Department of Children and Families (DCF) Request for Information (RFQ) #01U013DS1 HIPAA Compliance Review DCF Answers to Vendor Questions

Transcription

1 Department of Children and Families (DCF) Request for Information (RFQ) #01U013DS1 HIPAA Compliance Review s to Vendor Questions Questions as Submitted by Vendors (Duplicates omitted) 1. Have controls been designed at a DCF level and DCF Headquarters specifies most propagated to the regions/facilities/offices or are the controls for Regions and some parts of respective entities (regional offices/facilities, divisions, the hospitals and treatment facilities. etc.) within DCF responsible for designing their own controls? 2. Can you explain why the 5 locations of 125? We need on site visits for the 5 locations only at this time. We may visit the other locations depending on cost and budget in future projects. 3. How can separate reports/deliverables be created for the 11 locations when visits are limited to the 5 noted in the RFP? Are these additional 6 locations (regional offices) that require a deliverable, co located within the 5 locations included in scope? 4. Is their information technology assets that store/transmit data within scope at each of the 5 locations outlined in the RFP or are all of these technology assets centralized? 5. Is PHI stored on workstations within the various locations or only in central servers? 6. You have identified 159 applications that store PHI are you confident these are the only applications and will the scope be limited to the 159 App? 7. What platform do these apps run on (open source servers, mainframe)? Are they hosted on the 130 servers in scope? Are you aware in some of these serves are merely file/print servers that do not need to be evaluated for HIPAA compliance? 8. What is the platform of the 130 servers (Windows, UNIX, Linux, etc.)? 9. Why are HIPAA Privacy and HITECH breach notifications not included in this procurement? 10. Would DCF internal audit resources be available to work with our team for field work in an effort to reduce the cost of this project? 1 See the answer to #1 above and #23 below. Assessment of the Regions controls that are not centralized (e.g., physical security) can be conducted through , phone interviews, and means other than travel. All IT assets in each of the 5 locations are in the scope of the RFQ. It is the Department policy that ephi should only be stored on servers. Yes, the scope will be limited to the 159 applications. Applications run on all of the open source servers and mainframe. Approximately 25% of the 130 are print servers and can be excluded. The servers run on Windows, UNIX, or Linux. Human Resources Office of Civil Rights is responsible for assessing HIPAA privacy compliance and breach notifications. This procurement covers the HIPAA Security Rule only. Yes.

2 11. Could the Department give a one calendar week extension for submitting the proposals (i.e. May 14, 2013 instead of May 7, 2013)? 12. Does the Department have a not to exceed budget allocated for this project? 13. Are there any time constraints in terms of when the Department needs the final report(s) / deliverables outlined in the RFQ? 14. Based on our understanding of the scope of work, it is anticipated that with a project start date in June, the project would run through September. Does this anticipated end date present any conflicts for the Department? 15. The RFQ states 3. Validate that vulnerabilities and risks identified have been sufficiently mitigated. As some risks may take an extended period of time to be sufficiently mitigated, can you please clarify the Department s intent with regard to this provision? 16. Is there a weighting system for each category of the RFP? 17. Does the vendor have to be registered with MyFlorida to respond to the RFP? 18. What is the anticipated period of performance post award? 19. What is the opening and closing timeline for RFP submission? The Advertisement Detail ( _ad?advertisement_key_num= ) states that: Request for Information will be opened at the below address at 02:00 P.M., May 07, In contrast, page 12 of the RFQ states, Electronic responses are due to the Office of Information Systems Procurement Office no later than May 7, 2013 by 2pm ET. The Department has extended the due date for quotes to May 14, Please indicate what your company can complete by June 30, Any deliverables delivered after June 30, 2013 will be contingent on the availability of funding in fiscal year 2013/2014. The project should be completed by June 30, Please indicate what you can complete by June 30, Any deliverables delivered after June 30, 2013 will be contingent on the availability of funding in fiscal year 2013/2014. The Department is requesting that respondents provide a suggested solution or plan with an explanation of how the solution will mitigate the vulnerabilities and risks. Yes. The project should be completed by June 30, Any deliverables delivered after June 30, 2013 will be contingent on the availability of funding in fiscal year 2013/2014. Please indicate what you can complete by June 30, Quotes can be submitted until May 14, 2013 by 2:00 p.m. 2

