HIPAA SECURITY RISK ANALYSIS FORMAL RFP


ADDENDUM NUMBER: (2)
August 1, 2012

THIS ADDENDUM IS ISSUED PRIOR TO THE ACCEPTANCE OF THE FORMAL RFPS. THE FOLLOWING CLARIFICATIONS, AMENDMENTS, ADDITIONS, DELETIONS, REVISIONS, AND MODIFICATIONS FORM A PART OF THE CONTRACT DOCUMENTS ONLY IN THE MANNER AND TO THE EXTENT STATED.

Please note the following clarifications:

1. In reference to Addendum #1, please note that Broward Health will not require the successful Contractor to include 10% Diverse Subcontracting in their response to this RFP. However, if the RFP respondent chooses to offer subcontracting in their proposal, then this vendor subcontracting solution shall be evaluated based upon all appropriate documentation included in the Contractor's response. Broward Health will not necessarily reject any proposal to this RFP should the respondent choose to subcontract for this engagement.

2. Does this RFP ask us to perform a broad-based HIPAA risk assessment or conduct an OCR mock audit?
    As stated in the RFP, a HIPAA Risk Analysis. Broward Health is not requesting a mock audit; however, the OCR Guidelines should be followed to complete the required Risk Analysis.

2. Has a risk assessment been performed to date? If not, how have the controls been implemented and scoped to meet the safeguards and implementation specifications?

3. Does a current HIPAA program exist? How many resources are devoted to HIPAA? Where does the responsibility lie for HIPAA? Have the HIPAA controls been tested in the past?
    Yes, Broward Health has a seasoned HIPAA program. Broward Health has 2 employees in the Corporate Compliance Department responsible for HIPAA compliance. Yes, controls have been tested.

4. What will this report be used for?
    Yearly Risk Analysis as per the OCR Guidelines.

5. Has Broward Health been notified of an upcoming OCR audit?

6. Are the HIPAA controls centralized or distributed over the Broward Health environment?
    Centralized

7. Are processes and systems consistent across all of Broward Health's operations?
    Processes, yes; systems can vary.

8. Does Broward Health have a defined time frame for execution of the assessment and presentation of deliverable reports?
    As stated in the RFP, Broward Health is looking at an aggressive timeline and would start this project upon award and contract completion.

9. What are the key IT risks/concerns that Broward Health is currently facing?
    Broward Health is constantly monitoring, and remediation is a continuous process.

10. Does Broward Health expect any significant change in operations/information technology in the upcoming future that would impact our approach?

11. Is IT centralized with respect to core processes (change management, software development, application/system support) across the 112 applications, or is it decentralized?
    Centralized

12. Are the business processes or formalized policies at hospitals, clinics and doctors' offices aligned across all facilities, or does each facility have separate processes and policies?
    Aligned

13. Please describe the level of centralization of key processes such as patient or non-patient billing.
    Billing is centralized for the hospitals, clinics and employed physician offices; one home health care site has individualized billing.

14. Are all 112 applications in scope, or are we looking at the top number based on the risk assessment of the 112? Is a risk-based sampling approach acceptable?
    All PHI-associated applications are in scope. Broward Health has requested the vendor provide a solution to the approach being proposed that will align with the regulations.

15. Is there a mapping of applications to facilities? Or do all 112 applications apply to all facilities?
    All

16. What is the breakdown of the 112 applications between packaged/purchased applications vs. in-house developed?
    Approximately 80% vendor, 20% in-house

17. What steps have you taken so far to address the Privacy and Security Rules, including the Breach Notification Process?
    This area is covered within our Corporate Compliance Department and upon award of the contract will be discussed in detail.

18. Please briefly describe how your organization achieves a culture of compliance.
    This area is covered within our Corporate Compliance Department and upon award of the contract will be discussed in detail.

19. Were any unresolved findings related to HIPAA compliance identified in previous financial audits or risk assessments?

20. Will there be a compliance officer and department providing coordination for the engagement?
    All coordination of Broward Health's resources will be the Healthcare Information Security Administrator's responsibility. All necessary resources will be available, scheduled and engaged to create a successful engagement.

