Request for Proposals (RFP) for HIPAA Risk Analysis and Security

RFP Number: 2559

Date 07/28/2021

Request for Proposals (RFP)

for

HIPAA Risk Analysis and Security Assessment Services

All communication regarding this RFP must be to: Nishant Kondamudi

Director of Solicitations

Strategic Sourcing

New York City Health + Hospitals

50 Water Street, 5th Floor

New York City, New York 10004

Office: 646.815.3201

Cell: 332.215.1558

kondamun@nychhc.org

RFP Number: 2559

Date 07/28/2021

I. RFP Timeline

Date

Time (EST)

RFP Release:

08/09/21

n/a

Pre-Proposal Conference Call RSVP:

(by emailing the person designated on the first

page of this RFP)

08/16/21

12:00 PM

Mandatory Pre-Proposal Conference Call:

Conference Call Dial-in Number:

(844) 621-3956

Access Code:

172 449 1077#

08/17/21

2:00 PM

Proposer Questions Due:

08/19/21

3:00 PM

Close of Question Period / Answers Due:

08/24/21

5:00 PM

Proposal Due:

09/07/21

3:00 PM

Anticipated Contract Start:

12/1/21

n/a

RFP Number: 2559

Date 07/28/2021

II. NYC Health + Hospitals

New York City Health and Hospitals Corporation (NYC Health + Hospitals) is an integrated health care

system of hospitals, neighborhood health centers, long-term care, nursing homes and home care – the

public safety net health care system of New York City. NYC Health + Hospitals is committed to the health

and well-being of all New Yorkers and we offer a wide range of high quality and affordable health care

services to keep our patients healthy and to address the needs of New York City's diverse populations.

www.nychealthandhospitals.org

RFP Number: 2559

Date 07/28/2021

III. Project Description

NYC Health + Hospitals is looking for a vendor to provide annual information risk analysis and

security assessment services for all of its facilities, entities, units, programs, and data centers, with

a focus on electronic sensitive data including but not limited to electronic Protected Health

Information (“ePHI”) as defined by the implementing regulations of the Health Insurance Portability

and Accountability Act (“HIPAA”) of 1996.

The requested risk analysis and security assessment services are broken down into the following

seven activities:

1. HIPAA Enterprise-wide Risk Analysis (Application & ePHI Focused)

2. HIPAA Compliance Assessment, including the Office for Civil Rights (OCR) Audit Protocol

3. Management Plan for addressing identified risks

4. Application Security - Penetration Testing and Configuration Controls Review

5. Infrastructure Security - Internal Penetration Testing

6. Infrastructure Security – Perimeter / Demilitarized Zone (DMZ) Penetration Testing

7. Vendor Risk Assessment

Further details regarding the seven activities above are discussed in Section V. Scope of Work.

RFP Number: 2559

Date 07/28/2021

IV. Minimum Criteria

The proposer must meet and attest that it meets all of the following minimum qualifications in order to

participate in this RFP (see Section VIII.B.4):

• MWBE Utilization Plan, Waiver, or MWBE Certification (see Section VIII.B.10);

• Firm must have performed risk analysis and security assessment services at a minimum of five large

health care systems;

• At least 2 references from former and/or current clients that have worked with vendor within the

past 3 years;

• Must hold, in good standing, HITRUST or other equivalent certification; and

• Must meet NYC Health + Hospitals’ IT Security requirements (document attached)

Please provide confirmation and supporting documentation that you meet each of these minimum criteria.

RFP Number: 2559

Date 07/28/2021

V. Scope of Work: Risk Analysis and Security Assessment Services

The statements in this section cover the scope required to fulfill the System’s HIPAA and Security Risk

Assessment program. The vendor must outline the methodology to be utilized for the enterprise-wide risk

analysis and security assessment services, and management plan as described below.

Note that for each of the activities (1 – 7) below, the following statements should also be applied:

• Reports for each activity (1 – 7) must be provided and include detailed findings of vendor analysis,

assessment, and recommendations – essentially, technical and executive reports per location, as

well as an enterprise-wide risk analysis report, and a risk management plan for NYC Health +

Hospitals – in Excel, PDF and Word formats. Reports should cover the project scope, executive

summary, confirmation status of each information security control with recommendations for

improvement, and an overall management plan designed to address the identified risks.

