Procedures for Regulated Data on HiPerGator and HiPerGator-RV
HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines: https://it.ufl.edu/it-policies/information-security/related-standards-and-documents/data-classification-guidelines/
HiPerGator-RV is a secure enclave with a higher level of security controls active. University policy requires that work with data classified as CUI (Controlled Unclassified Information) or CDI (Covered Defense Information) be done on HiPerGator-RV.
Additionally, there are many projects with various forms of restricted or regulated data as defined here https://policy.ufl.edu/policy/data-classification-policy/. These require diverse security controls and often compliance with regulatory requirements. Each data type will have its own needs and slightly different requirements. This page describes the procedures for working with regulated data on HiPerGator and HiPerGator-RV. The procedures for the most common data types and regulations are provided; for different situations, please contact UFIT Research Computing.
Regulated Research Data Types and Compliance
HiPerGator has been assessed by the HITRUST Alliance and certified to meet its security controls. Furthermore, the HITRUST CSF 11.3 controls have been mapped to the NIST SP 800-171r3 controls, and because of compliance with HITRUST CSF, HiPerGator has been determined to be compliant with the NIST 800-171r3 controls.
It must be emphasized that security and compliance are a shared responsibility: special steps are required by anyone working with regulated data in HiPerGator because some controls are the responsibility of the user. Groups must actively follow the policies and procedures outlined below for their work and research with regulated data to be compliant with all the controls.

| Data Type | Regulations | Compliance Level | System |
| --- | --- | --- | --- |
| Protected Health Information (PHI, ePHI) | HIPAA | HITRUST CSF 11.3 | HiPerGator |
| NIH Genomic Data Sharing (GDS) | NIH | NIST 800-171-r3 | HiPerGator |
| Export Controlled, Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR) | ITAR/EAR | NIST 800-53r5, 800-171r3, CMMCv2 level 2 | HiPerGator-RV in most cases |
| As required by the sponsor (e.g., NASA) | Various | NIST 800-171r3 | HiPerGator |
| Student records | FERPA | HITRUST CSF 11.3 | HiPerGator |
| Centers for Medicare & Medicaid Services | IS2P2 | NIST 800-53r5 Moderate | ResShield (Limited availability) |
| Intellectual Property (IP) | Various | Various | Open a support request to discuss details. |
| Data from European Union countries | GDPR | HITRUST CSF 11.3 or NIST 800-171r3 | HiPerGator |
| Research Health Information (RHI), “Limited data sets” | Treated under HIPAA | HITRUST CSF 11.3 | HiPerGator |

Project Owner/Data Manager Responsibilities
UFIT Research Computing as the operator of the HiPerGator and HiPerGator-RV services is responsible for the vast majority of the security and compliance controls, but compliance and security are a shared responsibility, and some responsibilities, with accountability, fall on the Principal Investigator (PI) or the designated data manager of the approved project involving regulated data and the authorized members of the project team.
- Record and maintain the signed Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
- For each regulated project, a support ticket will be created quarterly listing users associated with the project.
- PIs will need to reply to that ticket after verifying that each user should continue to have access and that training is up-to-date for all users.
- Failure to reply to the ticket within three weeks will result in access to the storage being limited. After a month, the project will be put on hold until deficiencies are addressed.
- The list of authorized participants is maintained in the following systems:
  - For projects involving PHI research, the IRB.
  - For projects involving operational work with PHI, the UFHealth risk assessment record.
  - For ITAR/EAR projects, the technology control plan (TCP), maintained in UF RISC’s Export Mitigation Database.
  - For FERPA projects, the UFIT risk assessment system.
  - For NIH dbGAP data, the NIH GDS Data Use Agreement (DUA) and Data Access Application from the PI should be attached to the UFIT risk assessment.
- Keep a record of when users complete training and ensure that training is renewed annually. Training examples include:
  - HIPAA training (PHI)
  - FERPA training (FERPA)
  - Export control training (Export controlled data)
  - Protecting UF: Information Security Training
- Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the regulated data project can be removed.
- If the regulated data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.
- The users and their supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator or HiPerGator-RV follow UF standards:
  - All persistent storage within mobile computing devices will be encrypted (see: https://policy.ufl.edu/policy/mobile-computing-and-storage-devices-policy/).
  - Computer and mobile device screens should lock automatically after no more than 15 minutes of inactivity.
