IRB Review and VISPs

Risk assessments are performed by Partners HealthCare Risk Assessment Team to ensure that technologies comply with Partners policies and standards.  Information Systems acquired, developed and maintained on behalf of Partners must incorporate information security across the entire lifecycle. 

Definitions:

Intake Form: is a questionnaire Info Security uses "internally" for data gathering from the business owner who is requesting or requires an assessment. It helps to know what the data is, where the data will be located, who will support the system, and who will have access to the data. This will determine if a VISP is required and sets the scope of the assessment.

Vendor Information Security Profile (VISP): is a questionnaire used "externally" for data gathering from the vendor who is offering a service. This questionnaire is based on the NIST800-53 security guidelines. In this questionnaire, the answers define the:

  • Vendor's internal policies, procedures, and standards to manage their own infrastructure (e.g., how does the vendor provision access to new employees?)
  • Proposed system or application (e.g., how does the business owner provision access to a new user?)

 

Process:

To request an assessment: Please use this link to submit an IS Service Desk request to the Vendor Risk Assessments queue.

Once the request is submitted, an Info Security Analyst will be assigned to your review.  They will determine if a completed Intake Form and/or completed VISP is already on file. 

If not on file, an Intake Form will be sent to the business owner.  A VISP will be required based on the following criteria:

  • The vendor will access, process, store, or transmit ePHI/PII
  • The vendor will host the data in the cloud
  • The system will be hosted at Partners but the vendor will provide remote support

If any of these apply, the VISP template will be sent to the vendor.

Once the Info Security Analyst receives the vendor's response to the VISP, they will review, follow-up with the vendor if needed and highlight any weaknesses or potential risks. They will work with the vendor to mitigate any potential risks.

The Analyst will communicate their findings and the mitigation plan with the business owner.

The VISP will require internal review and approval by Partners Risk Assessment team. Once approved, the vendor and Partners Risk Manager will sign off on the documentation.

 

Timeline

On average, it takes 2-6 weeks to complete an assessment and that depends on the vendor’s responsiveness.  In our experience some assessments have taken months (4-6). Be advised to start the process early when engaging new vendors or collaborators.

If the vendor requires remediation (changes to code, technologies, processes) or documentation of mitigations, this will impact timeline causing delays to use the technologies.

 

Recommendations / Lessons Learned

Prior to submitting to the Partners IRB, be sure that you have at least an Intake Form on file for your applications and processes.  If a vendor assessment is required, you should initiate process prior to IRB protocol submission.  The IRB cannot approve protocols if technologies are unknown and not vetted by the Risk Assessment team.

 

Information Security Policies

Policy Central currently contains policies and procedures for the following entities:

  • Partners HealthCare System (PHS)
  • Spaulding Rehabilitation Network (SRN)
  • Partners Community Physicians Organization (PCPO)

Partners Users can use their ID and password to access Policy Central via:

  1. Partners Applications menu, under Policies and Procedures
  2. https://grcarcher.partners.org

For any additional questions or clarifications, please contact RISO at riso@partners.org

Recent blog post

RISO highlights A cybersecurity primer for translational research by Eric D. Perakslis and Martin Stanley