Over the past 4 months, ACE IoT’s data acquisition technology has been successfully deployed in a growing number of hospitals and institutions of higher education. In fact, we can report – proudly- that ACE IoT’s Managed Cloud Platform now delivers into SkySpark more than 1 million data points from hospitals. To deploy our edge gateways in these institutional networks, ACE IoT completed vetting processes that included meeting with each institution and having them evaluate our systems and the cybersecurity mitigation we have in place. For one of the deployments, we were asked to complete standardized cybersecurity review known as the HECVAT.
Since completing the HECVAT, we have since shared our completed HECVAT with other institutions where we will deploy—whether they have required it or not! In this blog post, we’ll discuss the value of have an approved data acquisition gateway on the network, we’ll nerd-out about the HECVATi and illustrate why we think a standardized cybersecurity review will help accelerate the deployment of innovative smart technologies in buildings.
What Is HECVAT and Why Is It Important? The HECVAT (Higher Education Community Vendor Assessment Toolkit) is a framework designed to help higher education institutions, hospitals and other institutions assess and evaluate third-party vendors that provide information technology services, such as the building data monitoring solutions we offer at ACE IoT Solutions. So far, about 150+ colleges, universities and hospitals use HECVAT. One reason is that the framework provides a set of standard criteria and questions to consider when evaluating a vendor’s security and privacy practices, as well as other important factors such as reliability, data ownership, and vendor support.
When selecting a vendor in the building data monitoring space, for example, it is crucial to consider factors such as the vendor’s ability to collect, store, and analyze data securely, their compliance with relevant data privacy laws and regulations, and their ability to provide reliable and accurate data. By using HECVAT to evaluate potential vendors, higher education institutions can ensure that they are selecting one that meets their specific needs and has the necessary security and privacy safeguards in place to protect their data. This can help to mitigate risks associated with data breaches, data loss, or other security incidents.
Why We Share Our Completed HECVAT Form (even when it is not required)
There are several reasons why the completed HECVAT has value for ACE IoT, including:
• It offers a comprehensive review: The HECVAT (Lite) weighs-in at 112 questions. We think the completed HECVAT provides a comprehensive snapshot of ACE IoT’s systems, our edge gateway and the cybersecurity mitigations we have in place.
• It offers great time savings: A institutional cybersecurity review can take several hours to complete. The institutional reviews generally solicit the same information, but they pose questions differently. We provide the completed HECVAT Lite (version 3.04) with the hope that the completed document will address the vast majority of institutions cybersecurity questions and that remaining questions can be addressed in a meeting or a follow-up submittal. This saves ACE IoT time but using the HECVAT should also save institutions time in terms of doing any due diligence on data vendors.
• It is standardized: We are excited to share the word about the HECVAT as a standardized cybersecurity review. With more and more institutions adopting the HECVAT or similar standardized cybersecurity reviews, we think the result will be better security on OT networks and fewer cyber-security-review-related delays in data acquisition, data analytics and data-enabled retro-commissioning projects.
Convergence of IT + OT Network Management
If our experience deploying data acquisition solutions in hospitals are any indication of the future direction of smart buildings, we should expect more and more organizations will move away from VPN access to their OT networks. Indeed, we see a lot of companies converging the management of IT and OT networks; more and more, we are deploying directly to institutional network environments where the enterprise IT team is responsible for network segmentation and advanced application layer firewalls for both IT and OT networks.
Whereas negotiating a secure site-to-site VPN can be complicated (to say the least), approving a secure gateway for deployment on a segmented network is much more a no-brainer. For this reason, we expect more of our customers will be asking to conduct cybersecurity reviews of ACE IoT’s edge gateway. And by employing HECVAT or another standardized evaluation framework, these institutions will not only save time on their end (no need to recreate the wheel after all), but also get answers from vendors like us more quickly. That’s a huge step for everyone who seeks to advance the deployment of secure and innovative smart building tools and technologies.
About ACE IoT Solutions. At ACE IoT, we act as data plumbers for buildings, providing an end-to-end solution delivering key data directly to our clients’ preferred data analytics system or data lake. We use open-source software tools to establish independent Data Layers (IDLs) in buildings and we do not charge for data on a per-point basis. We aim to resolve for our clients their data acquisition headaches. Please contact Bill Maguire (bill@aceiotsolutions.com) for additional information about ACE IoT and the support we provide our customers.
Please follow ACE IoT on our LinkedIn page.