School of Medicine Approved-Applications
The following applications have been approved by SOM IT Security and will not require a full assessment if the product meets the criteria below. A ticket submission and Intake Form B are still required to ensure the applications are being used within the permitted data classification. Users wishing to procure an item from this list must still follow the SOM IT Procurement process. The applications may be pre-approved if:
- There has been a recent full intake assessment completed within a reasonable period.
- The product is intended to be used by the permitted methods listed below.
- Appropriate agreements are active between the vendor and UCR School of Medicine.
- Additional agreements, including IRB and BAAs, do not require an agreement renewal.
- The application is purchased following our Procurement Process:
  - Purchased from approved vendors.
  - Purchased with the assistance of SOM/Central Procurement.
  - Is not an unauthorized purchase seeking reimbursement.
How are Applications Added?
Applications that are frequently requested for purchase or review are added to the list after a security review has been completed, agreements have been established with the vendor, vendor security documentation has been obtained, and the risk of sharing UCR SOM institutional data has been evaluated. This list is subject to change and will be updated accordingly. Please check back before placing a request. If you have any questions or concerns regarding this list, please contact info-security@medsch.ucr.edu.
Your Responsibilities
It is the responsibility of users of these products to protect university institutional data by ensuring that their use of the software follows applicable policies, such as Vendor Security Risk Management Policies, and by storing and processing all sensitive data within School of Medicine managed systems. If you have any questions or concerns regarding the permitted data types of the applications listed below, please contact info-security@medsch.ucr.edu.
Approved Applications
Association of Pulmonary and Critical Care Medicine Program Directors (APCCMPD) In-Service Exam
The APCCMPD In-Service Examination is a pulmonary and critical care medicine examination for fellows. It evaluates a clinician's knowledge of pulmonary and critical care medicine.
Permitted:
- Student FERPA classified data.
Not Permitted:
- Use in a clinical environment or integration with patient data.
- Processing of credit card information.
Articulate 360
An e-learning editing tool that allows you to create interactive and engaging online courses, simulations, quizzes, and other learning content for students.
Permitted:
- Lecture content consisting of PowerPoint, visuals, and educational diagrams not containing sensitive information.
Not Permitted:
- Student FERPA – pertaining but not limited to course or exam grades, and other sensitive student information.
- Publishing of PII and clinical data.
BioRender
BioRender allows creating, editing, and collaborating on scientific diagrams and illustrations for visual presentations.
Permitted:
- Educational scientific diagrams consisting of P2 data elements.
Not Permitted:
- P3 data consisting of but not limited to: PII, identifiable human research, patient information or images.
- Graphs or images used in a clinical environment.
EMRA
The American College of Emergency Physicians (ACEP) provides continuing medical education for physicians. It assists with training student-physicians in emergency medicine.
Permitted:
- Student FERPA and student documents.
Not Permitted:
- Health or clinician information.
- Patient information.
- To be used in a clinical environment.
EndNote
Reference management software that lets you create personal databases of references relevant to your associated files. It assists with providing citations without modifying the main text.
Permitted:
- Administrative work and resources.
Not Permitted:
- Student FERPA, HIPAA, or Health Information.
GraphPad Prism
Scientific software designed to simplify data analysis and visualization for researchers. It may assist with creating scientific graphing, statistics, and data organization.
Permitted:
- P1, P2, and P3* data elements, excluding identifiable human research.
Not Permitted:
- To contain clinical data from patients or to be used in a clinical environment.
IBM SPSS
Statistical software used for data analysis and problem solving.
Permitted:
- P2 Research data intended for analysis.
Not Permitted:
- Human identifiable/unidentifiable research data.
- Health data or clinical data.
- Student FERPA.
Matlab
Scientific and engineering application designed for data analysis, image processing, modeling, algorithm development, and visualization.
Permitted:
- P2 Research data intended for analysis.
Not Permitted:
- Human identifiable/unidentifiable research data.
