PMACS NewsletterWinter 2025

The new year greets us with many new changes! This winter brings us two especially important leadership updates.

Mike Restuccia, the longtime CIO of Penn Medicine, retired on February 15 after more than 16 years of service. While many CIOs last only four to five years, Mike guided the Penn Medicine Information Services organization through many changes, including digitizing the electronic health record and establishing enterprise platforms across the health system. Closer to home, Mike also oversaw the creation of Penn Medicine Academic Computing Services (PMACS) in 2012, bringing together IT staff from multiple programs to provide central IT services across the Perelman School of Medicine. Under Mike’s leadership, the PMACS organization grew from approximately 30 professional IT staff to 100 today.

This winter, it was also announced that Li-San Wang has been appointed as the inaugural Associate Dean for Computing. In his new role, Li-San and PMACS will work closely to develop and implement strategies and policies for advancing PSOM’s computing resources. Li-San has an established track record in using computational approaches for big data in genomics, working with various computational resources, including PMACS resources and cloud services, and experience with compliance requirements such as NIST 800-53. His experience and faculty partnerships will help PMACS better serve the diverse needs of PSOM faculty, staff, and trainees.

We wish Mike well in his retirement and welcome Li-San to his new role.

Jennifer Linnell was promoted to the position of Lead Application Analyst on the Laboratory Information Management Systems (LIMS) team at Penn Medicine. Jennifer began working on the LIMS team in 2017. During this time, Jennifer has maintained relationships with key clients, colleagues, and stakeholders while successfully delivering on complex projects. She has been instrumental in implementing the LIMS platform in more than fifty projects across the School of Medicine and HUP, including crucial groups such as the Center for Cellular Immunology, the Gene Therapy Program, the Genetic Diagnostic Lab, and Investigational Drug Service, and the Penn Medicine Biobank. Jennifer is always up for a challenge and positively impacts and encourages others within her team and in collaborating groups. Jennifer actively commits to improving her leadership knowledge through stretch assignments and through continuing her professional development as an MBA candidate at the LeBow College of Business. Congratulations to Jen on the promotion!

PMACS Client Services Group is happy to announce the promotion of two Senior IT Support Technicians to IT Support Supervisor roles. Charles Miles and Raj Choksi have been promoted from Senior IT Support Specialists. Raj will work primarily out of the Market corridor. With over 10 years of experience in IT support, Raj has been a Senior IT Support Technician with Penn Medicine since 2022. Charles will work primarily out of the Smilow building. He brings almost 20 years of IT support experience and has been with Penn Medicine since 2016. Both Raj and Charles have earned the respect of their colleagues and the support base through their dedication, exceptional contributions, and leadership. We are confident that they will continue to excel in their new roles and contribute to the ongoing success of our IT team. Congratulations to both Raj and Charles on their promotions!

With Ginny Barry's retirement in November, Greg Barendt and Wally Wormley have taken on new roles within Software Development. Wally, in his new role as the Director of the Abramson Cancer Center’s One Cancer Research Data Technology team (covered in the Fall 2024 PMACS newsletter), will continue to lead the team supporting the ACC's software development portfolio. Greg has taken on leadership of the other custom software development teams. Greg has been with the University of Pennsylvania since 2006. As a PMACS Software Architect since 2012, Greg has helped guide the PMACS custom app architecture and helped build applications like CAMS, PilotGrants, and PennOpen Pass.

The Software Development team gained two new hires in November. Mike Capelli joined as a Product Owner supporting the Abramson Cancer Center and Tristan Smith was hired as a developer who will primarily support the Office of Academic Affairs. Welcome, Mike and Tristan!

The Office of the Vice Provost for Research (OVPR) and the Perelman School of Medicine have recognized the need to provide the research community with solutions that meet the proposed NIH GDS Policy requiring NIST 800-171 compliance. Currently, the in-scope NIH repositories have not implemented the NIST 800-171 attestation for new requests and renewals. However, this may change at any time, and data requestors should continue to monitor their requests for implementation of the new security requirements.

PSOM and OVPR continue to prepare for future NIST 800-171 compliance. Because compliance requires significant investment and associated operational changes, not all environments will be brought into compliance at this time. Because these environments may incur higher costs, we strongly advise anyone considering using data from these repositories in any new grant proposals to work with a PMACS Service Information Officer (SIO) to develop a budget with sufficient technology funding.

As a reminder, PSOM and OVPR are focused on making the following options available when NIST 800-171 compliance is required:

• OVPR and ISC are creating a secure data enclave in Amazon Web Services. This environment is expected to be available in late February / March.
• PSOM is evaluating options to bring the High-Performance Compute (HPC) cluster into NIST 800-171 compliance. The timeframe for the initial work is expected to be completed by mid-2025.
• The new PARCC research cluster, currently in development, expects to offer NIST 800-171 compliance by the end of 2025.
• Penn Medicine’s Azure environment is under consideration for NIST 800-171 compliance, but no timeline has yet been developed.