3 20. Page 3 of the RFQ shows item 5 in the top chart, Vendor Presentation May 8, 2013: Is this an onsite presentation? o If so, what is the presentation location, time and time allocation? Will vendors be notified that they will have the opportunity to present? or Are all vendors allowed to present? 21. Please further define the requirements to perform a full HIPAA controls gap analysis. Page 2 of the RFQ details that the purpose is to, perform a Security Risk Analysis (RA) as defined in the HIPAA Security Rule 45 CFR (a) (1) (A). In contrast, the RFQ extends the purpose into a full controls gap analysis (RFQ page 5). However, 45 CFR (a) (8) is generally considered the Evaluation for accessing technical and nontechnical gaps in controls and would be referenced during the Risk Analysis. 22. Will there be a follow on scoping activity to determine the fix price cost of the remediation validation activities once the initial assessment has been performed? Referencing the requirements to validate all remediation activities (RFQ pages 10 11), there appears as two different RFQ s: 1. Assess and recommend, 2. Manage remediation efforts. 23. Please clarify the site visitation requirements as referenced in RFQ page 6 contrasted against RFQ pages 10 through 11. RFQ page 6 details 5 sites to visit RFQ page 10 has 5 sites and page 11 shows 6 regions to physically assess Yes, presentations will be on site at: DCF 1940 North Monroe St. Suite 80 Tallahassee, FL The exact time will be determined later. All responding state term contract vendors will be asked to present and will be allowed one hour per presentation. We require a HIPAA Security Rule risk analysis as outlined in the RFQ. No, there will not be a follow on scoping activity. We will manage remediation efforts. You will only be required to visit 5 locations. Systems used by the regions are located in Tallahassee. Addresses for the 5 locations are: Northwood 1940 North Monroe Street Tallahassee, FL Winewood 1317 Winewood Boulevard Tallahassee, FL Florida State Hospital 100 North Main Street Chattahoochee, FL

4 Northeast Florida State Hospital 7487 Florida 121 Macclenny, FL Are there predefined Rules of Engagement and a predefined tool set for the electronic assessment and social engineering activities? 25. Will there be a State senior level project sponsor assigned to the project? 26. What is the Department of Management Services (DMS) State Term Contract, IT Consulting Services numbered using vendors and services as defined in Project Area 1, Analysis and Design? Does the vendor need to be on this contract vehicle to submit a quote? 27. When was the last HIPAA assessment completed for the DCF, who completed the assessment, and what was the cost of the assessment, and was the scope of the previous assessment larger or smaller than the scope of this RFQ? 28. The RFQ does not highlight the need to perform an assessment of procedures to address the requirements for breach notifications. Does this assessment include only the safeguards identified from the final HIPAA Security Rule and not other regulations (HIPAA Privacy, HIPAA HITECH Act, state regulations, etc.)? 29. Is IT centralized or decentralized for the core IT processes used across the stated physical locations? (i.e. change management, user administration, SDLC, patching, incident response, etc.). 30. Have the stated 159 applications which contain ephi been risk ranked as part of the inventory? 31. Are the computing resources that host the applications which contain ephi within data center facilities operated and managed by the Department of Children and Families or are any portion of these hosted and/or managed by third party service providers? 32. How many of the 159 applications which contain ephi are custom developed / In house developed software? North Florida Evaluation and Treatment Center 1200 N.E. 55th Blvd Gainesville, FL Yes, Art Harwood is assigned to the project. Yes. The Department has not completed a prior HIPAA assessment. This RFQ covers only the HIPAA Security Rule Risk Analysis requirements. Please see #9 above. Most of the core IT processes are centralized across physical locations. Most applications are hosted in a State of Florida data center. Some hospital applications run on systems located at the hospitals. Most of the 159 applications were developed by DCF. 4

