ADDENDUM #1 REQUEST FOR PROPOSALS

Transcription

1 ADDENDUM #1 REQUEST FOR PROPOSALS HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services TO: FROM: CLOSING DATE: SUBJECT: All Potential Responders Angie Williams, RFP Coordinator September 24, 2015 at 3:00PM (UNCHANGED) HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services DATE: September 4, 2015 Proposers Questions and Answers Question #1: May I respond to the RFP noting this Partner (sub-contractor) in my response? A: Yes. Question #2: If allowed to respond with a sub-contractor, will we automatically receive less points than a company who has in-house PEN testers or will the Evaluator rate our response equally / without prejudice as compared to the other respondents? A: You will be evaluated equally whether subcontracting or having testers in-house. Question #3: To price a PEN test I ll need some more information about number of IP addresses, etc. Typically we scope the environment via phone conference. May I set up a time with you to discuss (scope) the PEN testing requirements or do you prefer I send you a list of questions via ? A: There are 30 IP addresses for penetration testing. There will not be a phone conference. Bidder may submit written questions and comments until 3:00 p.m. Pacific Time by September 1, Question #4: Does each of the 17 departments/offices have their own set of HIPAA-related policies and procedures that would need to be reviewed OR are there overarching ones at the County level? A: Not all 17 departments deal with HIPAA data. There is an overarching policy for all departments and each department that deals with HIPAA data has department specific practices and procedures.. Question #5: How many business-side interviews does the County anticipate the consultant to be conducting for data gathering purposes?

2 A: At a minimum, anticipate 2 interviews per department/office. This could increase depending on the complexity and volume of the HIPAA data handled by the department/office. Question #6: How many IT staff does the County have and could you breakdown the IT Department by position/title? A: Number of IT staff is not relevant. The vendor will be working with 5 key IT staff members. Question #7: What is the total number of applications/systems that would need to be reviewed for possible HIPAA compliance? A: The Apparently Successful Proposer will work with each Office/Department to determine. Question #8: How many servers does the County have? (Please provide number of physical vs. virtual servers.) A: Not relevant. We have approximately 10 servers dealing with HIPAA data (most are virtual). Question #9: How many internal target systems are expected to be in-scope of the external penetration testing? A: 10. Question #10: How many external target systems are expected to be in-scope of the external penetration testing? A: 30. Question #11: Does the County desire to have wireless penetration testing performed? If yes, how many wireless network will be in-scope? A: No. Question #12: What is the total population of BAAs/agreements/contracts from which we could select a sample? A: Approximately 100 BAA s/agreements/contracts that have HIPAA related elements

3 Question #13: Is it expected that each department/office in scope will have a separate and distinct HIPAA Privacy and Security Rule Gap Analysis Report developed and applicable just to their business operations? A: One report addressing the County s overall HIPAA Program compliance with specifics for each department/office included. Question #14: Is a presentation to Commissioners or County management expected at the end of the engagement? If yes, how many presentation sessions need to be factored into our fee quote? A: There will likely be a single final presentation expected. Question #15: What is the number of users in the environment (employees, contractors, others, etc.)? A: Approximately Question #16: How large is the county government body? a. Is it centrally located or distributed? b. Do remote sites have an on-site IT support presence? A: Kitsap County consists of 10 elected offices and 10 departments. The Courthouse Campus is located on Division St. in Port Orchard, WA, however there are a few departments/offices located within the county. Most remote sites do not have IT support on-site. Question #17: List any key outsourced IT services or security services (e.g. data center hosting)? A: Baracuda cloud backups. Question #18: Are security policies and procedures defined and applicable across all locations, with little to no deviation from site-to-site? A: The Apparently Successful Proposer will work with each Office/Department to determine. Question #19: When was the last information security risk assessment completed? A: A basic security assessment was likely completed in 2003 when the HIPAA program was developed and implemented, however the use and management of ephi has significantly increased since this initial assessment. Question #20: Do you utilize Cloud services?

4 A: Yes. Question #21: Is there a dedicated Information Security team or resource(s)? A: No. Question #22: Which applications/information systems are in scope? A: The Apparently Successful Proposer will work with each Office/Department to determine. Question #23: Are all sites that will be assessed on the same network infrastructure? a. If not, how many sites are on their own infrastructure? b. Are the sites that are on separate networks governed by a different set of security policies and procedures? A: Yes and we are governed by the same security policies and procedures. Question #24: Are there any strict compliance or organizational deadlines for finalizing the risk assessment? A: No but we must complete this as soon as possible. Question #25: Has the County determined a budget for this project? If so, can it be shared? A: There has not been a budget determined. Question #26: Does the County desire regular status updates/reports for the duration of the project? If so, at what frequency (e.g., bi-weekly, monthly)? A: Yes, weekly. Question #27: Does the County have a preference for contracting a local firm for this work? If so, what weight will this have in the evaluation process? A: There is no local preference for the work. Question #28: Does the County desire that the selected consultant give and/or facilitate presentations during the project? If so, at what milestones and to what audiences?

