Today researchers utilize online platforms, connected devices, and AI-based solutions which can conduct much of the fieldwork while simultaneously collecting and organizing data into accessible formats. The security of all technologies must be considered, evaluated, and documented in order to protect study participants, datasets, and the research organization from unintended exposure and use.
An IT asset is anything that connects to the CNE computer network or is managed by CNE IT, or any electronic platform or service that may house, shepherd, or otherwise be leveraged while working with CNE data. This includes but is not limited to computer desktops, laptops, CNE-owned smartphones, CNE-owned tablets, servers, and IoT (Internet of Things) devices. Medical devices with an interface to or through the CNE network may fall into this category. Software installed on CNE devices also falls into this category.
An endpoint is a computing device that communicates back and forth with a network to which it is connected. Examples are computer desktops, laptops, smartphones, tablets, servers, and IoT devices.
The Information Security Team (InfoSec) is responsible for safeguarding Care New England’s computer network from external and internal threats and bad actors. InfoSec manages our firewall rules and anti-virus/eThreat software at the endpoint level. InfoSec evaluates external vendors and their subsequent platforms for security maturity and best practice before allowing them into our environment. We must understand the potential risk to the organization and to individual confidentiality that may stem from the use of an IT asset.
The Information Services Project Approval Committee is a governance board of several IT individuals who evaluate new IT assets and projects to determine the need for and level of effort to implement and manage them.
The Security Exception Form is an online form used to request the use of an IT asset which falls outside of currently approved assets. This form is to be completed by the requesting end-user and submitted to Information Security for a decision.
ServiceNow is CNE’s IT Service Management Platform. Through ServiceNow we can request virtually all of our IT needs. A request through ServiceNow automatically generates a record number that can be tracked. We prefer ServiceNow for 95% of inquiries made to the I.S. department as requests made via email can become easily lost in the system.
Common request types available through ServiceNow:
- General Help Request: make a general, non-specific request.
- Provisioning for various CNE systems.
- Requests for Zoom and Zoom Plus accounts.
- Request device relocation.
- Report a missing email. This may include blocked, held, or rejected messages.
- Box.com: a HIPAA-compliant cloud-based storage platform.
- Security Exception Form: used to request and document an exception to published Information Security Policies, Standards, or general security best practices.
- Desktop computing requests: request various items related to desktop computing. Note: A request made does not guarantee fulfillment of said request. Grant-related purchases must be made through the grant.
- Vendor Assessment: use to submit a request for a Vendor Assessment. This must be done for new vendors and their subsequent IT platforms.
- Blocked website: use this to report an external website that is not accessible but is needed. Note: Websites are blocked based upon category and potentially threatening content at a system level. Therefore the website you are seeking may not have been blocked intentionally.
Before initiating any new project, stop to think whether any of the 18 HIPAA identifiers will be collected, stored, or pass through a third-party entity. If so, you should work in partnership with IS to answer the questions below for the types of devices or systems you will be using.
The following questions and guidelines must be considered before deploying mobile devices such as smartphones, iPads, tablets, wearable devices, or any IoT device for any study-related activities.
Engaging with IS is necessary to a) determine the level of risk an IT asset may present to the organization, b) establish expectations of support both internally and externally for the IT asset, and c) document the request/need for the asset along with its expected function and benefit to the organization.
Care New England Information Services must be consulted before any IT asset is introduced into the organization. Even if the IT asset is not expected to connect to the network but is still expected to be used during business or research, CNE Information Services must be consulted. The vetting processes of other organizations, or even of established partners, are not sufficient for the introduction of an IT asset into Care New England.
Before engaging with any vendor or consultant you should request Sanction Screening from Compliance Services.
Titles approved for use at Care New England are subject to licensing policies of both CNE (as a non-profit healthcare organization) and the vendor. Software that is personally owned or licensed to another organization is not allowed to be installed on CNE devices. Questions regarding non-standard software titles should be routed to the Academic and Research IT Site Manager.
Vendors are approved on a case-by-case basis. A vendor being approved on the basis of a particular title or platform is not a blanket approval for all of the vendor's technologies. In addition to vendors being approved by CNE I.S., a Business Associate Agreement (BAA) may be required by the Compliance department.
All computer hardware must be purchased and/or approved for purchase by the CNE I.S. Site Management.
CNE I.S. has relationships with strategic partners and works with them to standardize upon known compatible technology and devices. Requests for new hardware can be made through ServiceNow, our IT service management platform.
Researchers are advised to reach out to IT Site Management as early as possible to begin discussion of a potentially new IT asset. The evaluation process can take some time and is in part dependent on the responsiveness of the external vendor of the IT asset. It is best to consult the IT Site Manager at the onset of consideration or evaluation when planning your research project. Your IT Site Manager is a consultative resource to the research community.
