NYeC RFP – Two Factor Authentication Page 1 of 20Request for ProposalsStatewide Two Factor Authentication SolutionIssued: September 17, 2012Proposals Due: October 18, 2012A Letter of Intent to Respond (LOI) to this RFP is required(See Section 4.1)
NYeC RFP – Two Factor Authentication Page 2 of 20Contents1. Purpose of Request for Proposals (RFP) 31.1 Background on NYeC 31.2 Current State of Systems that may Access SHIN-NY Data 41.3 Terms used within the RFP 52. RFP Scope Statement 82.1 Two Factor Authentication Use Cases 92.2 In Scope Items (Visual) 103. Proposal Instructions 113.1 Proposal Contents 114. Submission Details 174.1. Timeline 174.2 Submission Method 174.3 Proposal Evaluation Criteria 17Attachment A: Letter of Intent to Respond (LOI) 19Attachment B: NYeC Master Services Agreement 20
NYeC RFP – Two Factor Authentication Page 3 of 201. Purpose of Request for Proposals (RFP)As New York State (NYS) Regional Health Information Organizations (RHIOs) continue to grow, so doesthe need to keep pace with security controls and patient privacy concerns to protect the integrity,confidentiality, and availability of Protected Health Information (PHI) as it is transferred over the NYSHealth Information Exchange (HIE). New penalties for confidentiality breaches in violation of the HealthInsurance Portability and Accountability Act (HIPAA), as amended, as well as strict federal regulationsgoverning e-Prescribing of controlled substances, are driving the need for improved e-Authenticationcapabilities across the Statewide Health Information Network for New York (SHIN-NY).New York eHealth Collaborative (NYeC) is seeking a vendor for the implementation of a Statewide TwoFactor Authentication (TFA) Solution. In addition to the specific requirements for the solution in this RFP,NYeC would like proposers to consider the following: The solution must comply with the National Institute of Standards and Technology Special Publication(NIST SP) 800-63-1 Level 3 requirements. The solution should increase the ability to share information across the SHIN-NY while keeping thenumber of authentication tokens used by an individual to a minimum. NYeC understands that while necessary in several instances, hard tokens present an addedinconvenience to the end users and is seeking a solution that can provide suitable soft token options. NYeC understands that when constructing such a system, the workflow, processes and human-acceptance factor are just as important as the technical authentication solution deployed. Since largecentralized and federated authentication solutions can be challenging to implement, vendor responsesshould consider how their approach can balance security with adoption and overcome implementationobstacles, such as solution acceptance, integration within the variety of systems that will access SHIN-NY data (such as RHIO Clinical Viewers, EMRs, etc.).1.1 Background on NYeCNYeC (http://www.nyehealth.org) is a public-private partnership that serves as a focal point for healthcare stakeholders to build consensus on state health Information Technology (IT) policy priorities and tocollaborate on state and regional health IT implementation efforts. Working collaboratively with the NewYork State Department of Health and other key constituents, NYeC is developing the Statewide HealthInformation Network for New York (SHIN-NY), a statewide network of health information technology toallow providers to share patient health information in a timely and secure manner, which will lead toimproved health care quality and reduced health care costs. Founded in 2006 by healthcare leaders,NYeC receives funding from state and federal grants to serve as the focal point for HIT in New YorkState. NYeC facilitates an interoperable health information exchange through the SHIN-NY, supportingthe establishment of health information policies, standards and technical approaches and aidingstakeholders at the regional and local levels to implement such policies and standards. NYeC’s goal is forpatients and their healthcare providers, wherever they need and provide treatment in New York State, tobe able to obtain fast, secure, accurate, and accessible information.The SHIN-NY will enable the health information exchange. As more providers adopt HIT, there is agreater opportunity for sharing patient data between those entrusted with patient care. The creation,expansion, security and management of this network is an important undertaking for New York State; aconnected HIT system in New York will offer better, safer, and faster treatment for all patients. Ashealthcare technology adoption grows, new policies must be written and technology expanded. Anessential undertaking of NYeC is to develop and improve policies, set standards, and insure complete
NYeC RFP – Two Factor Authentication Page 4 of 20patient privacy and security. A key element in support of these goals is the creation of a Statewide TFASolution.1.2 Current State of Systems that may Access SHIN-NY DataRegional Health Information Organizations (RHIOs)All RHIOs will be accessing SHIN-NY data either via a Service or Connect Model. Currently, NYS RHIOsare at various stages of implementation of TFA solutions and single factor token solutions in accordancewith NIST SP800-63-1. While some RHIOs have implemented TFA solutions, the majority of RHIOs havenot. Several RHIOs are currently exploring two factor technologies that can satisfy security needs whileat the same time meet user acceptance needs. The following chart illustrates the average level ofimplementation of TFA solutions and compliance with NIST SP 800-63-1 requirements across the eleven(11) NYS RHIOs. The chart lists NIST 800-63-1 implementation criteria on the vertical axis and theaverage level of implementation on the horizontal axis.
