Request for Proposal nshealth.ca Identity and Access Management (IAM) Single Sign On and Password Management
1. Introduction... - 3-1.1 District Health Authorities/HITS-NS... - 3-1.2 Identity and Access Management (IAM) Need... - 4-2. Bid Instructions... - 5-2.1 RFP Purpose... - 5-2.2 RFP Response... - 5-2.3 RFP Process Schedule... - 5-2.4 Bid Receiving... - 6-2.5 Bid Closing Date and Time... - 6-2.6 Inquiries Solicitation Phase... - 6-2.7 Format and Content of Proposal... - 6-2.8 Evaluation Process... - 7-2.9 Evaluation Criteria... - 7-2.10 Basis of Selection... - 7-3. General Terms and Conditions... - 7-4. Requirements... - 7-5. Timeline... - 8-6. Resources... - 8-7. Training... - 8-8. References... - 8-9. Financial Proposal... - 8-10. Signature of Authorized Officers... - 9 - Appendix A General Terms and Conditions... Error! Bookmark not defined. Appendix B - Requirements... Appendix C Financial Proposal... - 2 -
1. Introduction The Province of Nova Scotia has made considerable progress over the last few years in the journey towards the vision of a private and confidential, person-based, longitudinal and portable electronic health record that is accessible across the spectrum of health and wellness services. Many key foundational components, accessible on a provincewide infrastructure, have been designed and implemented. The Department of Health and Wellness (DHW), with support from Canada Health Infoway (CHI) is currently immersed in a project to implement an Interoperable Electronic Health Record in Nova Scotia. The ability to provide secure access to this application and others used through the nshealth.ca network is a fundamental requirement of the overall Nova Scotia Health Information Technology Strategy. 1.1 District Health Authorities/HITS-NS The jurisdictional authority for health in the province of Nova Scotia is the Nova Scotia Department of Health and Wellness (DHW). The province is organized into nine District Health Authorities (DHAs) and the IWK Health Centre (the IWK Health Centre, located in Halifax, provides care to children, youth, women and families in the three Maritime Provinces). Figure 1 Nova Scotia Hospitals by DHA, identifies the location of each facility within the province. From an information systems perspective the districts are often organized or clustered in three groupings as follows; DHA 1-8, DHA9 and the IWK. Figure 1 Nova Scotia Hospitals by DHA Health Information Technology Services Nova Scotia (HITS-NS) was formed early in 2006 to provide management and ongoing support for those Provincial Health Information Technology systems that are under its care. The IWK Health Centre provides financial, procurement and human resource services to the HITS-NS organization. - 3 -
1.2 Identity and Access Management (IAM) Need The Province has identified the need to implement a coordinated identity and access management (IAM) system to support the varied applications and systems residing on the nshealth.ca network. Currently many applications or systems maintain information about their users independent of each other. In order to streamline the provincial health information systems environment the Province has determined that it needs to implement a comprehensive identity and access management system. The project to complete an IAM system for nshealth will be composed of a number phases. Each phase will focus on a particular aspect of the IAM process. The phases are identified as : IAM SSO (Single Sign on and Password Management). This phase will be focused on implementing the tools required to support the mechanical functions of IAM. Some of the key functions to be supported be this phase include web based account management, single sign on, etc. IAM Workflow. There are two aspects to this phase of the IAM project. We are concerned here with defining the processes needed to support IAM in nshealth and also providing an appropriate ITSM system to automate this workflow. These two phases can be completed in parallel. Other phases to be considered for later implementation are : IAM Provisioning. Investigate the possibilities of providing automated provisioning to applications supported on nshealth. This may involve integration with the SAP HCM module. IAM Consent. When consent legislation is finalized, investigate and integrate, where possible, the consent requirements within the IAM process. 1.3 IAM SSO This RFP is for the IAM SSO phase of the project. IAM SSO (SSO) is concerned with the identification of users for multiply protected systems with a single set of login credentials. An integrated SSO solution is made up of software/hardware technologies designed to ease access to network resources. The primary goals for implementing the SSO phase are : Provide a better end user experience Facilitate information system user administration Provide tighter security controls around user administration Satisfy the requirements of the CHI Blueprint The benefits that will be realized by implementing a provincial SSO include : - 4 -
