Protection Across the System

Compromised credentials and phishing were responsible for 16% and 15% of breaches, respectively. (Source: IBM Cost of a Data Breach Report 2024, IBM Security)

In early 2023, UC San Diego Health launched a first-of-its-kind risk mitigation effort to address phishing-related data breaches.

Goal

Recognizing that email systems have become an archive of sensitive data over time, UC San Diego Health aimed to identify emails containing large amounts of potentially sensitive data.

Approach

  1. Significantly reduce the impact of data loss by scanning emails for potentially sensitive data, such as Protected Health Information (PHI), Personally Identifiable Information (PII), credit card numbers, and more.
  2. Delete this data from user email accounts using a web application and established processes, and communicate project information to stakeholders.

Implementation

  1. Scans were conducted on all email accounts within the email tenant using various vendor partners’ tools.
  2. UCSD Web Services built a tool to consolidate scanned data, show individuals their scanned results, and support a deletion exception process.
  3. Continuous communication was maintained with users and leadership committees through emails and presentations to ensure stakeholders were informed about the project's progress and required actions.

Outcomes

  • 8+ months to complete scanning
  • 20 virtual servers ran the scanning application
  • 6,500+ users had at least one email with more than 200 records of sensitive data
  • 40,500+ email accounts scanned
  • 154,000+ individual emails scanned
  • 29 Million total PHI/PII data elements moved to a secure location
  • 1.25 Billion total PHI/PII data elements removed or deleted
  • 1.5 Billion individual pieces of sensitive data flagged for review 

A group of project sponsors, a project team, advisory and governance committees, and supporting IT roles

"Thank you for making our clinical area safe and secure. We didn’t know (a remote access tool) was installed on my laptop."

—UCLA Physician

Checking off a completed project is a great feeling, but nothing compares to the satisfaction of happy customers, especially when they take the time to provide glowing reviews! That’s exactly what happened with UCLA Health’s initiative to reduce cyberattack surfaces by blocking non-standard remote access tools and encrypted tunnel applications to medical devices.

Given the complex environment and many barriers, the best approach for UCLA Health was to address applications with firewalls. This approach aimed to reduce exposure to cyber threats and increase efficiency.

It was not an easy feat. Faced with a diverse user base, including IT, clinical staff, faculty, and researchers, the initiative’s team knew it would be a tough cultural shift. The team focused on two core competencies: understanding users’ needs and communication.

The core team: 

  • Documented use cases and identified key partners from several functional areas who interfaced with end users. They mapped out a phased approach, starting with simple fixes and progressing to specialized applications. When tunnel apps were discovered, the team expanded the scope to tackle that as well. The team learned and shared their successes with each project phase.

  • Kept end users at the forefront of the entire project, sending regular communication several times before they took any action. The communications explained what was happening, when, and why these measures were necessary. They also explained how bad actors have become more tech-savvy and included educational resources such as a link to their policy and examples of recent cybersecurity breaches.

  • Covered all aspects of the project and worked together in partnership with firewall and communication teams and business relationship managers. Not only was the project completed on time, but it also earned praise from users, including thank-you notes from physicians and others for safeguarding their data.

Benefits

  • Over 175 unauthorized remote access applications were blocked
  • Huge bandwidth savings on firewalls

"Thank you for helping me easily onboard an IT-supported solution."

—UCLA Research Student

"Thank you for the massive communication to avoid any surprises."

—UCLA Department Head

In the spring of 2024, UC San Francisco implemented a new written Standard Operating Procedure (SOP) for reviewing cybersecurity clauses in sponsored research proposals and contracts. The SOP aims to ensure that UC San Francisco meets cybersecurity requirements imposed by sponsors and partners in research contracts, reducing the risk of civil or criminal liability from non-compliance.

The new process is a collaboration between three entities:

  1. The UCSF Office of Sponsored Research Government Contracts Team handled reviewing, negotiating, and signing sponsored project government contracts (federal, state, and county/city).
  2. The UCSF School of Medicine Technology Services housed a new Research Cybersecurity Team.
  3. The UC Office of the President’s Research Policy Coordination and Analysis group provided input on the SOP regarding which Federal Acquisition Regulation (FAR) clauses should be flagged for review by the Office of Sponsored Research.

More Efficient Support System

The new approach streamlined support: by involving the Office of Sponsored Research, a new dedicated Research Cybersecurity Team engaged directly with grants or contract officers, Principal Investigators (PIs), and sponsors to assess cybersecurity requirements. This streamlined support system helped guide PIs throughout their projects. Additionally, the team retained consultants to conduct a Controlled Unclassified Information review of federal contracts when necessary.

Immediate Impact

The impact of the SOP has been significant, improving contract processing times and reducing compliance risks. PIs receive clear, timely guidance, while contract officers can confidently certify cybersecurity clauses. The campus is now better prepared for external audits, backed by a documented and posted SOP.

The Research Cybersecurity Team has reviewed and provided guidance on eight proposals and contracts so far, with projections to support over 50 annually as demand continues to grow.

With senior leadership championing the initiative, UC Irvine took a bold leap forward in its IT asset management maturity. They faced fragmented inventory management practices across the campus, highlighting the need for a comprehensive, standardized IT asset management system to track IT assets. A multi-functional team, including experts from project management, the data center, and IT departments, collaborated to tackle the challenge. The Office of Information Technology (OIT) spearheaded an initiative in 2022-2023, piloting a proof-of-concept system that laid the groundwork for a campus-wide IT asset inventory system. The pilot aimed to establish a thorough IT asset inventory, implement the system campus-wide, and enable effective asset classification for individual units. After a successful pilot, improvements were made, and the new system went live in June 2024.

