Research Updates - McLean Hospital Research Community

Research Town Meeting
October 29, 2014
Research Administrators Workgroup
Version: for posting
Agenda

Welcome

Research Updates (Rauch)


Leadership, Space, Performance & Metrics
Studies of Light and Dark (Richter, Chateauneuf, Yale, Zurba)
• Dark: Stories of the Dark side and how the institution is protecting you and your research
• Light: Making sense of research data: How Research and Information Security is helping

Anne M. Cataldo Excellence in Mentoring Award
(Greenfield & Rauch)

Reception
Welcome
Research Updates
• Dr. Ressler – New CSO and Chief, Depression &
Anxiety Division
• Due to begin full-time August 2015
• Already engaged in meetings and planning
• His lab personnel will start arriving in spring 2015
• Located on 1st floor of Mailman and 3rd floor of Oaks.
• Most of his lab and equipment will arrive in summer 2015
Research Metrics
($s in thousands)

| Research Activity | FY10 | FY11 | FY12 | FY13 | FY14 |
|---|---|---|---|---|---|
| Federal Applications - Awarded (#) | 27 | 36 | 23 | 16 | 47 |
| Federal Applications - Awarded ($) | 28,176 | 49,818 | 17,716 | 17,235 | 30,248 |
| Federal Success Rate (%) | 13.2% | 24.5% | 25.3% | 11.3% | 36.4% |
| Center and Consortium Grants | 3 | 1 | 1 | 1 | 0 |
| K awards | 17 | 17 | 16 | 17 | 11 |
| Investigators winning 1st R01 (or equivalent) | 1 (Silveri) | 1 (Ongur) | 4 | 0 | 1 (Nickerson) |

| Research Financials | FY10 | FY11 | FY12 | FY13 | FY14 |
|---|---|---|---|---|---|
| Direct Research Revenue | $30,516 | $32,706 | $31,964 | $33,710 | $33,073 |
| Indirect Research Revenue | $7,510 | $10,838 | $10,538 | $10,977 | $10,332 |
| Total Research Revenue | $38,026 | $43,544 | $42,501 | $44,687 | $43,405 |
| Effective Indirect Cost Recovery Rate | 24.6% | 33.1% | 33.0% | 32.6% | 31.2% |

| Research Personnel | FY10 | FY11 | FY12 | FY13 | FY13 |
|---|---|---|---|---|---|
| Full Time Equivalent (FTE) | 283 | 286 | 313 | 297 | 314 |
| Employee Count (# of people) | 385 | 361 | 370 | 410 | 386 |
| Principal Investigators (PI's) | 127 | 132 | 140 | 140 | 140 |