Enhanced User Experience: Users often complain about having an excessive number of ids and passwords to manage, the differing processes required to get access and wait on service desk calls to get passwords reset. An SSO system will provide single sign-on for systems, reducing the number of ids and passwords that each user must remember. Users will also be able to self service their own password resets. Increased Efficiency: SSO will improve user productivity and reduce administrative overhead. The burden of password resets will be removed from the helpdesk and users will be able to reset their passwords allowing faster access to information resources. Increased Security and Control: Without SSO we are susceptible to a number of potential security vulnerabilities including: application accounts staying active long after employees have left, multiple user ids and passwords leading to users writing down the information which can compromise security, sharing of passwords, etc. Compliance Monitoring: SSO provides the mechanisms for logging and auditing user access and activities within the nshealth.ca information systems. This would greatly simplify the security auditing and compliance requirement 2. Bid Instructions 2.1 Request For Proposal (RFP) Purpose The purpose of this RFP is to obtain information and proposals about the availability and costs of the software and/or associated technology tools described within these specifications. 2.2 RFP Response Respondents are asked to complete Appendix A, B and C. A soft copy of the RFP may be obtained from the purchasing contact. All responses to this RFP shall reference the appropriate RFP section and conform to the sequence set forth in these specifications. Vendors must understand that added products or services are for information purposes only and may not be considered part of the RFP response. To the extent that the vendors do not respond to a particular question or sections of the RFP, we will assume the vendor is unable to comply or meet the requirements outlined. 2.3 RFP Process Schedule The vendor response must be received on or before the bid closing date listed below at the purchasing address listed below. Late submissions will not be accepted, will be considered a Non-Response and will not be evaluated. - 5 -
2.4 Bid Receiving Bids must be submitted to the following address: HITS-NS 5161 George Street, Suite 900 Halifax, Nova Scotia B3J 1M7 Attention: Leigh Whalen 2.5 Bid Closing Date and Time Your offers must be received on or before July 8, 2011 at 1600 hrs. 2.6 Inquiries Solicitation Phase All inquiries regarding the bid solicitation must be submitted in writing to the Contracting Authority named above as early as possible within the bidding period. Inquiries must be received no less than five calendar days before the bid closing date to allow sufficient time to provide a response. Inquiries received after that time may not be answered prior to the bid closing date. To ensure consistency and quality of information provided to bidders, the Contracting Authority will provide, simultaneously to all companies to which this solicitation has been sent, any information with respect to significant inquiries received and the replies to such inquiries without revealing the sources of the inquiries. All inquiries and other communications pertaining to this RFP with HITS-NS, DHA, IWK or DHW officials throughout the solicitation period are to be directed ONLY to the Contracting Authority named above. Non-compliance with this condition during the bid solicitation period can (for that reason alone) result in a disqualification of your bid. 2.7 Format and Content of Proposal Respondents are required to reply to the requirements as outlined in the corresponding appendices and submit the responses as follows: B. General Terms and Conditions Two hard copies and one electronically on CD C. Requirements Two hard copies and one electronically on CD D. Financial Proposal Two hard copies and one electronically on CD It is a must for respondents to note the following requirements for each of these submissions sections: a) The RFP document must be duly completed and signed. b) The functional/technical proposal must address each of the criteria specified in this RFP. Compliance with each point is to be indicated, explaining any areas where the system passes or fails the specifications. Compliance and specification explanations may be provided in one of three ways: As notes immediately following each bullet in the electronic specification document. As typed or clearly legible, hand-written notes in the space provided, accompanied by separate expanded points or notes where required - 6 -
Or as points on separate pages. c) The Financial Proposal (see Appendix C) must address each of the cost elements specified in the RFP. It is requested that the Financial Proposal be submitted unbound and in a separate sealed envelope that is clearly marked with the words Financial Proposal. Furthermore, no financial information, whatsoever, shall appear in the technical proposal. Failure to do so will render the proposal non-compliant on this point alone. The price of bids will be evaluated in Canadian dollars, the Harmonized Sales Tax (HST) excluded. 2.8 Evaluation Process The following factors will be considered in the evaluation of responses: Proven ability to support the solution in an environment similar to Nova Scotia Ability of the proposal to meet functional/technical requirements Ability to implement the proposal to meet client s timelines Vendor strength and stability Ability of the vendor to make available key technical personnel Proven ability of the vendor to partner, if third party vendors are required Total cost of replacements: purchase, implementation, support Ability for the proposal to grow as more applications are added to the nshealth.ca network 2.9 Evaluation Criteria The following criteria will be taken into consideration in the evaluation of each bid: 1) Functional/Technical compliance; 2) Delivery requirement; 3) Descriptive Literature (where applicable); 4) Price, FOB Point; 5) Acceptance of terms and conditions as mentioned in the bid solicitation; 6) Completion of the solicitation. 2.10 Basis of Selection To be considered, a bid must meet all of the mandatory requirements of this solicitation. Mandatory requirements are either stated as such or indicated in the body of the RFP by words must, shall and/or will. Bids not meeting all of the mandatory requirements will be given no further consideration. 3. General Terms and Conditions Please complete Appendix A 4. Requirements Please complete Appendix B. - 7 -
The initial commitment for the solution will be 1,000 5,000 users but the proponent must clearly show, through documentation such as architectural diagrams, how their proposed solution can scale to approximately 30,000 users. Initial scope will be for a basic implementation of the proposed solution. Proponent must clearly show what is included in the base system and the options / enhancements available. 5. Timeline Please provide the timeline that you need to deliver the software and services. 6. Resources Please provide a list of Bidder resources that will be assigned to this project. This list should include the person s name, title, description of services/tasks that s/he will perform, estimated effort in days, and availability to meet the project timeline. Also, provide client resource recommendations with recommended skill set required to implement the proposed timeline. Please provide a CV for all proposed resources. 7. Training System implementation and administration training will be required. Please provide details of the instruction that will be provided. These details should include both formal classroom training that will be provided as well as formal and/or informal skills transfer that will occur during the project. Details of formal classroom training should include dates and locations. Costs, if any, must be clearly identified. Include estimates of travel and living costs if required (must be included within your cost proposal). 8. References Please provide names and contact information for 3 current customers who actively use the components proposed in your Identity and Access Management solution. 9. Financial Proposal Please complete Appendix C. - 8 -
10. Signature of Authorized Officers SUPPLIER CERTIFICATION AND ASSURANCES This form must be attached to and form part of the Vendor s proposal for: 1. I/We make the following certification and assurances as a required element of the RFP that the truthfulness of the facts affirmed here and the continuing compliance with these requirements are conditions that apply to this RFP or the Agreement entered into pursuant to this RFP: 2. I/We certify that this bid is made without any connection, knowledge, comparison of figures or arrangement with any other company, firm or person making a bid for the same work and is in all respects fair and without collusion for fraud. 3. I/We agree to comply with all of the terms, conditions, and provisions as outlined herein, understanding that such conditions and provisions apply to this RFP or the Agreement entered into pursuant to this RFP. Authorized Signature Print/Type Name Position Date Mailing Address of Supplier: Street City Province Postal Code Telephone Number: Fax Number: - 9 -
Appendix A General Terms and Conditions Please indicate acceptance or rejection of each of the following terms and conditions. Any references to an agreement pertain to a purchase agreement arising from the award of this tender. This agreement shall contain these terms and conditions where applicable. Vendor Liability The Vendor guarantees that all products sold to HITS-NS shall function as detailed in the Vendor supplied functional specifications. In the event the aforesaid does not perform as specified, and Vendor does not correct the malfunction within a reasonable period of time as defined by industry standards, and HITS-NS suffers damages as a result of this malfunction, Vendor shall be liable for these damages up to a maximum of two times (2 X) the total purchase price of the Vendor product. HITS-NS has an obligation to mitigate, by all reasonable means, any damages incurred from the malfunction of the Vendor product before seeking damages from Vendor. Termination HITS-NS has the right to terminate this agreement with 30 days notice after providing written notification of intent to terminate. Upon termination of this agreement, HITS-NS suspends all rights and privileges provided through this agreement. Accept/ Reject Comments - 10 -
Appendix A General Terms and Conditions Entire Agreement This Agreement embodies the entire agreement between HITS-NS and Vendor. Vendor supplied Software License Agreements and Maintenance Agreements shall form part of this overall agreement. All statements, representations, promises, inducements, or understandings of any kind or nature made either in words or by conduct during negotiations for this Agreement and relied upon by either party are relevant and binding only if explicitly incorporated into this Agreement. No change, amendment, or modification of any term or condition of the Agreement shall be valid unless reduced to writing and signed by both parties. Warranty Vendor warrants that all equipment/software supplied under this agreement shall be free from major or recurring defects. If HITS-NS identifies and communicates in writing to Vendor, a major defect in the equipment which in the opinion of HITS-NS makes the system unusable and unacceptable, and said defect is not rectified by Vendor within ten (10) days, Vendor shall refund all funds paid to Vendor by HITS-NS to that point in time under this agreement. This warranty shall be in affect for three calendar years after implementation and acceptance of the Vendor product. Accept/ Reject Comments - 11 -
Appendix A General Terms and Conditions Vendor Confidentiality Any information contained in a proposal that is considered proprietary by the vendor must be clearly identified. HITS-NS and its representatives shall respect the confidential nature of any information so identified. HITS-NS agrees to sign non-disclosure agreements, where necessary. HITS-NS Confidentiality Information contained in this RFP is considered proprietary by HITS- NS. Vendors must agree to maintain the confidential nature of this and any other proprietary information so identified by HITS-NS. Vendors must agree to sign non-disclosure agreements, where necessary. Selection HITS-NS reserves the right to reject within its legal rights any and all proposals submitted or to negotiate separately with any source in any manner necessary, to serve the best interest of HITS-NS. Neither the lowest nor any other bid shall necessarily be accepted. Proposal Costs HITS-NS will not pay for the information solicited by this RFP. All costs incurred by a vendor in the preparation of a proposal are the responsibility of the vendor. Accept/ Reject Comments - 12 -
Appendix A General Terms and Conditions References References, identified in the proposal, may be contacted by HITS-NS or its representatives to substantiate the proposed solution s capabilities and reliability, vendor performance, and overall service. Vendors are expected to cooperate fully in helping HITS-NS and its representatives to verify vendor claims. Contract HITS-NS intends to initiate and negotiate a contract(s) which would obligate the vendor to meet any warranties and representations made during the selection process. HITS-NS will require that a copy of the completed vendor(s) proposal be included as a schedule in the final purchase agreement. This agreement will be governed solely by the laws of the Province of Nova Scotia. The selected vendor(s) must be prepared to negotiate and sign a custom contract. Joint Venture In the event of a joint venture between two or more vendors, HITS-NS will contract only one prime vendor, who agrees to assume full responsibility for the venture and the performance of the contract. Literature System manuals and / or user documentation submitted with the proposal will be returned to the vendor after solution selection, if required. All other materials will become the property of HITS-NS, and will not be returned to the vendor. Accept/ Reject Comments - 13 -
Appendix A General Terms and Conditions Addendum HITS-NS reserves the right to ask vendors to address requirements that may have been omitted from this RFP. Should additional requirements be identified, they will be submitted to vendors in writing as an addendum to this document. Codes and Standards All equipment must comply with and be approved for all applicable CSA codes and standards. Registration The successful vendor and any subcontractors listed in the proposal must be registered in the Province of Nova Scotia under the Corporations Registration Act or the Partnerships and Business Names Registration Act before a contract is awarded by HITS-NS. Currency All prices / costs are to be quoted in Canadian dollars and exclusive of any taxes. FOB All prices are to be FOB destination (freight included) on delivery to the locations as identified on the individual Purchase Orders. Discounts HITS-NS qualifies for government and educational discounts from various hardware and software vendors. All applicable discounts are to be identified in the cost section. Accept/ Reject Comments - 14 -
Appendix A General Terms and Conditions Invoicing HITS-NS may require special invoicing arrangements (consolidated invoice monthly). Invoices will be received from only the Prime Contractor. Hazardous Materials The vendors shall identify any component of their solution that includes hazardous materials requiring HITS-NS to take environmental or personnel precautions. HITS-NS Data The selected vendor waives any hold, right to, custody or control of HITS-NS data supplied to them for benchmark, conversion or implementation processes. Accept/ Reject Comments - 15 -
Appendix B - Requirements Specific Requirements Identifier R1 R2 R3 R4 R5 R6 R7 R8 R9 Description Solution MUST be prepackaged without the need for development Solution MUST be appliance (physical or virtual) based. Solution MUST be able to perform SSO for MEDITECH (client / server and Magic) out of the box without additional development or cost. Solution MUST Must be able to perform SSO for the McKesson line of healthcare products out of the box without additional development or cost. Solution MUST be able to perform SSO for the Cerner line of healthcare products out of the box without additional development or cost. Solution MUST be able to perform SSO for the following application types without the need for addition development: Client server Web Based Terminal Based Terminal Server Based Telnet Network Logins VMWare VDI Hard Disc encryption (ie Symantec) Solution MUST support a PRE-Windows logon self service password resets. Solution MUST operate even with the loss of connectivity to the central repository. Solution MUST seamlessly integrate with standard swipe card technology to allow SSO Pass / Fail Comments - 16 -
Appendix B - Requirements Identifier R10 R11 R12 R13 R14 R15 R16 R17 R18 R19 R20 R21 R22 R23 R24 R25 Description Solution M UST be able to authenticate against multiple LDAP directories in a multi-domain Active Directory forest. Solution MUST have redundancy and failover capabilities built in. (please describe). Solution MUST support federation. Solution MUST support multiple challenge response questions to authenticate a user before allowing self-service password reset Solution MUST support user self-service for password resets. Solution MUST support multiple password policies. Solution MUST service forgotten and/or expired passwords Solution MUST support basic HTTP authentication Solution MUST support FORMS based authentication Solution MUST provide transaction level audit/reporting on access to protected resources. Solution MUST support advanced authentication such as digital certificates, tokens and multiple factor, swipe cards. Solution MUST have a shared workstation solution for single sign-on. Solution MUST have no JRE dependencies. Solution MUST use LDAP directory credentials as the primary account. Solution MUST interoperate with the following authentication systems, mechanisms and protocols : Web ISO Kerberos PKI 802.1x RADIUS Active Directory Solution should support the delegation of user management. Pass / Fail Comments - 17 -
Appendix B - Requirements Identifier R26 R27 R28 R29 R30 R31 R32 R33 R34 R35 R36 R37 R38 R39 R40 R41 R42 Description Solution should support the ability for solution administrators to manage roles. Solution should limit attribute displays from queries according to access/privacy policies. Solution should support authorized access to a second domain upon successful authentication in a first domain (i.e. token,cookie,etc.). Solution should respond to attempts to access protected resources directly. Solution should respond to attempts to access protected resources after session termination. Solution should respond to attempts to access protected resources via invalid credentials. Solution should respond to attempts to access protected resources via no credentials. Solution should respond to repeated failed attempts. Solution should service a login at an application site and pass to other registered applications. Solution should support weak password (i.e. no format or expiration) Solution should support strong password (i.e. 8 character with special, alpha, numeric, case, non-repeat, short expiration) Solution should support logout from application, portal or domain. Solution should support timeout from application, portal or domain. Solution should support encrypted network communications between components and end points. Solution should support applications ability to leverage existing credentialing rather than establishing new credentialing system. Solution should support failover and recovery from failure of any part of the system. Solution should support integration with existing nshealth.ca VPN technologies. (Aventail, Checkpoint, Palo Alto) Pass / Fail Comments - 18 -
Appendix B - Requirements Identifier R43 R44 R45 R46 R47 R48 R49 R50 Description Solution should support scalability. Solution should contain role/discretionary based administration function to provide for separation of duties for administrative access and control. Solution should have option to allow users to lookup their application credentials. Solution should have the ability to identify user ID sharing. Solution should allow non-network users to request a non-local directory account. Self-service password reset feature should allow randomization of personalized questions. Solution should have ad hoc reporting capability build in. Solution should support ODBC compliant third party reporting tools. Pass / Fail Comments - 19 -
Appendix C Financial Proposal Consulting Fees : Indicate the consulting fees by task and deliverable 1 2 3 4 5 6 7 8 9 10 Task Deliverable Resource Estimated Hours Rate Total Consulting Total Cost Additional Skill Sets : List skill sets that may be needed but are not associated with a specific task or deliverable 1 2 3 4 5 6 7 8 9 10 Job Title Role on the Project Estimated Hours Rate Total for Additional Skill Sets Total Cost - 20 -
Appendix C Financial Proposal Senior Staff : Members of the project team responsible for the overall engagement including senior project manager, senior technical lead, etc. 1 2 3 4 5 6 7 8 9 10 Job Title Role/Responsibility Total Hours Rate Total for Senior Staff Total Cost - 21 -
Appendix C Financial Proposal Software : Identify any anticipated software costs 1 2 3 4 5 6 7 8 9 10 Software Product Type of License # of Licenses Unit List Price Discount Proposed Price Total Cost of all Software Purchases Total Cost Software Maintenance : Identify all software maintenance costs for the software listed above. 1 2 3 4 5 6 7 8 9 10 Software Product Standard Maintenance Fee Discount Proposed Price/Year # of Years Required Total Software Maintenance Costs Total Cost - 22 -
Appendix C Financial Proposal Hardware : Identify any anticipated hardware costs 1 2 3 4 5 6 7 8 9 10 Hardware Product Type of Component # of Units Unit List Price Discount Proposed Price Total Cost of all Hardware Purchases Total Cost Hardware Maintenance : Identify all hardware maintenance costs for the hardware listed above. 1 2 3 4 5 6 7 8 9 10 Hardware Product Standard Maintenance Fee Discount Proposed Price/Year # of Years Required Total Software Maintenance Costs Total Cost - 23 -
Appendix C Financial Proposal Other Costs : # Description Cost 1 2 3 4 5 6 7 8 9 10 Total Other Costs Proposal Total : Description Consulting Fees Additional Skill Sets Senior Staff Software Software Maintenance Hardware Hardware Maintenance Other Costs Total for Proposal Cost - 24 -
- 25 -