RESEARCH ADVISORY BOARD (RAB) March 12, 2019 8:30-10:00 a.m.

Medical Sciences Building: Conference Room S-30 & Zoom: 1-669-900-6833 Meeting ID: 914 749 821 https://ucsf.zoom.us/j/914749821

AGENDA

Topic Presenter Time 1. Contracting under GDPR: Impacts on faculty

and their projects when General Data Protection Regulation data is involved

Jean Jones Senior Associate Director (Contracts/Awards) UCSF Office of Sponsored Research

8:30 – 8:45am

2. UCSF Simulated Phishing Test; IT Security Updates

Pat Phelan Chief Information Security Officer UCSF Information Technology

8:45 – 9:05am

3. High Containment Laboratory Oversight Group Jonathan Koolpe High Containment Laboratory Director/Assistant Biosafety Officer UCSF Office of Environment, Health, and Safety

9:05 – 9:30am

2019 Meetings: 2nd Tuesday of each month

March 12 April 9 May 14 June 11 July 9 August 13 September 10 October 8 November 12 December 10

UCSF Research Advisory Board 1 March 12, 2019

RESEARCH ADVISORY BOARD (RAB) March 12, 2019 8:30-10:00 a.m.

Medical Sciences Building Conference Room S-30 & Zoom Minutes

Attending: Lindsey Criswell, Jane Czech, Clarice Estrada, John Ellis*, David Erle*, MC Gaisbauer*, Julene Johnson, Jim Kiriakis, Georgina Lopez*, Wallace Marshall, Teresa Moeller, Michael Nordberg, Christine Razler, Jon Rueter, Elizabeth Sinclair, Brian Smith, Matt Springer, Paul Volberding, Winona Ward*, Irene Broderick (staff). Guests: Jean Jones, Jonathan Koolpe, Pat Phelan, Peili Zhu. *: on phone 1. Contracting under GDPR: Impacts on faculty & their projects when General Data Protection Regulation data is

involved** Jean Jones

The European Union (EU) General Data Protection Regulation (GDPR) is a European Privacy regulation; it is an umbrella regulation and applies to data collected from persons in the European Economic Area (EEA). The GDPR states that privacy is a human right and that data subjects have rights to their information, including access, restriction, and erasure. If requested, entities must destroy data down to the key/coding level. In the United States, privacy is regulated by industry (HIPAA, FERPA). The GDPR affects research contracting if data is collected from natural persons in Europe and beyond - application of GDPR regulations is determined by the physical location that data is collected. GDPR imposes new terminology, for example, de-identified under HIPAA is not the same as anonymized. GDPR mandates implementation of safeguards: collect as little data as possible, anonymize it, and delete it once it is no longer necessary. The EEA extends the EU's single market to non-EU members making the EAA bigger than the EU (it includes all member states who signed on to the GDPR).

As UCSF is not a member of the Privacy Shield, mechanisms may have to be implemented to comply with data protection requirements when transferring personal data from the European Union. For transfers requiring Standard Contractual Clauses, a determination will be needed as to whether a situation poses high risk; complexity depends on the flow of data, i.e., does the research data involve using or obtaining personal data of individuals located in the EEA? UCSF (the Processor) is fully liable to the Controller (institution sending UC the data) for the performance of the sub-processor’s obligations (UC vendor or third-party collaborator). Enforcement is as yet an unknown and requirements are still fluid. Each member state’s laws govern contracts.

If you are unsure if/how GDPR applies to your project, contact the Office of Sponsored Research (OSR) and the Privacy Office early in the project planning and development process as project planning requires extra due diligence and funding. OSR is moving forward; GDPR has been in place for two years & OSR has been working on it for one year. Existing contracts will be amended going forward.

Action: RAB asked to consider communications channels: webinar? Link to slides

2. UCSF Simulated Phishing Test; IT Security Updates** Pat Phelan

UC system-wide recently embarked on an intentional phishing exercise targeting staff; this exercise was bundled with the cyber security training and ran from September 2017 through July 2018. Four major campaigns (Over Quota Second Notice; HR Notification; Cyber Attach Credit Security; and Pending Inbox Messages) were introduced throughout the year; the quality of the messages varied among the four

UCSF Research Advisory Board 2 March 12, 2019

campaigns. Staff who opened emails/links in the first campaign were re-tested with additional emails. UCSF’s results were consistent with industry: the average click rate across the UC system was 10% and UCSF’s average was 12%. Robust metrics are not available as the current software does not provide statistics on the number of unopened emails. The exercise will be repeated again next year, and the software chosen for next year will provide much better statistics. UCSF is making great strides in combatting phishing, including, spam filters, URL scanning & blocking, FireEye, and Duo two factor authentication. UCSF is replacing the Barracuda Spam Filter software with ProofPoint. Pat Phelan recently attended an excellent training at the FBI Academy at Quantico; the training was eye-opening and illustrated how certain entities are targeting selected areas in academic medicine. Action: Pat will share the phishing examples with the RAB; Pat will also find out if Block lists can be imported

to Proof Point, and how much control users will have on block/watch lists. Action: Future RAB presentations: Tiger Team; local FBI agent to discuss cyber security issues.