NYeC RFP – Two Factor Authentication Page 5 of 20Current State of EHR EnvironmentThe selected Statewide TFA Solution must have the capability to integrate and interact with existing EMRand EHR solutions. In their response, proposers must state if their solution is supported for eachEHR/EMR vendor listed below and provide any necessary details (see section 3.1 D.4 for details).The following list identifies the known EHR and EMR solutions in place across the NYS RHIOs:Vendor Name Vendor NameAdvantaChart Infor*Med CorporationAllscripts MacPractice IncAmazing Charts McKessonAprima MCS - Medical Communication Systems, Inc.Athenahealth MDLand InternationalCerner Med A-ZChartLogic Inc MedcomSoftComChart MEDENTCompuGroup Medical Medical Office OnlineConnexin MeditabCPSI (Computer Programs and System Inc.) MEDITECHCriterions NCG Medical SystemsCureMD Corporation NextGen Healthcare Information Systems IncData Strategies, Inc. OptumInsightDigiChart Practice FusionDOC-TOR.com Prime Clinical SystemseClinicalWorks Quest DiagnosticsEHR Clinical Solution SequelMede-MDs SOAPware IncEncounterPro Healthcare Resources Inc Spring Medical SystemsEpic SRSsofteScribeHost STI Computer Services IncGE SuiteMed LLCGlenwood Systems Universal EHR SolutionsGreenway Medical Technologies Inc1.3 Terms used within the RFPTerm DefinitionClinical Viewer A web-based portal for access to RHIO clinical data. The RHIO members log in to theportal for access to patient data, available patient documents, consent details, medicationdetails, alerts, messages, etc. The Clinical Viewer allows RHIO members to accesspatient information available across all the participating hospital and provider locations.E-prescribing Defined by the eHealth Initiative as "the use of computing devices to enter, modify,review, and output or communicate drug prescriptions." Although the term e-prescribingimplies the use of a computer for any type of prescribing action, there are a wide range of
NYeC RFP – Two Factor Authentication Page 6 of 20Term Definitione-prescribing activities with varying levels of sophistication.ElectronicMedical/HealthRecords(EMR/EHR)The electronic systems providers use to store patients health information. These havereplaced the paper records that providers traditionally used. An EMR/EHR contains datagathered from a variety of clinical services, including laboratory data, pharmacy data,patient registration data, radiology data, surgical procedures, clinic and inpatient notes,preventive care delivery, emergency department visits, billing information, and so on.FederatedIdentityManagementThe linking of a person’s electronic identity and attributes across multiple distinct identitymanagement systems.HealthInformationExchange (HIE)The sharing of clinical and administrative data across the boundaries of healthcareinstitutions and other health data repositories. Many stakeholder groups (payers,patients, providers, and others) realize that if such data are shared healthcare processeswould improve with respect to safety, quality, cost, and other indicators.HealthInformationTechnology (HIT)The use of computers and computer programs to store, protect, retrieve, and transferclinical, administrative, and financial information electronically within healthcare settings.Identity andAccessManagement(IAM)A framework that includes business processes and technical solutions that facilitate themanagement of electronic identities from creation to removal. IAM includes: identityverification, onboarding processes, account management, access controls and auditing.Meaningful Use The American Recovery and Reinvestment Act of 2009 specifies three main componentsof Meaningful Use:1. The use of a certified EHR in a meaningful manner, such as e-prescribing.2. The use of certified EHR technology for electronic exchange of health informationto improve quality of health care.3. The use of certified EHR technology to submit clinical quality and other measures.Multi-FactorTokenA token that uses two or more factors to achieve authentication. For