  - Users will also be instructed not to access the HiPerGator or HiPerGator-RV system and their regulated data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.
  - If transferring files via Globus (if permitted for the data type), it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.
  - These standards also apply to users who telework when approved. Note that most projects with TCPs do not allow work off-campus.
Special Precautions
If there are special precautions that apply to a project and are called out in the risk assessment, then such actions and requirements will be added to the security responsibilities of the PI, data manager, and users as documented in Archer and will become part of regular review, vulnerability scanning, and/or risk reassessments, depending on the level of risk assessed for the set of special precautions.
Regulated Data Project Retirement and Removal
All regulated data projects on HiPerGator and HiPerGator-RV are required to have a data management plan filed with the security risk assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all regulated data projects will have the following retirement conditions:
- Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator or HiPerGator-RV ecosystem. This includes, but is not limited to, all regulated data.
- Once removed, the data manager will contact UFIT Research Computing support and open a request to have the top-level project folders or the HiPerGator-RV team removed.
- The UFIT Research Computing staff will then remove all designated project folders/teams and record the project closure date in the support request and any appropriate internal systems.
Abandoned Restricted Data Projects
If the storage investments for a specific regulated data project expire and no new investments are made, then the regulated data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. The standard UFIT-RC Data Removal policies will be followed.
Project Registration with Integrated Risk Management
Any project with regulated data must be registered by entering a request in UF’s Integrated Risk Management (IRM) system. This will record details of the project to meet part of the documentation controls:
- The data owner, usually the principal investigator or the designated data manager for the project.
- The type and size of data involved
- Additional approvals, depending on the nature of the work:
  - For research projects with PHI or Limited Data Sets: Provide the Institutional Review Board (IRB) record number.
  - For healthcare operational work, such as care quality assessments: Provide the UFHealth Risk Assessment record number.
  - For work with NIH GDS data: Provide the UF Office of Research UFIRST Agreement number (of the form AGR000XXXXX, found in the top right of the UFIRST Agreement).
    - Many use cases involving GDS data will also have an IRB. In that case, both the IRB number and the UFIRST Agreement number need to be supplied.
    - If a DUA is in place for multiple IRB projects, the GDS data will be stored separately from the IRB project data so that DUA-authorized people do not gain unauthorized access to IRB data without explicit authorization in the IRB approval.
  - For other sponsors requiring NIST 800-171 (e.g., NASA): Provide the UF Office of Research UFIRST Agreement number (starting with AGR, found in the top right of the UFIRST Agreement).
  - For FERPA (student records): The IRM alone will be used.
The risk assessment by the UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.
To ensure a streamlined review, please make sure to select:
- For HiPerGator, in the “Usage Purpose” section of the assessment form, select “Regulated data on HiPerGator”.
- For Export Controlled and CUI projects, in the Data Usage section, select “Export Controlled (ITAR, EAR)”.
Required Documents
- A Participant Registration and Agreement, one copy signed by each participant, needs to be uploaded into the IRM system. The document content is described below. The Word document Participant Registration and Agreement can be downloaded to add to the IRM record. The link is also available within the IRM system.
- A data flow diagram: The Data Flow Diagram Template can be downloaded, edited if necessary, and added to the IRM record. The link is also available within the IRM system.
- A data management plan submitted as part of the risk assessment will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.
A service core can be authorized to process data for approved projects. In that case, the core submits the IRM request and includes the authorization for the core to operate and the list of staff who work in the core to replace individual project IRB approval and the list of project participants.
Project Registration for Projects with Technology Control Plans (TCPs)
The majority of CUI handled at the university is information that is covered by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations).
Each ITAR/EAR project will be authorized by UF Research with the details spelled out in the TCP (Technology Control Plan). The TCP lists the resources the project will use, which include HiPerGator-RV and possibly other equipment in labs. It will also list all participants, who will be required to sign the TCP, indicating that they are aware of the requirements for training and safeguarding data during the lifetime of the project.
Other projects may require compliance with CUI safeguarding, and as such, will have to work inside HiPerGator-RV.
A project is registered by UF Research, which will create a TCP for the project as required.
A data management plan that is part of the TCP will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.
Participant registration and agreement
The members of the project group will then sign the TCP, which specifies:
- They understand their role in the project.
