Request for Quote

HIPAA Security Risk Analysis

4/26/13


Purpose

The Florida Department of Children and Families (DCF or the Department) is looking for a qualified information security assessment firm to perform a Security Risk Analysis (RA) as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(A). DCF is requesting fixed price quotes for defined deliverables based on the Department of Management Services (DMS) State Term Contract, IT Consulting Services numbered 973-561-010-1 using vendors and services as defined in Project Area 1, Analysis and Design. The terms and conditions of the Purchase Order/task order resulting from this Request for Quote (RFQ) shall take precedence over the terms and conditions set forth in the DMS state term contract, except where the terms and conditions of the state term contract are required by law. Funding for the Purchase Order/task order is contingent upon annual state legislative appropriation. Although the document that will result from this RFQ will be a Purchase Order issued under the relevant DMS state term contract(s), the term “contract” is used in the RFQ as a matter of convenience to denote that document. The goals of this engagement are to:

1. Satisfy the Meaningful Use Core Objective to “Protect Electronic Health Information.”

2. Guide the Department of Children and Families’ Risk Management Program to more effectively prevent, detect, contain, and correct security violations.

3. Meet HIPAA Security Rule testing requirements.

4. Develop a long-term security partner relationship.

The Department of Children and Families is responsible for providing services to protect children and adults from abuse and neglect; addressing the needs of the developmentally disabled; administering public benefits programs and issuing benefits according to Federal mandates; administering programs to help clients overcome the effects of substance abuse; and providing treatment for mentally ill children and adults. As a result of this responsibility, DCF is in contact with detailed, and often non-public, information concerning these vulnerable citizens and is dedicated to protecting the confidentiality, integrity, and security of this information.

Schedule

The following schedule has been defined to efficiently solicit multiple competitive quotes, select the most qualified vendor, and start the project within a short time period.

Event and Date

1. RFQ Released to Vendors: April 26, 2013

2. Questions from Vendors About Scope or Approach Due: May 1, 2013

3. Responses to Vendors About Scope or Approach Due: May 26, 2013

5. Vendor Presentations: May 816-17, 2013

6. Finalist’s Review: May 15, 2013

76. Anticipated Decision and Selection of Vendor: May 1622, 2013

87. Anticipated Project Start Date: June 3, 2013

All quotes must remain valid for up to 30 days following the quote due date. Any costs incurred during the development of this quote or associated work will not be reimbursed.

Award Selection

Criteria

All quotes will be reviewed using the following criteria:

• completeness

• proven technical capability

• ability of deliverable to clearly communicate findings and recommendations

• demonstrated information security experience in healthcare

• vendor objectivity

• cost

Quotes should be submitted as a firm fixed price that includes travel costs. The Department of Children and Families reserves the right to not select the lowest cost and to not select a vendor if none sufficiently meet the goals of this RFQ.

Quote Structure

The following sections will be included, in this order:

1. Executive Summary – This section will present a high-level synopsis of the vendor’s response to the RFQ. The Executive Summary should be a brief overview of the engagement, and should identify the main features and benefits of the proposed work and describe how the vendor solution addresses the stated high-level business and technical goals.

2. Company Overview – Provide a description of the company’s history, culture, number of years performing security assessments, relevant engagement experience, and key differentiators.

3. Fees – Itemize all fees associated with the project.

4. Deliverables – Include descriptions of the types of reports used to summarize and provide detailed information on security risk, vulnerabilities, and the necessary countermeasures and recommended corrective actions. Include sample reports as attachments to the quote to provide an example of the types of reports that will be provided for this engagement.

5. Schedule – Include the method and approach used to manage the overall project and correspondence. Briefly describe how the engagement proceeds from beginning to end and include payment terms.

6. Contact Information – Key sales and project management contact information, including: name, title, address, direct telephone and fax numbers.

7. References – At least three healthcare clients where a similar scope of work was performed.

8. Team Member Biographies/Resumes – Include biographies and relevant experience of key staff and management personnel that will be involved with this project.

9. Scope and Methodology – Detail the specific objectives this scope will answer and reference the frameworks, standards and/or guidelines used to develop the scope. Also provide a detailed description of the methodology applied to complete the scope of work.

10. Sample Reports – Include, as a separate attachment, sample reports of the services to be provided.

It is required for each quote to completely address each section in this order to ensure a fair and accurate comparison of vendors.