• All activities/results must be mapped to HIPAA, HITRUST MyCSF, NIST Controls (800-53),

ISO27001 & NIST Cyber Security Framework, and OWASP Top 10 Application Security Risks (where

applicable for applications).

A baseline must be created so that future analyses/assessments can measure deviations from the baseline,

and compare NYC Health + Hospitals with health care industry averages.

1. HIPAA Enterprise-wide Risk Analysis (Application & ePHI Focused) - Conduct an enterprise-wide risk

analysis, management, and evaluation to meet HIPAA Security Rule §§ 164.308(a)(1)(ii)(A) & (B) and

164.308(a)(8) requirements across the entire NYC Health + Hospitals system, including hospitals, clinics,

corporate offices (including subsidiaries), data centers, and MetroPlus - i.e. conduct an accurate and

thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and

availability of electronic protected health information (“ePHI”) created, received, maintained, stored, or

transmitted by NYC Health + Hospitals, identify security measures sufficient to reduce the risks and

vulnerabilities to a reasonable and appropriate level, and conduct a technical and nontechnical

evaluation, based upon the standards implemented under the Security Rule, in response to

environmental or operational changes affecting the security of ePHI. The risk analysis should include

ePHI in all forms of electronic media, regardless of the medium in which it is created, received,

maintained, stored or transmitted, or the source or location of the ePHI, and should track the movement

of such ePHI within the System. Additionally, the risk analysis must meet all Promoting

Interoperability/HITECH risk analysis requirements. This activity should be application-focused, and the

results must include prioritized risks to all electronic sensitive data especially ePHI that is created,

received, maintained, stored, transmitted or processed by the applications, medical devices,

infrastructure (network, workstation, server, web, database, mobile devices etc.), and users. Such risk

RFP Number: 2559

Date 07/28/2021

analysis will include an assessment of threats to the ePHI and the vulnerabilities present in the systems

or hardware that create, receive, store, maintain, process or transmit ePHI.

The risk analyses must be in line with NIST guidelines including but not limited to NIST SP 800-66, NIST SP

800-30, NIST SP 800-53 and other guidance available from the U.S. Health & Human Services Office for Civil

Rights (“OCR”) such as:

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.

pdf.

In addition, the Promoting Interoperability security risk analysis should be performed in accordance with the

requirements in 45 CFR § 164.308(a)(1), including addressing the security (to include encryption) of ePHI

data created, received, transmitted, or maintained by certified electronic health record technology (CEHRT)

in accordance with requirements in 45 CFR § 164.312(a)(2)(iv) and 45 CFR § 164.306(d)(3).

2. HIPAA Compliance Validation Assessment including the OCR Audit Protocol - Perform on-site

assessments of all NYC Health + Hospitals locations, including hospitals, clinics, corporate offices

(including subsidiaries), data centers, and MetroPlus, each year to ensure the System’s compliance with

the Privacy, Security, and Breach Notification Rules, and all sub-elements such as HITECH additions, the

Omnibus Rule, and the OCR audit protocol – see, https://www.hhs.gov/hipaa/for-

professionals/compliance-enforcement/audit/protocol/index.html.

Review existing privacy and security policies and procedures from a HIPAA and best practices standpoint and

provide recommendations where deficiencies are found.

3. Management Plan for addressing identified risks – Develop a comprehensive management plan that

addresses all the risks identified in the enterprise-wide risk analysis, and how to mitigate them. The plan

should rank the risks according to their criticality.

4. Application Vulnerability Assessment - Thorough penetration test and questionnaire-based

assessments of 100 enterprise applications over three years (client server, mobile and web-based

applications) to uncover all vulnerabilities and weak configuration controls associated with the

applications and supporting infrastructure (endpoints, workstations, servers, network, medical devices),

and highlight the applications that are readily exploitable, along with evidence of vulnerability actually

being exploited during testing. This exercise must also identify vulnerabilities which are not possible to

detect using automated vulnerability scanning activity. The results must include an application specific

threat model (reference Microsoft threat modeling).

