Regulated Data at UFIT Research Computing
UF Information Technology supports research and business practices that use and interact with regulated data types via several secure systems carefully designed and routinely assessed to meet regulatory requirements and classification standards.
HiPerGator is a shared system, with many users working on open and sensitive data, as classified by the UF Data Classification Policy. Also see the UFIT Information Security Data Guide for classification help.
HiPerGator-RV is a secure enclave with enhanced security controls in place. University policy requires that work with data that is classified as CUI (Controlled Unclassified Information) or CDI (Covered Defense Information) be done on HiPerGator-RV.
Additionally, there are many projects with various forms of restricted data as defined in the policy or other regulated data. These require diverse security controls and often compliance with regulatory requirements. Each data type will have its own needs and slightly different requirements.
This section of the site describes the procedures for working with regulated data on HiPerGator and HiPerGator-RV. The procedures for the most common data types and regulations are provided; for different situations, please contact UFIT Research Computing.
HiPerGator
HiPerGator has been assessed by the HITRUST Alliance and certified to meet its security controls. Furthermore, the HITRUST CSF 11.3 controls have been mapped to the NIST SP 800-171r3 controls, and as a result of compliance with HITRUST CSF, HiPerGator has been determined to be compliant with the NIST 800-171r3 controls.
Warning
It must be emphasized that security and compliance are shared responsibilities: special steps are required by anyone working with regulated data in HiPerGator because some controls are the responsibility of the user. Groups must actively follow the policies and procedures outlined in these pages for their work and research involving regulated data to ensure compliance with relevant controls.
HiPerGator-RV
HiPerGator-RV is a secure computing environment where researchers and their collaborators can perform computations on and store restricted data as classified by UF. See the UF data classification guide for details.
The system's software middleware is tiCrypt, which is developed and maintained by Tera Insights in collaboration with the University of Florida to address the needs of researchers working with restricted data, specifically projects requiring compliance with NIST 800-171 and NIST 800-53 standards. The actual work is done inside virtual machines running Windows or Linux operating systems and applications.
For more information on HiPerGator-RV, please see the HiPerGator-RV section of the site.
Regulated Data Types and Compliance
This table lists many data types, compliance frameworks, and recommended systems. For your specific use case, please work with UFIT Research Computing.
| Data Type | Regulations | Compliance Level | System |
|---|---|---|---|
| Protected Health Information (PHI, ePHI) | HIPAA | HITRUST CSF 11.3 | HiPerGator |
| NIH Genomic Data Sharing (GDS) | NIH | NIST 800‑171r3 | HiPerGator |
| Export Controlled, Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR) | ITAR/EAR | NIST 800‑53r5, 800‑171r3, CMMCv2 level 2 | HiPerGator‑RV (in most cases) |
| As required by the sponsor (e.g., NASA) | Various | NIST 800‑171r3 | HiPerGator |
| Student records | FERPA | HITRUST CSF 11.3 | HiPerGator |
| Centers for Medicare & Medicaid Services | IS2P2 | NIST 800‑53r5, Moderate | ResShield (Limited availability) |
| Intellectual Property (IP) | Various | Various | Open a support request to discuss details |
| Data from European Union countries | GDPR | HITRUST CSF 11.3 or NIST 800‑171r3 | HiPerGator |
| Research Health Information (RHI), "Limited data sets" | Treated under HIPAA | HITRUST CSF 11.3 | HiPerGator |
For faculty from other institutions
Faculty from Florida institutions other than UF wishing to use HiPerGator with regulated data must first set up a business associate agreement (BAA) between their institution and UF. Please contact UFIT Research Computing and your institutional IT department to discuss the process. A BAA is a legal agreement between the two institutions, and faculty should expect that the process will take time to establish.
Procedure sections
Please consult the following sections for relevant procedures:
- For all regulated data projects
  - Project owner/Data manager responsibilities
  - Special Precautions
  - Regulated Data Project Requirements and Data Removal
  - Abandoned Regulated Data Projects
- For projects using HiPerGator
  - Project registration with Integrated Risk Management
  - Resource allocation on HiPerGator for regulated data groups
  - Establishing a Regulated Research Group on HiPerGator
  - Timeline for establishing projects using regulated data
- For projects using HiPerGator-RV
  - Project registration for projects with Technology Control Plans (TCPs)
  - Project registration for projects with regulated data not covered under a TCP
  - Resource allocation on HiPerGator-RV
  - Establishing a Team on HiPerGator-RV
  - Timeline for establishing projects using regulated data