Protect the Cloud
Connectivity and Security Enabling an Evolution
The Information Technology department announced a new summer initiative — Cloud9 — to improve connectivity services to the medical school community: students, faculty and administration. Cloud9 is launching with ServiceNow, Outlook 365, Dropbox, and an ultra-speed wireless connection!
To ensure that our cloud partners comply with the legal and compliance needs of the Medical School, a multi-departmental team was formed to apply necessary due-diligence. Microsoft’s Office 365 and Dropbox Business have been identified as appropriate solutions for specific types of use. The matrix below identifies the key areas that were reviewed and presents our guidance for the proper use of Office 365 and Dropbox.
| Review area | Office 365 | Dropbox Business |
|---|---|---|
| Type of Information Approved | Based on the reviews and assessments: Confidential, Internal and Public data is acceptable. This means PHI and PII are acceptable, for example research data. | Based on the reviews and assessments: Internal and Public data is acceptable. No PHI or PII can be stored in Dropbox. |
Contract Review
The UMass Chan Medical School Information Technology Department engages the President’s Office General Counsel’s Department for any contract review. Contracts are reviewed by General Counsel both generally for any legal terms that are acceptable or not, as well as specific Information Technology related terms to ensure the Medical School is agreeing to appropriate terms as acceptable to both the Medical School and General Counsel’s Office.
Business Associate Agreement Review
The UMass Chan Medical School Information Technology Department engages the Senior Privacy Officer, ForHealth Consulting’s Office of Compliance and Review, as well as the Office of General Counsel, to ensure a Business Associate Agreement is in place when necessary and required, and includes agreed upon language.
Security Assessment
The UMass Chan Medical School Information Technology Department’s Information Security Office conducts security assessments of IT vendors when requested. The security assessment is not one-size-fits-all; however, a baseline security review is applied to every IT vendor. For example, the Information Security Office assists with the contract review. In addition, various third-party attestation reports are obtained to verify that controls are designed appropriately and functioning effectively, including HITRUST CSF, SOC2 or SOC3 (AT101), NIST, etc.
Privacy Assessment
The UMass Chan Medical School Information Technology Department engages the Senior Privacy Officer to ensure an assessment of the privacy requirements for the IT vendor is complete.
*Acronym Definitions:
PHI: Protected Health Information
PII: Personally Identifiable Information
SOC2 Type II: Report on Controls at Service Organization Relevant to Security, Availability, Processing Integrity, and Confidentiality
HITRUST: The Health Information Trust Alliance – Common Security Framework