After reviewing all the questions, the most common and relevant questions were chosen and the answers are below:

Transcription

1 After reviewing all the questions, the most common and relevant questions were chosen and the answers are below: 1. Is there a proposed budget for this RFP? No 2. What is the expect duration for this contract? Based on vendor recommendation 3. Is or has some other firm currently performed this work? No 4. Can this assessment be worked remotely? Vendor 5. How many Public Facing External IP s are in scope for the External Penetration testing? ~20 6. How many Virtual Servers are in scope for the Internal Penetration testing? ~ We are a NY state approved security vendor that partners with a firm called Contextual Security out of Tennessee for these types of services. Would there be any challenges or issues if we, Network Security Group, submit this RFP with the understanding that the services will be performed by a partner of ours? Please include the condition as part of the RFP 8. In addition to the items listed in the Infrastructure overview, additional quantification would provide a better understanding of the network. Please specify the numbers of virtual machines, wireless networks and APs (and brand), databases, web servers, applications. Information will be provided during assessment. 9. We assume the configuration review to be performed with credentials. How will the vulnerability assessment/penetration testing be performed? Vendor should proposed the appropriate method 10. How many live IPs would be included in the assessment / test? ~ Is there an identified timeline, or should the Proposer provide in the RFP? Vendor can provide this information in the RFP. 12. Is the vulnerability assessment to include zero day vulnerabilities and unknown vulnerabilities in their applications, or to assess the applications for existing vulnerabilities? Vendor should proposed the appropriate method 13. Remote locations where are the locations? Vendor can find all the addresses from our website at Will visits to each be required? Vendor 15. Does the application assessment include Mobile apps? No 16. Does this assessment include any websites? No 17. HIPAA Technical Safeguards: a. How in depth does Nassau want the technical testing portion of the assessment to be? i. IE. The VPN configuration reviews, Malware Defenses Reviews, firewall/dmz and router configuration reviews, Server configuration, Remote Access Security reviews, etc Vendor

2 ii. Are you looking for an organization to gap these to make sure that you currently have appropriate safeguards in place? Yes iii. Are you looking for the respondent to test to validate that these are all configured and implemented correctly? Validate a sample of each category is acceptable 18. Are devices consistent across your entire network? IE Site one has the same firewalls/routers/switches on the same version as site two? Yes, for 5 of the 6 remote sites. The exception site is a substantially larger site. 19. What type of VPN are you currently utilizing? Information will be provided during assessment. 20. Do you currently have a network architecture diagram? Yes 21. What encryption devices and tools are you currently utilizing? Information will be provided during assessment. 22. Has the organization considered Incident response as part of the penetration test? Vendor 23. Does the organization perform quarterly vulnerability scanning with quarterly remediation? No 24. Can SecureState utilize social engineering during the penetration tests to validate training per HIPAA (5) (i)effectiveness? Yes 25. How many active Internal IP s/hosts/devices do you have? ~4, Are they all in scope for this assessment? Yes 27. Do you process, store, or transmit credit cards? No 28. Can reports utilize a CVSS scoring format, rather than DREAD? Yes. Vendor should proposed the appropriate method 29. Is a physical security assessment a requirement for our response? Yes i. If so, how many facilities are in scope? 7 ii. Are they generally close in proximity? Yes, within Nassau County 30. Apart from HIPAA, what security standards does NUMC follow? Will the assessment measure compliance against any particular IT security standard? (NIST/ISO) Vendor should proposed the appropriate method 31. What is the structure and makeup of the team responsible for IT and HIPAA security? Information will be provided during assessment. 32. Will the review include Disaster recovery sites and related policies and procedures? (The RFP mentions Main Hospital and 6 remote locations Yes 33. Does the assessment cover vendors and third parties with access to the organization's ephi? (the RFP mentions Business Associate security requirements in the Administrative controls section to what degree will this be a technical evaluation, if any?) Vendor should proposed the appropriate method 34. Are cloud services and any SaaS products used by NUMC going to be covered? No 35. Are mobile devices in scope for the assessment? Yes 36. Are medical devices and instruments in scope? No 37. Are patient portals and or any telemedicine solutions in scope? No 38. Will you provide the infrastructure inventory (if not detailed, then summary) for Network, Security, Servers, Virtualization, OS, Desktops/Laptops/VDIs? Yes