example, a privatekey on a smart card that is activated via PIN is a multi-factor token. The smart card issomething you have, and something you know (the PIN) is required to activate the token.Protected HealthInformation (PHI)Any information about health status, provision of healthcare, or payment for healthcarethat can be linked to a specific individual. This is interpreted rather broadly and includesany part of a patients medical record or payment history.Regional HealthInformationOrganization(RHIO)A non-governmental organization that exists as a New York State not-for-profitcorporation to enable interoperable health information exchange via a common StatewideHealth Information Network for New York (SHIN-NY). RHIOs participate in settinginformation policies through a statewide policy framework and governance process,implementing policies and ensuring adherence to such policies with a mission ofgoverning its use in the public’s interest and for the public good to improve healthcarequality and safety and reduce costs. To fulfill this mission, RHIOs require commitmentfrom multiple healthcare stakeholders in a geographic region, including physicians,hospitals, long term care and home care providers, patients, insurers, purchasers andgovernment. RHIOs are responsible for enabling interoperability through which individual
NYeC RFP – Two Factor Authentication Page 7 of 20Term Definitionstakeholders are linked together – both organizationally and technically through the SHIN-NY – in a coordinated manner for health information exchange and quality and populationhealth reporting. Clinicians and other entities wishing to access data from outside theirorganization connect to a local RHIO to enable data exchange. The RHIOs across NewYork State will be connected to each other via the SHIN-NY technical infrastructure.Service RHIO A RHIO whose technical infrastructure is managed by NYeC. NYeC is responsible for alltechnology associated with RHIO activities and manages upgrades and softwareenhancements.Connect RHIO A RHIO whose technical infrastructure is managed by the RHIO itself. It is connected tothe SHIN-NY and is able to send data to and receive data from other RHIOs but itssystems are individually managed.Single FactorTokenA token that uses one of the three factors to achieve authentication. For example, apassword is something you know. There are no additional factors required to activate thetoken.Statewide HealthInformationNetwork for NewYork (SHIN-NY)A statewide health information exchange that allows for data sharing between cliniciansand other entities within and across regions of New York State using standardinteroperability protocols. The technical infrastructure will connect both Connect andService RHIOs in order to allow clinicians and consumers to make timely, fact-baseddecisions that will reduce medical errors and redundant tests and improve carecoordination and the quality of care. Participating organizations connected to the RHIOsinclude medical facilities, ambulatory care centers, physician offices, labs, long term carecenters and nursing homes.Statewide TwoFactorAuthenticationSolutionA TFA mechanism that will allow individuals to authenticate in order to access SHIN-NYdata. The statewide solution will be provided to those who do not have a valid two factorsolution implemented within their own system but who require access to SHIN-NY data.Those with valid TFA mechanisms in place will not be required to use the solutionprovided by the state. The statewide solution will include identity management includingidentity proofing, certificate management and token distribution.Two FactorAuthentication(TFA)An authentication method that requires the user to present at least two factors to verifytheir identity. Acceptable authentication factors fall into three categories: knowledge(something that the user knows), possession (something the user has) and inherence(something the user is). A valid two factor solution will require factors from two of thethree categories.