3. High Containment Laboratory Oversight Group** Jonathan Koolpe

The HCLOG was formed, in part, as a result of safety lapses at the CDC in 2014 (workers exposed to anthrax, active influenza virus shipped accidentally). UC President Napolitano established the UC Systemwide High Containment Laboratory Task Force to assess the risk groups and (A)BSL3 facilities at UC, consider oversight levels, and determine the likelihood that breaches of this kind could happen within the UC system. A 2015 UC Presidential Directive mandated all UC campuses increase oversight for High Containment Labs, establish a High Containment Laboratory Director position, and establish a High Containment Laboratory Oversight Group (HCLOG). At the UC Systemwide level, the High Containment Laboratory Oversight Committee (HCLOC) was convened. UCSF’s HCLOG is chaired by Brian Smith, Associate Vice Chancellor – Research Infrastructure and Operations, and membership is comprised of individuals from capital programs, UC Police, Finance, and others; Brian Smith represents UCSF on the Systemwide HCLOC. The UC HCLOC must submit an Annual Report to President Napolitano. Campus HCLOGs discuss issues related to BSL3/ABSL3 facilities including design guidelines, operations and maintenance, new construction and renovation projects, and accident/incident investigations. Infectious agents are categorized by Risk Group Levels (1-4, with 4 being the highest) and biosafety levels correlate to Risk Groups. There are no BSL 4 labs in California, and only 14 in the United States. There are currently five 5 BSL3 labs at UCSF. UCSF’s Institutional Biosafety Committee (IBC) makes the decisions as to which Biosafety Level laboratories (BSL 2 or 3) particular research projects fall into. In 2016, UC’s Task Force visited all UC campuses with High Containment Labs; they looked at lab operations, SOPs, HVAC Operations, equipment, and more. It is crucial to begin planning for High Containment Labs in the beginning of the new building design process; not doing so incurs additional time and cost. UCSF’s HCLOG developed a design guide, which the Systemwide HCLOC modeling for a Systemwide version.

If anyone on the RAB learns of a new PI coming to UCSF who may do high containment work, let EH&S know right away.

**Contains excerpts from PowerPoint; see PowerPoint for detail.

3/12/2019

Jean JonesSenior Associate Director, OSR

GDPRImpact on Research Contracts

Quick recap: GDPR summary and scope

New terminology

The mechanics of GDPR data transfers

What do researchers need to do?

Timeline impact

What our researchers need to know

Today’s focus

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

US regulates by industry (HIPAA, FERPA)

GDPR is an umbrella regulation

Applies to data collected from persons “in the EEA”

Data subject has rights to- Access, Erasure- Restrict, Object

European Privacy Law – privacy is a human right

Quick Recap - GDPR

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

New Terminology

Lawful BasisLegitimate Interest

Controller

Processor

Sub-processor

PseudonymizedPrivacy Shield

Anonymized

Personal DataStandard Contractual Clauses

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Personal data ≠ PHI

De-identified ≠ anonymized To be anonymized key/coding must be destroyed

Requires appropriate safeguards- Data minimization

- Use pseudonymized or anonymized data where possible

- Keep no longer than necessary

What should researchers remember about GDPR?

New Terminology

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Privacy Shield

Consent- When UCSF collects data directly from subjects in EEA- UC consent template for GDPR

Standard Contractual Clauses- When UCSF receives data collected from an institution

located in EEA

Transferring Personal Data from EEA to US

The Mechanics

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

What do our researchers need to do?

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Not sure how GDPR applies to a project?- Consult with contracts officer, or- Contact OSRinfo@ucsf.edu; privacy@ucsf.edu

Engage early – during project planning & development

Transfers requiring Standard Contractual Clauses

What do our researchers need to do?