The system provides enhanced visibility and control over UC Irvine’s IT assets, automatically identifying and tracking both physical and virtual devices connected to the network. Its flexibility allows for manual and batch updates, ensuring comprehensive coverage. With benefits such as reduced security risks, optimized asset utilization, and compliance with IT asset inventory and UC policies, the system is poised to evolve further based on user feedback. As UCI campus units adopt the system, they have increasing real-time visibility into physical and virtual assets, while security teams and campus leadership anticipate reduced cybersecurity threats, improved policy compliance, and stronger governance, setting a new standard for IT asset management across the campus.

Total Assets Automatically and Manually Discovered: 29,571

In today’s rapidly changing landscape, UC must prioritize efficiency by leveraging existing resources and tools while maintaining quality and maximizing impact. By fostering open communication and transparently sharing the “why” behind decisions, UC can align efforts across the institution, driving innovation and growth alongside increased efficiency.

Evolving Together: Streamlining Operations for a Stronger UC

As UC continues to grow and evolve, we remain dedicated to improving and adapting as an institution. With an emphasis on “doing more with less,” we implemented organizational restructuring to streamline operations and enhance efficiency. We’re continually seeking opportunities to synergize across departments and campuses, ensuring we can meet challenges with innovative solutions and a unified approach.

"Safeguarding our systems and data is fundamental to our operational integrity and the trust that our customers place in us. We’re embarking on collaborative cross-team projects that enhance our resilience against potential cybersecurity threats."

—Molly Greek, Chief Information Officer, Office of the President

Strengthening Resilience: Lessons Learned from Incidents

Each cybersecurity incident offers valuable lessons, resulting in opportunities to enhance efficiency and resilience in our response and prevention efforts. Following a major incident, our remediation efforts first focus on restoring the service, followed by a thorough root cause analysis to understand why the issue occurred. This process often reveals common threads, such as the need to update processes, provide additional staff training, hold vendors accountable or invest in previously under-resourced areas. By addressing these factors, we strengthen our resiliency, reducing the likelihood of similar incidents.

Office of the President: Boosting Security Rating with Minimal Cost

A cybersecurity ratings company evaluates organizations’ external vulnerabilities and assigns scores from 250 to 900, similar to a personal credit rating. Executive leadership in Technology Delivery Services (TDS) at the Office of the President set a goal to improve its cybersecurity rating by 10% in 2024, with a stretch goal of 13% by April 2025. To achieve this goal, TDS adopted a new service platform with advanced analytics to better manage risks and fix vulnerabilities. This proactive approach led to measurable improvements without a significant monetary investment while creating a shared sense of purpose among the team.

Cybersecurity Investments: Leadership Awareness and Strategic Action for 2024

The UC President’s security letter from February 2024 established systemwide key standards and compliance measures, emphasizing the need for cyber investment plans to support these requirements. With robust support and increased leadership awareness of cybersecurity risks, these investments are critical for strengthening security across the organization.

Digital Risk Appetite Statement: Defining an Acceptable Risk Range for UC

To ensure decisions are made using the same parameters of acceptable risk management and to support the roles of UC location Information Security Management Plans, a Digital Risk Appetite Statement was approved by the Board of Regents in March 2024. The statement defines an acceptable risk appetite range and sets expectations of risk management in accordance with best practices and applicable laws and regulations.

Digital Risk is defined as the risk posed by areas such as cybersecurity, digital accessibility, data privacy, IT third-party risk management, and emerging technology.

"The most challenging part of being a CISO is there are no guarantees. Answering, ‘Are we secure?’ is tough, no matter the investment or talent. Staying ahead of threat actors is always challenging, especially with the rise of AI and advanced computing."

—April Sather, CISO, Office of the President

The ORBIE Awards honor CISOs who have demonstrated excellence in technology leadership. Over 500 leaders have received an ORBIE Award since its inception in 1998.

April Sather, CISO, Office of the President
Nominated in the Enterprise Category

Allison Henry, CISO, UC Berkeley
Nominated in the Large Enterprise Category 

Career: April spent her early career in various positions at Deloitte, Sun, Computer Sciences Corporation, and First West Credit Union before serving as Chief Information Security Officer and Director, Innovation, Architecture, and Security Services at Pacific Blue Cross. In 2019, April joined UC Irvine as Assistant CISO before becoming CISO at the Office of the President in 2022.

Education: April earned her MBA from UC Irvine and her Bachelor of Information Technology & Commerce from Bond University, Australia.

Favorite Thing About Being a CISO: Building and executing strategy in the critical space of cybersecurity is incredibly rewarding. I enjoy the fast pace and working with teams to implement processes and technologies that reduce risk. Being a CISO allows me to build trust across the organization and position security as an enabler of mission and innovation, not a blocker.

Favorite Things to Do Outside of Work: Travel and adventures with my family are at the top of my list. I also love exploring new cuisines and food experiences, replicating these at home with varying levels of success.

Career: Allison started her information technology career as a system administrator at UC Santa Cruz. In 2004, she joined Communications and Network Services at UC Berkeley, pivoting to information security in 2006. In 2013, Allison started managing the Security Operations team. In 2018, she served as Associate CISO before assuming the role of CISO in December 2019.

Education: Allison graduated from UC Berkeley with a Bachelor of Science in Integrative Biology in 1996.

Favorite Thing About Being a CISO: It’s a rewarding career that offers daily challenges, a meaningful purpose, and authentic human connection.

Favorite Things to Do Outside of Work: In addition to information technology and security, I have a passion for the study of optimizing human performance through fitness and nutrition. I enjoy endurance athletics, including running and cycling.

Copyright © Regents of the University of California