NYeC RFP – Two Factor Authentication Page 8 of 202. RFP Scope StatementNYeC is seeking to make available for the participating RHIOs, providers, and patients a Statewide TFASolution used to validate the identity of individuals prior to accessing SHIN-NY data via the RHIO ClinicalViewer, a connected EMR/EHR, or a connected third party application (such as a mobile device). NYeCalso intends for the Statewide TFA Solution to be utilized for the I-STOP legislation which will “Requirepractitioners to review a patients controlled substance prescription history on the system prior toprescribing” (for details see: http://www.ag.ny.gov/sites/default/files/press-releases/2012/ISTOP%20REPORT%20FINAL%201.10.12.pdf). This service will be provided as a singlestatewide shared service that provides a standard TFA solution which will support and easily integrateinto the existing applications accessing SHIN-NY data. (Note: the Statewide TFA Solution will NOT needto integrate or interact with systems and solutions that have a native TFA option and can pass a SAMLassertion to NYeC.)Key components of the authentication solution are the provision of Identity and Access Management(IAM) related services and components such as the issuance of certificates, identity proofing, tokenmanagement, governance, and other outsourced IAM services and how they integrate with the vendor’stwo factor solution.In addition to serving authentication needs of users accessing SHIN-NY data, the Statewide TFA Solutionmay be utilized for the following additional purposes: Patients requesting to electronically download PHI into a Personal Health Record Patients accessing their PHI via a Patient Portal Providers writing e-Prescriptions including the dispensing of controlled substances Access to Medicaid data for Health Homes Access to e-MOLST or Advanced Directive documentation for both patients and providers Patients providing electronic consentThe need for an enterprise-level well-designed and capable Statewide TFA Solution is critical to thesuccess of many other NYeC and HIE goals, such as: Security efficiency – ability to minimize the time, costs and resources necessary to implement andsupport the IAM needs of the SHIN-NY and its users Security effectiveness – ability to meet all legal and regulatory needs Security acceptance – ability to balance strong security controls with usability and acceptance andadoption of the solution Mitigation of risks to breaches of PHI Enablement of:– Broader sharing of EHRs across RHIOs and across the SHIN-NY– Secure growth of patient portals
NYeC RFP – Two Factor Authentication Page 9 of 202.1 Two Factor Authentication Use CasesThe Statewide TFA Solution will be required when a user attempts to access data from the SHIN-NY aswell as the possibility of using the Statewide TFA Solution when a user attempts to use other functionalitysuch as: e-Prescribing, e-MOLST or Advanced Directives, and Medicaid data for Health Homes. A usermust first be identity proofed and issued credentials and access tokens before access to the system canbe granted. Specific workflow and implementation steps will be dependent on the organization andsystems involved. All users will be required to be authenticated using a NIST SP 800-63-1 Level 3compatible authentication mechanism. Once the user has been authenticated, a SAML assertion mustbe passed for interoperability operation.Proposers should detail their ability to provide solutions for the following three (3) categories of accessmethods.(Note: The Statewide TFA Solution will NOT need to integrate or interact with systems and solutions thathave a native TFA option and can pass a SAML assertion to NYeC. The use cases below apply only tothose implementations where SHIN-NY is being accessed by a system that does not have a TFA solutionthat meets NIST Level 3 standards.)1. User accesses the SHIN-NY through a system (EHR or other - such as a hospital informationsystem, HIE, a Connect RHIO Clinical Viewer, etc.) that allows access to the SHIN-NY. The EHRor other system vendor should be able to work with the selected Statewide TFA Solution vendorto implement a solution within the EHR system as needed. The selected Statewide TFA Solutionvendor will provide widgets for EHR vendor integration and the EHR (or other system) vendor willbe required to integrate the TFA solution.2. User accesses the SHIN-NY through a Service RHIO Clinical Viewer. The selected vendor willwork with NYeC to implement the Statewide TFA Solution within the Service RHIO that the useris connected through. NYeC will be responsible for needed changes to Service RHIO systemsfor solution implementation.3. User accesses the SHIN-NY through a third party application (through smart phones, tablets,etc.). The application vendor should be able to work with the selected Statewide TFA Solutionvendor to implement a solution within the EHR system as needed. The selected Statewide TFASolution vendor will provide widgets for EHR vendor integration and the application vendor will berequired to integrate the TFA solution.SAML Validation will be a functional service of the NYeC system for all passed SAML assertions.
