HIPAA Technical Risk Security Assessment

1. Will you be issuing additional directions for the formatting of the final proposal due November 21st?
Answer: There are no specific formatting requirements; just submit the proposal per Section 4.0 of the RFP.

2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)?
Answer: No.

3. When do you estimate the start and completion of this project?
Answer: Open with vendor’s timeframe.

4. What is the budget?
Answer: Open, as part of a larger project.

5. Can you please define the scope of this project in greater detail?
Answer: Scope to include the following: Conduct an accurate and thorough identification of all relevant threats, identification of vulnerabilities, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation. The proposer shall prioritize risk areas based on results and make recommendations for remediation.

6. If we plan on incurring travel or other expenses relating to the performance of the HIPAA risk assessment activities, would the County like these expenses included in the lump sum amount or noted as a separate line item within the fee estimate?
Answer: All expenses are to be included in the lump sum.

7. Is the intent of the RFP to secure a firm fixed price engagement or time and materials?
Answer: Fixed price.

8. Will there be a single point of contact coordinating among the three facilities?
Answer: Yes.

9. Does Outagamie County have a self‐funded health plan?
Answer: No.

10. Does Outagamie County currently have a HIPAA Security & Privacy Officer responsible and accountable for the County’s HIPAA compliance? Please specify name and title.
Answer:
o Security Officer – Joan Mitchell, Technical Manager
o Privacy Officer – Tom Stratton, ALTS Manager
o Privacy Officer – Karen Spielmann, Health Information Coordinator
11. Can you describe in more detail the HIPAA compliance initiatives that are already in place?
Answer: Currently writing and implementing Policies/Procedures – 75% complete.

12. Are your HIPAA policies and procedures up‐to‐date with your practices?
Answer: No.

13. When were the HIPAA policies and procedures last updated?
Answer: Ongoing updates.

14. Will you provide us with a list of HIPAA security related policies and procedures that you have in place? Will you supply them to the proposers?
Answer: No, only to the Awarded Vendor.

15. Will the assessment reports and remediation checklists from the previous HIPAA compliance audit/assessment be made available to the successful consultant who wins this project?
Answer: Yes.

16. The title of this RFP is HIPAA Security Technical Risk Assessment. For clarification purposes, is the county looking for an assessment that measures compliance with the HIPAA Security Rule, or is there also an expectation that this assessment will include a technical aspect that includes such things as a vulnerability assessment of the network perimeter, testing (white hat hacking) of internal technical controls, etc.? If so, please provide an estimate of externally accessible systems and internal systems.
Answer: Just HIPAA Security Rule.

17. When was the last HIPAA review/assessment conducted?
Answer: November 2008.

18. Who did the last assessment?
Answer: Awarded Vendor.

19. When was the last HIPAA security awareness training program delivered to the 3 departments’ employees, contractors, and authorized users that work for those departments?
Answer: Brewster Village performs routine ongoing training; others only at new hire.
20. Have Outagamie County and the 3 departments ever been cited for a violation of HIPAA Security or Privacy Law mandates by a county citizen? If yes, specify for what and if this has since been remediated.
Answer: Never been cited.

21. Are you looking to complete the privacy review/evaluation for (DHHS and Brewster Village)?
Answer: No.

22. The American Recovery and Reinvestment Act required implementation in 2009. What would be considered in scope for this review? (Privacy and Security‐Breach Notification Interim Final Rule)
Answer: No.

23. Are Business Associate Agreements in place and have they been updated since the changes in 2009?
Answer: Yes.

24. Is the scope of the HIPAA Security Technical Risk Assessment limited to HIPAA Security Law requirements and mandates as defined in Sections 164.308, 164.310, 164.312, or does the scope include HIPAA Privacy Law as defined in Sections 164.520, 164.522, 164.530?
Answer: Just the security laws.