3 39. Will you provide the details of Business critical applications (i.e. EMR, PACS, Billing Systems etc.)? Yes 40. Are there any web servers in the provided IP ranges? Yes 41. Is testing the web applications to be in scope for this testing? Yes 42. Do you want a thorough analysis of the web pages or just web application testing? Vendor 43. If so, do you have an estimate of the number of pages in the web application? No 44. Please state which of the two (or both) test perspectives below you would like to perform: a. Non Credentialed testing This is testing without the ability to login to the site. b. Credentialed testing This testing is performed with a generic account provided by the client. The purpose of this testing is to assess what an attacker could do if they were given an account. Vendor 45. Will the penetration test include a test of the DMZ? Vendor should proposed the appropriate method 46. Are there any database that would be part of the test and if so, how many instances? Vendor 47. Are there any specific goals that need to be obtained, e.g., compromise of specific system, obtaining specific sensitive information, etc. Vendor should proposed the appropriate method 48. Wireless testing: at how many locations and where? 7 locations 49. Electronic Social engineering (listed under Internal): Please define what you would like. a. Is E mail Phishing desired? b. How many users? Vendor 50. When would you like the project to start? Within 60 days after a vendor is selected 51. DREAD reporting is stated as a requirement; however, this risk/threat modeling technique has been out of popular use since 2008 ( Would alternatives be considered for risk assessment? Vendor should proposed the appropriate method 52. Please note and briefly describe key Information Technology functions (e.g. system monitoring) that have been outsourced to a third party. Information will be provided during assessment 53. Has the organization performed a Risk Analysis, as required by HIPAA, in the past 12 months? Yes a. If so, was a Corrective Action Plan developed and executed? Yes, if possible 54. Have HIPAA specific Information Security Policies been developed? Yes 55. Does your definition of Vulnerability Assessment equate to only an automated scan? Vendor 56. Are all the servers different? I.e., are different operating systems in use or are they all using the same OS as in Server 2008? Yes

4 57. If any, how many are configured in exactly the same way? No. They are configured based on application requirements. 58. For the External Penetration Test, is this a: a. Black Box Pen Test the tester will be provided with only a domain name and be left to discover everything else on his own? This is the most time consuming and expensive kind of pen test. b. Gray Box Pen Test only some information is provided, but not everything. As the color implies, it is in the mid range regarding time and cost. c. White Box Pen Test all information such as IP addresses for all Internet facing devices is provided. This is the least expensive kind of external pen test as less time is involved regarding host / target identification. d. Under External Penetration Testing, you have listed: Recon, Enumeration, Network Surveying / Services Identification, Network Penetration Testing, and Password Cracking. But all of those are typically considered under the umbrella of an External Penetration Test. Typically an external attack is going to follow this flow. Please clarify is this is what is meant or something else: e. Reconnaissance f. Scanning (Host Identification) g. Enumeration (Network Surveying / Services Identification, etc) h. Gaining Access (Password Cracking, etc) i. Maintaining Access j. For Application Vulnerability Validation I need a clear definition of what this entails. Is there a particular web application that needs to be checked for vulnerabilities? Are there a bunch of applications? Usually an application such as a web app is first scanned for vulnerabilities and if any are identified, they are manually reviewed to ensure they are not false positives. Web app pen testing involves trying to exploit any real vulnerabilities present. k. As for the Internal Vulnerability Assessment, in many environments a standard OS image is deployed. If you get every endpoint scanned and some are mirror images of each other regarding configurations, settings, etc, you will be paying for nothing. To be cost and time efficient I recommend scanning only by groups. For instance, if the doctors use a particular image, test only one of that image or a few at random. Do this for all the different images and you get the results you want without the accompanying cost. If you want every single endpoint scanned, please confirm. l. Insofar as the Internal Pen Test is concerned, the same applies as the External Pen Test regarding the process flow with the exception to the Wireless Pen Test. For the Wireless Pen Test, is this a WEP, WPA/WPA2, or 802.1x enabled wireless network? Vendor 59. Electronic Social Engineering typically involves borne attacks using various payloads. Do you just want to see if the users fall for it with something harmless or you want to see if it can lead to a compromise? Do you want USB attacks to be included? Vendor should proposed the appropriate method

