Care New England Research

Information Services

Today researchers use online platforms, connected devices, and AI-based tools that can conduct much of the fieldwork while collecting and organizing data into accessible formats. The security of every such technology must be considered, evaluated, and documented in order to protect study participants, datasets, and the research organization from unintended exposure and misuse.

Glossary of Terms

IT Asset

An IT asset is anything that connects to the CNE computer network or is managed by CNE IT, as well as any electronic platform or service that may house, handle, or otherwise be used while working with CNE data. This includes but is not limited to desktop computers, laptops, CNE-owned smartphones, CNE-owned tablets, servers, and IoT (Internet of Things) devices. Medical devices with an interface to or through the CNE network may fall into this category. Software installed on CNE devices also falls into this category.

Endpoint

An endpoint is a computing device that communicates back and forth with a network to which it is connected. Examples are desktop computers, laptops, smartphones, tablets, servers, and IoT devices.

Desktop Engineering

The Desktop Engineering team is responsible for the build and management of physical computer desktop environments, the virtual desktop environment, and much of the software installed therein. Desktop Engineering is sometimes consulted before a new piece of software is brought into the environment. They can evaluate the desktop requirements of the software for compatibility with other software which is required for our environment.

InfoSec

The Information Security Team is responsible for safeguarding Care New England’s computer network from external and internal threats and bad actors. InfoSec manages our firewall rules and the anti-virus/eThreat software on endpoints. InfoSec evaluates external vendors and the platforms they provide for security maturity and best practice before allowing them into our environment. We must understand the potential risk to the organization and to individual confidentiality that may stem from the use of an IT asset.

IPAC

The Information Services Project Approval Committee is a governance board of several IT individuals who evaluate new IT assets and projects to determine the need for and level of effort to implement and manage them.

Security Exception Form

The Security Exception Form is an online form used to request the use of an IT asset which falls outside of currently approved assets. This form is to be completed by the requesting end-user and submitted to Information Security for a decision.

ServiceNow

ServiceNow is CNE’s IT Service Management Platform. Through ServiceNow we can request virtually all of our IT needs. A request through ServiceNow automatically generates a record number that can be tracked. We prefer ServiceNow for 95% of inquiries made to the I.S. department as requests made via email can become easily lost in the system.

Common and Helpful Forms

General Help Request

Make a general non-specific request


Request Access to CNE Systems

Provisioning for various CNE Systems.

Request for Video Conferencing

Requests for Zoom and Zoom Plus accounts.

Request Hardware Relocation

Request device relocation.

Report Blocked/Missing E-Mail

Report a missing email. This may include blocked, held, or rejected messages.

Request Box.com Account

Box.com is a HIPAA-compliant cloud-based storage platform.

Request for Security Exception

This form is used to request and document an exception to published Information Security Policies, Standards, or general security best practices.

Request PC/Terminal Hardware

Request various items related to desktop computing. Note: submitting a request does not guarantee that it will be fulfilled. Grant-related purchases must be made through the grant.

Vendor Risk Assessment

Use this to submit a request for a Vendor Assessment. This must be done for new vendors and the IT platforms they provide.

Report Blocked External Website

Use this to report an external website that is not accessible but is needed. Note: websites are blocked at a system level based on category and potentially threatening content, so the website you are seeking may not have been blocked intentionally.

Data Repository Assessment

This is to request a data repository risk assessment. It should be completed before you write your DMSP (Data Management and Sharing Plan) and submit your application.

PHI & Technology

Before initiating any new project, consider whether any of the 18 HIPAA identifiers will be collected, stored, or passed through a third-party entity. If so, you should work in partnership with IS to answer the questions below for the types of devices or systems you will be using.

Use of Internet Based Platforms in Research
  1. Has the platform been previously evaluated and approved by CNE InfoSec or I.S. Site Management?
  2. Does the platform reside in the United States?
  3. Is the platform HIPAA compliant?
  4. Does CNE have a valid BAA (Business Associate Agreement) with the platform vendor/developer/owner?
  5. Does the platform require the use of desktop software for access?