Scope of Work

The Department of Children and Families is in the process of developing an internal Risk Management Program and seeks an objective third-party to aid in the RA process. This process should include the following phases:

1. Develop a project plan to define the overall project timeline, including key project milestones and deliverables.

2. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.

3. Validate that vulnerabilities and risks identified have been sufficiently mitigated.

The identification of vulnerabilities should use multiple approaches, including:

• A review of the following control categories:

  o Business Associate Oversight

  o Business Continuity and Disaster Recovery

  o Data Security (ePHI and meaningful use reporting)

  o Information Security Program

  o Network Analysis

  o Personnel Security

  o Physical Security

  o Security Event and Incident Management

  o Systems Analysis

• Internal technical vulnerability assessment

• External penetration testing

• Social Engineering

The vendor shall use both technical and non-technical methods to:

1. Identify missing controls by performing a gap analysis between implemented safeguards and those required by the HIPAA Security Rule.

2. Identify non-functioning controls by comparing documented policies and procedures to actual implemented controls.

3. Identify internal technical vulnerabilities by testing implemented security domains, device configurations, access controls, system hardening procedures, vulnerability management programs, etc.

4. Identify external vulnerabilities by enumerating all Internet-accessible services and validating which software, configuration, and password vulnerabilities are exploitable.

5. Identify areas to improve employee HIPAA security awareness and training by focused social engineering testing.

6. Validate all identified vulnerabilities have been addressed in a timely manner.

7. If sampling is part of your methodology, define when and how sampling will be used.

The Department of Children and Families infrastructure for the purpose of this RFQ includes:

Number of Physical Locations: 125

Locations Requiring Physical Visit: 5 Total

• Northwood, 1940 N. Monroe Street, Tallahassee, FL 32399

• Winewood, 1317 Winewood Blvd, Tallahassee, FL 32399-0700

• Florida State Treatment Center, 100 N Main Street, Chattahoochee, FL 32324

• Northeast Florida State Treatment Center, 7487 Florida 121, Macclenny, FL 32063

• North Florida Evaluation and Treatment Center, 1200 NE 55th Blvd, Gainesville, FL 32641-2759

Number of Employees: 11,866 Total Department FTEs

• Northwood—139

• Winewood—1052

• Florida State Treatment Center—1679

• Northeast Florida State Treatment Center—1048

• North Florida Evaluation and Treatment Center—356

• Northwest Region—721

• Northeast Region—1322

• Suncoast Region—1461

• Central Region—1976

• Southeast Region—849

• Southern Region—1263

Number of IT Staff: 277 Total FTEs

• Florida State Treatment Center—20

• Northeast Florida State Treatment Center—11

• North Florida Evaluation and Treatment Center—4

• Northwest Region—11

• Northeast Region—11

• Suncoast Region—11

• Central Region—14

• Southeast Region—8

• Southern Region—10

Number of Beds: 1784 Total Beds

• Florida State Treatment Center—959

• Northeast Florida State Treatment Center—632

• North Florida Evaluation and Treatment Center—193

Number of Servers: 130

Number of Workstations: 12091 Total

• Northwood—249

• Winewood (including Hotline)—1248

• Florida State Treatment Center—787

• Northeast Florida State Treatment Center—508

• North Florida Evaluation and Treatment Center—194

• Northwest Region—1126

• Northeast Region—1597

• Suncoast Region—1588

• Central Region—2354

• Southeast Region—920

• Southern Region—1522

Number of Windows Domains: 3

Number of Firewalls and Vendor(s): 1, CISCO

Number of Routers and Vendor(s):

• Northwood—One Cisco router that provides MFN service

• Winewood—Two Cisco routers that provide MFN service (includes Hotline)

• Florida State Treatment Center—One Cisco router that provides MFN service

• Northeast Florida State Treatment Center—One Cisco router that provides MFN service

• North Florida Evaluation and Treatment Center—One Cisco router that provides MFN service

• Northwest Region—28 Cisco routers that provide MFN service

MFN service

• Suncoast Region—29 Cisco routers that provide MFN service

• Central Region—30 Cisco routers that provide MFN service

• Southeast Region—19 Cisco routers that provide MFN service

• Southern Region—8 Cisco routers that provide MFN service

Number of Public Facing IP Addresses in Use: 2

Number of Applications that Store ePHI: Approximately 159 Total

• Florida State Treatment Center—84

• Northeast Florida State Treatment Center—33

• North Florida Evaluation and Treatment Center—9

• All other apps with ePHI—33

Number of Wireless Networks in Use:

• Northwood—10 Aerohive Access Points and 2 Cisco Access Points, hosting three wireless networks