21. Please describe any recent or planned IT system or other process changes that would affect HIPAA compliance.

22. Would all locations and practices be considered in scope, or would a test sample of the locations be expected?
    As stated in the RFP, vendor should provide a recommendation in the solution being submitted.

23. External IT infrastructure:
    a. How many websites are running from Broward Health's infrastructure?
        Three (3)
    b. Please describe the Internet-facing systems/applications run by Broward Health that are hosted on in-house systems.
        Outward-facing portals.
    c. Please describe any in-house managed, Internet-facing systems that are conducting some form of e-commerce.
    d. Please describe any in-house managed, Internet-facing systems that are providing access to some form of EPHI.
    e. Please describe each form of remote access provided to staff, IT, and/or vendors.
        Provided in RFP
    f. Are there any hosted applications (not on Broward Health infrastructure) that should be considered in scope for this assessment?
        Provided in RFP

24. Please list the number of Active Directory domains in operation.
    Provided in RFP

25. Please describe any (centralized) authentication mechanisms in place.
    Microsoft AD

26. Please describe the number of in-house servers, including their operating systems.
    Microsoft / count provided in RFP

27. How many are virtualized?
    Approximately

28. What is the virtualization technology in use?
    VMware

29. Does Broward Health have an accurate, up-to-date inventory of which servers contain PHI?

30. Is any of the sensitive data contained on workstations/laptops/mobile devices?
    These devices are included in scope.

32. Does Broward Health allow staff to use personally owned devices (laptops, tablets, smart phones) to access Broward Health resources?
    Yes, through VPN

33. Has Broward Health adopted a governance framework (i.e. COBIT, ISO, etc.)?

34. Does the scope include printed documents as well as electronic data?
    Yes, as stated in the RFP, all forms of media.

35. What third-party service providers are currently being utilized by Broward Health from an IT perspective? Infrastructure-only providers? Data storage/processing/management providers?

36. Has Broward Health made a determination as to whether it needs to be PCI-DSS compliant?
    Not requested in scope of this RFP.
    a. If yes, how long has Broward Health been engaged in PCI compliance activities?
    b. What portion/percentage of the infrastructure is in scope for PCI compliance?

37. Is there a pre-established budget for this project? Could Broward Health provide the budget figure?
    Broward Health has the proper budget for this project; Broward Health will review the vendor RFP for value added and savings.

38. Is this the first time that Broward Health will contract a vendor for a project with this (or similar) scope? If no, could you please name the previous successful contractor and the amount of the last successful bid?
    Broward Health is performing this project based on the new HITECH/HIPAA requirements.

39. Further, if there is an incumbent, what is the reason that Broward Health is looking to contract a new vendor for this requirement (e.g. poor performance by previous vendor, conflict of interest issues, etc.)?

40. Please provide a high-level overview of the entire technical environment in scope. Please elaborate on the various platforms (operating system names, database names, software names, etc.) employed in the Broward Health environment.
    Broward Health has included a High Level Overview in the current RFP and addendums.

41. Please describe how comprehensive the security policies and procedures documentation to be reviewed is (number of policies, number of procedures, number of pages per policy/procedure, etc.).
    Broward Health has approximately 50 policies for review; in addition, Broward Health would expect the Analysis to determine any weaknesses or improvements that could be made in the security policies, to be included in this analysis.

42. For server configuration reviews, while the RFP document provides the number of servers within scope, please provide the various operating system types (e.g. Windows, HP-UX, AS/400, etc.). Also, please include a high-level description of the purposes that the servers perform.
    Microsoft platform. Any server that contains EPHI should be considered clinical in nature and in scope.

43. For the Application Threats Assessment, please provide a high-level description of the applications in scope and their purpose. How many of these applications are web-based and how many internal? Also, is Broward Health also looking for a detailed application security assessment that includes intrusive hacking methods?
    Network Infrastructure (Penetration Testing) is excluded from this RFP as stated in the RFP, and the application security assessment should not include intrusive hacking methods. Applications in scope would be the applications pertaining to EPHI or as required in the HIPAA regulations, and should be evaluated based on risk and security.