As always, don't hesitate to contact an SIO for the most current information.

One of the most important steps for protecting data is to ensure devices are patched or updated promptly. Various hacking groups, including government and non-government organizations, constantly monitor for new vulnerabilities and leverage those vulnerabilities to gain access to systems.

Recognizing those threats, current University and Penn Medicine policies require all Penn-owned computers connected to networks, including the Internet, to be patched within 30 days. To improve PSOM’s security posture, PMACS is updating our current patching process.

This Spring, PMACS expects to deploy the first of several changes to improve compliance with our patching policy. With this change, all Mac devices running Monterrey (Mac OS X 12) and higher will receive a notification when Apple releases a new patch that their computer is eligible to receive. Each user can choose to defer the patch for up to 30 days. If, after 30 days, the computer is not updated, you will continue to receive a message asking you to update your computer until the update is successfully installed.

More information about Mac OS patching can be found on the PMACS website.

The Penn Medicine Biobank (PMBB) consent process enables patients to voluntarily contribute blood and tissue specimens for future research endeavors. In recent years, PMBB has collaborated with various teams within Penn Medicine to integrate the consent and blood sampling procedures into PennChart and LabVantage LIMS. Two notable projects have recently expanded these capabilities.

The Pathology Department's Tumor and Tissue Bank (TTAB) has collected tissue samples under PMBB consent for many years and these samples were cataloged and managed through an independent software system. Over the past several months, the LIMS team has worked closely with TTAB to facilitate the collection of tissue specimens within LabVantage under PMBB consent, developing a process similar to that for blood samples but focused on tissues. A workflow was implemented in collaboration with TTAB for logging these samples and tracking their long-term storage locations. An advantage of this integration is that researchers can easily identify participants who have provided both blood and tissue samples. This initiative was brought to a successful conclusion in February thanks to the efforts of both groups in developing and validating new workflows.

The PMBB team also joined forces with PMACS Enterprise Research Applications and our Lancaster-based colleagues to broaden the reach of PMBB consenting and sample collection geographically. This is an important extension as it adds people with different backgrounds into the collection of research samples so that researchers can draw upon a larger data set to better understand any disease being studied. This PMO-led project involved implementing the consent procedures previously built in PennChart within LGH’s eHealth and MyChart platforms. Teams from both entities worked together to exchange configurations and tailor them for LGH’s systems. The outcome allows patient consenting through MyChart across various LGH locations, cross-referencing consents with PennChart, coordinating blood draws, transporting tubes back to the PMBB laboratory in Philadelphia, and integrating those samples into LabVantage LIMS along with other PMBB collections. Collaborative efforts from LGH eHealth, Lab IS, clinical staff, the PMO, PennDnA, and PMACS Research Information Systems were integral to this project's success. The next step in the process will expand collections from the pilot sites to Lancaster sites.

The PSOM Faculty Appointment Database System 2.0 launched the first phase of an ongoing project to replace the legacy FADS application. The initial phase delivered new user interfaces to replace the existing application's Faculty Information and Payroll sections while moving towards a single, authoritative source for personal information.

Additionally, the introduction of Power BI reporting laid the groundwork for enhanced reporting capabilities on faculty data that will continue to be built out in subsequent phases. Developed on the Ruby on Rails platform, later phases will incorporate Faculty Position History and continue decommissioning portions of the legacy pHp code base.

Zoombombing occurs when someone disrupts a video conference by sharing inappropriate content. It's often carried out by internet trolls or hackers.

How does zoombombing happen?

• Someone joins a meeting using the meeting ID or join link
• They share unwanted content using their video, audio, or screen sharing
• The content can be lewd, obscene, racist, anti-semitic, or pornographic

Fortunately, Zoom makes several features available to reduce the risk of zoombombing. To avoid being being the victim of zoombombing, you can enable security features, such as those below:

• Meeting password/passcode
• Waiting room
• Meeting registration
• Authenticated users can join meetings

You should also avoid using your Personal Meeting ID (PMI) for group and public meetings.

If you are hosting a large public event, you may want to consider using the Zoom webinar platform. Zoom webinars only allow specific individuals to present content and are available for an extra fee. Please submit a ticket or contact your LSP for more information.

Protecting Sensitive Systems and Data

Bad actors are using advanced social engineering techniques, including Microsoft Teams and malicious QR codes, to access sensitive systems and data.

Key Points:

• Attackers pose as service desk personnel on Microsoft Teams.
• They send QR codes that download malicious software.
• This malicious software infiltrates networks, steals credentials, and deploys ransomware.

Action Items:

• Look out for social engineering tactics.
• Never scan a QR code from an unfamiliar source.
• Be extremely wary if a QR code takes you to a website that asks for personal information, login credentials or payment.

For more information, see Black Basta Group Using QR Codes in MSFT Teams Chats for Initial Access.