University of California Establishing a Data Security Compliance Program

University of California
2015 Sautter Award Application
Establishing a Data Security Compliance Program
1. Project title: UCSF Data Security Compliance Program - Establishing a culture of compliance
2. Submitter's name, title, and contact information:
Patrick Phelan
Information Security Officer | Director of IT Security
University of California San Francisco
patrick.phelan@ucsf.edu | 415-502-0782 | http://it.ucsf.edu/security
3. Names of project leader(s) and team members:
IT Security: Patrick Phelan, Toby Barber, Timothy Hoffman, Christine Ziegler, Joe Bengfort. These are a
few of the roughly 60 core participants; we consider them the project leaders. Dozens more were active in
the planning and execution of the compliance activities.
Clinical Labs (CL): Enrique Terrazas, James Reese; Langley Porter Psychiatric Institute (LPPI): Ann
Saggio, Laverne Tarpley; Library & Center of Knowledge Management (LIB): Rich Trott; Medical Center
(MC): Carrie Meer, Kevin Pattison, Brigid Ide, Tim Mahaney, David Steinmetz, Michael Skehan, Russ
Cucina, Sunny Bang, David Morgan, Shirley Kedrowski; Office of VC, Finance & Administration (FAS):
Jane Y. Wong, Cindy Yoxsimer, School of Dentistry (SOD): Tom Ferris, Tommy Kwong; School of
Medicine (SOM): Chris Orsine, Ed Martin; School of Nursing (SON): David Kell, Doug McCracken,
Mattice Harris; School of Pharmacy (SOP): Michael Nordberg, Valerie Starling, Student Academic
Affairs (SAA): Doug Carlson, Kevin Yeung; University Development, Alumni Relations (UDAR): Jansen
Lowe, Sushmita Sharma, Wanda Ware; Enterprise (IT): Karen O'Neill, Sian Shumway, Jane Wong, Pierre
Brickey, Irene Brezman, Patrick Phelan, Andrew Clark, Quinn Hearne, Esther Silver, Jesse Anderson,
John Arbolino, Mark Day, Greg Lennon, Manish Sompura, Kevin Dale, Kristina Mariscal, Christian
Sisenstein, Toby Barber, Jann Fong, Rebecca Nguyen, Kevin Barney, Sarah Mays.
4. Project description:
Technology utilized in the project: IT Security risk management frameworks and regulatory guidance;
risk profile calculation and tracking tools; technical test discovery tools.
Timeframe of implementation: October 2013 - April 2015
Files/exhibits: Available on request
Project drivers: compliance with regulatory requirements, hardening of infrastructure
Applicable regulations and standards: HIPAA Security Rule, HITECH Act, Family Educational Rights and
Privacy Act (FERPA), California Security Breach Information Act (S.B. 1386), Payment Card Industry (PCI),
UC Office of the President Business Finance Bulletins, UCSF policies and many other laws, standards and
frameworks.
Establishing a Data Security Compliance Program
At UCSF we have established a Data Security Compliance Program (DSCP) to address the HIPAA Security
Rule and other regulations including the HITECH Act, Family Educational Rights and Privacy Act (FERPA),
California Security Breach Information Act (S.B. 1386), Payment Card Industry (PCI), UC Office of the
President Business Finance Bulletins, UCSF policies and many other laws, standards and frameworks.
The DSCP is charged with ensuring UCSF implements and maintains the security controls required by
these laws and regulations. In 2013-2014, UCSF retained Accuvant LABS to conduct an enterprise IT
security risk assessment. The assessment covered 142 unique controls that must be satisfied by all 12
administrative control points, which include the schools, medical center, central IT and all of their
departments, divisions and programs. The DSCP team is working with these control points to fill gaps
and address findings identified in the 2013-2014 Enterprise Risk Assessment. All of the control points
have been given recommendation plans for each risk identified. In some cases the recommendations
can be addressed by the control point directly, while in other cases the risk identified belongs to the
enterprise as well as the control point, and as such, a joint effort is required to satisfy the
recommendation.
The program is sponsored by UCSF Deans, Chancellors, and Executives including the CEO and CIO who
championed and funded the enterprise-wide effort to review and reinforce security controls across the
entire UCSF Medical Center and Campus. The program is founded on IT Security Risk Management
principles and controls commonly recommended across NIST, SANS, ISO 27K, COBIT, PCI and many other
frameworks.
While HIPAA, FERPA, PCI and other regulations are long instituted and familiar to most at UCSF,
leadership and staff wanted to refresh operating procedures and bring data security to top of mind for
all employees, faculty, educators, researchers and care givers.
The strategic objectives of the program are to:
- Improve UCSF IT security posture
- Empower business units to identify and remediate risks
- Assist in prioritizing remediation tasks
- Educate the organization regarding real threats and weaknesses
- Increase visibility and capability to track risks
- Improve the consistency of risk assessment approaches
- Establish a common formula for risk evaluations
- Meet audit and regulatory requirements, and customer expectations that we protect their information
Cross-functional collaboration
Once the interviews were completed in winter 2013 - spring 2014, UCSF control points were given their
final deliverables. All five deliverables were customized by control point.
- Risk Assessment Executive Summary Reports: Provided an overview of the risk assessment and the key
  risks and areas of concern. The report recommends remediation as short- or long-term goals.
- Risk Assessment Detailed Findings Reports: Provided the control point a detailed report of the process
  used and the discrete risks identified during the risk assessment.
- Gap Tracker: Provided a detailed assessment of compliance with each compliance control, including
  HIPAA Security, FERPA and California SB 1386.
- Risk Analysis: Provided ownership mapping of each risk to the control point, the enterprise, or both.
  Impact and likelihood of occurrence are assigned to each risk and risk scores are documented.
- Final Presentation: Presentations covered the context of the risk assessments, the consequences of
  ignoring data security related risks, and recommendations on the priority of remediation actions.
With these tools in hand, people stepped up to the work of remediating gaps. Between July and October
2014, the Data Security Compliance Program team reached out to more than 60 core participants, whom we
consider "champions" and "task leaders". Dozens of additional technical and business staff were drawn
into the planning and execution of the remediation activities.
The scale of the effort was massive: roughly 30,000 workforce members who in some way interact with
UCSF technology resources, including PHI, PII, and sensitive or restricted data. We had to communicate
the information that would help secure the humans, and we had to convey the necessary business-practice
guidance.
Simultaneously, we planned, funded and began implementation of technical controls by reaching the
administrators, developers and other resource proprietors who could assist with securing the
environments.
Plan the work – work the plan
Program goals were laid out in spring 2014. In the year that followed, the DSCP experienced
unprecedented momentum and incredible success. The table below outlines the milestone activities
including their general start and end dates.
Milestone Activity | Brief Description | Start | Complete
Enterprise Risk Assessment | 12 control points; 408 individuals interviewed; 120 documents reviewed; 6 data rooms visited; 200+ applications assessed | 01/01/14 | 07/01/14
Distribute Final Deliverables | 5 deliverables prepared for each of the 12 control points; technical test report; applications inventory | 04/01/14 | 07/31/14
Assign Enterprise DSCP Program Manager | Temporary and permanent staff were identified to develop and then sustain the data security compliance program. | 04/01/14 | 07/01/14
Assemble and Distribute Control Point Training Materials | Over 30 individuals participated in 2-hour data security risk management training. | 04/01/14 | 07/30/14
Assign Control Point Champions | Director, manager and staff commitment was obtained from each control point, garnering bottom-up and peer-to-peer support. | 05/01/14 | 07/31/14
Create Control Point Communication Plans | More than 60 control point champions and task leads were drawn into the data security compliance program. | 07/01/14 | 08/01/14
Conduct Senior Leadership Roadshow | Leadership commitment was obtained for each control point, securing top-down support. | 04/01/14 | 08/31/14
Schedule and Hold Kickoff Meetings | Roughly 30 meetings, working sessions and phone calls were held to onboard, orient, train and update the participants. | 07/01/14 | 10/01/14
Control Points Prepare Risk Management Plans | Each control point prepared risk response plans to address each of its 8-12 priority group findings (recommendations related to the 142 controls, grouped in themes). | 08/01/14 | 12/31/14
Report Control Point Results to Privacy Office | Findings and progress were shared with the UCSF Privacy Office and the Ethics and Compliance Board. | 10/01/14 | 12/31/14
DSCP Return Comments on Mitigation Plans to Control Points | Control points submitted plans, discussed them with DSCP, and compared notes on enterprise solutions that would cover their gaps, common controls, etc. | 09/01/14 | 03/31/15
Bi-monthly Progress Reporting | Informal checkpoints as well as scheduled status reporting sessions were held with DSCP and control points. UCSF-wide status is published bimonthly. | 10/01/14 | 10/31/14
Budget Planning for Risk Assessment Remediation | | 04/01/14 | 02/28/15
Data security compliance activities are organized by IT Security and executed by hundreds of workforce
members across UCSF. During the assessment phase over 400 interviews were conducted and hundreds of
systems and documents were reviewed. The energy carried through technical testing and remediation of the
findings; as a result, UCSF closed numerous high-profile gaps in the first year of the program. The focus
was on building momentum through a multifaceted strategy: estimating and securing staff, and starting the
work. Recognizing that perfect is the enemy of done, we took action whether the plan was perfect or not.
The result of the program has been first year mitigation plans that set scope, priority, and strategy for
addressing findings from the initial assessment. In many cases the control points have also prepared
detailed work plans for managing the more complex projects. The champions are assembling
workgroups to simplify and streamline remediation efforts as well as share solutions. Business and
technical teams are executing the work; they are implementing control technologies, procedures and
other solutions. As they progress, they are ensuring that they are set up to collect evidence of
compliance.
Progress amidst competing priorities
One of the remarkable things about the creation of the Data Security Compliance Program at UCSF is that
the progress took place amidst the most demanding of competing priorities. All of the work was completed
in the same years that UCSF prepared for the national Affordable Care Act / Covered California (via the
WellPoint contract) and stood up the technology infrastructure at the Mission Bay Hospital.
UCSF compliance staff operated on the premise that there was always something we could move forward on
without taking key staff attention away from mission-critical work. We developed a compliance
infrastructure, built relationships, and produced seemingly small but helpful items such as templates,
samples and pre-populated accelerators. We "practiced" with the least busy groups and reached the most
saturated ones in 10-30 minute increments.
Another key factor in our success was that the top-down, middle-middle and bottom-up approaches were
applied concurrently, not as gates to one another. The executive roadshow was well received and firm
sponsorship was established.
Technology for the journey
The DSCP is managed largely with spreadsheet tools that capture regulatory controls, assessment
results, gaps and recommendations. The tools also support risk ranking and prioritization and will be
used later to adjust to residual risk levels as remediation of the risk item is confirmed. Although we will
be moving to a GRC software tool as the program matures, we believe that a DSCP program can be
successfully managed using simple Microsoft Office-based tools.
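The page does not publish UCSF's scoring formula, so the following is an added illustration rather than the program's own tool: a small risk register in Python that does what the text describes the spreadsheets doing (impact and likelihood per finding, ownership mapped to control point, enterprise or both, ranking for prioritization, and a residual score that only drops once evidence of remediation is recorded). The 1-5 scale, the product formula, and every finding and control citation in the sample register are assumptions constructed for the example.

```python
"""
Toy risk register of the kind the DSCP tracks in spreadsheets.

Added example, not UCSF's tool or formula. Assumptions: a 1-5 impact and
likelihood scale, score = impact * likelihood, and that confirming remediation
lowers likelihood (impact is a property of the data, not of the fix). The
findings and control references below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)                                 # 1 (low) .. 5 (high), assumed scale
OWNERS = {"control point", "enterprise", "both"}    # ownership mapping from the page


def _check_scale(name: str, value: int) -> None:
    if value not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {value!r}")


@dataclass
class Risk:
    finding_id: str
    control_point: str          # e.g. SOM, MC, LIB
    control: str                # the regulatory control the gap maps to
    impact: int                 # 1..5
    likelihood: int             # 1..5 as assessed
    owner: str                  # "control point", "enterprise" or "both" (joint effort)
    residual_likelihood: Optional[int] = None   # set only when remediation is confirmed
    evidence: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check_scale("impact", self.impact)
        _check_scale("likelihood", self.likelihood)
        if self.owner not in OWNERS:
            raise ValueError(f"owner must be one of {sorted(OWNERS)}")

    @property
    def inherent_score(self) -> int:
        """Score as assessed, before any remediation."""
        return self.impact * self.likelihood

    @property
    def current_score(self) -> int:
        """Residual score once remediation is confirmed, else the inherent score."""
        if self.residual_likelihood is None:
            return self.inherent_score
        return self.impact * self.residual_likelihood


def confirm_remediation(risk: Risk, residual_likelihood: int, evidence: str) -> int:
    """Lower a risk only against recorded evidence of the implemented control.

    A plan or a promise does not reduce the score; a completion report,
    scan result or signed procedure does.
    """
    if not evidence.strip():
        raise ValueError("remediation must be backed by evidence of compliance")
    _check_scale("residual_likelihood", residual_likelihood)
    if residual_likelihood > risk.likelihood:
        raise ValueError("remediation cannot raise likelihood above the assessed value")
    risk.residual_likelihood = residual_likelihood
    risk.evidence.append(evidence)
    return risk.current_score


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest current score first; finding id breaks ties so the order is stable."""
    return sorted(risks, key=lambda r: (-r.current_score, r.finding_id))


def joint_effort(risks: List[Risk]) -> List[str]:
    """Findings the control point cannot close alone, in priority order."""
    return [r.finding_id for r in prioritize(risks) if r.owner == "both"]


def profile_by_control_point(risks: List[Risk]) -> Dict[str, int]:
    """Sum of current scores per control point: the number that should fall over time."""
    profile: Dict[str, int] = {}
    for r in risks:
        profile[r.control_point] = profile.get(r.control_point, 0) + r.current_score
    return profile


def build_sample_register() -> List[Risk]:
    """Constructed findings; the control citations are illustrative mappings only."""
    return [
        Risk("F-001", "SOM", "HIPAA 164.308(a)(5) security awareness training", 4, 4, "control point"),
        Risk("F-002", "SOM", "HIPAA 164.312(a)(2)(iv) encryption of portable devices", 5, 3, "both"),
        Risk("F-003", "MC", "PCI DSS Requirement 8 unique user IDs", 3, 2, "control point"),
        Risk("F-004", "LIB", "SB 1386 breach notification procedure", 4, 1, "enterprise"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritize(register):
        print(f"{r.finding_id} {r.control_point:4} owner={r.owner:14} score={r.current_score}")
    confirm_remediation(register[0], 1, "LMS completion report, SOM workforce, 2014-12")
    print("after remediation:", profile_by_control_point(register))
```

The point of `confirm_remediation` refusing an empty evidence string is the one the text makes about control points being "set up to collect evidence of compliance": the residual score in the tracker should move only when an auditor could be shown why, and the evidence list is the trail a GRC tool would later import.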
The value of the program
The DSCP program has already allowed UCSF to measurably reduce its risk profile. In it we have
established a repeatable framework for future assessments and ongoing risk management. Importantly,
we have also established the foundation for a new culture of compliance at UCSF.
Our investment in dedicated resources is bringing security and value to UCSF. Continuing to execute and
mature this program will:
- Protect customer data against technology-related security breaches
- Establish a posture that is proactive and prepared
- Reduce risk and demonstrate due diligence (minimize OCR fines, protect reputation)
- Strengthen relationships and heighten awareness among IT service providers
- Address HIPAA requirements by standardizing on the National Institute of Standards and Technology
  (NIST) control framework