MAXQDA
Online tool designed to analyze and understand qualitative data. Includes the ability to code and categorize the data, identify patterns and themes, and create visual representations of the data.
Permitted:
- Animal research data.
- Deidentified human research.
- P1 and P2 data elements.
Not Permitted:
- Clinical or any health data.
- Identified human research data.
- Personally Identifiable Information (PII).
- Student FERPA.
Pymol
Online tool used to visualize macromolecules, biomolecules, proteins, and DNA in higher-quality images and 3D models.
Permitted:
- Protein resolution or adjustments consisting of P1 or P2 data elements.
Not Permitted:
- Analysis of clinical, health, or patient data.
Qualtrics Pro Service & Research Service
Allows users to create and distribute surveys and collect data for analysis and research.
Permitted:
- P1, P2, and P3* Data elements.
- Anonymized data.
Not Permitted:
- Health or Patient data.
- P4 Data elements.
Quartzy
Solution used to manage lab inventory, request equipment, and track order requests.
Permitted:
- Utilization of product to keep lab inventory up to date.
- P2 Data elements.
Not Permitted:
- Ordering of laboratory equipment within application.
- Storing or sharing Credit Card information.
- Processing payments or orders within the application.
Rosalind
Software used for life science research that enables scientists to analyze and interpret data without programming languages.
Permitted:
- Analysis of raw molecular data.
Not Permitted:
- Clinical environment or patient data.
Stata
Statistical software used for data analysis, manipulation, visualization, and reporting.
Permitted:
- P2 Research data intended for analysis.
Not Permitted:
- Human identifiable/unidentifiable research data.
Trumba Connect
Web-hosted event management system allowing tracking, updating, and editing event calendars to bring awareness to the campus community.
Permitted:
- Usage for publishing public marketing content and events.
Prohibited:
- Sharing or publishing of PII and P3 and P4 data elements.
School of Medicine Prohibited-Applications
The following applications have been reviewed and are prohibited from use at SOM. Alternative products are referenced under each application below. For any questions or updates, please engage SOM IT Security: info-security@medsch.ucr.edu
Dropbox
- Cloud storage and file hosting service.
- Dropbox should not be used to back up any UC data. Users must use a campus-approved storage vendor such as OneDrive or Google Drive.
Survey Monkey
- Allows users to create and distribute surveys and collect data for analysis and research.
- Users should use Qualtrics, as an active agreement has been established.
Frequently Asked Questions
- Why do I not see an application my department uses?
This list has just been implemented as of 2024. Our team is currently evaluating applications that meet the criteria to be on the approved list. We will continue to add applications as they meet the criteria to be on the approved list.
- How do I get applications on the approved list?
During the procurement process, we evaluate items that meet the requirements for being on this list. We will continue to monitor and evaluate items as they are submitted to us for review. However, during your next renewal, you may request that we evaluate the application for addition to the SOM Security approved list.
- Will items be removed from this list?
Pre-approved applications may be removed based on vendors’ security posture, lack of engagement with UCR SOM, or other unforeseen circumstances. Additionally, each vendor/software on this list must have a current full assessment on file. If the assessment becomes outdated, we will need to reassess to keep the vendor current on the list.
- How does the pre-approved list make the security review faster?
Pre-approved requests do not require a full intake review, only a quick review of Intake Form B to ensure the product is used in the approved data classification level. Therefore, the request will move faster through the security process only. (It is important to note there are additional procurement steps outside the security review. For additional information, please review the Procurement Steps & Responsibilities.)
- What if I have additional questions?
Additional information can be found on the SOM IT Procurement Process page, or by contacting SOM IT Security: Info-security@medsch.ucr.edu
Resources
- Procurement Process - https://somit.ucr.edu/it-procurement
- Vendor Security Risk Management Policy - https://somcompliance.ucr.edu/sites/default/files/2022-05/950-02-208_vendor_security_risk_management.pdf
- Procurement Steps & Responsibilities - https://somit.ucr.edu/it-procurement#step-1-requestor
- SOM IT Security – Info-security@medsch.ucr.edu