By Audrie Ramirez, Information Security Intern, UCOP. Ann Chang, chief compliance security officer for UCLA Health Sciences, began working with computers at UCLA while completing her undergraduate degree in mathematics. The School of Medicine owned a mini computer that no one was familiar with yet, and Chang became an expert at using it for her numerical analysis homework assignments. After graduation, she accepted a full-time programmer position and from there, her career in information technology developed.
Subsequent roles in database administration, networking, and server support gave her a strong foundation for ultimately becoming a departmental IT director. She grew interested in information security when learning how to protect her own systems and became active in security-focused workgroups. While serving on the HIPAA committee, she applied for and accepted a position as information security officer.
She designs and implements the information security compliance program, which addresses policies, auditing, monitoring, awareness training, incident response and prevention. She particularly enjoys opportunities to consult on implementing security for cutting-edge clinical and research projects, such as mobile apps that use sensors to measure activity, blood pressure, and weight to keep patients and their physicians aware of their health status. Not only is information security crucial for projects involving confidential information, but so is the implementation approach. After all, projects near completion can be delayed if it turns out that security measures were not addressed. “It’s always exciting when groups understand the importance of security and compliance, and consult with us early on,” Chang said.
Working with medical application, equipment, and services vendors can be an eye opener for her, she said. For example, vendors often claim they are HIPAA compliant, but then turn out not to be. Medical device security still has a long way to go, and the thought of possible vulnerabilities keeps Chang awake at night. She also sees continuing challenges for IT security as cyber criminals’ techniques become more advanced and as attacks spread more widely across the Internet of Things.
Her first rule is for everyone to be wary of emails with links and/or attachments. The most dangerous phishing scams are those that appear to come from a trusted source. If you have doubts about an email, do not hesitate to pick up the phone and verify it with the sender.