Purchasing New Information Technology

IT Security Considerations

Before introducing new technologies or systems from outside vendors into the Michigan Medicine IT environment, it’s essential to ensure they’re secure—especially since so many systems handle sensitive, interconnected data.  

Before purchasing a new or novel technology, staff should first work with a Procurement Service Provider to check if a security-vetted system with similar capabilities already exists. 

Visit Procurement - Find Products & Services

If the desired technology IS NOT in use, an approved purchase confirmation from the Procurement Office is required before an IT security review can be initiated by a Michigan Medicine IT Trusted Service Provider (TSP)*.

Read more information on Procurement Compliance: SPG 601.3-3 Software, Licensing, and Cloud Services Procurement Compliance

Done with Procurement?

To help understand the technical requirements for safely integrating new technology into our environment – from implementation to long-term support – you will need to work alongside a TSP*. TSPs assist you in ensuring the technology runs smoothly and meets Michigan Medicine’s IT security requirements.

Academic IT Systems/Services
Trusted Service Provider Support Request		Clinical IT Systems/Services
Trusted Service Provider Support Request

*Based on the type of system/service, a TSP will work with Information Assurance to review the risk of the technology, identify and address any risks before the technology is deployed, and ensure ongoing operational support is planned.

What does an IT Security Review entail?

Assurance of technologies with University of Michigan Sensitive Data connecting to Michigan Medicine IT environments are performed in concert with Trusted Service Providers (TSPs) and Information Assurance (IA:MM). 

TSPs assist units and departments across the enterprise to manage their IT. TSPs help the technology owner(s) identify important information used to answer a short questionnaire used in the IT security review, ultimately performed by IA:MM. 

TSPs are required to submit a Michigan Medicine Investment Assurance Request (MMIAR), which is used to determine the potential risk level of said technology – and will define artifacts and documents required for the cybersecurity teams to determine if the technology meets Michigan Medicine’s IT security standards.

How long does an IT security review take?

This can depend on a number of factors. 

If TSPs determine the technology is either already in use – or a comparable alternative is available – then, the security review should be rather fast. 

New and novel technologies, particularly ones handling sensitive data and/or interconnecting with other sensitive IT systems, can take longer. Backlogs for these systems are not uncommon, underscoring the importance of working with TSPs early and often after completing the prerequisite Procurement processes. 

If your assigned TSP is unfamiliar with the MMIAR process, they can begin educating themselves by visiting our Michigan Medicine TSPs Safe Computing page dedicated to helping TSPs navigate IA:MM requirements.