5 33. When was the last time DCF performed an IT Security Risk Assessment? 34. What firm (or individual) performed the last IT Security Risk Assessment? 35. For the sake of the vendor objectivity evaluation criteria, will vendors who have performed security risk assessments for DCF in the past be excluded from this bid? 36. What budget (amount or range) has DCF allocated to this initiative? 37. Is it DCF s intention to have the entire scope of this RFQ performed by the selected vendor or only certain portions or regions? 38. With respect to the Scope of Work: (a) Is the Project Plan requested related to only the HIPAA risk assessment engagement or is the project plan for the entire Risk Management program within scope? (b) DCF is requesting that the vendor validate that vulnerabilities and risks found during this risk assessment have been sufficiently mitigated. How would DCF prefer the successful vendor to address the validation that the mitigation efforts are sufficiently addressed for yet to be defined vulnerabilities and risks: 1. Follow up assessment? 2. Validating DCFs planned mitigations meet the acceptable risk tolerance of the organization? 3. Other approach? (please describe) (c) Does DCF anticipate that the requested validation effort be a full reassessment of the environment or merely an assessment of the previous findings? 1. What specific activities are within scope for social engineering? 2. Phishing 3. Trusted agent impersonation 4. Phone impersonation 5. Physical access control vulnerability and penetration assessment 6. Malware penetration 7. Media based (USBs, CDs, etc.) (d) How will DCF evaluate vendor objectivity as stated in the award criteria? (e) To what extent are the HIPAA standards, policies and procedures standardized throughout DCF s 5 offices and Ernst & Young performed a security risk assessment in See the answer to question # 33. Please provide us with the cost for your company to complete the services. The selected vendor will perform all or part of the scope depending on the specifics of the selected proposal, time and budget. (a) The requested project plan is for a HIPAA Security Rule Risk Analysis only. (b) Please provide DCF with a mitigation recommendation for the vulnerabilities and risks found during the assessment. No follow up assessment is required by this RFQ. (c) The validation effort is merely a recommendation and rationale for the recommendation. For the purpose of this RFQ, no reassessment is required. (d) DCF will make a decision based on the amended selection criteria outlined in the RFQ. (e) All Regions and internal offices are required to follow DCF policy, standards and procedures regarding HIPAA. (f) Yes, assets in the NSRC are in the scope of the RFQ. (g) No previous assessments have been completed. (h) Same as above. 5

6 6 regions and county based offices? (f) Does the scope of this engagement include assets that may reside in the Northwood Shared Resource Center (NSRC)? (g) Did the previous assessment(s) include sampling? (h) Did the previous assessment(s) include the regions as well as the central offices? 39. Are the "Number of Applications that Store ephi" internal or external facing applications? 40. What types and how many of Social Engineering tests should be performed: (a) Remote 1. Phishing Campaigns 2. Phone Call Campaigns (b) Physical 1. On location human testing 2. Physical red team assessments (break in and lock picking) 41. The reference to "Number of Public Facing IP addresses in Use" is two. Will there only be two external facing IP addresses scoped for the external penetration testing effort? 42. How many fully qualified domain names will be included in the external penetration test? 43. We noted the RFP states that there are approximately 159 total applications that store ephi: (a) Is it acceptable to take a risk based approach and sample key applications against applicable technical HIPAA requirements? To assess all 159 may be cost prohibitive without providing commensurate value. (b) If so, what is the total number of applications that should be assessed? Most applications are accessed internally via the network or VPN. There are a few external facing applications. The Department is relying on the vendor to identify and quote what is required for a HIPAA compliance review. Yes, there are two public facing IP addresses in the scope for this test. Two domain names are in the external penetration test. (a) No, the cost for assessing all applications should be provided by location. (b) Same as above. 6