University of California, Berkeley
DRAFT MINUTES OF THE E-BERKELEY STEERING COMMITTEE
Meeting of September 18, 2003
Chancellor’s Conference Room, California Hall
Members present: EVC and Provost Paul Gray, Chair, AVC Greg Brown, AVC Ron Coley, Director Jon Conhaim, VC Ed Denton, ASUC Representative Jason Dixson, Professor Ken Goldberg, Director Laurie Goldman for VC Beth Burnside, Associate Director Mara Hancock for VP Christina Maslach, Director Chris Hoffman for Dean Mary Ann Mason, Director Phyllis Hoffman, Director Tom Holub for ITAC Chair Ralph Moon, VC Jim Hyatt, Graduate Student Representative Charis Kaskiris, Director Helen Kelly, University Librarian Tom Leonard, AVC Jack McCredie, Chief Technology Officer Tessa Michaels, Director Barbara Morgan
Also attending: Director Jacqueline Craig, IR&C UCOP; AVC Steve Lustig and Director Phil Chuang, UHS; Director JR Schulden, SIS IST; Director David Scronce, Human Resources
1. Welcome and Review of Minutes
Paul Gray opened the first meeting of the new year, remarking that even in a time of challenging budget constraints a number of e-Berkeley initiatives will continue to be supported. Minutes were reviewed; Paul asked Jon Conhaim to report on the Portal Roadmap action item from last June. Jon replied that the group has been assembled to work on this and a report will be completed mid-January. Minutes were approved as distributed.
2. Preliminary IT Recommendations from McKinsey Organizational Effectiveness Study
Paul Gray gave background information on the McKinsey study initiated last spring by the Chancellor
to look at campus organizational effectiveness. The consultants conducted campuswide
interviews and reported their observations on how business-related processes
work, concluding that our organizational structure follows a decentralized model
more closely than a centralized one, especially in IT services. They suggested
a shared-services model might work better, with greater centralization
in areas such as training, policy development, hardware and software standards,
and hardware purchase. Paul noted that this kind of change might heighten this
committee’s standards and policy-setting role on campus.
Jack McCredie added that the other major functions observed by McKinsey under
the best practices hybrid model were Financial Services and Human
Resources. He said McKinsey has been trying to determine where these services
lie in the centralized/decentralized continuum, and after discussions with management
have been able to understand better how the hybrid model works on the UCB campus.
Jack pointed out that the work done in the IT policy area over the past few
years has been significant and he feels it is important now to focus on the
gaps and overlaps in IT services provided by several departments, which are
very costly. (BFS data indicates that the campus spent $75M last year on computer-related
expenditures, not counting salaries.) Ed Denton remarked that the issue is not
one of mandating change, but of offering a good deal such as substantial hardware
discounts.
During a discussion of IT at a meeting of university provosts, Paul Gray discovered
that very few institutions have a group such as the e-Berkeley Steering Committee,
and they are quite concerned about how to handle campuswide IT change.
3. Health Insurance Portability and Accountability Act (HIPAA)
Steve Lustig and Phil Chuang of University Health Services presented an overview of HIPAA, a
federal law that protects the privacy of a patient’s personal and health
information (PHI), provides for electronic and physical security of that information,
and sets data standards in order to simplify billing and other transactions.
UC is designated as a single health care component, with one privacy officer
(Dr. Maria Faer) in charge of university compliance. Steve is the primary privacy
liaison for UC Berkeley.
Steve said the campus implementation of HIPAA began in May with privacy notification,
with several departments involved in compliance:
Intercollegiate Athletics
Psychology Clinic
School of Optometry
University Health Service
Sponsored Projects Office
Committee for the Protection of Human Subjects
Audit and Advisory Services
Office of Human Resources Benefits
Information Systems and Technology
Risk Management
The impact on IT organization and policy will be felt in the need to track the
authorized release of PHI; to ensure that appropriate agreements are in place
with vendors who have access to the data (such as off-site tape storage vendors);
to ensure that the data is processed using proper coding and format (enforced
October 15, 2003); and to follow best practices in IT operations and security
(by April 2005).
Policy issues need to be settled on how to ensure that these standards are followed
and that vendor agreements are in place, and how much of the campus technology
infrastructure will be affected by HIPAA regulations. Compliance with HIPAA
is voluntary at this point; investigations will be made on the basis of complaints.
However, penalties for violations are high, and it seems prudent to address
the risk by taking measures to comply. Phil Chuang noted that a lot of departments
are involved, and instead of an oversight committee there is a point person
in each department to coordinate training and identify problems. Greg Brown
commented that UC San Diego has web-based training available, with certification,
for principal investigators as well as staff. He asked whether we could use
this to certify in advance, perhaps as part of the Human Subjects protocol;
Steve will investigate.
Paul Gray asked whether the “one person at OP” structure is working
out. Steve said it is working well; UC has been able to move fast and to have
one channel to appeal to the feds for clarification.
4. Approval of e-Berkeley Policy
Jacqueline Craig introduced the Revised e-Berkeley Policy for Berkeley Campus Online Activities
(version 1.7, revised 6/27/03, attached to the meeting packet).
Jacqueline described the background of the policy, initiated in 2000 by the
e-Berkeley Implementation Task Force (EBITF), the continuing work done by
the EBITF Policy Work Group to prepare the Interim e-Berkeley Policy announced
to the campus in July 2001, and the major additions and revisions since that
time.