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Risk Mitigation delays to expect- GDPR complaint systems and processes (project-specific)- Contract negotiation- Engaging sub-processors

Transfers requiring Standard Contractual Clauses

Timeline Impact

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Establish system and procedures for GDPR compliance- IT Risk Assessment

https://it.ucsf.edu/services/risksonar-it-security-risk-assessment

- Consult with Privacyprivacy@ucsf.edu

Transfers requiring Standard Contractual Clauses

Timeline Impact

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Contract Negotiation- Complexity depends on the flow of data

Transfers requiring Standard Contractual Clauses

Timeline Impact

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Engaging Sub-Processors - The Processor (UC) remains fully liable to the Controller (institution

sending UC the data) for the performance of the sub-processor’s obligations (UC vendor or third-party collaborator).

Violates Standing Order 100.4(dd)(9)

Example:- International consortium members send data to UCSF for collective

analysis. UCSF engages subcontractor to perform additional data analysis.

Transfers requiring Standard Contractual Clauses

Timeline Impact

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Possible financial liabilities PI/department must accept- Subject to litigation in the EEA- Contract governed by EEA Member State law- Data subjects can directly enforce certain provisions, entitled to damages

Transfers requiring Standard Contractual Clauses

Other researcher considerations

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

Requirements are still fluid- EEA Member States can enact derogations - Enforcement / Legal Opinions

Remember- Engage early – project planning & development stage

Transferring Personal Data from EEA to US

Final thoughts

Research Advisory Board | GDPR: Impact on Research Contracts | 3/12/2019

7/25/2019

Patrick PhelanChief Information Security Officer

UCSF Phishing Campaign Case Study - 2018

What is phishing?

The use of fraudulent email messages designed to trick you into:- Downloading harmful attachments;- Clicking a link that leads to a harmful website;- Divulging sensitive information, such as passwords, bank

account numbers, and Social Security numbers

Spear phishing and whaling are highly targeted forms of phishing aimed at a specific group or executive-level staff

7/25/2019 3

1 PhishMe Enterprise Phishing Susceptibility and Resiliency Report 20162 https://blog.dashlane.com/phishing-statistics/

Methodology

Steps for each Campaign:

1. Warn users once prior to start of first campaign2. Phish (complexity increases as we progress)3. Educate4. Re-test5. Analyze Results and Adjust6. Repeat

3/27/2018 CRGC

7/25/2019 5

7/25/2019 6

7/25/2019 7

7/25/2019 8

7/25/2019 9

Campaign 1: Entire Organization

Campaign # Phished # Clicked % FailedCampaign 1 29,537 3138 11%Re-test 26171 813 31%

3/27/2018 CRGC

1. Number re-tested does not match # clicked because we had to remove affiliates and other UC campuses that were in our feed

Campaign 1: Entire Organization

Category # Phished # Clicked % FailedAdministrative Staff 7838 427 28%Clinical Care 6143 490 8%Contractors 6231 490 8%IT 1118 133 12%Physicians & Researchers 6543 702 11%Senior Leadership 83 19 23%Students 1509 427 11%

3/27/2018 CRGC

What is IT doing to combat phishing?

Two layers of spam filtering- >85% of emails sent to UCSF addresses are blocked before you even

see them

Replacing Barracuda with ProofPoint, best-of-breed antispam/antiphishing

Automated scanning of URLs in email

Secure web gateway that prevents UCSF visits to known bad sites

Responding to messages reported by users- Contact Service Desk or forward messages to security@ucsf.edu

Reducing impact of stolen credentials through use of Duo

7/25/2019

“Amateurs hack systems, professionals hack people.

Bruce SchneierCryptographer and noted security expert

High Containment Laboratories and Oversight at UCSF

Jonathan Koolpe

Assistant Biosafety Officer/High Containment Laboratory Director

Office of Environment, Health & Safety

Topics

History of UCSF High Containment Laboratory Oversight Group (HCLOG)

Function and accomplishments of HCLOG

Looking ahead

National Biosafety Concerns

- Safety lapses at CDC (2014)

- Workers exposed to anthrax

- Accidentally shipped active influenza

- National media coverage

Risk Group Levels for Infectious Agents

Risk Gp. 1 Agents not associated with disease in healthyhuman adults

Risk Gp. 2 Agents associated with human disease which israrely serious and for which preventive ortherapeutic interventions are often available

Risk Gp. 3 Agents associated with serious or lethal humandisease for which preventive or therapeuticinterventions may be available (high individualrisk, low community risk)

Risk Gp. 4 Agents likely to cause serious or lethal humandisease for which preventive or therapeuticinterventions are not usually available (highindividual risk, low community risk)

Biosafety Levels for Infectious Agents

UC President Concerns (2014)- President Napolitano inquiry to UCOP Risk Services

- What Risk Group 3 Infectious agents used at UC campuses?

