Information Assurance (IA) Review Process

Summary

Information security is an important aspect of any study utilizing mobile technologies because these studies require data to be transferred from a 3rd party into the university computing environment. Transferring data through the firewall creates vulnerabilities that need to be managed appropriately. This article provides information and resources for investigators that will help them navigate the complex and ever-changing landscape of data security at Michigan.

Body

Summary

Managing risk associated with information and data security is important for any remote study or study utilizing mobile technologies. These studies require data to be transferred from a 3rd party into the university computing environment, creating vulnerabilities that need to be managed. This article provides information to help investigators assess whether an Information Assurance (IA) review is necessary, prepare for a review, and initiate a review.

General Overview

NOTE: Several of the links in this article require being logged in with Level 1 or Level 2 U-M credentials. If links are not working, log in and retry the links.

Technology is becoming an increasingly important tool that helps researchers manage research studies, conduct research remotely, and gather data from mobile apps and devices. However, the use of technology in research increases the potential for security incidents. While keeping research data secured is a shared responsibility at the University of Michigan, Information Assurance approval is required for technology to be used in research. This article will help investigators determine if an Information Assurance (IA) review is necessary, what to expect during a review, how to prepare for a review, and how to initiate a review. 

To learn about the key components that feed information security requirements at Michigan, review Are you purchasing an IT System or Service? Scroll down to the interactive "snake chart" and follow each step. If you aren't sure if you need an IA review after reviewing this article, request an IA consult to have an IA team member provide guidance. 

Technology Selection

There are several resources to help investigators select research technology. Selecting technology that is already approved for use at Michigan Medicine or the University of Michigan may reduce the need for an IA review while ensuring that research data is kept secure. Below are resources to help you identify IA credentialed technology:

Articles:

Consultations:

Does My Study Need an IA Review?

A review is required if:

  • The technology or service is not on the approved list. 
  • The technology or service is approved at a lower data classification than needed for your study.
    • Learn more about Data Security at U-M. 
    • Contact your IRBMED representative if you need help determining the data classification for data in your study.

The following additional situations may require an IA review to ensure information and data is secured. This list does not cover every possible situation. 

  • If you want to automate transferring data into the U-M computing environment from an outside vendor.
  • If you are moving or storing data with entities outside of Michigan Medicine or the University of Michigan, including other academic institutions.
  • If the vendor will have a U-M / MM sponsored account.

Before Requesting an IA Review

► First, determine if your unit has a Michigan Medicine Trusted Service Provider (TSP) designation. If you are unsure, ask your unit administrator. For MM units without a TSP, HITS will help identify a TSP or will serve as the TSP for the request. TSPs are responsible for submitting information into the IA ticket system and answering investigators' questions during the process.

► Gather the following information BEFORE requesting a review to significantly reduce the time necessary for the review process.

General Information

  • Company and product names for ALL technology that will be used in the study.
  • A description of the technology and how it will be used. What problem does it solve?
  • The primary use of the technology: academic (including research), business and administration, or clinical.

Vendor Access to Data

  • Will the vendor have access to data? Access to data includes but is not limited to data on the university network or data stored in a cloud or off-premise location.
  • Will the vendor have a 'service and support' connection? e.g.: VPN, remote viewing, remote access
  • Will the vendor have any sponsored accounts?

Compliance / Contracts

  • While the IRB process is distinct from the IA review process, gathering this information before submitting your IRB application will reduce the need for amendments. See IRB Considerations for Studies with Mobile Devices and Mobile Apps for additional guidance. 
    • Effective May 2025 - The research approval process within the eResearch system will include questions to identify and address potential IT security risks early, simplify the overall process and reduce delays from the technology assurance process.
  • A Data Protection Agreement (DPA) and Business Associate Agreement (BAA) are required before receiving IA/CISO approvals. You should begin these at the same time as the IA review process. HITS Contract Team can help. For guidance, go to the Contracts and Procurement section of HITS InSite or U-M's Third Party Vendor Security and Compliance Policy.
    • Vendors with a current IA credential should have DPA and BAA agreements on file. 
  • Shared Responsibilities Agreement (SRA) may be required if sharing data with the vendor. 

Data Classification

Contact your IRB representative to assist you with determining the appropriate data classification, if needed. Below are examples of the types of data within each of the classifications. Learn about U-M Data Classification Levels here.

Low 

  • Research awards
  • Research proposals
  • Unpublished research data
  • Unpublished research

Medium

  • Human subjects research
  • Intellectual property
  • UMIDs with names
  • U-M non-public financial information

High

  • PHI
  • Social Security Numbers (SSNs)
  • Sensitive identifiable human subjects research
  • Export controlled information

Restricted

  • Credit card numbers
  • FISMA - data provided by federal organizations such as NIH, NASA, and the VA

Resources 

Timing

A minimum of 8 weeks should be planned for a review if the investigator's unit has a TSP. Reviews take longer for investigators without a TSP within their unit, possibly adding several months.

It is advised that investigators begin the process as soon as funding is secured. Factors that impact how long a review will take include:

  • How many requests are already in the queue.
  • Whether the investigator's unit is a TSP or HITS is serving as the TSP.
  • How prepared the investigator is for the process. See section titled: Before Requesting an IA Review.
  • How the request is prioritized. Requests are prioritized by factors including risk type, data types, and study deadlines.  
  • How promptly the investigator and vendor respond to requests for information from either HITS or IA. 

What to Expect During an IA Review

During the review process, information will be gathered about the tools, technology infrastructure, and security protocols used by the vendor to accurately evaluate the risk associated with the vendor having access to Michigan Medicine and University of Michigan data. New questions often emerge throughout the process, requiring back and forth between the review team and vendor. Additionally, the review team may make recommendations to the vendor to reduce risk, which may take the vendor time to review and implement.

The Vendor Security Assessment section of this article provides additional information on what to expect. 

*Review time will be impacted if the study team or vendor does not promptly reply to requests for information from the review team.  

Request an IA Review 

MICHIGAN MEDICINE

If using Michigan Medicine data, regardless of PI's home department, an IA review MUST be done by Michigan Medicine IA.  

Units with a TSP

If your unit has a TSP, provide them with the links below and ask that they submit an MMIAR on your behalf.

Units without a TSP

If your unit does not have a TSP, complete the Michigan Medicine Investment Assurance Request - Consult form to begin the process. Indicate that you need an IA review and the reason you believe you need a review. e.g.: I would like to use (name of technology / vendor) for a research study and it is not on the IA approved list.

UNIVERSITY OF MICHIGAN

University of Michigan PIs who will not be using Michigan Medicine data should submit a ticket to ITS requesting an IA review.

Resources

University of Michigan - Level 1 login required

Michigan Medicine - Level 2 login required

About the Author

                                                
            

As the Mobile Technologies Core Manager at the University of Michigan’s Eisenberg Family Depression Center, Victoria Bennett helps investigators navigate the university’s robust resources while perpetually looking for opportunities to curate new resources. She aims to reduce friction for investigators who wish to utilize mobile technologies in health research. Drawing from her extensive experience with entrepreneurship, Victoria applies an entrepreneurial mindset to create efficient systems, improving operational effectiveness and impact. 

            

Details

Article ID: 11378
Created: Mon 12/18/23 4:59 PM
Modified: Tue 4/15/25 1:46 PM
Author(s): Victoria Bennett