The policy is a web document, allowing for the use of links to authoritative
sources behind the policy, including, but not limited to:
UC Electronic Communications Policy (ECP)
Berkeley Campus Computer Use Policy
The policy is a living document that changes as the source documents
and laws change. The purpose is to provide a single place to find both policy
and guidelines for campus online activities.
Jacqueline briefly summarized the sections of the policy, explaining further
reasoning on topics listed in the Table of Contents:
Network Access Blocked for Infected Computers; and New Policy Coming on Minimum Security Standards
Jack McCredie explained the latest process for dealing with the worms and viruses
that have attacked many computers on campus: network access for an infected
computer is blocked until the machine is fixed and free of infection. In the
past, the System and Network Security Office would notify a departmental security
contact before blocking an infected computer. However, because of the rapid
spread of these viruses, SNS is now blocking infected computers immediately.
About 250 systems are blocked every day. Jack said that the Campus Information
Security Committee is becoming more active in defining requirements for computer
security on campus and is creating a document on Minimum Security Standards
for Networked Devices, which will be brought to the Steering Committee
after discussion with other groups. The effective date for the standards would
most likely be six to nine months from the date the policy is approved.
Personal Information Modifications to HRMS Self-Service
David Scronce gave some background on the development of HRMS, which was rolled
out for use by administrative staff in July 2002, as a web-based application
with data encryption and CalNet authentication. At the end of June 2003, employee
self-service was rolled out, with single sign-on through the blu portal. This
meant that anyone with a CalNet ID could look at his or her personal information
in HRMS. Since that time there have been requests for removal of some of the
personal information because of identity theft concerns, and the decision was
made to remove the display of information such as social security number and
date of birth, and the bank account number has been masked. A copy of the memo
from VC Horace Mitchell announcing the modifications was included in the meeting
packet. The memo also stressed the importance of maintaining the confidentiality
of the CalNet ID, and Paul Gray commented that many people do not realize the
importance of this. Tessa Michaels noted that BAS is preparing further communication
about the CalNet ID.
California Senate Bill 1386
Jack McCredie has been presenting information to groups on campus on SB1386,
which became effective in July 2003. A copy of Jack’s presentation slides,
“New Personal Data Security Legislation,” was included in the meeting
packet. It is crucial that campus departments reduce the personal information
stored on local systems and increase computer security.
Part of the UC requirement for compliance with this legislation is that every
department must keep an inventory of any systems containing first name/initial
and last name, in combination with social security number, or driver’s
license number, or financial account or credit card number in combination with
any password that would permit access to the individual’s account. The
department must also have a way of contacting each individual. The reason for
the inventory is that people whose personal information is kept in a computer
that has been compromised must be notified. Jack said that this has occurred
on campus on two occasions in the past several months, and notification was
sent to those affected. Jack said that the law is causing many organizations
to clean house, get rid of unneeded personal information, and adopt security
measures, which is the intent. He added that every department needs to be aware
of this legislation, and that he is available to present this information upon
request.
6. Learning Systems Update
Mara Hancock described the new CourseWeb features rolled out this summer, and the next steps in developing learning systems on campus. Since fall 2002, about 2,650 CourseWeb sites have been edited (many more than WebCT or Blackboard). Student Information Systems is monitoring performance, and there have been very few problems so far. Mara demonstrated some of the new features, which include course-editing delegation for instructors to staff, an improved user interface, a better syllabus interface, roster photos of enrolled students for the instructors’ use, and improved office hours and contact information. The system is much simpler to use, particularly in the way that the syllabus can be uploaded from several file formats.
7. Email Improvements
Jack McCredie gave a brief update on replacement of the UCLink email system, congratulating
JR Schulden on her leadership of the campuswide team that reviewed the vendor
bids and found a good solution. The target date for the new system is early
in the new year. The Berkeley Email Replacement Team (BERT) is steering this
project; more information is available on the BERT website at http://bert.berkeley.edu.
Jack noted that this is the type of “build it and they will come”
system that McKinsey has recommended, and he hopes that departments running
their own email systems will be attracted. Ron Coley asked what the most popular
new capability would be; JR Schulden said the new system will allow users
to own and manage their own domains. Jack said that pilot usage will start
this fall; anyone who is interested in participating should let him know.
Jack also said that UCLink had been improved and strengthened; load balancing
has been added and yesterday spam filtering became a reality.
Announcements:
The meeting was adjourned at 4:00 p.m.
Jack McCredie reported that VCAC has authorized the fitup of the new data
center and approved the funding. The building will be turned over to the campus
in mid-October and data center construction will begin in November. The move
will occur in May and June 2004.
Jack presented the IST Operational Highlights in document form, but promised
to send the Steering Committee the URL for the online version. He said it
was comprised of reports from all IST Directors, and contained many useful
links. The highlights will be presented at a systemwide meeting in Santa Cruz.
The Internet2 community announced an advanced research network called the
National Lambda Rail (NLR) that is now being built and will serve research
through a higher level of optical fiber infrastructure from coast to coast.
Chancellor Berdahl is now on the board of Internet2, which will further link
UC with these developments, and Jack is also serving on the Networking, Policy
and Planning Group for Internet2.
Future Meetings
Tuesday, October 28, 2003, 2:00–4:00 p.m., Chancellor’s Conference
Room, California Hall
Thursday, December 4, 2003, 10:00–noon, Chancellor’s Conference
Room, California Hall
Thursday, January 29, 2004, 10:00–noon, Chancellor’s Conference
Room, California Hall
__________________________________________________________________
Email group: e-berkeley_steering@listlink.berkeley.edu
Please send corrections and comments to: Sheila Press, avc_asst@uclink.berkeley.edu