25. To help quantify the scope of the HIPAA risk assessment, can you provide some additional details regarding the size (e.g., number of employees, number of physical offices) and business functions for each of the in‐scope departments (e.g., Department of Health and Human Services, Brewster Village Nursing Home, MIS Department)?
Answer:

Brewster Village:
o 272 employees
o 65 physical offices
o Our non-contracted general business functions include:
o Patient accounts
o Accounts receivable
o Administrative services
o Nursing
o Social services
o Dietary
o Environmental services

Human Services:
o ~350 employees
o ~350 physical offices
o Mental Health
o Public Health
o Youth & Family Services
o WIC/Maternal Child Health
o Fiscal
o Long Term Support
o Economic Support
o Child Support
o Children, Youth & Families
o Aging & Disability Resource
o Administrative

MIS Department:
o 17 employees
o 17 physical offices
o General business functions include:
o IT Helpdesk Functions
o Servers – Network Security
o Telecommunications – LAN/Phone
o PC Technicians
o Programming
o Reprographics – Print Shop
o Micrographics – Mailing/Records Storage
o Records Management

26. The County mentioned in the RFP that they were open to different options on how the risk assessment can be performed. However, is there a minimum set of deliverables that the County would like to be provided at the conclusion of the project?
Answer: Identify which HIPAA Security Laws are not in compliance.

27. Is the scope of this HIPAA compliance audit/assessment merely to identify the gaps that the 3 departments have based on our interviews, findings, and policy/procedure review and then to provide recommendations for gap remediation, man‐hour estimates, and cost magnitude estimates to remediate the gaps, or does Outagamie County want us to fill the identified gaps as part of this scope of work effort?
Answer: Just identify the gaps only.

28. Do Outagamie County and the 3 departments have a PHI and ePHI mapping that identifies points of entry for receiving/collecting PHI or ePHI and where the PHI and ePHI traverses through the department internally and externally to outside entities (i.e., requires a Business Associate Agreement be in place, etc.)? Will this mapping be
available to the selected consultant or must we identify and document PHI and ePHI flow throughout these 3 departments and Outagamie County as part of the scope of service?
Answer: Nothing formally documented.

29. How many software applications store or transmit ePHI?
Answer: 2 major applications and several web‐based and database applications and interfaces.

30. Are all ePHI related systems hosted on the County's internal network? If not, please specify the applications that are hosted by an outside vendor and the purpose of the application.
Answer: Yes.

31. Do Outagamie County and the 3 departments have a complete list of internal and external recipients of PHI or ePHI from that department? If yes, can you specify how many Business Associate Agreements (BAAs) are currently in place for each of the 3 departments?
Answer: Not one complete list per department.

32. Do all three facilities fall under the same policy guidelines?
Answer: Same general guidelines with a few minor exceptions.

33. Are physical site surveys a part of the risk assessment (designed to provide a snapshot of facility physical security posture and practices)? If so, how many facilities, and are they located within 15 miles of the primary site?
Answer: Campus location downtown; Nursing Home facility 6 miles from campus; temporary relocation 1 mile from campus.

34. We conduct interviews with 3 groups (management, operational, technical). Would multiple interview sessions per group be involved?
Answer: Possibly.

35. Does Outagamie County currently have in place updated HIPAA Business Plan Documents? Specify the last revision dates for the following elements:
o Business Impact Analysis (BIA)
o Risk Management Plan
o Configuration Management Plan
o Incident Response Plan
o Business Continuity Plan
o Disaster Recovery Plan
o Physical Environment Security Plan
Answer: No.

36. Does the scope of the risk assessment include technical scans?
Answer: Yes.

37. Will the scans be performed internally, externally or both?
Answer: Both.

38. How many internal IP addresses will be scanned?
Answer: All of them.

39. How many external IP addresses will be scanned?
Answer: All of them.

40. In addition to assessing vulnerabilities, will we be asked to penetrate the vulnerabilities (external, internal, or both)?
Answer: Yes.

41. How many physical locations or data centers will be involved in the vulnerability scan?
Answer: Two locations – one Main and one Backup Site.

42. Are network assets involved in the security assessment accessible from a single location?
Answer: Yes.

43. How many (approximate) IP addresses and systems are in each location?
Answer: N/A – scan all.

44. Will web application assessments be included in the scope of this assessment? If so, how many, are they accessible on the internet (if not, how many are not), how many pages on each application, and how many user levels/roles will be tested?
Answer: No, we don’t have any web applications.

45. Describe the technology in use including firewalls, networking equipment, servers, workstations, and applications in use. Wireless used? Portable devices (smartphones, iPads)? Estimated counts for each of these items?
Answer: OC uses firewalls, networking equipment, servers, workstations, SQL and wireless. Checkpoint, PaloAlto Networks, Fortinet, Cisco, HP, Extreme Networks, VMWare Environment, Dell, HP Lefthand SAN, AS400, etc.
46. How many databases support the in‐scope applications?
Answer: 4.