The risk analysis must be in line with HIPAA Security Rule, NIST guidelines including but not limited to NIST

SP 800-30, NIST SP 800-53 and other guidance available from OCR guidance on risk analysis.

RFP Number: 2559

Date 07/28/2021

5. Infrastructure Security - Internal Penetration Testing - A penetration testing of all IP addressable

endpoints (or a sample size of at least 10%) including but not limited to workstations, servers, peripheral

devices, wireless devices/access points and network/security devices. There are approximately 110K IP

addressable endpoints out of which 50K are workstations/laptops. The testing must simulate each phase

of the attack lifecycle, identify gaps in the detective control agents, and gather logging and alerting

evidence to prove successful or unsuccessful detection.

The workstations operating system is primarily Windows 10 with some Windows 7 and a handful of Windows

XP, and the network devices are primarily Cisco.

There is a total of 4,000 servers with the following operating systems: Windows 2008, Windows 2012,

Windows 2016, Windows 2019, AIX, Linux.

This must be in line with Open Web Application Security Project (OWASP) and National Institute of Standards

& Technology (NIST) guidelines including but not limited to NIST SP 800-53.

6. Infrastructure Security - Perimeter/DMZ Penetration Testing - A thorough penetration testing of all

servers and network devices in the DMZ to uncover all vulnerabilities and highlight the ones that are

readily exploitable, along with evidence of vulnerability actually being exploited during testing. This

exercise must also identify vulnerabilities which are not possible to detect using automated vulnerability

scanning activity. There is a total of 450 such devices with the following operating systems: Windows

2008, Windows 2012, Windows 2016, Windows 2019, AIX, Linux, Cisco etc. The testing must simulate

each phase of the attack lifecycle, identify gaps in the detective control agents, and gather logging and

alerting evidence to prove successful or unsuccessful detection.

This must be in line with Open Web Application Security Project (OWASP) and NIST guidelines including but

not limited to NIST SP 800-53.

7. Vendor Risk Assessment - Conduct a thorough and detailed risk analysis and security assessment of 100

of the System’s vendors that are Business Associates of the System over the course of three years. The

assessment should provide assurance to NYC Health + Hospitals that the vendor is in compliance with

HIPAA, and that the vendor's security controls are in line with NIST and the System’s security controls.

The assessment should also include assisting NYC Health + Hospitals development of a Vendor Risk

Management program.

Supplemental Requirements

• The vendor must be able to demonstrate the following capabilities: Ability to employ an assessment

approach that leverages the:

o OCR Audit Protocol;

RFP Number: 2559

Date 07/28/2021

o Health Information Trust Alliance (HITRUST) Common Security Framework (CSF);

o Promoting Interoperability Program

o NIST SP 800-53;

o NIST 800-30;

o NIST 800-66;

o OWASP Top 10 Risks; and

o MITRE ATT&CK Framework

• Ability to provide detail and clarity to the HIPAA Security, Privacy and Breach Notification Rules as

well as organizational factors such as type and size/complexity for each control and functional area;

• Experienced assessment team with each member delivering service to NYC Health + Hospitals having

a certification (in at least one of the following): HITRUST, CISSP, CISA, CISM, SANS GIAC;

• Provide all assessment Findings and Recommendations in a format (example: .csv, .xls) that can be

imported into a GRC Tool;

• Provide competitive pricing for on-site assessment review of facilities including but not limited to: 11

hospitals, 5 long term care facilities, 7 diagnostic and treatment centers, 70+ clinics, and 2 Corporate

locations, including up to 4 data centers; and

• Assign a qualified project manager for the term of the engagement.

RFP Questionnaires:

In regard to this Scope of Work, each responding vendor is expected to provide the following information

for evaluation:

1. (Required) Fill column C and D on tab 1 (Requirements) of the attached spreadsheet.

2. (Required) Provide detailed methodology for each of the 7 assessment activities above as a separate

document, along with sample reports for each of the 7 activities identified in the Scope of Work.

Methodologies must include what steps will be taken to collect the information, identify threats and

vulnerabilities, assess current security measures, determine threat likelihood, impact of threat

occurrence, and the level of risk including any tools or technologies that will be used for the ris k

analysis.