NYeC RFP – Two Factor Authentication Page 10 of 202.2 In Scope Items (Visual)The following diagram details the needed components and structure for the TFA solution for access toSHIN-NY data. Proposers must detail their solution for components presented in blue.Identity Access ManagementIdentityProofingTokenAssignmentandManagementCertificateAssignmentandManagementSAMLValidationSAML Assertionpassed forinteroperabilityoperationStatewide Two FactorAuthentication SystemUser requests SHINYdata through systemutilizing theStatewide NIST level3 compatible TFASolutionEHR/Hospital /Connect QE ClinicalViewer/SystemAppService QE ClinicalViewerUserDirectory:User RolesandPermissionsPatientDirectory:User RolesandPermissionsSHINYKey:In ScopeOut of ScopeDescriptive
NYeC RFP – Two Factor Authentication Page 11 of 203. Proposal InstructionsProposers must respond to ALL items contained in section 3.1 below (A-L and sub-sections thereof), aswell as adhere to the page limits. Every page in the proposal, including all appendices, exhibits andattachments, must be numbered consecutively. Each section must be clearly labeled with the title, letterand number of the section. Proposals should be single-spaced, contain one-inch margins, and be typedin Times New Roman 12-point font.3.1 Proposal ContentsThe proposal contents must be organized in the following order: A. Cover Letter and Company Overview (1-page limit) – a brief overview of the vendor’sorganization and contact information to direct future inquiries regarding the proposal. The cover lettermust be signed by an officer authorized to bind the vendor to the terms of the proposal. B. Executive Summary (3-page limit) - a brief narrative that demonstrates the vendor’sunderstanding of the services requested by this RFP and the scale and complexity of this initiative.The Executive Summary should demonstrate the strengths of the vendor’s proposed approach, thekey features that distinguish its proposed solution to meet the requirements and the major benefits itoffers. C. Experience (2-page limit) – an overview of the vendor’s and any proposed subcontractors’relevant experience. If subcontractors will be used, identify instances where the vendor has workedwith the proposed subcontractors. D. Approach for TFA Solution Implementation (20-page limit) – a detailed description of theapproach the vendor proposes to use to implement its TFA solution, including detailed descriptions ofall solution components that will be outsourced and of any proposed subcontractors.1. Provide details on how the proposed TFA solution will integrate and work with existing systems thatdo not have a built-in TFA solution. The details must cover the use cases and systems describedin section 2.1 “Two Factor Authentication Use Cases” above:a) Include specifics on the methods (such as web services, Application Programming Interfaces(APIs), etc.) that will be provided by the TFA vendor to integrate the TFA solution with existingRHIO Clinical Viewers, EMR vendors, and connected third party applications (such as a mobiledevice).b) State specifically how well industry standards (OATH, RADIUS, LDAP, PAM, etc.) are used for2ndfactor integration interfaces with systems. Preference will be given to vendors whoincorporate industry standards within their solution.2. Identify the integration utilized between the various application components of all responsepartners that allow it to operate as a seamless cohesive solution. Identify the relationship betweenthe primary respondent and its partners.3. Detail the types of tokens accepted by the proposed TFA solution. Proposed solutions shouldencompass at minimum one hard and one soft token. Preference will be given to proposedsolutions with flexible token requirements.
