PMACS Penn Medicine Academic Computing Services

PMACS Newsletter, Winter 2026

March 18, 2026

Leadership Thoughts

Across our institution, conversations with colleagues consistently point to a shared reality: the environment surrounding data security and risk management is becoming more complex, and expectations for research organizations are steadily increasing. Over the past several years, Executive Orders, federal rulemaking, and updated agency guidance have reshaped how universities must think about managing sensitive data.  

Just as importantly, the very definition of “sensitive” data is expanding. It is no longer limited to traditional categories like PHI. Increasingly, regulators are focused on broader sets of human-derived data — including genomic, biometric, geolocation, and other participant-level information — particularly when aggregated at scale. Recent Department of Justice rules restricting certain “bulk” transfers of U.S. sensitive personal data underscore this shift, applying even when data are anonymized or encrypted. In today’s environment, “de-identified” is no longer the safety net many once assumed it to be. 

At the same time, NIH policy is moving the research community beyond a compliance model centered primarily on HIPAA and PHI. In 2025, NIH implemented requirements that data from widely used repositories such as dbGaP be stored and analyzed in NIST SP 800-171–compliant environments, and draft guidance would further expand the scope of data subject to these standards. The direction is clear: human-derived data — even when not traditionally categorized as PHI — are increasingly subject to robust, lifecycle-based security expectations. Protection is no longer about a single transaction or disclosure; it extends from collection and analysis to storage, sharing, and long-term stewardship. 

Taken together, these developments reflect a meaningful evolution in how data are viewed and governed. Data are increasingly understood as a strategic institutional asset that requires coordinated, enforceable safeguards. For academic medical centers, this is about more than regulatory compliance. It is an opportunity to strengthen our collective security posture, build resilient and sustainable practices, protect research participants, and preserve public trust. By recognizing that the definition of sensitive data is expanding — and by responding proactively across both clinical and basic science settings — we position ourselves to continue advancing discovery and collaboration while upholding the values that define our research mission. 

Chris Dymek, Entity Information Officer 

Staffing Announcements

John Regan - Senior Systems Administrator

John joined us in November and brought with him 15 years of experience in systems administration and automation. John's most recent role prior to joining PMACS was with the University of Maryland, where he oversaw the University's collaboration tools, including Google Workspace, Zoom, Box, and email. John will be working with the PMACS App Dev team, maintaining and improving the infrastructure that hosts our custom applications and websites. 

FADS 2.0 Phase 2

FADS 2.0 Phase 2 Launch

The second phase of the PSOM Faculty Appointment Database System (FADS) 2.0 successfully launched on November 10, 2025. This release introduced a new Ruby on Rails–based Position History module that provides both high-level and detailed views of each PSOM faculty member’s academic history. 

Phase 2 replaces multiple components of the legacy FADS PHP application and delivers several key enhancements, including: 

  • Improved search and filtering for faster, more intuitive navigation 
  • A modernized interface that highlights essential data points 
  • Integration with Workday, Interfolio, and RTR, enabling greater operational efficiency for the Office of Academic Affairs (OAA) 

Additionally, this phase includes a suite of new and enhanced Power BI reports and dashboards, offering stakeholders insights ranging from basic faculty counts to career-trajectory analytics across cohorts. 

Future phases will continue to replace and enhance the remaining legacy FADS modules.

Updated Guidance on the Penn Medicine Third Party Risk Management (TPRM) Process

The University of Pennsylvania and Penn Medicine require third-party risk assessments when purchasing technology services and software. While the University of Pennsylvania uses the v-Star process, the Perelman School of Medicine follows the Penn Medicine Third-Party Risk Management (TPRM) process outlined below. Risk assessments performed by the Penn Medicine Cybersecurity team should be shared with university procurement during the purchasing process to address any concerns. 

What: All purchases of services or products, including cloud applications, medical devices, research equipment, non-medical devices, software, or hardware, that will store, transmit, or analyze Penn or Penn Medicine data are required to undergo the TPRM review process. After Penn Medicine Cybersecurity has completed its assessment, the resulting TPRM report must be submitted to your procurement office to attach to the purchasing documentation and to help determine any necessary next steps with the vendor. 

Examples that are considered in scope include any hosted, cloud-based, or on-premise product or service that handles moderate (confidential) or high (sensitive) data, allows vendors access to our product or networks, or involves integration with other systems. 

Examples out of scope include: 

  • A PSOM-issued computer, tablet, or cell phone that is intended for individual use. 
  • Desktop software, accessories, and utilities for individual use without a licensing agreement (winzip, etc). 
  • A request for an individual license for an application provisioned by Penn Office of Software Licensing (OSL), or Information Systems and Computing (ISC). 
  • Any product developed in-house that utilizes AWS@Penn cloud services. 
  • Any product developed in-house that utilizes Microsoft Azure through Penn Medicine.  
  • Any product that is available with a PSOM Microsoft 365 license (Outlook, Visio, etc.). 
  • Any internal services built and maintained by Penn / Penn Medicine staff (such as Penn Medicine Academic Computing Services (PMACS), High Performance Computing Cluster (HPC), Limited Computing Performance Cluster (LPC), Cluster for Biomedical Image Computing (CUBIC), and Penn Advanced Research Computing Center (PARCC)). 

Where: To begin, complete the TPRM Intake form. If you're unsure whether you need to participate in the TPRM process, try the TPRM Wizard. For questions about the TPRM process, contact tprm@pennmedicine.upenn.edu.

When: TPRM must be initiated prior to contract execution and any data transfer. Furthermore, existing vendors who have not yet completed this process may be identified and required to participate in the process. 

Why: Identifying, profiling, and rating Penn third parties by set criteria ensures compliance, protects reputation, and reduces risks from vendor security issues. 

DocuSign Now Available to PSOM Faculty and Staff

PMACS is pleased to announce that DocuSign is now available to the Perelman School of Medicine (PSOM) community through a centrally managed instance supported by PMACS. This service enables faculty and staff to securely collect electronic signatures for documents involving low and moderate-risk data, helping streamline administrative workflows, reduce paper processes, and accelerate turnaround times. View information about DocuSign access and support.

The University provides this DocuSign instance at no charge for appropriate institutional use. It may not be used to collect high-risk data, including personally identifiable patient or research subject information, Social Security numbers, criminal records, government-issued ID numbers, or disciplinary records. In addition, this instance may not be used to obtain signatures from patients or research subjects, nor for documents requiring submission to health regulatory authorities (such as the FDA) or compliance with 21 CFR Part 11. If you need to use DocuSign for patient or research subject signatures, 21 CFR Part 11–compliant workflows, or similar regulated use cases, please submit an Athena ticket (UPHS account and Intranet access required). 

All users must attest to these appropriate use requirements and agree to contact PMACS Support if they become aware of any misuse. By adhering to these guidelines, the PSOM community can take advantage of a secure, efficient electronic signature solution while maintaining compliance with institutional and regulatory standards. 

Would you give a stranger your home keys?

Sharing your credentials or falling for a phishing email is like handing your home keys to a complete stranger - putting patient data, our operations, and the entire health system at significant risk.

When you receive an email, ask yourself:

  • Do you know the sender and does the email address match the company name?  
  • Are you being asked for your password?  
  • Is there a false sense of urgency prompting you to act? 
  • Does it start with a generic greeting, or contain misspelled words or poor grammar? 
  • Does it contain a suspicious link or attachment? 
  • Do you need to ‘validate your account’ or ‘reconfirm access’ for applications you already use? 

These could be signs of a phishing email, sent by a scammer to trick you into doing something unsafe such as clicking a link, opening an attachment, or sharing sensitive information.
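The checklist above, turned into a small triage script as an added example (this is not code from the PMACS newsletter or from Penn Medicine). It scores a message against the same signs listed above: a sender domain that does not match the organization the message claims to be from, a request for a password, urgency wording, a generic greeting, a link whose visible text points at a different host than its real target, a risky attachment type, and "validate your account" language. The organization-to-domain map, the phrase lists, the `.example` domains, and both sample messages are assumptions constructed for illustration; a real deployment would draw the allowed domains and phrases from institutional data.

```python
"""Heuristic phishing triage over constructed sample messages (added example)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: organizations a message may claim to come from, mapped to the
# domain mail from them is expected to use (.example is reserved for docs).
KNOWN_ORG_DOMAINS = {"penn medicine": "pennmedicine.example", "docusign": "docusign.example"}
# Assumption: short phrase lists standing in for a tuned detection vocabulary.
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")
PASSWORD_PHRASES = ("your password", "enter your credentials", "confirm your password")
VALIDATE_PHRASES = ("validate your account", "reconfirm access", "confirm your account")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "dear account holder")
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".htm", ".html", ".iso", ".zip")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(domain, expected):
    """True when domain is expected or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def link_mismatches(html):
    """Return hrefs whose visible anchor text is a URL on a different host."""
    out = []
    for href, text in HREF_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                out.append(href)
    return out


def analyze(raw):
    """Score one RFC 822 message; returns sender domain, score and reason tags."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sdom = domain_of(addr)
    bodies, attachments, bad_links = [], [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            bodies.append(body)
            if part.get_content_type() == "text/html":
                bad_links.extend(link_mismatches(body))
    text = re.sub(r"<[^>]+>", " ", " ".join(bodies)).lower()  # tag-stripped body text
    reasons = []
    for org, expected in KNOWN_ORG_DOMAINS.items():
        if (org in display.lower() or org in text) and not same_org(sdom, expected):
            reasons.append("org-domain-mismatch")
    if any(p in text for p in PASSWORD_PHRASES):
        reasons.append("password-request")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency")
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        reasons.append("generic-greeting")
    if bad_links:
        reasons.append("link-host-mismatch")
    if any(n.lower().endswith(RISKY_ATTACHMENT_EXT) for n in attachments):
        reasons.append("risky-attachment")
    if any(p in text for p in VALIDATE_PHRASES):
        reasons.append("validate-account")
    return {"from_domain": sdom, "score": len(reasons), "reasons": reasons, "links": bad_links}


def _build(from_hdr, subject, body, html=False, attachment=None):
    """Build a constructed sample message as a raw string."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "staff@pennmedicine.example", subject
    m.set_content(body, subtype="html" if html else "plain")
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: one with every sign from the checklist, one ordinary message.
PHISH_SAMPLE = _build(
    '"Penn Medicine IT" <helpdesk@pennmed-secure.example>', "Action required",
    '<p>Dear User,</p><p>Your Penn Medicine mailbox will be suspended within 24 hours. '
    'Validate your account and confirm your password here: '
    '<a href="https://login-verify.example/auth">https://intranet.pennmedicine.example/auth</a></p>',
    html=True, attachment="statement.zip")
BENIGN_SAMPLE = _build(
    '"Jane Doe" <jane.doe@pennmedicine.example>', "FADS report",
    "Hi Tom,\n\nThe Penn Medicine FADS report you asked for is attached as a PDF.\n\nJane",
    attachment="fads_report.pdf")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(raw))
```

The score is a count of independent signs rather than a verdict: a single hit (a colleague writing "urgent") is normal, several together are what the checklist above is teaching people to notice, and the reason tags are what you would forward with the report.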

Report suspicious emails in Outlook using the Report button and selecting Report Phishing, or forward them to phishing@pennmedicine.upenn.edu.
