UCSF to Launch New Data Security Campaign

UCSF is launching a campuswide IT Security Awareness Campaign that will include prizes, tips and training on protecting the University’s data assets, including patients’ personal and health information.

“UCSF is unique because we are exclusively a health sciences campus, and we are geographically dispersed across San Francisco,” said David Rusting, the University’s Chief Information Security Officer. “As a result, it is all the more important that we continually reach out to our faculty, staff and students. Every dollar we spend investigating information security and privacy incidents is one that is not being spent on clinical care, research and education. Instead, we want those resources to go to directly supporting UCSF’s mission.”

The costs are staggering, Rusting said, and individual incidents can add up to millions of dollars. Since 2005, it is estimated that information security and privacy breaches have cost UCSF over $20 million. The new campaign, which will be unveiled in March, is designed to protect UCSF’s reputation, protect patients’ and employees’ sensitive information, and prevent hefty state and federal fines for violations.

“When we look at the things that put us on the front page of the paper in a bad way, there are four main areas,” Rusting said.

Lost and stolen devices top the list, followed by phishing (compromised account credentials), malware infections (a compromised computer), and insider misconduct or mishandling of sensitive information.

The upcoming campaign, which will span the remainder of 2012 and likely become permanent, will employ a multimedia approach to educate everyone on campus about the “threat landscape,” as Rusting calls it, and the many free solutions that are available to the UCSF community. (See tips to take to protect data)

The focus of the campaign will change periodically, drawing attention to a single subject — such as encryption, social media or software updates — that will give users time to absorb the content and engage in one of the campaign’s promotional programs.

“The person is the perimeter of our network,” Rusting said. “They are the strongest link and the weakest link. The more aware they are, the stronger the protection for UCSF.”

Raising Data Security Awareness

Campus and shuttle posters, emails, flyers, and use of social networks, such as Facebook and Twitter, will attempt to drive people to essential websites, such as http://awareness.ucsf.edu and http://security.ucsf.edu, where they can learn more, said Hooman Moayyed, UCSF’s security awareness program manager.

“The first challenge was how we would take what can be a dry topic, such as IT security, and make it something people will take some interest in,” Moayyed said.

To motivate people, the campaign will have a range of incentives to persuade the campus community to participate in the campaign. For instance, somebody who watches a short video and takes a short quiz will receive a prize, and also qualify for a grand prize drawing, which is currently a Kindle Fire.

“Once people are aware of the impact of these breaches, they’re very open to helping and ask, ‘What can I do?’” Rusting said.

He said UCSF wants to instill a culture that is alert and security-conscious, in which people realize their actions affect everyone else.

“October is National Cyber Security Awareness Month. But we want to do it continuously instead of just once a year and have it reach different audiences,” Rusting said. “We’re doing something unique and innovative in the UC system. No other campus is approaching it this way.”

He said metrics will be used to measure adoption of safeguards, which in turn should lead to a decrease in breaches.

“Given our urban and high traffic environment, we don’t think the number of stolen devices is going to go down,” said Rusting, who added that UCSF police receive about two reports a week of lost items, such as cells or laptops. “But we need the number of encrypted devices to go up, as that prevents breaches of data.”

So far, about 6,000 laptops have been encrypted, he said.

“Even though we have the tools in place, there’s a lack of community and user education,” Rusting said. “We’re seeing a plateau in adoption of technologies, and the threat factors are increasing. The more people adopt these tools, the better chance there is in preventing the breach in the first place. Many times when we’ve investigated a breach, we find that people are not aware of the free services that are available, which would have prevented the breach.”

Five Tips to Secure Your Data

  1. Stop, think and then connect. If you receive an email that is too good to be true, or suspicious, it probably is. These emails "phish" for your login credentials or other private information. The best defense is common sense.

  2. Encrypt your laptop, smart phone and tablet. Encryption prevents UCSF data and your personal data from being exposed Free software is available from security.ucsf.edu or by calling the Help Desk at 415/514-4100.

  3. Install the UCSF anti-virus solution on any Mac or PC used for UCSF work. Free software is available from security.ucsf.edu/ or by calling the Help Desk at 415/514-4100.

  4. Do not leave your laptop or smart phone unattended. Physically secure your laptop with cable locks, which fasten to a fixed object such as a desk, to deter casual theft. These locks are available through CDW-G and OfficeMax, both which are in BearBuy. Also, remember to lock your office doors. This is one of the easiest ways to become a victim of theft.

  5. Be aware and a good steward of UCSF data. If you see someone mishandling data, either intentionally or inadvertently, report it to [email protected].