5 A: Yes, weekly to project team and final management presentation. Question #29: Does the County require that proof of insurance be returned with the proposal, or would the County request this upon execution of a contract? A: Proof of insurance should be provided upon execution of a contract. Question #30: Does the County anticipate that the selected consultant will meet with County staff by functional area? If so, what are the functional areas and at what staff level does the County anticipate the consultant will conduct these meetings (e.g., County leadership, management)? A: Yes, department management and HIPAA Coordinators. Question #31: Does the County anticipate that any external or third-party stakeholder groups will take place in any of the requested interviews? A: Possibly. Question #32: Section II.F: Do the departments identified represent one physical location each? What is the distance from the most central location to the most outlying location? A: Most of the departments/offices are on the Courthouse Campus. The furthest remote location is 15 miles away. Question #33: Section III.A.7: How many third-party entities is the County sharing ephi with? A:. Estimate 30. Question #34: Section III.A.10: Please provide a definition of sampling or a range of how many County contracts are to be reviewed. A:. Estimate 100 contracts that have HIPAA Program components. Question #35: Section III.A.10: Are the contracts to be reviewed electronic, paper, or a combination? A:. Electronic. Question #36: Section III.B: Are the policies to be reviewed electronic, paper, or a combination?

6 A:. Electronic. Question #37: Section III.D: Please clarify the scope of the on-site validation of physical security controls. For example, are intrusion attempts required? A: An audit of required physical security requirements. Question #38: Do all systems that are in scope reside in a central location (i.e., Information Services Network Operating Center)? A: Yes. Question #39: To the extent that you are able, please provide a summary of the in-scope infrastructure and systems (e.g., number and types of systems, operating systems, databases, firewalls). A: Approximately 5 servers hosting HIPAA data, 30 servers for external penetration testing and 10 servers for internal penetration testing a. Mainly virtual servers b. Microsoft Server 2008 c. Checkpoint Firewalls. Question #40: Is there a centralized medical records department for the County s healthcare-related departments? A: Each Department/Office manages their records, however some may have access to a centralized system. The County also is self-insured for employee medical benefits and this is managed by the Human Resources Department. Question #41: Are the medical records electronic, paper, or a combination? A: Combination Question #42: Para II.F Facilities to be visited: Can you provide approximate distances between the various locations that are noted? A: See Question 32.

7 Question #43: Para III.A: Please define Branch/Program in your opening paragraph noting a written report of analysis findings for each branch/program? How many branch/programs exists and do you want a written report for each? A: Each of the 17 departments, although some may not deal with HIPAA. One report detailing the HIPAA Program overall with department/office specifics included. Question #44: Para III.A.6: Can you describe your expectations regarding to include the costs of failure related to privacy or security breaches and related public communication costs? Are you looking for more historical perspective within the industry, or types of costs vs. exact dollars? A: Costs related to breaches from an industry perspective. Question #45: Para III.E: HIPAA Security Risk Analysis As written, it appears that you expecting a single over-arching SRA for Kitsap County-held PHI, or are you expecting multiple reports by a Kitsap entity, or branch/program? If multiple, how many and what is the determination. A: See Question 13. Question #46: Para III.F: Internal Penetration Test a. How many total devices will need to be assessed? b. How many offices will need to be assessed? c. Are all the offices connected to each other, meaning can we conduct the penetration test from one physical location and "see" all the devices at the other offices that are in scope? A: 10, see RFP document for listing of departments to be assessed, all of our offices are on the same network. Question #47: Para III.G: External Penetration Test a. How many total systems will need to be assessed? b. Are any of these systems hosted by a cloud provider? A: See Question 3, see Question 17. Question #48: Appendix A, Sect 4 Compensation references Exhibit B for Contractor Compensation. For purposes of this RFP, we have assumed that Exhibit B is for the final agreement and that our price proposal is not required to be in this format (refer to Para VI.5 (a), (b), and (c)). If a specific pricing format is required, please provide? A: Yes, there is no specific format required.