Use of Mobile Applications in Research
  1. Has the application been previously evaluated and approved by CNE InfoSec or I.S. Site Management?
  2. Will the collected data reside on the device or will it be transmitted to a remote server or system?
  3. Does the app encrypt collected data on the device?
  4. If the application transmits data over Wi-Fi or a cellular network, is the data encrypted in transit (for example, over TLS) rather than sent in the clear?

Use of Internet Connected Devices in Research

The following questions and guidelines must be considered before deploying mobile devices such as smartphones, iPads, tablets, wearable devices, or any IoT device for any study-related activities.

  1. Will the device be used to collect participant data? If yes, see questions regarding mobile applications.
  2. Will the device need Wi-Fi or cellular network access?
  3. What data will the device transmit or receive?
  4. If PII/PHI is transmitted, is end-to-end encryption (E2EE) leveraged?
  5. Will the device be returned to CNE at the end of participation, or will the participant keep the device?
  6. If the device will be retained by the participant, is there a written protocol for resetting the device (removing study data, CNE accounts, and any management enrollment) before it is released to them?
  7. Will the device be provisioned with an account which is generic or otherwise unassociated with the participant personally?
  8. Will the device be enrolled in a Mobile Device Management platform? If so, the Internet Based Platform questions apply.

Use of Data Storage Platforms in Research
  1. Has the platform been previously evaluated and approved by CNE InfoSec or I.S. Site Management?
  2. Does the platform reside in the United States?
  3. Is the platform HIPAA compliant?
  4. Does CNE have a valid BAA (Business Associate Agreement) with the platform vendor/developer/owner?
  5. Does the platform require the use of desktop software for access?

Procurement & Implementation

Engaging with IS is necessary to a) determine the level of risk an IT asset may present to the organization, b) establish expectations of support both internally and externally for the IT asset, and c) document the request/need for the asset along with its expected function and benefit to the organization.

Care New England Information Services must be consulted before any IT asset is introduced into the organization. Even if the IT asset is not expected to connect to the network but is still expected to be used during business or research, CNE Information Services must be consulted. The vetting processes of other organizations, or even of established partners, are not sufficient for the introduction of an IT asset into Care New England.

Before engaging with any vendor or consultant you should request Sanction Screening from Compliance Services.

Approved Titles

Titles approved for use at Care New England are subject to licensing policies of both CNE (as a non-profit healthcare organization) and the vendor. Software that is personally owned or licensed to another organization is not allowed to be installed on CNE devices. Questions regarding non-standard software titles should be routed to the Academic and Research IT Site Manager.

Approved Vendors

Vendors are approved on a case-by-case basis. A vendor being approved on the basis of a particular title or platform is not a blanket approval for all of the vendor's technologies. In addition to vendors being approved by CNE I.S., a Business Associate Agreement (BAA) may be required by the Compliance department.


Hardware Procurement

All computer hardware must be purchased through, or approved for purchase by, CNE I.S. Site Management.

CNE I.S. has relationships with strategic partners and works with them to standardize upon known compatible technology and devices. Requests for new hardware can be made through ServiceNow, our IT service management platform.

Timelines 

Researchers are advised to reach out to IT Site Management as early as possible to begin discussion of a potentially new IT asset. The evaluation process can take some time and depends in part on the responsiveness of the external vendor of the IT asset. It is best to consult the IT Site Manager at the outset of consideration or evaluation when planning your research project. Your IT Site Manager is a consultative resource to the research community.

New IT Assets

  • Desktop Software
  • Free and Open-Source Software
  • Platforms or Systems
  • Hardware

Desktop software is a computer program that requires a computer operating system to execute. This includes but is not limited to office applications such as Microsoft Word, web browsers, text editors, programming IDEs, runtime engines, and utilities.

Examples of desktop software purchases include:

  • A data analysis program that has not previously been used at CNE. (If you are not sure whether it has been used previously, please check with your IT Site Manager).
  • A software application which requires Internet access for basic or enhanced operation is considered cloud-based. An example is Microsoft 365 and its suite of applications.

When seeking to purchase or use software new to our environment, there are a few steps to take and questions to ask.