NYeC RFP – Two Factor Authentication Page 12 of 204. Identify and provide the necessary details on the EHRs/EMRs that are currently supported by theproposed solution from the list provided in Section 1.2, and any others that are not included in thelist. Vendors must identify all EHRs/EMRs that have implemented the proposed TFA solution andhow it was implemented. E. Identity and Access Management (IAM) Services (5-page limit) – Describe the IAM services,specifically:1. Ability to support Level 3 basis for issuing credentials for in-person and remote use cases.2. Ability to support Registration Authority actions at Level 3 for in-person and remote-use cases.3. Ability to support Level 3 Credential Lifetime, Status or Revocations requirements.4. Ability to implement token and credential revocation and destruction processes.5. Ability to provide a complete enterprise IAM service for establishing and maintaining identities asper NIST 800-63-1.6. Describe your recommended IAM Governance model and structure.7. Ability to support an IAM solution that will be expandable to include new forms of identityverification, assertion and authentication approaches.8. Details on integration of needed third party solutions with the proposed IAM capabilities. Includedetails on the agreement between the TFA vendor and the third party vendor as needed. F. Architecture (2-page limit) – provide a diagram (along with the necessary descriptions) of theproposed architecture for the overall TFA solution. This should incorporate all the in-scope itemsidentified in Section 2.2 above. G. Hardware Requirements (2-page limit) – identify the hardware needed to support the TFAsolution. Use the user count table in the Business and Pricing section below to provide details on theincremental hardware needs based on the number of users being supported via the TFA solution. H. Team (5-page limit) – detailed overview of the vendor’s and proposed subcontractors teammembers who will staff the project if vendor is selected. This section should identify all key teammembers by name and role (NYeC may at its discretion choose to interview some or all key teammembers during the selection process).Note: The team size and makeup should consider a strong desire at NYeC to complete theimplementation by the end of 2013.1. Organization Chart. In addition to identifying all of the vendor team members (includingsubcontractors) by their names (for key members) and roles, the chart should identify all roles,teams and governance groups that the vendor expects NYeC to provide for the implementation.2. Name, role and brief experience of the key members of the team (this should also include keysubcontractor positions).3. Descriptions for ALL roles identified within the Organization Chart.4. Resumes of all key members (to be included as an Appendix – the 5-page limit for this sectiondoes not include resumes). I. Other Services (5-page limit) – identify and provide details for other supporting services that will beprovided for the overall implementation and maintenance. These include:
NYeC RFP – Two Factor Authentication Page 13 of 201. Help Desk Services2. Knowledge Transfer Services3. Service Level Agreements (include standard SLA documents as an appendix)4. Token replacement, addition, and termination as well as password recovery5. Software Support (including upgrades and maintenance) J. Project Implementation Timeline (5-page limit) – provide a timeline for the overall implementationof the Statewide TFA Solution that includes the IAM implementation as well as the implementation ofthe use cases defined in section 2.1 above. Identify the key tasks, milestones and deliverables withinthe timeline. Any assumptions used in developing the timeline should be identified in this section. Ifthere are specific tasks that NYeC will be responsible for, they should be identified clearly within thetimeline. (Assume a January 7, 2013 start date)Note: The Project Implementation Timeline should consider a strong desire at NYeC to complete theimplementation by the end of 2013. K. Two Factor Authentication Solution Requirements (10-page limit) – proposers must addressall the requirements detailed in the table below.Two Factor Authentication Solution Requirement1. Confirm that the proposed TFA solution complies with NIST SP 800-63-1 at Level 3.2. Ability to support a variety of TFA types such as those defined in NIST SP 800-63-1 that may be permittedfor HIE access as well as the more restricted subset of two factor solutions that are required by DEA for e-Prescriptions for Controlled Substances.State how your solution can support two factor solutions for