Tai wrote, “We [the ERTF] have not given the CET the recommendations yet. Our deadline for submitting and presenting these recommendations is the first week of November so we are currently finalizing the draft that we have. And then the CET will hopefully make a decision by the end of December, perhaps January, but I don’t believe there is a set timeline for that.” The task force’s rough draft of their recommendations are described below.

1) For now, there is an exemption application available for those whose devices do not have an adequate operating system for the new standards, but it expires after 12 months. In order to ensure that all UCSF community members own devices that have an adequate operating system, the ERTF will possibly recommend that UCSF provide funding to buy a new computer for everyone who cannot afford to upgrade and that the university should immediately begin to advise new students of the minimum requirements before they spend money on a computer that can’t handle the specifications. An alternative solution the ERTF has developed for handling the influx of new students is to allow individual programs to buy computers for their enrollees. However, in order for any of this to occur, funding would need to be allocated with approval from the CET committee.

2) To ensure adherence to the new policies, the ERTF could recommend a number of consequences for non-compliance: withholding grades, preventing enrollment in the next quarter until the minimum requirements are met, or, as a very last resort, utilizing network access control (NAC), i.e. if your computer does not have the required software, you will not be able to connect to the UCSF network.

3) To address off-boarding, the ERTF might suggest that everyone leaving UCSF must have an IT staff member conduct an analysis and data wipe of their personal computer, if deemed necessary. Furthermore, if UCSF allocates funds to buy new computers, personnel and students using this program would need to return their computers to UCSF upon leaving their position, allowing IT to completely wipe it and give it to another incoming student or staff member in need.

Tai also gave responses to quite a few complaints she has heard about the new policies. To students and staff who do not conduct human subjects research and believe that these measures are unnecessary as they are not at risk of violating the HIPAA Privacy Rule, she urges taking the new policies seriously. She states, “The concern is not really data on your computer, it’s your credentials … [which] can potentially access PHI even if you don’t regularly do so.” From a security perspective, UCSF credentials can be used to sign into multiple portals and so every UCSF student and staff member is a potential “leak source”.

Students and staff have also been resistant to BigFix, a tracking and security management software which everyone is required to install under the new standards. “BigFix is software developed by IBM that collects information about your computer and sends it to UCSF IT so that they identify security vulnerabilities. This is also how UCSF IT is able to register devices to your UCSF account ... BigFix itself only conducts monitoring it is not the actual encryption software,” Tai said in an e-mail. Because BigFix is a proprietary program, meaning it is owned by a company (in this case, IBM), the source code is kept secret.

According to Tai, UCSF chose to use BigFix to expedite uptake of the new standards. If UCSF IT had taken time to develop their own monitoring software, it would have likely taken more resources than was available . However, some opponents of BigFix, mostly members of the graduate division, claim that someone who hacks IBM could have access to the UCSF network.

They also argue that using software with open source code, meaning the code is accessible to anyone, would allow security solutions to be developed faster by the coding community than can be developed by IBM alone if a hacker were to breach the monitoring system. On the flip side, an open source code could also have greater vulnerability to hackers for the same reasons.

The last complaint that Tai addressed was the relative lack of communication that staff and students have gotten about the new policies. “Most people don’t know, but the IT staff is made up of individual teams in multiple departments,” she said. “Lots of pressure has been placed on IT by UC and UCSF leadership because of the incident at UCLA.”

Because all of the teams are separate and under this enormous time crunch, they have had a difficult time communicating between departments, let alone passing the information on to the UCSF community at large. Tai and the ERTF understand that people feel blindsided, but they emphasize that the IT department is trying to do their best under difficult circumstances.

Bottom line: UCSF students and staff, please follow the Minimum Security Standards as soon as possible, even if you don’t work with PHI. The patients that UCSF serves are depending on us!

Click here to see the: Minimum Security Standards

Click here to see answers to: Frequently Asked Questions about the new standards

Other FAQ’s according to Tai include:

Q: Why is Apple's FileVault2 not sufficient for encryption?

A: Apple FileVault II is used for encryption in conjunction with Dell Data Protection Encryption (DDPE), the recommended encryption product for UCSF students, therefore it does not interfere with encryption. FileVault II on its own is not sufficient encryption because it does not include the logging component to corroborate compliance.

Q: Who can I contact to ask more question about the encryption project?

A: The chair of the Encryption Recommendations Task Force is Kirk Hudson (Kirk.Hudson@ucsf.edu) and he is very experienced in helping students with encrypting their own devices. Alternatively, Jesse Anderson can also be reached for questions (Jesse.Anderson@ucsf.edu)