Columbia Spectator Staff

Despite two data leaks in the last two years, Columbia doesn't have a unified set of data security standards—something a University Senate committee is working with CUIT to create.

In April, the senate's Information and Communications Technology committee reported that although Columbia University Information Technology "has a large number of well-developed and well-defined policies that govern data management and security, many members of the Columbia University community may not realize how important these policies are," or even that they exist.

University senator Kenny Durell, CC '12 and a member of the committee, attributes that to the decentralized nature of the University, which made it important to begin creating comprehensive guidelines. "We have come up with what we think a University-wide policy should be, but implementing that is much tougher," Durell said.

The committee has recommended that CUIT take a proactive role in educating students, faculty, and administrators about creating strong passwords, guarding against hackers, and using firewalls, and recommended creating a Permanent Data Governance Committee.

The recommendations extend to how faculty and administrators handle others' data as well. The committee said that they should be made aware that Social Security numbers, student medical and financial records, driver's license numbers, and credit card numbers are among the most sensitive types of data, which should be saved on shared servers, not personal hard drives.

The senate recommendations have already made some impact. CUIT Vice President Candace Fleming said in an email that, in response, CUIT is working to "create data dictionaries of information" that explain things such as what data should be treated with what level of sensitivity.

The recommendations have not yet been implemented, although Durell believes they will be. "Thankfully, because most people involved in high-level tech at this school sit on the committee, there is a very good chance that these recommendations will come true," Durell said.

This examination of data security by the senate included discussion of a July 2010 incident in which data relating to about 6,800 intensive care unit patients in New York-Presbyterian Hospital and Columbia University Medical Center was accidentally posted online. The information—which included names, addresses, clinical data, and, in 10 cases, Social Security numbers—was indexed by Google.

Fleming said that the last security breach on the Morningside Heights campus was in January 2010, with the theft of three notebook computers containing personal information from the offices of Columbia College. But Fleming said that Columbia has started taking steps to rectify data security problems in advance of the senate recommendations, including increased physical security of offices and encryption of laptop storage drives.

According to Robert Sideli, CUMC's chief information officer and a bioinformatics professor, CUMC also took action after the July 2010 incident. The University closed the CUMC system as soon as it discovered the leak, reported the breach to the federal and state governments, informed all affected patients, and also offered fraud protection services to patients whose Social Security numbers had been released, he said.

But in a longer-term response to the data leak, CUMC has started requiring all multiuser computer systems to be registered and certified. As of May 2011, systems containing patient or staff information, or other sensitive data, go through a "rigorous certification process" which consists of "a series of questions where we interrogate the technical owner of the system," Sideli said.

"Rather than relying on someone knowing what the policy is and taking the correct action to implement it, we are actually finding and discovering all the systems we need to protect and are putting them through a certification program," he said.

That new policy is being implemented in tandem with other new security measures at CUMC, such as disabling Cubmail auto-forwarding to external email systems such as Gmail, and "private clouds" for remote data storage, Sideli said.

New and expanded security measures have recently been initiated on the Morningside campus as well. Ron Forino, CUIT's director of enterprise reporting, said that CUIT is currently working to implement a new set of applications designed to manage the University's financial data.

But one complication for data security at Morningside is that CUIT has no authority over several other school-specific computing offices on campus, including Columbia College Information Technology, and computing departments at the Law School and the School of International and Public Affairs. As Nelson Padilla, an associate technology service technician at CUIT, put it, there are "decentralized autonomous groups" focusing on information technology.

Padilla added that "sensitive information is being phased out; Social Securities are being taken out of the system and replaced with challenge questions."

For Durell, distributing information about proper security procedures is paramount. But even Durell, who's worked on coming up with recommendations, said data security isn't always the first thing on his mind.

"As a student, I don't know how often I think about what is safest for my computer. I do have a password on my computer and iPhone now, and those are minor things I can do," he said. "Beyond that, however, I think it's something that students don't think about very much. And administrators seem to be very concerned about that."
