
Quick Links: Emory Service Dashboard | Internal-facing Service Review Process | Public-facing Service Review Process | Vendor-provided Service Review Process

Draft Policy for Emory Internal-facing ESB, Web, and FHIR Services (draft, not yet adopted)

In order to implement integration services in a consistent and secure manner, with proper authorization and controls from data custodians, Emory requires a review of all new internal web or ESB services and events at Emory (developed at Emory or vended) prior to publication to end users for production use. Additionally, Emory requires a review of any new consumers of web or ESB services and events prior to authorizing production use. Internal ESB or web services are those intended for use by Emory people, Emory affiliates, and Emory applications only, and not by external entities or the general public. This process is initiated by LITS in consultation with Legal Counsel and the Emory Healthcare and Emory University Compliance Officers. To begin this process, please visit the Emory Review Process for Internal-facing ESB, Web, and FHIR Services. While internally published web and ESB services do not have the same security and compliance requirements as publicly published services, internal web and ESB services have many of the same custodial, legal, compliance, and security implications. For this reason, Emory must perform technical, compliance, regulatory, and security reviews for internal ESB and web services, and must also perform a data custodian review to obtain a data release specific to the proposed use. ESB and web services may be published internally to a limited user base for development and testing purposes prior to this review, but the reviews must be completed satisfactorily prior to publishing services and events for production use.

Emory requires that all web and ESB services developed at Emory be listed in the Emory ESB and Web Service Registry and appear in the Emory ESB and Web Service Dashboard. This practice helps ensure that Emory can track ESB and web service usage, implement proper authorization and other controls specified by the data custodian, manage application updates, and otherwise support and secure the services. Emory must also determine if the ESB or web services collect, transmit, or store any sensitive data and, if so, ensure that Emory's FERPA, HIPAA, PCI, or other appropriate compliance obligations are met. Some vended web services such as those provided by cloud and software-as-a-service providers may require publication by the vendor. Such services are subject to the Policy for Services and Events Published by Other Entities and Consumed by Emory.

Draft Policy for Emory External-facing ESB, Web, and FHIR Services (draft, not yet adopted)

Emory requires a review of all ESB and web services and events developed at Emory prior to exposing them to external entities or the general public over the internet. This process is initiated by LITS in consultation with Legal Counsel and the Emory Healthcare and Emory University Compliance Officers. To begin the process, please visit the Emory Review Process for External-facing ESB, Web, and FHIR Services. All ESB and web services bound for external publication should first complete the internal review process, which identifies the data custodian and obtains proper release, with any specific controls, from the data custodian. Prior to external publication, the service must be reviewed by data custodians and assessed by Compliance and Information Security for any vulnerabilities specific to general availability on the internet.
 
Emory must also determine if the ESB or web services collect, transmit, or store any sensitive data and, if so, ensure that Emory's FERPA, HIPAA, PCI, or other appropriate compliance obligations are met. Publication of web or ESB services to any external (non-Emory affiliated) entities without completing Emory's service review process is prohibited.

Draft Policy for Vendor- or Partner-provided ESB and Web Services (draft, not yet adopted)

Emory requires a review of all ESB and web services used for purposes subject to Emory policy and regulatory compliance. These purposes include the acquisition, storage, and transmission of data that is subject to Emory compliance policies, such as student information, employee data, and protected health information. ESB and web services developed at Emory are already covered under the internal and external publication review policies. This process applies specifically to ESB and web services available from vendors and software-as-a-service providers (referred to here as vendor-provided services).

Emory requires that all vendor-provided services that are intended to acquire, store, or transmit sensitive information be reviewed for suitability and compliance by the appropriate Compliance Officer and Information Security. Emory must also determine if the ESB or web services collect, transmit, or store any sensitive data and, if so, ensure that Emory's FERPA, HIPAA, PCI, or other appropriate compliance obligations are met. Once approved, all vendor-provided services will be listed in the Emory Web Service Registry along with a description of their approved use and, where appropriate, prohibited uses. To begin this process, visit the Emory Review Process for Vendor- or Partner-provided ESB, Web, or FHIR Services.

Processes

The processes for ESB and web service review and distribution at Emory address the requirements for internal publication, external publication, and vendor-provided service consumption. Detailed descriptions of these processes are at:
