HIPAA Technical Risk Security Assessment

1. Will you be issuing additional directions for the formatting of the final proposal due November 21st?
   There are no specific formatting requirements; just submit the proposal per Section 4.0 of the RFP.

2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)?
   No.

3. When do you estimate the start and completion of this project?
   Open with vendor's timeframe.

4. What is the budget?
   Open, as part of a larger project.

5. Can you please define the scope of this project in greater detail?
   Scope to include the following: conduct an accurate and thorough identification of all relevant threats, identification of vulnerabilities, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation. The proposer shall prioritize risk areas based on results and make recommendations for remediation.

6. If we plan on incurring travel or other expenses relating to the performance of the HIPAA risk assessment activities, would the County like these expenses included in the lump sum amount or noted as a separate line item within the fee estimate?
   All expenses are to be included in the lump sum.

7. Is the intent of the RFP to secure a firm fixed price engagement or time and materials?
   Fixed price.

8. Will there be a single point of contact coordinating among the three facilities?

9. Does Outagamie County have a self funded health plan?
   No.

10. Does Outagamie County currently have a HIPAA Security & Privacy Officer responsible and accountable for the County's HIPAA compliance? Please specify name and title.
    Security Officer: Jan Mitchell, Technical Manager
    Privacy Officer: Tom Stratton, ALTS Manager
    Privacy Officer: Karen Spielmann, Health Information Coordinator

11. Can you describe in more detail the HIPAA compliance initiatives that are already in place?
    Currently writing and implementing Policies/Procedures, 75% complete.

12. Are your HIPAA policies and procedures up to date with your practices?
    No.

13. When were the HIPAA policies and procedures last updated?
    Ongoing updates.

14. Will you provide us with a list of HIPAA security related policies and procedures that you have in place? Will you supply them to the proposers?
    No, only to the Awarded Vendor.

15. Will the assessment reports and remediation checklists from the previous HIPAA compliance audit/assessment be made available to the successful consultant who wins this project?

16. The title of this RFP is HIPAA Security Technical Risk Assessment. For clarification purposes, is the County looking for an assessment that measures compliance with the HIPAA Security Rule, or is there also an expectation that this assessment will include a technical aspect that includes such things as a vulnerability assessment of the network perimeter, testing (white hat hacking) of internal technical controls, etc.? If so, please provide an estimate of externally accessible systems and internal systems.
    Just HIPAA Security Rule.

17. When was the last HIPAA review/assessment conducted?
    November 2008.

18. Who did the last assessment?
    Awarded Vendor.

19. When was the last HIPAA security awareness training program delivered to the 3 departments' employees, contractors, and authorized users that work for those departments?
    Brewster Village performs routine ongoing training; others are only at new hire.

20. Has Outagamie County and the 3 departments ever been cited for a violation of HIPAA Security or Privacy Law mandates by a county citizen? If yes, specify for what and if this has since been remediated.
    Never been cited.

21. Are you looking to complete the privacy review/evaluation for (DHHS and Brewster Village)?
    No.

22. The American Recovery and Reinvestment Act required implementation in 2009. What would be considered in scope for this review? (Privacy and Security Breach Notification Interim Final Rule)
    No.

23. Are Business Associate Agreements in place and have they been updated since the changes in 2009?

24. Is the scope of the HIPAA Security Technical Risk Assessment limited to HIPAA Security Law requirements and mandates as defined in Sections 164.308, 164.310, 164.312, or does the scope include HIPAA Privacy Law as defined in Sections 164.520, 164.522, 164.530?
    Just the security laws.

25. To help quantify the scope of the HIPAA risk assessment, can you provide some additional details regarding the size (e.g., number of employees, number of physical offices) and business functions for each of the in scope departments (e.g., Department of Health and Human Services, Brewster Village Nursing Home, MIS Department)?
    Brewster Village: 272 employees, 65 physical offices. Our non-contracted general business functions include: Patient accounts, Accounts receivable, Administrative services, Nursing, Social services, Dietary, Environmental services.
    Human Services: ~350 employees, ~350 physical offices. General business divisions include: Mental Health, Public Health, Youth & Family Services, WIC/Maternal Child Health, Fiscal, Long Term Support, Economic Support, Child Support, Children, Youth & Families, Aging & Disability Resource, Administrative.
    MIS Department: 17 employees, 17 physical offices. General business functions include: IT Helpdesk Functions, Servers, Network Security, Telecommunications LAN/Phone, PC Technicians, Programming, Reprographics Print Shop, Micrographics, Mailing/Records Storage, Records Management.

26. The County mentioned in the RFP that they were open to different options on how the risk assessment can be performed. However, is there a minimum set of deliverables that the County would like to be provided at the conclusion of the project?
    Identify which HIPAA Security Laws are not in compliance.

27. Is the scope of this HIPAA compliance audit/assessment merely to identify the gaps that the 3 departments have based on our interviews, findings, and policy/procedure review and then to provide recommendations for gap remediation, man hour estimates, and cost magnitude estimates to remediate the gaps, or does Outagamie County want us to fill the identified gaps as part of this scope of work effort?
    Just identify the gaps only.

28. Does Outagamie County and the 3 departments have a PHI and ePHI mapping that identifies points of entry for receiving/collecting PHI or ePHI and where the PHI and ePHI traverses through the department internally and externally to outside entities (i.e., requires a Business Associate Agreement be in place, etc.)? Will this mapping be available to the selected consultant or must we identify and document PHI and ePHI flow throughout these 3 departments and Outagamie County as part of the scope of service?
    Nothing formally documented.

29. How many software applications store or transmit ePHI?
    2 major applications and several web based and database applications and interfaces.

30. Are all ePHI related systems hosted on the County's internal network? If not, please specify the applications that are hosted by an outside vendor and the purpose of the application.

31. Does Outagamie County and the 3 departments have a complete list of internal and external recipients of PHI or ePHI from that department? If yes, can you specify how many Business Associate Agreements (BAAs) are currently in place for each of the 3 departments?
    Not one complete list per department.

32. Do all three facilities fall under the same policy guidelines?
    Same general with a few minor exceptions.

33. Are physical site surveys a part of the risk assessment (designed to provide a snapshot of facility physical security posture and practices)? If so, how many facilities and are they located within 15 miles of the primary site?
    Campus location downtown; Nursing Home facility 6 miles from campus; temporary relocation 1 mile from campus.

34. We conduct interviews with 3 groups (management, operational, technical). Would multiple interview sessions per group be involved?
    Possibly.

35. Does Outagamie County currently have in place updated HIPAA Business Plan Documents? Specify the last revision dates for the following elements: Business Impact Analysis (BIA), Risk Management Plan, Configuration Management Plan, Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, Physical Environment Security Plan.
    No.

36. Does the scope of the risk assessment include technical scans?

37. Will the scans be performed internally, externally or both?
    Both.

38. How many internal IP addresses will be scanned?
    All of them.

39. How many external IP addresses will be scanned?
    All of them.

40. In addition to assessing vulnerabilities, will we be asked to penetrate the vulnerabilities (external, internal, or both)?

41. How many physical locations or data centers will be involved in the vulnerability scan?
    Two locations: one main and one backup site.

42. Are network assets involved in the security assessment accessible from a single location?

43. How many (approximate) IP addresses and systems are in each location?
    N/A, scan all.

44. Will web application assessments be included in the scope of this assessment? If so, how many, are they accessible on the internet (if not, how many are not), how many pages on each application and how many user levels/roles will be tested?
    No, we don't have any web applications.

45. Describe the technology in use including firewalls, networking equipment, servers, workstations, and applications in use. Wireless used? Portable devices (smartphones, iPads)? Estimated counts for each of these items?
    OC uses firewalls, networking equipment, servers, workstations, SQL and wireless: Check Point, Palo Alto Networks, Fortinet, Cisco, HP, Extreme Networks, VMware environment, Dell, HP LeftHand SAN, AS400, etc.

