System Registration and Certification Program


The CUIMC Information Security Office (ISO) performs information security risk assessments of CUIMC IT systems using standards and regulations from HIPAA and HITECH.  The assessments help validate that patient, employee, business, and other sensitive or confidential data are protected.

An IT system that completes the assessment process, including remediation of any findings, is designated “certified” by CUIMC IT Security. The goal is to have all CUIMC IT systems certified in order to strengthen our security compliance posture for HIPAA, HITECH, and PII protection.

Program Phases

The System Registration and Certification Program consists of the following phases:

  1. System Registration
  2. System Risk Assessment
  3. Remediation of Findings (if any)
  4. System Certification

See below for details on each phase.

System Registration

Per CUIMC IT policies, all multi-user applications and systems within Columbia University Medical Center are required to be registered with CUIMC IT. This requirement applies regardless of whether the system transmits, stores, or uses PHI, ePHI, or PII.

Registration of CUIMC IT systems is done in the RSAM system. RSAM is used to manage data associated with IT risk management and compliance for all IT systems within CUIMC. Registration involves providing demographic and technical information about the system; CUIMC IT uses this information to assess the level of information security risk the system presents.

To register your system, access RSAM using your UNI and password at https://rsam.cumc.columbia.edu.
NOTE: if you are using an off-campus computer, you will need to connect to the VPN first.

System Risk Assessment

Once the System Owner and IT Custodian (collectively, the Stakeholders) have registered the system by completing the Attribute and Criticality information in RSAM and submitted the registration to the ISO, an ISO Risk Analyst reviews the information to gauge the level of information security risk.

There are five Risk Ratings: Critical, High, Medium, Low, and Minimal. Systems rated Low or Minimal are classified in the RSAM workflow as “41 Reviewed” or “43 Inventoried” and require no further assessment.

All other systems move forward in the RSAM workflow to Self-Assessment, and the Stakeholders are notified that additional questions about the controls in and over the system need to be answered. Based on the responses to those questions, follow-up discussions with the ISO Risk Analyst, and the results of a scan for technical vulnerabilities (internal systems only), an Information Security Risk Assessment report is generated. The report contains the findings from the assessment, a recommendation for each finding, and a timetable for remediation based on the severity of the findings. The goal is to complete assessments within 30 days; all findings must be remediated within 90 days.

Risk Remediation

All risks identified in the information security risk assessment must be corrected. The timing of the corrective actions varies with the severity of the risks identified. The System Owner and IT Custodian are responsible for ensuring that all corrective actions are implemented within the expected time frames. As each corrective action is implemented, the System Owner or IT Custodian records an update in RSAM, which informs the CUIMC IT Security Risk Team of the remediation status.

Certification

IT systems assessed as being in compliance with HIPAA and HITECH standards and CUIMC IT policies, with all findings remediated, are issued “certified” status by the CUIMC Information Security Office.

Program Resources

For information about the System Certification Program at CUIMC please contact the Information Security Office at security@cumc.columbia.edu.