HCL’s University of California deal raises security issues
The IT employees say workers in India will have access to University of California at San Francisco medical and financial information as well as to files with research and study data.
Data security is a simmering issue in offshore outsourcing. The offshore workers who staff help desks and call centers and manage systems are accessing data in the U.S. The University of California IT employees, who will soon lose their jobs to overseas workers, are trying to point this out.
The IT employees say workers in India will have access to UCSF medical and financial information as well as to files with research and study data. The data will reside on hardware based in the U.S.
They believe the university has an obligation to disclose its plans to the broader university community and give researchers, in particular, options about who can access this data.
The employees are fighting for their jobs and are trying to get the university to reverse course.
The public university hired HCL, a major India-based IT services firm, to manage infrastructure operations. As part of this shift, about 50 IT workers and another 30 contractors are facing layoffs, according to the university, but the employees are using a higher number. The contract can be used by other University of California institutions if they decide to take a similar path.
“Exactly how will this contract save UCSF money?” wrote an IT employee in a letter to U.S. Sen. Dianne Feinstein (D-Calif.). “How will this contract benefit the state of California if we move 97 individuals from the group of ‘California taxpayers’ to the group of ‘California unemployment recipients?’”
This question has been debated in a number of states, some of which took steps to block what the University of California is now doing.
In 2004, Missouri’s governor at the time — Bob Holden, a Democrat — concluded that “international outsourcing could aggravate unemployment and workforce dislocation of Missouri and United States residents,” and limited offshoring to a “unique” good or service that can’t be provided domestically. This executive order, which continues to be in force today, also pointed out that offshoring “could provide fewer privacy protections for state residents whose personal information may, in the course of service delivery, be transmitted to locations outside the United States.”
Ohio Gov. John Kasich, a Republican, in 2011, approved an executive order barring the use of public funds “to purchase services which will be provided outside the United States.” Kasich’s executive order was similar to the one his predecessor, Gov. Ted Strickland, a Democrat, had issued in 2010.
New Jersey has a similar offshoring rule by law, adopted in 2004, according to a report from the U.S. Department of Health and Human Services Inspector General on Medicaid outsourcing by state.
But most states, including California, don’t appear to have restrictions on public sector offshore outsourcing.
Sara Blackwell, a Florida attorney who is representing Disney workers in lawsuits filed over their layoff, is fighting the use of H-1B visa workers, but believes security concerns can be used to fight layoffs.
U.S. firms argue that vendors are bound by contracts to protect data, but “it really doesn’t protect the actual American people if it’s just a contract between two companies,” says Blackwell.
Allowing offshore access to data is not only a risk to data privacy and security, says Blackwell, “it’s also the reason why a lot of our jobs can be offshored.” She is trying to interest lawmakers in drafting legislation protecting personal information from overseas access.
In the letter to Feinstein, the IT employee wrote in part: “The HCL workers who will be stationed in India have FULL access to not only UCSF medical and financial information, at the system and database level, but file shares that contain research and study data. Good luck to UC if the research for a cure for a major disease is stolen. If we are doing this in the interest of security, why are we allowing access to our systems from one of the least secure countries? Furthermore there has been little communication to the UCSF population that access to systems that contain their personal information is going to be accessed by workers in India.
“Staff, students and patients probably have no recourse, but certainly the researchers who UC holds in great esteem should at least be given the courtesy to be notified and the opportunity to move their data to an onshore location where intellectual property laws exist and are upheld.” A separate UCSF IT employee interviewed raised very similar concerns. They asked that their names not be used because they are still employed.
This was the second note sent to Feinstein. The senator’s staff initially responded to the IT employee’s concerns with a form letter, but subsequently sought more information from the employee after Computerworld asked questions about the initial response. A Feinstein aide described their initial response as a mistake.
Told of employee concerns about IT security, UCSF officials responded with this email statement:
“Security and privacy have been integral to UCSF’s outsourcing from the beginning. All UCSF data will remain in the United States in this delivery model. HCL staff assigned to the UCSF account will only have access to data via a virtual desktop over a private encrypted network. This will ensure that all UCSF data stays in the United States. HCL has a secure, modern facility and employs technical, procedural and audit controls to prevent its workers from saving, copying or recording data. This delivery model will provide increased security for administration of UCSF information systems.”
While the issues raised are in the context of the HCL agreement, the concerns can be applied to almost any offshore contract by any outsourcing firm.
Generally, IT security experts say that the data risks are as great in the U.S. as they are overseas. “If data is connected to the Internet it is already accessible by anyone, anywhere in the world,” said Jim Christy, VP of investigations and digital forensics at security firm Cymmetria.
Laws and protections vary, and the UCSF letter to Feinstein points out the U.S. government’s own concerns about India detailed in the U.S. Trade Representative’s annual report on intellectual property protections.
Some IT security experts saw merit in the argument that the university should alert researchers, in particular, about where the data will be accessed from.
Nathan Wenzler, principal security architect at AsTech Consulting, said researchers should be informed about security — “that should happen regardless.” Researchers should know how the university is protecting and storing data, he said.
What is clear is that the data UCSF has in its care is sensitive.
Electronic health records sell at a premium in the criminal world when compared to a consumer’s Social Security number or credit card, said Darren Hayes, an assistant professor and director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems in New York. When hospitals admit star athletes, for instance, they may see a spike in hacking efforts. “It’s very, very valuable” information, he said.