• Winewood—6 Aerohive Access Points and 13 Cisco Access Points, hosting three wireless networks

• Florida State Treatment Center—9 Aerohive Access Points, hosting two wireless networks

• Northeast Florida State Treatment Center—no wireless

• North Florida Evaluation and Treatment Center—no wireless

• Northwest Region—4 Aerohive Access Points, 9 Cisco Access Points

• Northeast Region—3 Cisco Access Points

• Suncoast Region—

• Central Region—20 Aerohive Access Points and 2 Cisco Access Points

• Southeast Region—1 Aerohive Access Point and 10 Cisco Access Points

• Southern Region—47 Aerohive Access Points and 2 Cisco Access Points

Deliverables

As a result of this project, the Department of Children and Families requests:

deliverables;

• weekly status reports; and

• a documented and prioritized list of risks overall and by location, each defined by a specific vulnerability, its impact, the asset affected, and a recommendation to mitigate the risk.

The final report will consist of the following sections:

1. Executive Summary – appropriate for senior management to review and understand the current level of risk.

2. Introduction – including the scope and methodology used for this assessment.

3. Findings and Mitigation Recommendations – providing sufficient technical detail for the IT team to understand and replicate the issue.

4. Analysis Work Notes – documenting all control and/or vulnerability categories tested and the results of the testing per location.

The deliverables will be both concise and comprehensive, free from false positives and false negatives, and provide sufficient technical detail to support all findings. Deliverables must be in PDF format and shall be delivered encrypted or via another secure method.

In addition, a presentation of findings to executive management and the technical team is required. Assessment follow-up access to the security engineering team for questions and clarifications is desired.


Pricing

DCF requires a fixed-fee pricing schedule that identifies the cost of each of the project deliverables identified below (columns: Task, Deliverable, Cost of Deliverable):

Task: Prepare HIPAA Review Project Plan
Deliverable: Project Work Plan

Task: Assess the physical and technical environment of the Office of Information Technology Services (OITS) located at the Northwood Center, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks for OITS and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for OITS

Task: Assess the physical and technical environment of the Headquarters offices located at the Winewood Office Complex, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for Winewood

Task: Assess the physical and technical environment of the Florida State Treatment Center located in Chattahoochee, Florida, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Florida State Treatment Center

Task: Assess the physical and technical environment of the North Florida Evaluation and Treatment Center location in Gainesville, Florida, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the North Florida Evaluation and Treatment Center

Task: Assess the physical and technical environment of the Northeast Florida Treatment Center located in Macclenny, Florida, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Northeast Florida Treatment Center

Task: Assess the physical and technical environment of the Northwest Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Northwest Region

Task: Assess the physical and technical environment of the Northeast Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Northeast Region

Task: Assess the physical and technical environment of the Suncoast Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Suncoast Region

Task: Assess the physical and technical environment of the Central Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Central Region

Task: Assess the physical and technical environment of the Southeast Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Southeast Region

Task: Assess the physical and technical environment of the Southern Region, including identifying HIPAA compliance gaps, vulnerabilities, impacts, the assets affected, and recommendations to mitigate the risks and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Analysis Results for the Southern Region

Task: Summarize the statewide results, including any overarching HIPAA compliance gaps, vulnerabilities, impacts, and the assets affected that are not documented in the individual location reports, and recommend mitigation actions for these overarching HIPAA compliance issues and levels of effort to accomplish each mitigation action.
Deliverable: HIPAA Compliance Executive Report

Please describe efforts to maximize the use of state residents, state products, and other Florida-based businesses in fulfilling the contractual duties under this RFQ.

Vendors shall not increase their proposed cost for the specified deliverables for the scope of work defined in this RFQ during the term of any Purchase Order resulting from this RFQ and any renewals. DCF may request additional services for additional costs at its sole discretion. Any additional services for the term of any Purchase Order renewals or extensions contemplated by this RFQ shall be subject to the availability of state funding and the approval of the department’s Contract Manager.

Submission of RFQ Responses

Electronic responses are due to the Office of Information Systems Procurement Office no later than May 7, 2013 by 2pm ET. Responsibility for timely delivery rests with the Vendor. The Vendor’s electronic mail response to this RFQ should be addressed with the SUBJECT line “DCF – HIPAA Compliance Assessment Procurement” and delivered to [email protected]. All required documents may be included as attachments to the email.

Any quote received after the required time and date specified shall be considered late and non-responsive. Late quotes will not be evaluated.