both business needs. HIE access may allowOut of Band two factor solutions while the DEA allows only FIPS validated hard cryptographic tokens.3. Ability for TFA solution to comply with NIST Special Publication 800-63-1, Electronic AuthenticationGuideline, December 2011 Authentication Guideline, (NIST SP 800-63-1).4. Ability to protect long-term shared secrets as per NIST SP 800-63-1 requirements.5. Ability to support Single factor (SF) One-Time Password (OTP) Device as defined by NIST in SP 800-63-16. Ability to support Single factor (SF) Cryptographic Device as defined by NIST in SP 800-63-17. Ability to support Multi-factor (MF) Software Cryptographic Token Cryptographic Token as defined by NISTin SP 800-63-18. Ability to support Multi-factor (MF) One-Time Password (OTP) Device as defined by NIST in SP 800-63-19. Ability to support Multi-factor (MF) Cryptographic Devices as defined by NIST in SP 800-63-110. Ability to support Memorized Secret Token as defined by NIST in SP 800-63-111. Ability to support Pre-registered Knowledge Token as defined by NIST in SP 800-63-112. Ability to support Look-up Secret Token as defined by NIST in SP 800-63-113. Ability to support Out of Band Token as defined by NIST in SP 800-63-114. Ability to support TFA for patients across a variety of patient portal instances. Please state which webplatforms and PHR systems your solution works with or is certified to work with.15. Ability to comply with the New York State Personal Privacy Protection Law(http://www.archives.nysed.gov/a/records/mr_laws_po6A.shtml)16. Provide two-factor system performance information for deployments of 100, 10K, 100K, 200K, 1M, and 10Musers.17. Ability to support multiple browser types. Describe any restrictions on browsers when integrating yoursolution.18. Ability to support centralized accumulation and management of audit data.
NYeC RFP – Two Factor Authentication Page 14 of 20Two Factor Authentication Solution Requirement19. Ability to provide granular controls to manage the length of time that an authentication assertion is valid for.Can the solution support various identity assertion lifetimes for various applications and roles within theSHIN-NY?20. Ability to operate across data centers that are geographically spread out across the state. Address anynetwork or other technical related requirements for your proposed solution.21. Ability to support records retention requirements.22. Meets the DEA Requirements for Electronic Orders and Prescriptions (e-CFR Title 21: Food and Drugs,Part 1311 Requirements for Electronic Orders and Prescriptions). State and discuss any compliancecapabilities or experience with integrating your solution with e-Prescription services including support forcontrolled substances.
NYeC RFP – Two Factor Authentication Page 15 of 20 L. Business Model and Pricing1. Pricing model: explain the possible pricing model(s) available and provide component prices andvolume discounts. Available Enterprise Pricing Options including but not limited to adoption byNYeC of the vendors proposed solution as a statewide solution for all connected systems that lackthe required functionality should be explained here.2. Vendors must indicate if their proposed solution requires collaboration with any other entities notincluded as subcontractors and must clearly state if these are ongoing or new relationships.3. Costs for all required components (including services, software, hardware, and any other costs)must be included using the pricing table below. All areas are required to be addressed. If an areais non-applicable a reason must be provided as to why there is no price. If a cost for an area isincluded within other costs please mark the item as “included” and specify in the Commentscolumn where the cost is covered.Vendors may add additional rows within the table as required. This includes adding sub-components to an existing line to provide a more detailed breakdown of a cost or adding new rowsto identify a cost component not identified in the table. Please be sure to indicate the creation of anew sub-component or row within the Comments column and to provide an explanation for why itwas included.Solution Costs: Acquisition orrecurring Cost(if recurring,statefrequency)Per User Costs: Number of Users COMMENTS1-500 501-10K10K –100K100K –200K200k-1M1M-10M10M+Licensing CostsThird Party License Fees (please specifythird party organization as applicable)Identity Proofing CostsCertificate Management CostsImplementation CostsHelp Desk CostsTraining CostsKnowledge Transfer CostsMaintenance (24x7 Support)Professional Services CostsCustom Development CostsHardware and Server CostsAdministrative CostsOther: Please Specify