Notes:
• Federal Applications - Awarded: Based on fund set-up
• Federal Success Rate: # awarded /# of application (DHHS, ARRA, other Federal)
• Center and Consortium Grants: Grants with >$1 million/year in federal funding (P50, U01)
• Direct research revenue = direct research expense
• Effective Indirect Cost Recovery Rate = Indirect Revenue/Direct Revenue
Proposals Submitted Trend by Fiscal Year
[Figure: proposals submitted by fiscal year, 2011 to 2014, broken out by sponsor: DHHS, Non-Profit Foundations, All Other Sponsors, Industry/Corporate, Other Federal, ARRA. Data labels shown: 312, 312, 296, 246.]
McL Research Revenue Trends
[Figure: Research Revenues in millions ($0 to $60), FY01 to FY14, by source: DHHS, Other Federal, Industry / Corporate, All Other. Data labels shown: 63%, 64%, 60%.]
Source: PHS Research Revenues FY01- FY14 Actual.
Note: Research Activity, excludes Other Science and P&L adjustments
Research Revenue Metrics
• In FY2014, Total Direct Costs were favorable to budget
• TDC Actual = $33.1M; Budget = $31.8M (FY13 = $33.7M)
• In FY2014, Indirect Costs were unfavorable to budget
• IDC Actual = $10.3M; Budget = $11.0M (FY13 = $11.0M)
• Reflects shift from Federal to alternative funding sources at lower
indirect cost rates (e.g., foundation, industry, philanthropy)
• Indirect cost recovery impacts financial performance of the
hospital
Conclusions
• Overall research at McLean remains robust &
successful
• Major investments being made in physical plant
• New CSO; additional recruitments ongoing
• Shifts from Federal to alternative funding sources
reflect national & Partners-wide trends
• Indirect rate negotiation with NIH to occur in FY15
Research Town Hall
Studies of Light and Dark
Light: Making Sense of Research Data: How Research and Information Security is helping
Dark: Stories of the Dark side and how the institution is protecting you and your research
Brent Richter, Associate Director, Enterprise Research
Nicholas Yale, McLean Site Manager, Enterprise Research
Joe Zurba, Research Information Security Officer
Christine Chateauneuf, McLean Information Security Officer
October 2014-Research Town Hall
Real stories that happen every day – Joe Zurba & Christine Chateauneuf
Light: How We Make Sense of Research Data and Help Collaboration
• Collaboration: Syncplicity, Send Secure (Nick Yale and Brent Richter)
• Data Classification: Data Classification Policy & Data Classification Standards drafted (Brent Richter and Joe Zurba)
• Technology/Tools: Understand Technology-EWS Survey Feedback (Joe Zurba)
• Information Security: Education and Training; Information Security and Privacy Office (ISPO) (Christine Chateauneuf/Joe Zurba)
Collaboration-Nick Yale/Brent Richter
What do I use to store or share data?

| Tool | What is it? | Link |
|---|---|---|
| Secure File Transfer | Large file share (Internal, External) | http://transfer.partners.org |
| Send Secure | Email Encryption | http://rc.partners.org/emailencryption/ |
| Shared File Area (SFA) | Internal file share & storage | http://rc.partners.org/storage/sfa |
| Research Interactive Storage (RFA) | Internal file share & storage | http://rc.partners.org/storage/rfa |
| Syncplicity | File share, sync & storage | http://rc.partners.org/syncplicity |

KnowledgeBase: http://rc.partners.org/kbase?cat_id=29&art_id=533
Contact: rcc@partners.org
Syncplicity – What is it?
Online file-sharing and collaboration tool
• Synchronizes files and folders across multiple devices
• Cross-Platform: Mac, Windows, Android, iOS, WP8
• Share files and folders with collaborators outside of
Partners
• Can be used to share files with Partners co-workers
• HIPAA Compliant, safe for use with ePHI and PII data
**Syncplicity is the only collaboration tool of its kind currently approved by
the Chief Information Security & Privacy Officer for transporting or storing
Partners Confidential Data.
Syncplicity – Why should I use it?
How do I get started?
1) Request online from the PHS-EGI (Ergonomic Group)
website: http://web1.ergogroup.com/partners/
• Research Instructions: How to place an order in PHS
Ergonomics (EGI).
2) If approved, you will receive a welcome email from
Partners with basic instructions to install the client.
3) FAQs / Screenshots / Best Practices in ERIS
KnowledgeBase: http://rc.partners.org/kbase?cat_id=85
Website: http://rc.partners.org/syncplicity
Contact: rcc@partners.org
Licensing Costs
Licensing
• All licenses include unlimited* storage
• Licenses 0-1200: $0 until August 2016. $50/year
thereafter
• Licenses 1201+: $50/year. Licenses run annually
from August to August (costs will be pro-rated if
purchased out of annual cycle)
Ordering:
• Via EGI: http://web01.ergogroup.com/partners
Support:
• Via Partners Service Desk
• EMC or ERIS KnowledgeBase
Website: http://rc.partners.org/syncplicity
Contact: rcc@partners.org
Data Classification-Brent Richter/Joe Zurba
How Data is Classified Today
Confidential or PII/PHI
• All Data and information generated within Partners and Hospitals
• Research, Administration, etc
Proposed Data Classification (Research)
High Risk
• Extremely Sensitive PII/PHI
• National Security
• Criminal Liability if Disclosed
Confidential
• Contractual or Regulatory Data
• PHI or PII
• Financial Information
• Legal, Regulatory, or Serious Legal, Psychological, Social, Financial
Harm if Disclosed
Institutional
• Non-confidential data that Partners has chosen to keep private
• Expectation of Privacy
• Small Reputational Risk if Disclosed
Proposed Data Classifications
• Institutional Information
– Information, the disclosure of which would not cause material harm,
but which an organization has chosen to keep confidential
– There is an expectation of privacy
• Data that is: de-identified, unpublished work, Personnel records, IP or
Patentable, building plans, etc
• Confidential Information
– Information that would cause material, or serious harm to individuals
if released
• PHI, PII, PCI and FERPA information, IP and IRB-sensitive data, financial
records, donor information, genetic information,…
• High Risk / National Security
– Information that would cause severe harm to individuals or
Partners Healthcare if disclosed
A Practical Approach to Securing Devices
• Applications and data are grouped into the logical privacy pools
• Each pool has a privacy classification
• As the privacy classification increases so does the set of device prerequisites necessary to access* pool
• The specific requirements to be a trusted device will vary by the pool accessed*
*Note: privacy classification also applies to the devices where data objects are stored