1. Open a General Help Request and assign it to the SN AG – Academic and Research team. Please include the following information if known:
  1. The title of the software.
  2. The company or developer’s website.
  3. Does the software capture PHI/PII?
  4. What business purpose will the software satisfy within Care New England, and how is it expected to be used?
  5. The number of people who are anticipated to use the software initially.
  6. Is there a cloud-based component for the software?
  7. Is there an associated cost, either one-time, subscription, or operating?
  8. Which IT team is expected to support the software?
  9. What are the minimum system requirements for the desktop software?

2. Once this form is submitted, the IT Site Management team will evaluate the request. It is most likely that the Site Manager will request to meet with you to discuss next steps. A subsequent task may be assigned to Desktop Engineering, InfoSec, and Corporate Compliance for their input and feedback.

3. If approved, and if necessary, in the case of purchased and subscription-based software titles, you and your IT Site Manager should speak with a vendor representative to discuss any terms of contract/agreement or at the very least review a quote before moving forward with a purchase and installation.

If any PII/PHI is even remotely expected to pass through the software or system, a BAA from the Compliance Office will likely be required before CNE can sign any agreements or make a purchase. The exception to this may be applications which do not require Internet connectivity to operate.


Regarding free and open-source software (FOSS), the same General Help Request should be submitted. However, the evaluation process may be different. FOSS often does not enjoy the same vendor/developer support, and therefore we may not be able to evaluate it in the same fashion. Many of the questions we would have asked a vendor can only be answered during an internal evaluation. In these cases, a small test group of individuals may be established and documented in a Security Exception Form.


Examples of platforms or systems include:

  • Contracting with an external company such as Mosio to send text messages to participants.
  • Contracting with an external company such as ilumivu to provide just-in-time (JIT) adaptive interventions.
  • Contracting with a transcription company through which you upload audio recordings to their platform for transcription.

The process of evaluating new platforms or systems is more in-depth and therefore requires more scrutiny. The process starts with a General Help Request through ServiceNow assigned to the SN AG – Academic and Research team, answering the same questions as listed above. Platforms and systems generally require more support, as they may need:

  • A Project Manager for implementation.
  • Virtual or physical servers which require operational support from CNE’s Server Team for operating system patching or data backups.
  • An Application Analyst to support the platform or its desktop components.
  • An annual support contract with the vendor.
  • End-User support.

Your IT Site Manager will contact you to set up a meeting and will likely direct you to complete an IPAC Concept Form. This form (currently in MS Word format) is submitted by your IT Site Manager via email to the IPAC governance board. The board meets bi-weekly to review and evaluate submitted concept forms. You will be required to attend this virtual meeting, with your IT Site Manager serving as sponsor. The committee may approve or deny the request during this meeting, determine that more information is needed, or approve provisionally pending the availability of internal resources. If an existing system in use by Care New England supports most of the functionality of your requested system, it may be determined that the existing system is the one to use.

If any PII/PHI is even remotely expected to pass through the platform or system, a BAA from Corporate Compliance will be required before we can sign any agreements or make a purchase.

CNE IT supports the following hardware:
  • Computers (laptops and desktops) purchased through and managed by CNE IT.
  • Apple iPads purchased through and managed by CNE IT.
  • Printers and Multi-Function devices through CNE IT contracted services.
  • Zebra label printers which are certified by Cerner and Epic.
  • Certain external webcams, mice, and keyboards.
  • macOS laptops and desktops*1

When seeking new or replacement hardware, start with a Request PC/Terminal Hardware in ServiceNow. If you are requesting a non-standard hardware asset, the IT Site Manager will contact you for further discussion. You can expedite the process by answering the following questions in the free text field of your request:

Include the following information if known:
  1. How is the hardware expected to be used within Care New England?
  2. The name of the hardware.
  3. The company or developer’s website.
  4. Is the hardware a medical device?
  5. Does the hardware capture PHI/PII?
  6. What business purpose will the hardware serve within Care New England?
  7. The number of people who are anticipated to use the hardware initially.
  8. Is there a cloud-based component for the hardware?
  9. Is there an associated cost (one-time, subscription, or operating)?
  10. Which IT team is expected to support the hardware?
  11. What are the minimum system requirements for any software that accompanies the hardware?