44. For the interrogation of the Broward Health clinical hosted system connectivity, could Broward Health elaborate on what it is specifically looking for the vendor to do? Is it a combination of a network and application based penetration test?
    Broward Health is requesting that the clinical hosted systems be reviewed for best practice and identification of strengths and weaknesses in the security processes, and identification of any weaknesses and risks. Applications in scope would be the applications pertaining to EPHI or as required in the HIPAA regulations, and should be evaluated based on risk and security.

45. For the physical security reviews, could you please provide the number of locations within the scope of review and their physical proximity to each other (e.g. x locations within a y mile radius of each other).
    All locations are in Broward County, Florida, no more than 25 miles from the main headquarters, and are referred to in the RFP.

46. What level of overall sampling is acceptable to Broward Health? A percentage estimate (e.g. 10%, 15%, etc.) is what we are looking for at this time.
    Broward Health has requested the vendor provide a solution to the approach being proposed that will align with the regulations.

47. Our company is responding to the Broward Health HIPAA Security Risk Analysis RFP. We do not qualify as a "Certified Diverse Vendor"; however, the solicitation evaluation criteria provide for 10% of the allotted points for Diverse Vendor Participation. Broward Health also issued an addendum prohibiting the use of subcontractors.
    Please see answer to question #1.
    1. How can a non-certified Diverse Vendor respond with a potential of receiving more than 90% of the allotted points?
        Please read the RFP carefully and respond to the Diverse Participation questions. Points are awarded based upon Vendor response.
    2. Given that the use of subcontractors is disallowed, are we required to respond to Section IV?
        See answer #1. Subcontractors will be allowed for this engagement.

48. Please provide a copy of the Broward Health General Administration and Procedures Manual so we can review the travel reimbursement policy and ensure we can comply.

49. Broward Health indicates all EPHI to be included within the Risk Analysis portion of the assessment, including all storage mediums; are care devices (imaging, monitoring, diagnostic, etc.) included as well? If so, is the number included in or different from the provided number of applications and workstations?

50. Is a risk-based sampling approach acceptable when it comes to the 4 hospitals, 13 clinics, and 37 doctors' offices from an overall project perspective, including physical security, risk analysis, etc.?
    Broward Health has requested the vendor provide a solution to the approach being proposed that will align with the regulations.

51. In-depth penetration testing is noted as not in scope for this RFP; however, is a vulnerability scan/assessment considered an expected component?

52. Databases were not specifically listed under the Technical Safeguards area with the other security assessments; are database security reviews a desired component?
    Yes.

53. If so, provide database types and quantities considered in scope.
    Oracle, SQL and Access are to be considered in scope. Approximately

54. Is it appropriate to propose other technologies not specifically listed under the Technical Safeguards, such as mobile devices, architecture, etc., to be reviewed from a security perspective as well?
    Yes, Broward Health has requested the vendor provide a solution to the approach being proposed that will align with the regulations and provide the best value to Broward Health.

55. The RFP states "Guide Broward Health in conducting an inventory of protected health information (PHI); both electronic and non-electronic." Confirm whether this component is to assist with creation of a data inventory, or is there a completed inventory to rely upon and enhance?
    Broward Health has an inventory of EPHI and would want to review the inventory.

56. If creation of an inventory is required, provide a description of the organization structure, including estimated number of departments/units, number of employees to interview, or other pertinent information to help understand the effort to create a data inventory.

57. We understand the goals as noted to be evaluating the confidentiality, integrity and availability of EPHI, leveraging guidance of the OCR Risk Analysis and Audit Protocol. Are you looking for assessments for detailed evaluation of individual systems storing or transmitting EPHI (i.e. individual applications, databases, mobile devices, etc.) based upon risk?