3. (Preferred) Highlight in a separate document any experience dealing with the OCR and/or U.S.

Department of Health and Human Services with regard to HIPAA security rule compliance and/or

responding to queries and/or audits.

RFP Number: 2559

Date 07/28/2021

4. (Optional) Highlight any additional related offerings on tab 2 (Additional Offerings) of the attached

spreadsheet.

RFP Number: 2559

Date 07/28/2021

VI. Evaluation Criteria

The evaluation criteria shall be as follows:

Category

Weight %

HIPAA / Security Risk Assessment Experience

Assessment Methodology & Reporting

Key Personnel/Management

Cost

MWBE Utilization Plan or MWBE Status

RFP Number: 2559

Date 07/28/2021

VII. Contract and Payment

The term of the contract resulting from this RFP shall be for a term of three years with two (one) year

renewals at the discretion of the System.

Payment will be net 90.

Contract may be terminated by H+H for convenience with written 30-day notice.

RFP Number: 2559

Date 07/28/2021

VIII. RFP Process and Rules of Participation

RFP Process

1. Questions. Substantive questions regarding the Scope of Work must be received by email

before the date and time in the RFP Timeline and by the person designated on the first page of

this RFP. Questions not timely received by such person are not guaranteed a response. Emails

sent to the person on the first page of this RFP must include the RFP Number as written in this

document in the Subject Line.

2. Conference. Pre-proposal conference call shall be held at the time set forth in the RFP

Timeline. RSVP by emailing the person designated on the first page of this RFP.

3. Submission. Proposers shall submit the Proposal Package in digital format by the time and

date set forth in the RFP Timeline via email to the person(s) designated on the first page of this

RFP.

The Proposal Package email must include the RFP name and number.

RFP Number: 2559

Date 07/28/2021

Proposal Package Contents

1. Proposal Package size limit. The Proposal Package shall not exceed 20 megabytes.

2. Cover Sheet. A cover sheet containing the following information:

RFP Title

Vendor Name and Address

Principal contact person name and contact information

Number of addenda received

3. Table of Contents. The proposer must provide a table of contents with page numbers.

4. Minimum Criteria. The proposer must attest and provide a brief description of how the

minimum criteria are met.

5. Executive Summary. Provide a summary of no more than one page describing how you will

meet the goals of the RFP and a summary of the cost information.

6. Vendor’s Background and Organization: In this section provide the following

information:

Number of employees

Organization chart

Audited financial statement for the last 3 years

Background of principals

Recently completed similar size projects

A copy of any licenses relevant to this project

Duration you have been doing business in this service or product line

7. References. List of three current clients and one former client, including client email

addresses and phone numbers.

8. Technical Proposal. The Technical Proposal must address all issues in the Scope of Work

and include any other information you believe would be relevant. The technical proposal

shall not exceed 10 pages.

All proposals must contain a clear and comprehensive listing of costs. H+H is open to

RFP Number: 2559

Date 07/28/2021

gain sharing options for this RFP Gain sharing options must also contain a clear

description of how performance milestones will be achieved.

10. MWBE Utilization Plan (attached). NYC Health + Hospitals follows New York State Executive

Law Article 15-A which requires 30% participation of New York State Certified Minority or

Women-Owned Business Enterprises (MWBE) as subcontractors. An MWBE Utilization Plan

shall be submitted with the names of the MWBE subcontractors the proposer plans to use

to meet such goal. Alternatively, proposers may meet this requirement by being a certified

MWBE with the State of New York or the City of New York. Waiver of the 30% goal, total or

partial, may be given but only after good faith efforts have been demonstrated.

11. Doing Business Data Form (“DBDF”) (attached). In accordance with New York City Local Law

34 of 2007, the proposer must submit an accurate and complete DBDF. Failure to do so

will result in rejection of the proposal.

12. Vendor Security Requirements Checklist (attached). This document has been created to

highlight NYC Health + Hospital’s security requirements which should be understood by all

Proposers. It does not replace the requirement to complete a security review during the

new business or project initiation request process (i.e. Project In- Take) for awarded

Vendor. This can be provided in a Word document upon request.