47. List all database platforms that store credit card data.
Answer: None.

48. What are the operating systems for the servers?
Answer: Win 2003, Win 2008, SQL.

49. Is there segmentation between the systems storing ePHI and the rest of the network?
Answer: Some yes and some no.

50. How many Internet, DMZ, or segmentation firewalls are in place?
Answer: 2.

51. How is segmentation achieved?
Answer: Firewall, VLANs.

52. Is wireless technology in use anywhere on the network? If so, how many locations?
Answer: Yes, al

53. Is ePHI data transmitted over wireless devices at any point?
Answer: Yes.

54. Are ePHI data transactions accepted through a web server?
Answer: No.

55. How many data centers store and/or transmit ePHI data?
Answer: Two.

56. Is any part of the environment outsourced to a 3rd party?
Answer: No.

57. Are there third parties, outsourcers, or business partners connected to the network?
Answer: Yes, as-needed consultants/vendors.

58. Is there a network diagram and data flow diagram of the ePHI data environment?
Answer: Network diagram = yes; data flow = no.

59. Is the County's network segmented to isolate electronic protected health information (ePHI) from systems and users that have no need to access it?
Answer: No.
60. Can the County provide some details around the IT systems that support the in‐scope departments? This may include the number of systems, platforms (Windows, UNIX, etc.), architecture (virtual, physical, etc.) or other key system attributes that would assist with the scoping of the assessment activities.
Answer: Windows/Linux, virtual and physical servers.

61. Regarding the IT infrastructure and MIS roles, responsibilities, and accountabilities, does the Outagamie County MIS Department take ownership of the IT systems, applications, and support for the Department of Health & Human Services and the Brewster Village Nursing Home?
Answer: Yes, MIS takes ownership and support for hardware and some applications.

62. What policies and procedures are currently documented and in place for the Outagamie County MIS Department regarding how MIS employees, contractors, and authorized users are to access, handle, and transfer/move PHI or ePHI within IT systems, servers, and databases?
Answer: No formal policies.

63. What web‐applications and on‐line services do Outagamie County, the Department of Health & Human Services and Brewster Village Nursing Home currently offer their citizens? Please provide the URL link for these online web‐applications and services.
Answer: None.

64. Please describe or provide a short summary of the IT systems, applications, and services that the Outagamie County MIS Department provides and supports on behalf of the Department of Health & Human Services and Brewster Village Nursing Home.
Answer: One cluster server for BV and one cluster server for HHS.

65. Please describe or provide an Org Chart of the MIS Department’s IT organization and the individuals that are responsible and accountable for managing and supporting the IT systems, applications, and services for the Department of Health & Human Services and Brewster Village Nursing Home.
Answer: MIS Department staff:
o 14 employees supporting IT
o General business functions include:
o IT Helpdesk Functions
o Servers – Network Security
o Telecommunications – LAN/Phone
o PC Technicians
o Programming
And including HHS MIS Coordinator and Brewster Village Information Services Coordinator.

66. Please indicate whether or not the following plans are developed, implemented, tested, and the last date of their review (for each plan: Developed “X”, Implemented “X”, Tested “X”, Last Review Date):
o Overall Security Plan
o Disaster Recovery Plan
o Continuity of Care Plan
o Risk Management Plan
o Emergency Mode of Operation
Answer: No formal plans developed yet.

67. Is the current disaster recovery, continuity and risk management plan a part of the HIPAA evaluation/review?
Answer: No.

68. Have any of the systems had penetration testing?
Answer: Yes.

69. Have you identified a Security Official?
Answer: Yes.

70. For each of the covered components (DHHS, Brewster Village, and MIS) please address the following:
1. How many systems are utilized to access, create, modify, store or transmit protected health information for each of the covered components?
Answer: Asked this earlier…
2. Are these systems supported by a vendor or managed by internal IT resources?
Answer: Both.
3. Does the organization share health information with other health organizations electronically?
Answer: Yes.
4. Is the organization using an electronic health record?
Answer: Yes.
5. What other system related projects are planned that may impact this review?
Answer: None.
6. Are you currently billing electronically for the billable services offered by the covered entities?
Answer: Yes.