58. Requesting a copy of the General Administration and Procedures Manual in effect to review expense policies.
    See Attachment

59. This is a substantial scope of work, and an aggressive timeline is mentioned. Can you please define "aggressive" in terms of this project (start date, length of project, etc.)?
    As stated in the RFP, Broward Health is looking at an aggressive timeline and would start this project upon award and contract process completion. Vendor is responsible to determine an aggressive timeline that will allow Broward Health to complete this project in a prompt manner.

60. A fixed price bid is required within Section IX. Is this fixed price for the first year of the three-year term, or all three years of the three-year term?
    First Year. The term of this Agreement shall be three years, unless otherwise agreed to in writing ("Initial Term"). Broward Health, in its sole discretion, may renew this Agreement for two (2) additional one (1) year terms upon giving Contractor written notice of its intent to renew at least ninety (90) days prior to the expiration of the current term ("Renewal Term"). Any Renewal Term shall be on the same terms and conditions of the Initial Term, including all payment and pricing provisions.

61. Briefly describe your timeline for implementation of EHR.
    Completed

62. The phrases "Security Risk Analysis" and "Vulnerability Assessment" appear to be used interchangeably in Section C: Scope of Work. Can you confirm that the phrase "Vulnerability Assessment" used in this section is synonymous with "Security Risk Analysis", and does not mean that vulnerability scans will be performed on systems in the environment?
    The Vulnerability Assessment in the context of a penetration-level test is excluded from this RFP. Assessments for detailed evaluation of individual systems storing or transmitting EPHI (i.e. individual applications, databases, mobile devices, etc.) based upon risk should be considered in scope.

63. Network penetration testing is not included in this scope of work. Should web application and/or physical penetration testing be considered? Should social engineering be considered?
    Vendor should in addition utilize the HIPAA Audit Program protocol recently established by OCR, providing a comprehensive audit protocol that contains the requirements to be assessed through the performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

64. What is the total number of assets to be included in the risk analysis?
    Refer to the RFP

65. Are both the physical and logical (databases, file shares, etc.) locations of EPHI documented?

66. Do documented data flows exist for how EPHI is transmitted or moved within Broward Health and to Broward Health's business associates?

67. Describe current security policies and procedures. If possible, provide an estimated page count of policies and procedures.
    Approximately 50 policies or 150 pages

68. Are there multiple IT departments or one central department? Are there multiple Information Security departments?
    One central IT; compliance and security are all located in one location.

69. Approximately how many individuals from Broward Health would be involved in being interviewed, relative to HIPAA controls?
    This would need to be determined and agreed upon based on the recommended solution.

70. It is understood that Penetration Testing is out of scope, but is basic External/Internal Vulnerability a part of the scope? If so, please provide the number of externally visible systems.

71. How many applications would be in scope for the item called "Application Threats Assessment"? Please describe.
    As stated in the RFP, (112) EPHI applications.

72. What are Broward's expectations and desired results for the Assessment, relative to HIPAA Privacy Rule compliance?
    Completion of a third-party Risk Analysis as required and within the HIPAA/HITECH regulations. Vendor should in addition utilize the HIPAA Audit Program protocol recently established by OCR, providing a comprehensive audit protocol that contains the requirements to be assessed through the performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

73. Does Broward expect the breach notification process assessment to include privacy breaches and notification requirements in its policies, to include key Privacy Rule tenets such as Impermissible Use, Disclosure, Exceptions to Notification, and Risk of Harm to affected individuals?
    Broward Health expects the OCR Audit Protocol and regulations to be followed.

74. What are Broward's expectations relative to legal requirements of the Assessment? Is legal review of Privacy Rule compliance, or other aspects of the assessment, considered a part of the intended scope?

75. For the specific area of Privacy, what is the scope of this initiative beyond what is covered in the OCR Audit Protocol?
    Broward Health expects the OCR Audit Protocol and regulations to be followed.

76. Based upon the clarification provided in Addendum 1, specific to sub-contracting, please clarify the language in regards to "There is NO Sub-contracting approved."
    See response to #1 of this addendum.

77. Specifically, does this language disqualify, or provide scoring penalties for, a vendor's inclusion of a sub-contractor as part of the proposed approach?
    See response to #1 of this addendum.