Additional Forms (attached). Upon contract award the proposer will be required to

submit the following:

Vendor Demographics Form with W9 Equal

Employment Opportunity Report

PASSPort Registration (for contract values over $1M)

RFP Number: 2559

Date 07/28/2021

Rules of Participation

1. Communication with NYC Health + Hospitals. From the date this RFP is issued until the

award of contract, proposer and its staff shall direct all communications relating to this

RFP solely to the persons set forth on the first page of this RFP. Emails sent to the person

on the first page of this RFP must include the RFP Number as written in this document in

the Subject Line.

2. Solely within its discretion, NYC Health + Hospitals may withdraw this RFP prior to award

of a contract, postpone this RFP, reject all proposals, award in part, or choose not to

award a contract as a result of this RFP.

3. Addenda. NYC Health + Hospitals may issue addenda to this RFP to correct or clarify the

solicitation. It is the proposer’s responsibility to ensure that it has received all addenda.

Prior to submitting the Proposal Package the proposer should check with the contact

person on the first page of this RFP.

4. Minimum Criteria. Please provide a signed attestation confirming that you meet such

minimum criteria and the evidence supporting the qualification.

5. Mistakes. NYC Health + Hospitals may waive or modify any mistakes in proposals that are

deemed to be not material.

6. NYC Health + Hospitals shall not be bound by any oral or written representations,

statements or explanations other than those made in this RFP or in formal written

addenda issued to this RFP.

7. Proposal. The proposal is a written offer and shall be irrevocable for six months. The offer

may not be withdrawn after the submission deadline.

8. Modifications to or withdrawals of a proposal after the submission deadline shall not be

considered.

9. Costs. NYC Health + Hospitals shall not be liable for any costs incurred by proposers in the

preparation of proposals or for any work performed in connection therewith.

10. Negotiations. NYC Health + Hospitals may award a contract on the basis of initial offers

received. The Proposal Package should therefore contain the proposer’s best terms from a

programmatic and cost standpoint. NYC Health + Hospitals may choose to negotiate all

RFP Number: 2559

Date 07/28/2021

proposers or a limited pool of proposers and award a contract to one or more proposers.

11. Conditions of Award. All proposed awards will be subject to compliance with NYC Health +

Hospitals legal requirements, vendor responsibility determination, and approval by its

internal governing bodies.

12. Confidential or Proprietary Information. NYC Health + Hospitals is a public entity subject to

New York State’s Freedom of Information Law (FOIL). Confidential material shall be clearly

marked by the vendor and be easily separable or redacted, and will not be disclosed unless

required by Freedom of Information Law or other applicable state or federal laws.

13. NYC Health + Hospitals Terms and Conditions, Form 110-96 (attached). NYC Health +

Hospitals does not accept any changes to the terms and conditions set forth as mandatory

within Form 110-96. Any exceptions taken to such mandatory terms may result in rejection

of the proposal.

Any exceptions to the terms and conditions must be set forth in writing, with reasons for

such objection, and alternate language suggested, or are otherwise waived.

14. Business Associate Agreement (“BAA”) (attached). The selected vendor must agree

to execute the BAA without modification.

RFP Number: 2559

Date 07/28/2021

Page 18 of 19

Evaluation

1. Evaluation Committee. An Evaluation Committee shall be formed and

comprised of a minimum of five persons who will evaluate the proposals.

2. Scoring. The Evaluation Committee shall score and weight responsive proposals

of proposers that meet the Minimum Qualifications in accordance with the

scoring criteria set forth above in this RFP. As part of the evaluation process

there may be a request for additional information from all or a subset of

proposers that might result in additional scoring.

3. Presentations. The Evaluation Committee may require all or a short list of

proposers to give one or more oral or visual presentations in support of their

proposals and/or otherwise demonstrate the information contained therein.

RFP Number: 2559

Date 07/28/2021

Page 19 of 19

Proposal Package Checklist

Proposal Submission

MWBE Utilization Plan, Waiver, or Certificate

Doing Business Data Form

Vendor Security Requirements Checklist