Aim
Departments and researchers have increasingly been looking to Amazon Web Services (AWS) to meet computing needs like data storage, databases, servers, application hosting, and high-performance computing. Since early 2015 there has been an emerging need for secure, compliant cloud computing for protected health information (PHI) at UCSF to take advantage of the unique capabilities that the cloud offers. Since spring 2017, SOM Tech received nearly 40 cloud computing inquiries from technologists across the School of Medicine.
To begin solving the unique information security and compliance challenges of the cloud environment, in late 2017 SOM Tech partnered with UCSF IT Security and the Privacy, Legal, and Risk committee (PLR) to better understand the scope of the demand, identify the challenges of potential use cases with PHI, and develop a secure, scalable environment for use across the university.
Approach
We started on paper by developing secure cloud architectures for projects in four School of Medicine departments - UCSF’s Center for Digital Health Innovation (CDHI), Weill Institute for Neurosciences, Epidemiology and Biostatistics, and Anesthesia.
To contain risk, we consulted closely with UCSF IT and PLR before agreeing to move forward with building one departmentally managed proof of concept (POC) project with a confined set of requirements and AWS services. CDHI’s four unique use cases were chosen because they were thought to be common among researchers in the School of Medicine, offered compelling cases for the cloud, and met all compliance and support requirements.
This POC effort was the first cloud platform at UCSF to support data up to the highest classification standard as defined by the UCSF Data Classification Standard. The four initial use cases represented core categories of research-oriented infrastructure and functionality including solutions for research computing, containerized application support, PHI de-identification, and a Windows application development.
While the POC project got underway, we also identified the long-term need for an enterprise solution, a UCSF IT-managed service that will integrate our advanced security and operations tools to ensure a safe expansion into the cloud. A UCSF IT-led workgroup was created to solve the challenges associated with creating a secure connection between AWS and the UCSF network.
"I am excited to collaborate and partner with SOM Tech with building an enterprise and long-term cloud solution," said Jane Wong, UCSF’s Associate Chief Information Officer.
Solution
UCSF’s AWS Research Cloud (ARC) solution was launched in August 2018, supporting three clients. The ARC allows clients to set up their own environments within a secure AWS platform. Under this structure, researchers can quickly deploy complex projects while being automatically integrated into ARC’s security and compliance cloud controls.
Following this shared responsibility model, clients control the secure set up and management of applications and services within the cloud while SOM Tech provides security, operational support, and daily monitoring to ensure platform compliance.
"Cloud computing has been transformational for our process," said Eugenia Rutenberg, Director of Research Computing at UCSF's Bakar Computational Health Sciences Institute. "The ability to quickly, securely set up our research data in the cloud has allowed us to remain focused on the innovation of new technologies."
On the security and compliance side, we aligned with UCOP policies for electronic information security and business associate agreements. Following the Cloud Security Alliance Cloud Controls Matrix, we mapped each control to an operational procedure in our environment and incorporated the controls as technical design requirements. The resulting compliance documentation includes an IT Security Plan with procedures including risk management, incident response, and physical security, among others.
Partners
UCSF IT Security
UCSF Privacy, Legal, and Risk Committee
UCSF IT Systems Engineering
UCSF Center for Digital Health Innovation
