Summary
Managing risk associated with information and data security is important for any remote study or study utilizing mobile technologies. These studies require data to be transferred from a third party into the university computing environment, creating vulnerabilities that need to be managed. This article will help investigators determine if an Information Assurance (IA) review is necessary, what to expect during a review, how to prepare for a review, and how to initiate a review.
General Overview
NOTE: Several of the links in this article require being logged in with Level 1 or Level 2 U-M credentials. If a link is not working, log in and retry it.
Technology is becoming an increasingly important tool that helps researchers manage research studies, conduct research remotely, and gather data from mobile devices. However, the use of technology in research increases the potential for security incidents. While keeping research data secured is a shared responsibility at the University of Michigan, Information Assurance approval is required for technology to be used in research. This article will help investigators determine if an Information Assurance (IA) review is necessary, what to expect during a review, how to prepare for a review, and how to initiate a review.
To learn about the key components that feed information security requirements at Michigan, review Are you purchasing an IT System or Service? Scroll down to the interactive "snake chart" and follow each step. If you aren't sure if you need an IA review, you can request a consult to have an IA team member provide guidance.
Technology Selection
There are several resources to help investigators select research technology. Selecting technology that is already approved for use at Michigan Medicine or the University of Michigan may reduce the need for an IA review while ensuring that research data is kept secure. Below are some of those resources:
Articles:
Consultations:
Does My Study Need an IA Review
A review is required if:
- The technology or service is not on the approved list.
- The technology or service is approved at a lower data classification than needed for your study. Learn more about Data Security at U-M.
- Contact your IRBMED representative if you need to determine the data classification level for your study.
The following additional situations may require an IA review to ensure information and data are secured. This list does not cover every possible situation.
- If you want to automate pushing data into the U-M computing environment from an outside vendor.
- If you are moving or storing data with entities outside of Michigan Medicine or the University of Michigan, including other academic institutions.
- If the vendor will have a U-M / MM sponsored account.
Before Requesting an IA Review
► First, determine if your unit has a Michigan Medicine Trusted Service Provider (TSP) designation. If you are unsure, ask your unit administrator. If your unit has a TSP, your TSP will likely gather this information for the request.
► Gathering the following information BEFORE requesting a review will significantly reduce the time necessary for the review process.
General Information
- Company and product names of any technology that will be used in the study.
- A description of the technology and how it will be used. What problem does it solve?
- The primary use of the technology: academic (including research), business and administration, clinical.
Vendor Access to Data
- Will the vendor have access to data? Access to data includes but is not limited to data on the university network or data stored in a cloud or off-premise location.
- Will the vendor have a 'service and support' connection (e.g., VPN, remote viewing, remote access)?
- Will the vendor have any sponsored accounts?
Compliance
- A completed and signed Data Processing Agreement (DPA) and Business Associate Agreement (BAA) are required before receiving IA/CISO approvals. You should begin these at the same time as the IA review process. The HITS Contract Team can help. Check the Contracts and Procurement section of HITS InSite for guidance.
- While the IRB process is distinct from the IA review process, gathering this information before submitting your IRB application will reduce the need for amendments. See IRB Considerations for Studies with Mobile Devices and Mobile Apps for additional guidance.
Resources to help gather the information in this section
Timing
A minimum of 6 weeks should be planned for a review if the investigator's unit has a TSP. Reviews take longer for investigators without a TSP within their unit, possibly adding a few months. For MM units without a TSP, HITS will serve as the TSP for the request and will work with the investigator to prepare for the review.
It is advised that investigators begin the process as soon as funding is secured. Factors that impact how long a review will take include:
- How many requests are already in the queue.
- Whether the investigator's unit is a TSP or HITS is serving as the TSP.
- How prepared the investigator is for the process. See the section titled "Before Requesting an IA Review".
- How the request is prioritized. Requests are prioritized by factors including risk type, data types, and study deadlines.
- How promptly the investigator and vendor respond to requests for information from either HITS or IA.
What to Expect During an IA Review
During the review process, information will be gathered about the tools, technology infrastructure, and security protocols used by the vendor to accurately evaluate the risk associated with the vendor having access to Michigan Medicine and University of Michigan data. New questions often emerge throughout the process, requiring back and forth between the review team and vendor. Additionally, the review team may make recommendations to the vendor to reduce risk, which may take the vendor time to review and implement.
The Vendor Security Assessment section of this article provides additional information on what to expect.
*Review time will be impacted if the study team or vendor does not promptly reply to requests for information from the review team.
Request an IA Review
MICHIGAN MEDICINE
For Michigan Medicine PIs and Co-Is and for University of Michigan PIs who will be using Michigan Medicine data in their study.
Units with a TSP
If your unit has a TSP, provide them with the links below and ask that they submit an MMIAR on your behalf.
Units without a TSP
If your unit does not have a TSP, complete the Michigan Medicine Investment Assurance Request - Consult form to begin the process. Indicate that you need an IA review and the reason you believe you need a review, e.g., "I would like to use (name of technology / vendor) for a research study and it is not on the IA approved list."
UNIVERSITY OF MICHIGAN
University of Michigan PIs who will not be using Michigan Medicine data should submit a ticket to ITS requesting an IA review.
Resources
University of Michigan - Level 1 login required
Michigan Medicine - Level 2 login required
About the Author
As the Mobile Technologies Core Manager at the University of Michigan’s Eisenberg Family Depression Center, Victoria Bennett helps investigators navigate the university’s robust resources while perpetually looking for opportunities to curate new resources. She aims to reduce friction for investigators who wish to utilize mobile technologies in health research. Drawing from her extensive experience with entrepreneurship, Victoria applies an entrepreneurial mindset to create efficient systems, improving operational effectiveness and impact.