Desktop software is a computer program that requires a computer operating system to execute or operate. This includes but is not limited to office applications such as Microsoft Word, web browsers, text editors, programming IDEs, runtime engines, and utilities.
Examples of desktop software purchases include:
When seeking to purchase or use software new to our environment, there are a few steps to take and questions to ask.
1. Open a General Help Request and assign it to the SN AG – Academic and Research team. Please include the following information if known:
2. Once this form is submitted, the IT Site Management team will evaluate the request. It is most likely that the Site Manager will request to meet with you to discuss next steps. A subsequent task may be assigned to Desktop Engineering, InfoSec, and Corporate Compliance for their input and feedback.
3. If approved, and if necessary, in the case of purchased and subscription-based software titles, you and your IT Site Manager should speak with a vendor representative to discuss any terms of contract/agreement or at the very least review a quote before moving forward with a purchase and installation.
If any PII/PHI is even remotely expected to pass through the software or system, a BAA from the Compliance Office will likely be required before CNE can sign any agreements or make a purchase. The exception to this may be applications which do not require Internet connectivity to operate.
Regarding free and open-source software (FOSS), the same General Help Request should be submitted. However, the evaluation process may be different. FOSS often does not enjoy the same vendor/developer support, and therefore we may not be able to evaluate it in the same fashion. Many of the questions we would have asked a vendor can only be answered during an internal evaluation. In these cases, a small test group of individuals may be established and documented in a Security Exception Form.
Examples of platforms or systems include:
The process of evaluating new platforms or systems can be more in-depth and therefore requires more scrutiny. The process starts with a General Help Request through ServiceNow assigned to the SN AG – Academic and Research team, answering the same questions as listed above. Platforms and systems generally require more support as they may need:
Your IT Site Manager will contact you to set up a meeting and will likely direct you to complete an IPAC Concept Form. This form (currently in MS Word format) is submitted by your IT Site Manager via email to the IPAC governance board. The board meets bi-weekly to review and evaluate submitted concept forms. You will be required to attend this virtual meeting with your IT Site Manager serving as sponsor. The committee may approve or deny the request during this meeting, determine that more information is needed, or approve provisionally pending the availability of internal resources. If an existing system in use by Care New England supports most of the functionality of your requested system, it may be determined that the existing system is the one to use.
If any PII/PHI is even remotely expected to pass through the platform or system, a BAA from Corporate Compliance will be required before we can sign any agreements or make a purchase.
When seeking new or replacement hardware, start with a Request PC for Terminal Hardware in ServiceNow. If you are requesting a non-standard hardware asset, the IT Site Manager will contact you for further discussion. You can expedite the process by answering the following questions in the free text field of your request:
If any PII/PHI is even remotely expected to pass through the hardware or system, a BAA from the Compliance Office will be required before we can sign any agreements or make a purchase.
CNE's I.S. department leverages a project governance board to evaluate projects with an IT component. In the case of research this could include:
The requestor, along with the IT Site Manager, will fill out an IPAC Concept form. This form details the project, its impact to the organization, any risks in implementing or not implementing, and the initial and operating costs. The form is submitted to the IPAC chair (Project Management Office Director) and scheduled for review by the committee. The requestor may be asked to attend the meeting (currently every Monday at 2PM) to speak to the project, with the IT Site Manager being the IT sponsor.
Research Electronic Data Capture (REDCap) is a web-based application developed by Vanderbilt University to capture data for clinical research and create databases and projects. It is Health Insurance Portability and Accountability Act (HIPAA)–compliant, highly secure, and intuitive to use. The databases use instruments such as surveys and forms as research capture tools. Projects are self-sufficient and secure databases that can be used for normal data entry or for surveys across multiple distinct time points. They are workflow-based and focus on collecting data and exporting it to statistical programs and other data analysis software. REDCap is designed to provide a secure environment so that research teams can collect and store highly sensitive information.
IT Help Guides
OKTA is our chosen single sign-on product that leverages multifactor authentication (MFA). The process does require a smartphone or an Internet-enabled tablet device.
No. The licensing agreement established between the software vendor and Brown University only applies to Brown University’s computers and perhaps those personally owned by their students and faculty. Care New England computers are not personally owned by you and therefore are not eligible for these software agreements to which you may be personally entitled. In addition, personally owned computing devices cannot be connected to the Care New England production network, only the CNE-Guest network.
Possibly. Information Security’s assessment is largely consultative. If the assessment points out glaring issues, the Principal Investigator or director of the research team will need to decide whether the risk outweighs the benefit to the study and the organization. However, in cases where PHI/PII may be imported from a CNE system, Legal and Corporate Compliance will likely rule against the use of the product.
There are two documents, published by the CNE Compliance Office, which can help determine if a BAA will be required for a particular engagement. They are available at:
- BAA Decision Tree – ConvergePoint 🡪 Care New England 🡪 Privacy
- Determining BAA Relationship – ConvergePoint 🡪 Care New England 🡪 Privacy