- All participants will take the following training in myTraining:
  - “Export Controls: The Basics” (UF_RSH613_OLT)
  - “Export Controls: UF Project Personnel” (UF_RSH633_OLT)
- The project administrators will also take:
  - “Export Controls: UF Administrators” (UF_RSH623_OLT)
- They will take HiPerGator-RV training.
See Export Control Training for more details.
Resource Allocation on HiPerGator
A project-specific HiPerGator group will be created to provide access to the data. Only those listed in the additional approval documents above and who have submitted Participant Registration and Agreement forms can be added to the group.
PIs will need to make investments in the storage space needed for the project. While NCU and GPU allocations can be shared across regulated and non-regulated groups, storage must be allocated to each project individually.
Data will be stored in directories in Blue/Orange/Red filesystems that are not exported by the SMB service to limit opportunities for unauthorized distribution of regulated data.
Establishing a Regulated Research Group on HiPerGator
Once the IRM process has been completed, the PI should open a UFIT Research Computing Support Request with the following information:
- PI Name:
- If applicable, Data Custodian name:
- Project Name (and suggested short version for a group name)
- Risk Assessment Project Number
  - When a request on the risk management site is opened, a Request Number will be sent.
  - The Risk Management team will then create a Categorization number, and then create a Project Number. That Project Number is what is needed.
  - Please do not open your request with UFIT Research Computing for a HiPerGator PHI Group until you have that Project Number.
  - A HiPerGator Regulated Research Group cannot be created until that Risk Assessment Project has been marked as 'complete' by the Risk Assessment team.
- Authorization source, one of the following:
  - IRB #
  - UFHealth risk assessment number
  - GDS DUA number UFIRST AGR000XXXXX
  - GDPR agreement number UFIRST AGR000XXXXX
- Specific staff to add to the group (must be listed on the authorization source above, and must have the signed Participant Registrations and Agreement form entered in the IRM request).
- Amount of Orange/Blue/Red storage to allocate from new or existing purchase
Resource Allocation on HiPerGator-RV
Each PI or lead personnel in HiPerGator-RV will have one (or possibly more) teams in the system. Only those listed on the TCP or appropriate approval documents can be added to the Team.
PIs will need to make investments in the storage space and compute needs (CPUs, memory, GPUs) needed for the team’s project(s). Resources cannot be shared among teams, but can be allocated among projects.
Within the team, it is the PI's responsibility to manage project and/or group membership and permissions. UFIT Research Computing cannot add users to projects or groups within the system.
Establishing a Team on HiPerGator-RV
Once a TCP has indicated that the work will include HiPerGator-RV, PIs should work with UFIT Research Computing to establish a team in the system. The PI should open a UFIT Research Computing Support Request with the following information:
- PI Name:
- Project Name:
- TCP number:
- General description of the work to be completed in HiPerGator-RV, including the software, operating system and compute resources needed.
Prior to getting access to HiPerGator-RV, an investment in resources and training of staff will be needed.
Timeline on HiPerGator
The procedure to set up the use of HiPerGator with regulated data involves several steps that each take time. It is important to consider this when planning a project.
- Get the IRB approval, UFHealth Risk Assessment, or signed DUA. See the details above for which one is needed in which case. This can take several weeks, sometimes months.
- UFIT Risk request:
  - If you have all the information ready, this takes a few days to a week.
  - You need an IRB number, UFHealth Risk Assessment number, or a signed GDS DUA with the Office of Research record number.
  - You need all participants to submit the signed participant registration and agreement form.
  - You need a data flow diagram.
- Make sure the team takes the required training and signs the agreement listed above. This can take a week to several weeks if people do not respond quickly to requests from the principal investigator.
- HiPerGator storage (and optionally, compute) resources are purchased or requested to be re-allocated from another investment.
- HiPerGator group creation cannot start until all of the above are in place. Once in place, groups are generally created in 3-4 business days.
Timeline for HiPerGator-RV
The procedure to set up the use of HiPerGator-RV with regulated data involves several steps that each take time. It is important to consider this when planning a project.
- TCP review by the Office of Research. This can take several weeks, sometimes months.
- Make sure the team takes the required training and signs the agreement listed above. This can take a week to several weeks if people do not respond quickly to requests from the principal investigator.
- HiPerGator-RV storage and compute resources are purchased.
- Virtual Machine image creation can take longer if specialized software is needed.