8 Question #49: The scope of work section of the RFP indicates Kitsap County offices and departments must be visited to perform the assessment. How many such offices and departments and locations are in scope? A: See Question 32. Question #50: The RFP describes the following deliverables including: a. Gap analysis to HIPAA Security and Privacy requirements, b. HIPAA Privacy and Security policy development, c. Training program development, a risk analysis, d. Internal penetration test, e. External penetration test, f. Onsite validation of physical security control Is there a specific order desired for these activities? A: No specific order Question #51: Is the training program to be developed, as well as, implemented? How many training sessions may be required as a part of this engagement? Is there a desired medium for training such as web training or web sessions or classroom training? A: Develop the training program, preferably web based, to allow for internal implementation and oversight. Question #52: The RFP lists a requirement to identify gaps in compliance with WA state privacy and security regulations and confidentiality statutes. Are there specific regulations and statutes in mind? A: Other privacy and security requirements such as RCW or RCW as applicable Question #53: The scope and deliverables section requires an onsite visit of all involved branches/programs/ offices. How many such facilities and locations are there? Are they similarly configured and is it acceptable to select a representative sample of such locations for site visits? A: See Question 32. Question #54: List PHYSICAL locations where ephi is created, received, maintained or transmitted, including locations of:

9 a. IT equipment / Data Center(s) b. IT equipment / Third-party service providers c. Backup or failover site(s) d. Media storage onsite e. Media storage offsite? A: Data Center, CenCom Building and Barracuda Cloud Storage. Question #55: List the NUMBER and PHYSICAL locations of IT personnel, including contractors, who support the ephi environment: a. Application Support / Business Analysts b. System Administrators / Engineers c. Network Administrators / Engineers d. Data Base Administrators e. Application Developers / Testers f. Others? A: All IT personnel are located on the Courthouse Campus The Total IT staff supporting ephi is approximately 5. Question #56: Please identify third-party organizations engaged to support the ephi environment and explain their support role(s)? A: The Apparently Successful Proposer will work with each Office/Department to determine. Question #57: Can third-party organizations which provide IT applications or infrastructure services to your Organization provide an external auditor s report concerning the design and operating effectiveness of the control environment? A: The Apparently Successful Proposer will work with each Office/Department to determine. Question #58: Describe your Organization s IT security compliance efforts to-date in terms of the following: a. Privacy and security officers identified? b. HIPAA / HITECH security policies in place? c. IT / ephi environment risk analysis performed?

10 d. Accurate and up-to-date ephi inventory? e. IT security compliance assessment performed? f. Remediation plan developed and progressing? g. Business Continuity Plan / Disaster Recovery Plan? h. Business Associate compliance management? A: Each department has designated privacy and security officers. These department officers would ensure security policies, inventory, and compliance assessments are conducted. The County s IS department maintains a General Business Continuity/Disaster Recovery Plan, however this is not necessarily specific to HIPAA data. Business Associate compliance is a department/office function. Question #59: Describe any technical testing performed, how frequently, and any scope limitations. a. External vulnerability scans or assessments? b. Internal vulnerability scans or assessments? c. Penetration testing? d. Third party assessments or testing? A: No testing has been performed recently. Question #60: Please describe your ephi environment in terms of the technologies in use, including: a. Perimeter security and protection b. Domain / LDAP architecture c. Virtualization d. Operating systems e. Database management systems f. Encryption of ephi at rest g. Encryption of ephi in transit h. Audit trails and logs? A: A-G IS Department has security systems in place. The intent of this consult is to determine whether the systems in place are sufficient and appropriate. H Each Department/Office maintains an audit trail and log. Question #61: Please describe any use of network segmentation to limit access to sensitive data.

11 A: There are none. We use Active Directory rights. Question #62: Are IT services centralized in one place and managed by a central department? A: Yes. Question #63: If IT services are distributed, please provide a brief description of how it is managed. A: N/A. Question #64: Please quantify the number of application, database, file, web, and other servers used to store, process, or transmit ephi. A: 5. Question #65: Please describe your ephi environment in terms of the applications in use, including: a. ephi Applications Overall (Note the approximate number of ephi applications and comment on whether a list of these applications exists.) b. ephi Applications Desired in Scope (Note the number of ephi applications which should be within the scope of services and list them below.)? A: Each department/office accesses specific applications. This will be determined during the consult. Question #66: Specify the number of business lines and/or business process areas which create, receive, maintain or transmit ephi. (Note: This drives the potential number of business process subject matter expert interviews and/or questionnaires.) A:. Approximately 10 department/offices Question #67: Number of external IP addresses (internet-facing, publicly routable)? A: 30. Question #68: Number of internal IP addresses? A: 10.

12 Question #69: Does any technical testing (e.g., automated scans) need to be performed outside of normal business hours (8 am to 6 pm Monday through Friday)? A: No. Question #70: Can internal network technical testing be performed remotely via a VPN connection or must it occur physically onsite? A: On-site. Question #71: How do the remote locations connect to each other? A: All on our network (LAN/WAN). Question #72: How many applications are in scope? A: See Question 7. Question #73: Is the desired testing blackbox? A: No.