78. Does the phrase "There is no Sub-contracting approved" extend only to a vendor's eligibility for issuance of the 10 Diverse Vendor Enhancement Points, or shall it be construed to prohibit use of a sub-contractor (regardless of Diverse Vendor classification) by the proposed vendor?
    See response to #1 of this addendum.

79. For purposes of this RFP, does the joint partnership and proposal by two organizations constitute a vendor/sub-vendor relationship if both are equally and severally responsible for the delivery of services specified?
    A response shall be evaluated as a joint partnership only if that partnership has already been established as a partnership prior to the RFP response; that partnership shall be reviewed with references having done business with that partnership. If not a true partnership, then one firm will be primary and accountable for all guarantees of this engagement.

80. Is the Client's expectation that the assessment is conducted through interviews with staff, or that data discovery tools are used to scan the network for EPHI?
    Broward Health's expectation is to have a combination of both.

81. What types of media will be in scope in PHI discovery?
    Referred to in the RFP

82. Has Broward Health met requirements for Meaningful Use Stage 1 attestation?

83. What is the target date for starting/completing the engagement once vendor has been selected and contracts negotiated?
    As stated in the RFP, Broward Health is looking at an aggressive timeline and would start this project upon award and contract process completion. Vendor is responsible to determine an aggressive timeline that will allow Broward Health to complete this project in a prompt manner.

84. How many IT resources are focused on security?
    Two (2)

85. Is Privacy managed by the HIM or Compliance department?
    Compliance

86. How many data centers does Broward Health have?
    One (1)

87. Are mobile devices used in Broward Health to transmit, store, or handle EPHI?
    Broward Health does not allow EPHI to be stored on mobile devices.

88. If yes, are personally-owned devices allowed?

89. Is a sampling of applications acceptable to Broward Health, or is it the desire that all 112 applications be reviewed? AT&T Consulting typically takes a sampling approach using judgmental sampling.
    All 112 applications are in scope and should be reviewed.

90. Please characterize the types and approximate number of each application type. For example: Web Applications 15, AS400 applications 25, Thick Client Applications 30, etc.
    The applications are approximately 75% client and 25% web based.

91. For the Application Threats Assessment, what approach does North Broward prefer: an interview and documentation review approach to identifying threats, in-depth technical testing to identify security-impacting application flaws, or a combination of both?
    Combination of both.

92. Will the assessment team have access to application developers and administrators for each application in scope for review?

93. Approximately what percentage of in-scope applications are externally facing (i.e. reachable from the Internet) vs. internal to the organization?
    Based on the rights of the individual, any of the applications may be accessible.

94. Will the assessment team be provided test accounts to the applications? Test accounts allow the team to conduct authenticated testing and look for issues within the application (such as logic flaws and privilege escalation issues) and not just at the efficacy of the login page.

95. Have the applications in scope undergone technical security testing in the past 12 months?

96. Are BAAs managed centrally or by each department or practice?
    Centrally

97. Do departments, clinics, and practices have their own policies and/or procedures?

98. Has Broward Health used other regulatory requirements or industry standards on which to base its security and privacy program/policy?
    Yes, industry standards

99. Please explain what is meant by "interrogation" in section VI.C.4.a. Is this intended to mean an assessment, as in "Conduct an assessment of security software" or "Conduct an interrogation of Broward Health's clinical hosted system connectivity"? If so, are these assessments intended to be network-based vulnerability assessments?
    Goals for this project should include evaluating the confidentiality, integrity and availability of EPHI, leveraging guidance of the OCR Risk Analysis and Audit Protocol. Assessments and detailed evaluation of individual systems storing or transmitting EPHI (i.e. individual applications, databases, mobile devices, etc.) based upon risk are to be in scope.

100. For the Virtual Infrastructure Security Assessment, is this intended to be an assessment of virtual machines, or virtual DMZs?
    Assessments and detailed evaluation of virtual systems storing or transmitting EPHI (i.e. individual applications, databases, mobile devices, etc.) based upon risk are to be in scope.

