Duke ITAC - March 22, 2018 Minutes
ITAC Meeting Minutes – March 22, 2018
4:00 - 4:05 – Announcements
Ken Rogerson warmly welcomed everyone as he convened the meeting.
John Board announced an upcoming faculty retirement celebration at the Law school, inviting attendees to RSVP by the end of the week.
4:05 - 4:35 – Medical Center Device Management (MDM) and Network Access Control (NAC) – Billy Willis, Chuck Kesler
What it is: Enrolling in Duke Health Mobile Device Manager (MDM) is now required for anyone connecting mobile devices to the secure Duke Health wireless network. With the growing number of mobile devices connecting to the secure Duke Health wireless network and accessing resources such as Duke Email it is more important than ever to ensure data security.
Why it’s relevant: Accessing Duke Health resources using our secure wireless network via a smart phone or tablet puts the security of critical clinical information, financial data, research, and intellectual property at risk. This presentation will highlight how mobile device management and controlling network access improve Duke Medicine’s ability to enforce basic security controls and gain the ability to wipe Duke Data from mobile devices when necessary, while leaving personal data intact.
The basic IT security requirements for systems on the Duke Health network include maintaining an inventory of systems in the Service Now CMDB (Configuration Management Database), installing security and systems management tools like BigFix and CrowdStrike Falcon (replaced Endpoint protection from Symantec), sending server logs to Splunk and regularly reviewing vulnerability scans, promptly patching all systems, and upgrading or retiring old systems in a timely manner.
Currently, the Health System has two initiatives underway to enhance their security efforts:
- Duke Mobile Device Manager (MDM)
- Network Access Control (NAC)
MDM will address regulatory HIPAA, cybersecurity requirements and maintain an inventory of approved mobile devices that can connect to the Duke Health Enterprise (DHE) network thereby preventing compromised device connections and ensuring that basic security controls (e.g. encryption) are implemented on every device. MDM provides a means to separate Duke apps and data from personal apps and data and is capable in removing Duke data/apps from a device without touching personal data/apps when individuals leave Duke and/or devices are lost or stolen.
MDM is a small management agent (AirWatch) that is installed on devices connecting to the Duke Health network to address cybersecurity risks associated with mobile devices while simplifying the management of Duke apps, such as Haiku and Canto (mobile versions of Epic Systems which is the Duke Health App). The DHE is in the midst of an extensive pilot phase, since open enrollment began in August and expects to go-live on January 5, 2019.
The MDM agent can see the list of Duke Apps installed, OS version, and the wireless network it connects to, however, configurations to see personal apps installed, location of device, aggregate phone usage stats, phone number, and carrier information, are disabled. Also, the agent will never see any content or network traffic for apps, mail messages, call detail records, text messages, photos, and web sites visited. AirWatch is using Google’s and Apple’s built-in, enterprise management hooks to manage these devices.
DHE has implemented safeguards to ensure privacy so that administrative access is limited to a small number (currently 2) of DHTS staff that are approved by the CIO and CISO. Internal audit and the ISO are periodically reviewing the system to ensure that policy settings reflect only those that have been approved. Any change to policy settings that would affect user privacy will be vetted through governance processes and communicated out to users. Inappropriate administrative access will result in sanctions and potential termination of those who violate policy.
Enrollment in MDM is required if the device is Duke-owned or Duke-subsidized, and connects to Duke’s wireless network, and if it uses Duke Health apps and Duke’s enterprise email.
A new initiative known as Network Access Control (NAC) will addresses risks associated with unknown devices connecting to the network which include devices that don’t meet security requirements. These devices will only be provided limited network access and/or may be quarantined for further investigation. NAC will also interface with the AirWatch agent used with MDM. The Health System purchased this product and started the pilot in September 2017 and is currently running in “discovery mode”. The extensive pilot phase will be used to hone policies and architecture to minimize service disruptions with an expected completion in December 2018.
Some references to learn more are as follows:
- DHTS mobile device help site:
- HHS OCR’s recent guidance on securing mobile devices:
Q1: Will this tool be extended to the university side?
A: We have not had an urgent need for it and peer institutions are looking into common and required solutions.
Q2: How do you define a device? For example, I use Chrome OS in the cloud and run Android.
A: If it’s an AirWatch managed device, we will be able to see it but there are going to be some outliers such as bio-medical devices and we are in the process of working through the details.
Q3: Will the NAC system be required?
A: It will not be required as the AirWatch agent will manage most devices.
Q4: Are you gathering statistics in AirWatch and are you able to see the negative metrics?
A: Yes, and one of the biggest problems are old phones that are not supported and cannot be patched that present the highest risk.
