Handling regulated data is becoming a key requirement for supporting research, especially for high performance computing (HPC) service providers who have not previously been subject to rules and regulations. While the list of institutions with research cyberinfrastructure approved for critical data such as protected health information (PHI) or Controlled Unclassified Information (CUI) is growing, it still remains woefully short. Any major university effort to accommodate researchers with regulated data adds to the pool of research enablers, while simultaneously protecting sensitive research data.
For HPC service providers that support research sponsored by the NSF, pursuing compliance also diverts resources, potentially affecting this support. External help can be invaluable in reducing the impact, especially for providers tackling compliance for the first time.
Trusted CI recently concluded a highly successful engagement with UC Berkeley that both validated and bolstered UC Berkeley’s nascent regulated data effort, namely a “Secure Research Data and Compute” (SRDC) platform. The SRDC platform is expected to have a significant impact on UC Berkeley’s ability to enable and empower a wide range of researchers to conduct research with data subject to rules and regulations in scientific fields as diverse as biology, engineering, computer science, and a broad spectrum of social sciences and professional schools such as business, public health, and law.
According to Ken Lutz, Director of Research Information Technology at UC Berkeley:
“Our engagement with Trusted CI has been very successful and has been an important part of preparing for the launch of our SRDC Platform. While we had already obtained a commitment by senior leadership to develop the platform, the perspective and expertise provided by the Trusted CI team helped us build trust across our complex network of stakeholders. Our UC Berkeley team especially appreciated the broader higher education experience that the Trusted CI team brought to the engagement. Based on this engagement, we feel confident that we are developing a platform and service that will enable our research community to pursue high impact research involving highly sensitive data.”
Initial engagement objectives included a review of SRDC’s design, security and compliance goals and future vision, a comparison of SRDC security against best practices at peer institutions, gap identification, and recommendations on how to fill those gaps.
The engagement spanned eleven one-hour meetings and an all-day virtual campus visit. The meetings, submitted artifacts, and other input from UC Berkeley enabled Trusted CI to assess the SRDC security architecture, workflows, and current policies and procedures; evaluate and validate the cybersecurity framework UC Berkeley is developing with help from a commercial third party; and gauge UC Berkeley’s approach to regulated data against what peer institutions are doing.
During the virtual campus visit, Trusted CI met many of the other SRDC stakeholders on campus (including the CISO) and gave a presentation to a group of these stakeholders that detailed current regulated research data approaches nationally and how UC Berkeley’s effort fits in.
The final product of the engagement was a 21-page report containing specific, prioritized recommendations on how to address the security gaps identified during the engagement (including HIPAA gaps), adopt best practices, and avoid pitfalls while maintaining a healthy balance between usability and security. Trusted CI also provided policy templates and guidance on how best to leverage the cybersecurity framework recommended by the third party.
Trusted CI benefited from this engagement as well: from working alongside a commercial third party and learning about their approach to compliance, and from the addition of another institution to which Trusted CI can refer future seekers of compliance for guidance and counsel.
The success of this engagement is noteworthy in light of the challenges COVID-19 introduced in the midst of the engagement, including the cancellation of a campus visit and of face-to-face interaction, both of which are typically important to the success of highly collaborative projects.