- How many BSL3/ABSL3 facilities at UC?

- What are the chances for an incident at UC?

- Who provides oversight?

- UC Systemwide High Containment Laboratory Task Force established

UC Presidential Directive (2015)

- All UC campuses directed to increase oversight for High Containment Laboratories (HCLs)

- Established positions: High Containment Laboratory Directors (HCLDs)- Funded by UCOP for 1st year- UCOP funding tapered off after 1st year- Currently funded by individual campuses

- Directed each campus to establish High Containment Laboratory Oversight Group (HCLOG)

- Established UC Systemwide High Containment Laboratory Oversight Committee (HCLOC)

High Containment Lab Oversight Group (HCLOG)- Members include UCSF Leadership, PIs, Lab Managers, EH&S, UC

Finance, Capital Programs, Facilities Services, UCPD

- Meet bi-monthly and/or as needed

- Review/discuss issues related to BSL3/ABSL3 facilities including:- Design Guidelines- Operations and maintenance- New construction and renovation projects- Accident/incident investigations- Funding strategies

Systemwide High Containment Lab Oversight Committee (HCLOC)

- Members include HCLDs, EH&S, Campus Leaders, PIs, UCOP

- Meetings:- Quarterly conference calls- Annual in-person meeting

- Resource for campuses to consult on HCL renovations, operations, etc.

- Campuses present/discuss issues concerning HCLs- Includes research activities, HCL operations and design,

support and funding strategies, accident investigations, etc.

- Progress reports to UCOP Leadership

UCSF BSL3/ABSL3 Research Facilities

10HCLOC October 1, 2018

Lab Facility Name RG-3 Agent(s) in Use Location

Sil BSL3 facility Blastomyces dermatitidis,Histoplasma capsulatum, Coccidioides immitis

Med. Sci., Rm. S475

Kato-Maeda BSL3 facility Mycobacterium tuberculosis ZSFG, Bldg. 100, Rm. 125

Gladstone BSL3 facility HIV Gladstone, Rm. 561Prusiner BSL3 facility Prions Neurosciences

Bldg., Rm. 360Ernst, Rosenberg, Andino BSL3/ABSL3 facility

Mycobacterium tuberculosis, Poliovirus (RG2)

Genentech Hall, Rm. N113/N189

UCSF Microbiological Clinical Facility

- Located at China Basin

- CLIA-certified microbiological laboratory

- Validated testing for patient samples

- Operates at BSL2* containment

- Potentially handles higher risk agents - (e.g. M. tuberculosis, Yellow Fever virus, West Nile virus,

etc.)

UC Task Force Follow-up Visit (2016)- UC Task Force visited all UC campuses with HCLs

- Thorough inspections conducted and facility validations performed- 5 active UCSF BSL3 facilities reviewed

- Included 1 ABSL3 (animals)- Also reviewed Clinical Microbiology lab (BSL2*)

- Examined lab operations and SOPs, HVAC operations, equipment maintenance, emergency response plans, etc.

- Reports issued to identify any facility issues

- UCSF immediately began corrective actions

UCSF Task Force Findings- Facilities in overall good shape

- Good relationships between Leadership, Capital Progams, Facilities Services, PI/labs, etc.

- Issues have been resolved for all BSL3/ABSL3 facilities:

- Included significant upgrades for GH-N113 and ZSFG BSL3

Current Facility Upgrades

- Renovations underway for inactive BSL3/ABSL3 facility at Medical Sciences (MS791 for Dr. Sil)

- Upgrades for BSL2* Clinical facility

- New BSL3/ABSL3 facility planned for ZSFG

UCSF HCLOG Ongoing Oversight- Validation programs initiated for all facilities including:

- Annual training sessions for PIs, lab users, FS, UCPD, Emergency responders

- Annual facility inspections (visual, integrity/smoke testing, equipment certifications, etc.)

- Annual HVAC failure testing- Annual review of facility records- Emergency exercises/drills

- Continue to work with Capital Programs/Facilities Services

Additional HCLOG Accomplishments- Design Guide developed, reviewed, and accepted

- Annual validations (ongoing) - e.g. HVAC systems tested, users trained, room

integrity issues addressed, SOPs reviewed, etc.

- Resolved funding challenges- Ongoing operations and maintenance- ZSFG autoclave

Looking Ahead

- New BSL3 facility at ZSFG- For work with TB- Currently in planning stages

- Renovations underway at MS791 and Clinical Microbiology facility at China Basin

- New regulations coming on Poliovirus will impact BSL3/ABSL3 facility at Genentech Hall

Questions?