RFP Number: 2559
Date: 07/28/2021
V. Scope of Work: Risk Analysis and Security Assessment Services
The statements in this section cover the scope required to fulfill the System’s HIPAA and Security Risk
Assessment program. The vendor must outline the methodology to be utilized for the enterprise-wide risk
analysis and security assessment services, and management plan as described below.
Note that for each of the activities (1 – 7) below, the following statements should also be applied:
• Reports for each activity (1 – 7) must be provided and include detailed findings of vendor analysis,
assessment, and recommendations – essentially, technical and executive reports per location, as
well as an enterprise-wide risk analysis report, and a risk management plan for NYC Health +
Hospitals – in Excel, PDF and Word formats. Reports should cover the project scope, executive
summary, confirmation status of each information security control with recommendations for
improvement, and an overall management plan designed to address the identified risks.
• All activities/results must be mapped to HIPAA, HITRUST MyCSF, NIST Controls (800-53),
ISO27001 & NIST Cyber Security Framework, and OWASP Top 10 Application Security Risks (where
applicable for applications).
A baseline must be created so that future analyses/assessments can measure deviations from the baseline,
and compare NYC Health + Hospitals with health care industry averages.
1. HIPAA Enterprise-wide Risk Analysis (Application & ePHI Focused) - Conduct an enterprise-wide risk
analysis, management, and evaluation to meet HIPAA Security Rule §§ 164.308(a)(1)(ii)(A) & (B) and
164.308(a)(8) requirements across the entire NYC Health + Hospitals system, including hospitals, clinics,
corporate offices (including subsidiaries), data centers, and MetroPlus - i.e. conduct an accurate and
thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information (“ePHI”) created, received, maintained, stored, or
transmitted by NYC Health + Hospitals, identify security measures sufficient to reduce the risks and
vulnerabilities to a reasonable and appropriate level, and conduct a technical and nontechnical
evaluation, based upon the standards implemented under the Security Rule, in response to
environmental or operational changes affecting the security of ePHI. The risk analysis should include
ePHI in all forms of electronic media, regardless of the medium in which it is created, received,
maintained, stored or transmitted, or the source or location of the ePHI, and should track the movement
of such ePHI within the System. Additionally, the risk analysis must meet all Promoting
Interoperability/HITECH risk analysis requirements. This activity should be application-focused, and the
results must include prioritized risks to all electronic sensitive data especially ePHI that is created,
received, maintained, stored, transmitted or processed by the applications, medical devices,
infrastructure (network, workstation, server, web, database, mobile devices etc.), and users. Such risk