If any PII/PHI is even remotely expected to pass through the hardware or system, a BAA from the Compliance Office will be required before we can sign any agreements or make a purchase.

The IPAC Process

CNE's I.S. department leverages a project governance board to evaluate projects with an IT component. In the case of research this could include:

  • Research studies that require EHR data extractions
  • IT platforms (hardware or software) new to CNE used to collect, process, store, or analyze data 
  • New uses of existing technologies

The requestor, along with the IT Site Manager, will fill out an IPAC Concept Form. This form details the project, its impact on the organization, any risks in implementing or not implementing it, and the initial and operating costs. The form is submitted to the IPAC chair (Project Management Office Director) and scheduled for review by the committee. The requestor may be asked to attend the meeting (currently every Monday at 2PM) to speak to the project, with the IT Site Manager being the IT sponsor.

REDCap

Research Electronic Data Capture (REDCap) is a web-based application developed by Vanderbilt University to capture data for clinical research and create databases and projects. It is Health Insurance Portability and Accountability Act (HIPAA)–compliant, highly secure, and intuitive to use. The databases use instruments such as surveys and forms as research capture tools. Projects are self-sufficient and secure databases that can be used for normal data entry or for surveys across multiple distinct time points. They are workflow-based and focus on collecting data and exporting it to statistical programs and other data analysis software. REDCap is designed to provide a secure environment so that research teams can collect and store highly sensitive information.


Other Forms and Information

IT Help Guides: OKTA is our chosen single sign-on product that leverages multifactor authentication (MFA). The process does require a smartphone or an Internet-enabled tablet device.

OKTA User Guide

Using F5 VPN via OKTA

Frequently Asked Questions

I have a license to a software title through Brown University. Can I install this software on my Care New England computer?

No. The licensing agreement established between the software vendor and Brown University only applies to Brown University’s computers and perhaps those personally owned by their students and faculty. Care New England computers are not personally owned by you and therefore are not eligible for these software agreements to which you may be personally entitled. In addition, personally owned computing devices cannot be connected to the Care New England production network, only the CNE-Guest network.

Can I submit a security assessment from another organization to expedite the approval process here at Care New England?

Information Security has established a standardized process for evaluation of IT assets and cannot accept the findings of another organization. While there may be similarities between two organizations, each environment is unique and must be handled accordingly. You can, however, encourage the vendor contact to answer the questions on InfoSec’s questionnaire sooner rather than later.
My team bought a grant-funded IT asset before we knew there was a process for evaluation. What should we do now?

Contact your IT Site Manager immediately to discuss next steps. We will likely go through one of the established processes in a modified form. It is important we understand the risks or potential risks of any IT asset to our organization. We will do our best to allow you to continue operations while we go through this process, although there may be some circumstances (e.g., if a data leak were discovered) in which operations will need to be halted.
Our IT asset will not interact with any PHI or PII. Do we need to involve IT before we use it?

Yes. Purchasing will require IT approval of any IT asset before purchase. Site Management would like to ensure that the existence and use of the IT asset are documented. It is not uncommon for an IT asset initially approved for use without PHI/PII to later incorporate the use of PHI/PII. If IT does not know about the existence of a device within the environment, we cannot safeguard it or the data it collects.
If Information Security decides the vendor or product we want to use does not meet best practices, can we still move forward with the vendor?

Possibly. Information Security’s assessment is largely consultative. If the assessment points out glaring issues, the Principal Investigator or director of the research team will need to decide whether the risk outweighs the benefit to the study and the organization. However, in cases where PHI/PII may be imported from a CNE system, Legal and Corporate Compliance will likely rule against the use of the product.

Do I need a BAA for my new IS engagement?

There are two documents, published by the CNE Compliance Office, which can help determine whether a BAA will be required for a particular engagement. They are available in ConvergePoint under Care New England 🡪 Privacy:

  • BAA Decision Tree
  • Determining BAA Relationship