101. Out of the 800 servers, can you please expand on how many of these are Windows, Unix, Linux, etc.? Are any of these running in a virtual environment?
    Windows 95%

102. Does each facility have a server room or the like?
    Each of the 4 main hospitals and 6 clinics has a secure server room. OUT OF SCOPE FOR THIS PROJECT

103. For the VPN Configuration Review, please provide a high-level description of the VPN technical environment.
    Network Infrastructure (Penetration Testing) is excluded from this RFP as stated in the RFP. Broward Health utilizes a two-factor solution; review should be limited to the requirements of the Risk Analysis as stated.

104. Does Broward Health's internal IT/Security staff perform periodic penetration testing and/or vulnerability scanning as part of their administrative maintenance procedures?

105. Will Broward Health provide us with network diagrams?

106. For the VoIP Assessment, please provide a high-level description of the VoIP technical environment.
    Network Infrastructure (Penetration Testing) is excluded from this RFP as stated in the RFP. Broward Health utilizes VoIP in the delivery of the phone system.

107. How many wireless nodes are in operation (infrastructure AND client/end points)?

108. What are the relative sizes of the networks (small branch, data center, main backbone, large points of presence, etc.)?

109. What are the locations of each network, and will travel be required to each location, or are all networks centrally managed?

110. For the Cisco firewalls in scope, are any of these devices FWSMs, and do any of the firewalls contain virtual firewalls?

111. How many total rules exist across all firewalls (a sum of all firewall rules)?

112. How many VPN devices are in scope, and what type of devices are these?
    The remote access process should be reviewed, not the individual devices.

113. How many SoftSwitches are in place (i.e., Call Manager)?

114. How many Voice Mail systems are in place (i.e., Unity)?

115. Number of presence and contact servers (i.e., UCCX servers)?

116. Number of Phone CPEs?

117. Number of SoftPhones?

118. How many facilities will be assessed as part of the VoIP assessment?

119. Do you have any based Wireless VoIP CPEs?

120. Is the network segregated for data and voice?

121. How many media gateways are present?

122. Are there any POTS lines at each location in scope, or are all calls forwarded out a central gateway?

END


More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Response to Questions CML 15-018 Managed Information Security

Response to Questions CML 15-018 Managed Information Security Response to Questions CML 15-018 Managed Information Security 1. What are the most critical aspects that need to be provided for this RFP, in light of the comment that multiple awards might be provided?

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

About This Document. Response to Questions. Security Sytems Assessment RFQ

About This Document. Response to Questions. Security Sytems Assessment RFQ Response to Questions Security Sytems Assessment RFQ Posted October 1, 2015 Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

Request for Proposal HIPAA Security Risk and Vulnerability Assessment

Request for Proposal HIPAA Security Risk and Vulnerability Assessment Request for Proposal HIPAA Security Risk and Vulnerability Assessment May 1, 2016 First Choice Community Healthcare Timeline The following Timeline has been defined to efficiently solicit multiple competitive

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 [email protected] Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

Penetration Testing. Request for Proposal

Penetration Testing. Request for Proposal Penetration Testing Request for Proposal Head Office: 24 - The Mall, Peshawar Cantt, 25000 Khyber Pakhtunkhwa, Islamic Republic of Pakistan UAN: +92-91-111-265-265, Fax: +92-91-5278146 Website: www.bok.com.pk

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

QUESTIONS & RESPONSES #2

QUESTIONS & RESPONSES #2 QUESTIONS & RESPONSES #2 RFP / TITLE 070076 IT Cybersecurity Assessment and Plan CONTACT Michael Keim, CPPB, Sr. Contract Adminstrator EMAIL [email protected] PHONE NUMBER 253-428-8608 SUBMITTAL

More information

Request for Proposal RFP No. IT-2015-101. Phone System Replacement

Request for Proposal RFP No. IT-2015-101. Phone System Replacement Request for Proposal RFP No. IT-2015-101 November 23 rd 2015 Phone System Replacement Deadline for Receipt of Proposals: January 18 th, 2016 at 4:30pm Proposals to be submitted by e-mail to Morgan Calvert

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon

Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon Request for Proposal P a g e 2 Table of Contents 1.