5 60. Please clarify Wireless Client based attacks. Are you referring to a typical LAN MITM attack just on the WLAN? Vendor 61. Is the goal to be completely HIPAA compliant or to simply address the security rule of HIPAA? Address HIPAA security rules 62. Although IT is leading the project, have the stakeholders been identified and will we be able to interview them? Yes 63. How many Covered Entities are being assessed under NuHeath and the scope of the RFP? NuHealth consists of Nassau University Medical Center, A. Holly Paterson Extended Care Facility, and Long Island FQHC which operates 5 Family Health Centers 64. Are the locations above all using the same EMR/EHR (In Patient and/or Ambulatory Group) system(s)? No 65. Please state the names of the EMR/EHR applications used. Medical billing system(s)? Please state the names of the Medical billing system. Vendor should proposed the appropriate method 66. Does NHCC/NuHealth have its own data centers? Yes. How many and where? 1 at Nassau University Medical Center 67. Are all 25 buildings in scope for the Physical assessment? Vendor should propose the appropriate method. A sample of certain percentages is acceptable. 68. The security testing requirements for this RFP are extensive. Is testing to be performed after hours Vendor 69. Please specify the rules of engagement pertaining to the vulnerability assessment testing and penetration testing. Vendor 70. Will we be provided with login credentials to perform credential vulnerability assessment scans to minimize False Positives out of the gate? If not, please specify what your expectations are regarding vulnerability assessment reporting and recommendations for patching and remediation (e.g., provide detailed instructions for remediation?) Vendor 71. How many Active Directory Domains are in use? Is the Testing Environment in Scope? No 73. Is this IT Security Risk Assessment part of the required annual HIPAA Security Rule assessment? Or is this for Meaningful Use Stage 1 or 2 attestation and Book of Evidence Submittal? We will utilize some or all of the outcome from the assessment to satisfy the above requirements. 74. Does NHCC/NuHealth have last year s risk assessment report and gap remediation checklist? If yes please share. If no explain why not. Yes. Additional information will be provided during assessment. 75. Did NHCC/NuHealth attest for Meaningful Use Stage 1? If yes how much money was earmarked for on going HIPAA compliance and maintenance? If no why not? Yes. Additional information will be provided during assessment. 76. Regarding providing cost magnitudes estimates (CAPEX and OPEX), do you want a 1 year, 2 year, 3 year financial model to support all gap remediation requirements along with on going

6 maintenance and life cycle support for maintaining HIPAA Security Rule compliance? This will be determined based on the outcome of the assessment 77. Who are the members of the IT Leadership that is mentioned regarding collaborating with them? Please provide names and titles. Information will be provided during assessment. 78. Do your employees have the ability to bring their own device (BYOD) for use your workplace and access your systems? No 79. Will we be allowed to install scanning tools on your current systems to assist us with understanding your current environment? Yes 80. Are the configurations for Workstations, Servers, and Network elements configured using templates and central management or is there likelihood for a large variety of configurations? There will be a large variety of configurations 81. Would a sampling of templates and as running systems be appropriate for Configuration Analysis, or is a comprehensive analysis of all systems required? Sampling is acceptable. 82. What level of Internal Penetration Testing is required? Typical methodology involves a first pass with vulnerability scan and automated penetration tools followed by manual testing to identify and exploit specific vulnerabilities. Can the penetration piece be mostly automated, or is extensive manual effort expected? Is a sampling of targets an acceptable scope or is a comprehensive investigation touching all possible targets required? Vendor should proposed the appropriate method 83. We assume the configuration review to be performed with credentials. How will the vulnerability assessment/penetration testing be performed? Vendor should proposed the appropriate method 84. Are all in scope facilities managed by a centralized IT Department? Yes 85. Identify the data centers in scope. Are the owned, leased, or third party? Owned 86. Are all in scope facilities governed by a centralized IT Security Team? Yes 87. Does NuHealth System rely on any shared services or systems from New York City Information Technology & Telecommunications? If so please explain in detail. No 88. Are all in scope NuHealth facilities governed by a common/centralized set of policies and procedures? Yes 89. Does NuHealth System wish to follow a specific risk analysis framework/methodology (e.g., NIST , HITRUST CSF, Octave)? Vendor 90. Is NuHealth System s objective to satisfy the (a)(1)(ii)(A) Risk Analysis requirement or does NuHealth also wish to have controls tested to ensure they are operating as intended? Vendor 91. Is NuHealth System currently involved in an OCR investigation/corrective action plan (CAP)? No 92. Does NuHealth System have designated Privacy and Security Officers? Yes 93. Please describe the applications in scope for the assessment, including: Name, number of users, and manufacturer (if not internally developed). Information will be provided during assessment 94. Are in scope applications administered by a centralized IT department or does each application have a local administration function? It s a combination