46. How many databases support the in scope applications?
    4.

47. List all database platforms that store credit card data.
    None.

48. What are the operating systems for the servers?
    Win 2003, Win 2008, SQL.

49. Is there segmentation between the systems storing ePHI and the rest of the network?
    Some and some no.

50. How many Internet, DMZ, or segmentation firewalls are in place?
    2.

51. How is segmentation achieved?
    Firewall, VLANs.

52. Is wireless technology in use anywhere on the network? If so, how many locations?
    All.

53. Is ePHI data transmitted over wireless devices at any point?

54. Are ePHI data transactions accepted through a web server?
    No.

55. How many data centers store and/or transmit ePHI data?
    Two.

56. Is any part of the environment outsourced to a 3rd party?
    No.

57. Are there third parties, outsourcers, or business partners connected to the network?
    As needed, consultants/vendors.

58. Is there a network diagram and data flow diagram of the ePHI data environment?
    Network diagram: yes. Data flow diagram: no.

59. Is the County's network segmented to isolate electronic protected health information (ePHI) from systems and users that have no need to access it?
    No.

60. Can the County provide some details around the IT systems that support the in scope departments? This may include the number of systems, platforms (Windows, UNIX, etc.), architecture (virtual, physical, etc.) or other key system attributes that would assist with the scoping of the assessment activities.
    Windows/Linux; virtual and physical servers.

61. Regarding the IT infrastructure and MIS roles, responsibilities, and accountabilities, does the Outagamie County MIS Department take ownership of the IT systems, applications, and support for the Department of Health & Human Services and the Brewster Village Nursing Home?
    MIS takes ownership and support for hardware and some applications.

62. What policies and procedures are currently documented and in place for the Outagamie County MIS Department regarding how MIS employees, contractors, and authorized users are to access, handle, and transfer/move PHI or ePHI within IT systems, servers, and databases?
    No formal policies.

63. What web applications and online services does Outagamie County and the Department of Health & Human Services and Brewster Village Nursing Home currently offer its citizens? Please provide the URL link for these online web applications and services.
    None.

64. Please describe or provide a short summary of the IT systems, applications, and services that the Outagamie County MIS Department provides and supports on behalf of the Department of Health & Human Services and Brewster Village Nursing Home.
    One cluster server for BV and one cluster server for HHS.

65. Please describe or provide an org chart of the MIS Department's IT organization and the individuals that are responsible and accountable for managing and supporting the IT systems, applications, and services for the Department of Health & Human Services and Brewster Village Nursing Home.
    MIS Department staff: 14 employees supporting IT. General business functions include: IT Helpdesk Functions, Servers, Network Security, Telecommunications LAN/Phone, PC Technicians, Programming, Records Management. This also includes the HHS MIS Coordinator and the Brewster Village Information Services Coordinator.

66. Please indicate whether or not the following plans are developed, implemented, tested and the last date of their review (columns: Name of the Plan / Developed / Implemented / Tested / Last Review Date): Overall Security Plan, Disaster Recovery Plan, Continuity of Care Plan, Risk Management Plan, Emergency Mode of Operation.
    No formal plans developed yet.

67. Is the current disaster recovery, continuity and risk management plan a part of the HIPAA evaluation/review?
    No.

68. Have any of the systems had penetration testing?

69. Have you identified a Security Official?

70. For each of the covered components (DHHS, Brewster Village, and MIS) please address the following:
    1. How many systems are utilized to access, create, modify, store or transmit protected health information for each of the covered components?
       Asked this earlier.
    2. Are these systems supported by a vendor or managed by internal IT resources?
       Both.
    3. Does the organization share health information with other health organizations electronically?
    4. Is the organization using an electronic health record?
    5. What other system related projects are planned that may impact this review?
       None.
    6. Are you currently billing electronically for the billable services offered by the covered entities?