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925 I. PURPOSE REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925 The State of Florida, Agency for State Technology (AST), hereby issues this Request for

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

III. Services Required The following details the services to be provided to the Town of North Haven in the area of information services:

III. Services Required The following details the services to be provided to the Town of North Haven in the area of information services: TOWN OF NORTH HAVEN REQUEST FOR PROPOSALS INFORMATION TECHNOLOGY NETWORK SUPPORT SERVICES Issue Date: March 7, 2016 Due Date: 10:00 AM, Monday, March 28, 2016 I. Introduction The Town of North Haven is

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

REQUEST FOR PROPOSAL: A NEW AUDITING SOLUTION FOR WINDOWS FILE AND DATABASE SERVERS

REQUEST FOR PROPOSAL: A NEW AUDITING SOLUTION FOR WINDOWS FILE AND DATABASE SERVERS REQUEST FOR PROPOSAL: A NEW AUDITING SOLUTION FOR WINDOWS FILE AND DATABASE SERVERS Issued: TABLE OF CONTENTS 1. Introduction...3 1.1 Purpose...3 1.2 Background...3 1.3 Scope of Work...3 1.4 Current Infrastructure...3

More information

REQUEST FOR PROPOSAL

REQUEST FOR PROPOSAL CITY OF MUKILTEO 11930 Cyrus Way Mukilteo, Washington 98275 425-263-8030 www.ci.mukilteo.wa.us REQUEST FOR PROPOSAL IT SERVICES ACQUISTION SCHEDULE The Acquisition Schedule is as follows, with all times

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Request for Proposal Environmental Management Software

Request for Proposal Environmental Management Software Request for Proposal Date Issued: November 4, 2010 Due Date: December 1, 2010 @ 2:00:00 p.m. (local time), Contact Information: Jeff Yanew Planning & Engineering Telephone: (780) 418-6615 Fax: (780) 458-1974

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

Network Security Assessment

Network Security Assessment CITY AUDITOR'S OFFICE Network Security Assessment June 12, 2015 AUDIT REPORT NO. 1504 CITY COUNCIL Mayor W.J. Jim Lane Suzanne Klapp Virginia Korte Kathy Littlefield Vice Mayor Linda Milhaven Guy Phillips

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security...

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security... WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Adaptive Network Security Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with Adaptive

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Information Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014

Information Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014 QUESTIONS ANSWERS Q1 How many locations and can all locations be tested from a A1 5 locations and not all tests can be performed from a central location? central location. Q2 Connection type between location

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data (as such terms are defined below), execution of a license

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment

More information

CITY OF CORONA RFP 15-005SB. ADDENDUM No. 2

CITY OF CORONA RFP 15-005SB. ADDENDUM No. 2 CITY OF CORONA ADDENDUM No. 2 Purchasing Division (951) 736-2272 400 S. Vicentia Ave., Ste. 320 [email protected] Corona, CA 92882 09/22/2014 Scott Briggs Addendum No. 2 for the Evaluation

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services [email protected] April 23, 2012 Overview Technology

More information

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT THIS AGREEMENT ( Agreement ) is made and entered into this day of, 20, by and between Franciscan Health System ( Hospital ), and ( Community Partner ). RECITALS

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Request for Proposal Managed IT Services 7 December 2009

Request for Proposal Managed IT Services 7 December 2009 Request for Proposal Managed IT Services 7 December 2009 BuzzBack, LLC 25 West 45 th Street Suite 202 New York, NY 10036 Table of Contents 1 Summary... 1 2 Proposal Guidelines and Requirements... 1 2.1

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

IOWA LOTTERY AUTHORITY BID 16-03 Security Assessment Services

IOWA LOTTERY AUTHORITY BID 16-03 Security Assessment Services IOWA LOTTERY AUTHORITY BID 16-03 Security Assessment Services SECTION 1. OVERVIEW AND BID PROCEDURES. 1.0 Introduction and Background. The purpose of this Request for Bid is to solicit proposals from qualified

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information