7 95. Please describe the network topology for all in scope facilities. Information will be provided during assessment 96. Does NuHealth System maintain an ephi asset inventory identifying all systems where ephi may be accessed? If so, please provide the following: Count by type (e.g., server, database, application), operating system, and physical or virtualized. Information will be provided during assessment 97. Describe the organizational hierarchy for the IT and IT Security Departments, including number of departments, responsibilities, and number of employees for each. Information will be provided during assessment 98. Does NuHealth System permit the flow of ephi to ancillary devices such as smartphones, external hard drives, USB devices, etc.? Yes If so, should these devices be included in scope? Yes 99. Will NuHealth System provide a dedicated project manager? Yes, if required Does NuHealth System have a HITRUST subscription? No 101. Are any system design changes or hardware upgrades planned for the information technology systems within the upcoming year? Examples: Network design upgrades, Hardware refresh projects. Yes. Due to nature of the business, this is ongoing Has NuHealth System previously performed a security assessment (such as HIPAA risk assessment, PCI Gap assessment) and will any previously completed security assessments be made available? Yes 103. How would NuHealth System like to see the deliverables provided? In other words, should reports be provided by facility and by activity (i.e. pen testing report, vulnerability scan report, risk assessment report, etc.)? Vendor 104. Do you require and overall HIPAA Enterprise risk assessment? No 105. How many employees are in your organization? ~5, Are the systems managed within a private data center or the data center of a third party? If it is a third party, is the physical access dedicated or shared? It is a combination 107. Are you interested in a physical penetration test, a physical security review, or both? Physical Security Review 108. Who is the executive sponsor(s) of this project? CIO 109. Will NHCC provide the selected consultant with a project liaison or coordinator to assist with the coordination, scheduling, and communications of this project? Yes 110. Will NHCC be willing to provide materials, transmitted securely, to allow the successful consultant to review documentation and make preparations prior to conducting work onsite at NHCC? Yes 111. Is this a new contract or a renewal of an earlier contract? If it is a renewal, who is/was the incumbent vendor? New contract 112. Will New York firms receive preference over out of state firms? No 113. Regarding RFP Section V (page 10): The RFP mentions that bidders need to complete and return the Affirmation of Understanding of and Agreement pursuant to State Finance Law, as found in Appendix I. We do not see this form in Appendix I. Can NHCC provide bidders with this form or instructions as to where we can find it online? Pending answer from Legal

8 114. Regarding Exhibit JC of the RFP (page 20): It would seem that consulting services of this nature would not qualify as Covered Staff according to the definition provided. Please confirm our understanding or clarify. Correct 115. Does this inventory cover the medical facility, extended care facility and Community Health Practices operations? Yes 116. The main building and 6 remote locations as well as 25 buildings were referenced in the RFP. How many and which of these locations are connected directly to the internet? Information will be provided during assessment 117. Are all of the buildings/remote locations on the same LAN/WAN and can these sites be scanned from the central location? Yes 118. Is the system included in the assessment requirement and is it your expectation that outbound will be evaluated for policy infringement? Vendor should proposed the appropriate method 119. Are mobile devices included in the inventory and included in the assessment requirement? Yes 120. Is there a complete infrastructure inventory available in electronic format for use during the assessment? Yes 121. Is there one set of IT policies & procedures or do they differ by organization? One set 122. Is there a complete vendor list available electronically that can be used during the assessment for a BAA audit? Yes 123. Do you have an estimated number of systems and applications which create, receive, process or transmit ephi? Information will be provided during assessment 124. Is it expected that the vendor is going to create and document a comprehensive listing of the systems and applications which create, receive, process or transmit ephi? If so, is this high level in nature or is the vendor expected to use automated tools in the discovery of ephi? Information will be provided during assessment 125. How are responsibilities for compliance areas such as HIPAA Security assigned? This will assist us in determining who to interview to discuss the Security compliance processes. The IT department is responsible for HIPAA security 126. Does a standardized process for receiving and investigating reports of unauthorized disclosures, and reporting of security incidents when necessary, exist? Yes 127. Do these processes vary by department/location, or are they centralized? Centralized 128. Do HIPAA / Information Security training requirements vary for staff, management, and executive levels, or by department/location? It s based on the user role Are there any restrictions to using offshore resources? We prefer work is being done by resources from U.S Does your organization have any dedicated connections to other organization s networks (vendors, business partners)? Yes 131. Does your organization use site to site Virtual Private Network (VPN) tunnels? Yes 132. How many databases and what type of databases does your organization use? (Examples Oracle, Microsoft SQL, IBM DB2, MySQL) Information will be provided during assessment

9 133. Will the vendor selected be provided with floor plans for each location depicting infrastructure and security surveillance points such as video camera locations, wire closets etc? Only general floor plans will be provided