Device Prerequisites
Partners network + Specific information pool security requirements
• Partners Device Policy
• Additional NAC verifications
Partners Network
• NAC verification connection
Public Internet
• No prerequisites
Requirements are defined by the application and data owner

Pool Privacy Classification
3: High Risk – Information which, if disclosed, would cause serious or severe harm to individuals or organizations
2: Confidential – Information which contains personally identifiable health data
1: Institutional – Information which Partners has chosen to keep confidential
0: Public – Information which is publicly available

Device trust levels shown: Trusted Device, Semi-trusted Device, Untrusted Device
Technology and Tools-Exchange Web Services
(EWS) Survey-Joe Zurba
History
• Partners has a goal to increase security for all Internet-facing applications by implementing 2-factor authentication and security questions
• EWS, or Exchange Web Services, is the protocol that
allows Macintosh computers to communicate with
Partners’ email servers for Outlook and Apple Mail
• *PC users have to use VPN from outside of Partners in
order to use Outlook
• VPN is a way to enforce 2-factor authentication
• VPN, or Virtual Private Networking, is software that
creates a secure tunnel between your machine and the
Partners network
The Survey
• Gather feedback from our research community
• Sent to Research email lists at McLean, BWH, MGH,
SRH, as well as EFGH
• Asked 7 to 9 questions about how the proposed change
would affect you and how you work
The Results
• 437 Total Responses
• 339 Full Responses
The Results (cont)
• 59% Use Outlook or Apple Mail Remotely
• 58% Do Not Use VPN
• 67% It Will Affect How Mail is Accessed
• 57% Not Worth the Increase in Security
• 7% Use Gmail or Another Provider for Partners’ Business
Lessons Learned
You Said……
• I don’t have confidential information in my email so
there’s no security risk
• Password breaches are not common
• VPN is unreliable, complex, and inconvenient
• Security is a trade off between access and protection
• It’s excessive
• The survey is too technically worded
• I don’t care about security
• Will it affect my iPhone?
• Convince me that it will improve security
• Anything that requires a high level of security should
not be on the common network
We Heard You….
• The EWS retirement is on hold
• Looking at alternative technologies that would have
less of an impact
• Looking for the “right amount of security”
• But… This may be inevitable
The Dark Side-How We Protect You and Your Research
The Partners Information Security and Privacy Office (ISPO)
• Detected 4,789 Viruses
• Stopped 5 Mil + unintended recipients
• Spam, etc.
Education and Training
• User responses still result in malware and viruses from Phishing e-mails
• Security Bulletins
• Information Security and Privacy Week (10/27-10/31)
• Staff Meetings
McLean Top 2:
• Phishing-User response to emails which generate malware
• Encryption-All mobile devices used for business purposes
• Other?
Your help maintains our ability to obtain and retain grants, provide care to patients (reputation), etc.
Discussion & Feedback