4:35 –5:00 – Predatory Journals and Conferences – David Hansen and Elena Feinstein
What it is: With the rise of author-pays open access publishing, academics are increasingly solicited with offers to publish or present their work for a (often substantial) fee through outlets of low or no quality. In some cases those solicitations are outright fraudulent—they obtain payment information or other sensitive financial information and would-be authors incur primarily financial and privacy loss. In other cases the solicitations are for publishing outfits that may be new, are often foreign in origin, and whose quality and truthfulness may be difficult to assess.
Why it’s relevant: Dave and Elena will talk about the risks these predatory publishers pose to authors and to the University, resources for assessing publishers (including resources within the Libraries), and how they relate to broader changes within the scholarly publishing system.
Predatory publishing, a topic resulted from one of the faculty lunch discussions, is an exploitative, and typically open-access, academic publishing business model that involves article processing charges (APCs) to authors without verifying articles for quality and legitimacy and without providing any associated services that legitimate journals provide. This practice is called "predatory" because academics are tricked into publishing with a poor quality or even fraudulent journal, and new scholars from developing countries are especially at risk.
In August 2016, the Federal Trade Commission (FTC) filed a lawsuit against the OMICS Group, iMedPub, Conference Series LLC, and the individual Srinubabu Gedela, a foreign national. In the lawsuit, the defendants are accused of "deceiving academics and researchers about the nature of its publications and hiding publication fees ranging from hundreds to thousands of dollars".
Note: While writing these minutes in October 2019, research revealed that the FTC won the above suit in a summary judgement in March 2019 and was awarded $50 million in damages and a broad injunction of OMICS practices.
According to the Canadian Association of Research Libraries guide, key things to consider when assessing a journal are:
- Check to see if Open Access journals are listed at Directory of Open Access Journals DOAJ.
- Not to trust unsolicited emails to join editorial boards or conferences.
- Check for writing and research quality, relevance to discipline, and adequate copy-editing.
- Review the journal website for a clear and appropriate scope, an editorial board of recognized experts with current contact information, a description of the peer review process, and applicable APCs or other fees.
- Check whether or not the impact metrics listed are recognized and reputable.
The following questions highlight the key institutional takeaways to prevent predatory behavior:
- Do we understand how APC fees are being paid?
- Do we have any red-flags in our financial systems?
- Do we pressure researchers into accumulating publication stats in a way that incentivizes shortcuts and bad behavior?
ThinkCheckSubmit.org is an international, cross-sector initiative to help researchers identify trusted journals through a range of tools and practical resources aimed to educate, promote integrity, and build trust in credible research and publications.
Q1: Is there a centralized location that tracks the predatory publishers?
- Beall’s list, a major effort in developing a blacklist was fully public and well used but wasn’t universally supported and was taken down in January 2017, however, there are archived versions still around. The Society for Scholarly Publishing, Cabell's International, offers both a black list and a white list for subscription on their website and is somewhat expensive. Duke does not subscribe to it.
Q2: In trying to get a sense of the problem, are people at Duke succumbing to this?
A: Some graduate students feel the pressure to publish and may not be taking the time to research these journals especially when there’s money involved.
Q3: Why aren’t unsolicited invitations from predatory journals and conferences being blocked?
A: The emails and invitations look the same as legitimate ones so it very hard to block anything but there may be things that can be done and should be researched.
Open Access is a big business and Duke alone spends an average of $3 – $5 million annually. The library is good source to vet these scams. Duke has funding for Open Access only publishing and has recently been doubled to $84k.
5:00 - 5:15 – DukeMobile App Update – Hugh Thomas
What it is: DukeMobile is a single application that brings Duke information together in one place. Features include: directory search of all faculty, staff, and students; campus map with information on places of interest including operating hours of dining venues around campus; Duke Card offices; Duke Gardens; and other locations.
Why it’s relevant: DukeMobile is the mobile app for Duke University students, faculty, and visitors. It provides access to the latest information about Duke wherever you are for iOS and Android smartphones. This presentation will highlight the recent updates to improve functionality and usability within the app.
The following are major highlights of Duke’s Mobile App Update during the first quarter of 2018:
- Since the Native version Duke Mobile was released October 2017, the supported iOS & Android versions successfully migrated from previous “Hybrid” app to “Native” app and provided functional parity with existing hybrid app. The migrated versions improved analytics such as 12K app downloads and updates reduced the app crash rate < 0.001% a month.
- A minor release update was applied in Jan 2018 that fixed minor bugs
- Major new development underway for release in Summer 2018 includes:
- Giving to Duke, an alumnus requested feature, on both iOS & Android versions, uses Apple Pay & Google Pay “One click” to donate. The donor can select specific funds and the app fully integrates with the existing gifts.duke.edu site, making giving simple and secure.
- The new look and feel Duke Mobile will also include a major User eXperience (UX) redesign for both iOS & Android native version, with a modern and intuitive app experience like a tiled Mac backdrop. The apps will retain 100% of its existing functionality but will also provide location context, advanced search capabilities, and user customizable content based on secure and persistent account login.
Q1: From the student survey perspective, are there other features/functionality or gaps that are missing from what we have today?
A: The map idea is great and others have tried to address things like restrooms etc.
Q2: Will the maps extend to inside the building?
A: Not in this release but we will be adding indoor floor plans during the summer internship program. The goal is for DTech scholars along with Apple’s help to define the requirements and build the app.
Q3: Will alumni and everyone else see the same profile going forward? Will alumni need to login?
A: The icons will be categorized by student, staff, faculty, and other and the alumni requirements will have a smaller footprint.
Q4: Is there a security issue with internal maps being available to all?
A: The app will now have a login capability and users will be able to customize their view of the app. The guest version will not be the same as a student login.
Q5: Is the parking app incorporated in this release?
A: Parking will be a separate app designed by DTech scholars during the summer internship program.
5:15 - 5:30 – Academic Media Recording and Streaming Update – Stephen Toback and Todd Stabley
What it is: Academic Media Technologies provides enterprise lecture recording (DukeCapture/Panopto) and secure media streaming (Warpwire) services to the Duke community. They recently completed an extensive user satisfaction survey with the University student population and will share the results of that survey as well as plans for the actionable items based on the survey. They are planning and have implemented some major changes to the video streaming service, Warpwire, and will discuss those changes and their impact on Duke’s mission.
Why it’s relevant: Media use by faculty, staff, and students is a critical service and Academic Media Technologies is working to stay in front of the ever changing needs of their customers and our partners in Duke’s schools and departments that provide direct support for their constituents.
The questions driving the user satisfaction survey were:
- Do students know about the service?
- How widely is it used?
- How are students using the service?
- Do students perceive this service as valuable?
- How satisfied are students with the service?
- Do students need advanced features, or are simple videos enough?
- Does recording classes mean students skip more?
- What can we do to improve the service?
- Is Panopto the right tool, or should we look for another?
There were two distributions of the survey and 259 students responded:
- 29% distributed by Duke Student Government
- 71% distributed through the Panopto Interface
Detailed results for each question, action items and sample comments are as follows:
Q1: Service Awareness
Action Items: Increase service visibility through planned communications programs with OIT Communications and schools.
- Having more knowledge of when classes are being recorded, since to my assumption, none are
- I would love it if they were recorded but as far as I am aware they have not been.
- I don't think I've had a class recorded since my freshman year, like 6 years ago. Or at least I haven't been aware.
Q2: Service Utilization
Action Items: Discuss findings with IT deans to see if their understanding of their students’ needs is accurately reflected in this survey. If so, partner with them to determine the best ways to address these needs.
- It would be nice if more (maybe even all large lectures) were recorded.
- A system in place to make sure that every class is being recorded.
- Please publicize this more and please make this available for as many classes as possible - particularly 100-and 200-level/introductory classes and lectures. Especially in STEM.
Q3: How do you use the system? Rate lecture capture use from least to most important (0-10).
Action Items: This information will help drive our decisions for future enhancements and marketing efforts for the service.
Q4: Perceived Value
Action Items: Discuss these survey results with IT deans and departments to determine if the apparent high value accorded capture by their students accurately reflects their perception of needs in those functional areas. If so, partner with IT deans to develop a strategy for addressing these needs.
The responses were:
- 69% Highly valuable
- 23% Valuable
- 8% Not valuable
Q5: Student Satisfaction
Action Items: Research methods to capture more student feedback on an ongoing basis to help improve the service.
The responses were:
- 44% Highly satisfied
- 46% Satisfied
- 10% Not satisfied
Q6: Feature Importance such as note takings and bookmarks
Action Items: Continue to survey students and staff to ensure evolving features are meeting current needs. Continue conducting semi-annual lecture capture survey where we follow industry trends and compare leading products.
Q7: Does Recording Encourage Skipping Class?
Action Items: Communicate these survey results to increase understanding of the high value of lecture recording and the relative low risk to in-person attendance.
The responses were:
- 6% Highly Likely
- 31% Maybe - if they were sick or planning a trip
- 63% Unlikely
Q8: Areas for Improvement include:
- 50% of students did not know that classes were being recorded.
- Improve audio quality that can suffer due to batteries or podium mics, or other noise interference
- Improve clarity/resolution for content
- Record more classes
- Technical issues/Reliability
- Include captioning/transcripts
- Address issues with start/end times
Q9: Is Panopto still right for Duke?
In Conclusion, Panopto is still a great tool for recording lectures and there are plan to improve this service. Also, Warpwire is being expanded for secure steaming.