NYeC RFP – Two Factor Authentication Page 16 of 204. Financial Report- Due to the breadth and scope of the project, the proposer is required to submitits most recent audited financial statement and management letter. In the event that the proposeris a wholly owned subsidiary or is otherwise a subordinate of another entity, the most recentaudited financial statement and management letter of the proposing company is expected- not thatof the parent company.5. In-Kind Service details: Any “In-Kind” services and the value of those services should be noted inthis section. In-kind services are those services provided at no cost yet have an intrinsic value orworth. Descriptions of what is included in the cost including support model and hours of coveragemust be noted. If your cost excludes certain fees or charges, you must provide a detailed list of theexclusions with a complete explanation of the nature of those fees. While “In-Kind” services arenot a requirement of the RFP, proposers are encouraged to include them since they demonstrateto NYeC the proposers’ commitment to providing the highest value for the public funds being usedfor this effort.Token Purchase and ManagementCosts:Acquisition orrecurring Cost(if recurring,statefrequency)Per User Costs: Number of Users COMMENTS1-500 501-10K10K –100K100K –200K200k-1M1M-10M10M+Token Type 1 (please specify)Token Type 2 (please specify)Token Type 3 (please specify)Token Type 4 (please specify)(Add additional lines as necessary)External Costs: Cost DetailsAnticipated costs to third party (EHRand Application) vendors for integrationservices and support.Please specify costs that vary byintegration type. Costs to EHR vendors Costs to applicationdevelopers Hospital/practice incurredcosts
NYeC RFP – Two Factor Authentication Page 17 of 204. Submission DetailsAll communication regarding this RFP must be in writing and addressed to:RFPContact@nyehealth.org. The subject line of all communications must include: TFA Proposal andyour company name.4.1. TimelineRFP Issued: September 17, 2012Letter of Intent to Respond due: September 24, 2012; 11:59pm EDTWritten Questions due: September 24, 2012; 11:59pm EDTQ&A Vendors Conference Call: October 2, 2012; 3:00 – 5:00 pm EDTWritten Responses to Q&A Available no later than: October 5, 2012Proposals Due: October 18, 2012; 11:59pm EDTRequested Vendor Demonstrations/Presentations Held: November 16, 2012Award Notification: November 30, 2012Anticipated Contract Start Date: January 7, 2013 In order to effectively manage the process, NYeC is requiring all interested vendors to submit a Letterof Intent to Respond (LOI) to RFPContact@nyehealth.org no later than 11:59pm EDT onSeptember 24, 2012. LOIs must contain the email address of the vendor’s contact person.Submitting an LOI will not bind a vendor to submitting a proposal, but will be used to notify the vendorof any changes, including the Q&A Vendor Conference Call number, changes to the above timeline,and any additional information related to this RFP. (See Attachment A - Letter of Intent to Respond). All questions must also be submitted via email to RFPContact@nyehealth.org and must be receivedby 11:59pm EDT on September 24, 2012. Responses to questions received by this deadline areexpected to be posted on the NYeC website no later than October 5, 2012. Proposers are advised that the Authorized Contact Person for all matters concerning this RFP is theRFP Contact email address. Proposers may not contact any NYeC staff, NYeC board members, theNYS Department of Health staff, NYC Department of Health and Mental Hygiene staff, or any otherstakeholder regarding this project in the period between the issue of this RFP and the notice of award.Any oral communication will be considered unofficial and non-binding with regard to this RFP andsubsequent award.4.2 Submission Method Proposal submission method (email) to: RFPContact@nyehealth.org Include “TFA Proposal” and your company name in the subject line Format: PDF and MS Word4.3 Proposal Evaluation CriteriaProposals will be evaluated based on the following criteria: Use of Industry Standard Integration methods Logging, auditing, and reporting capabilities The ability to support multiple authentication solutions
NYeC RFP – Two Factor Authentication Page 18 of 20 Demonstrated ability to provide a successful pilot of the vendor’s proposed solution with keyEMR/EHR systems Experience and skill sets of the proposed team Financial strength of the company Cost and In-Kind Services
NYeC RFP – Two Factor Authentication Page 19 of 20Attachment A: Letter of Intent to Respond (LOI)InstructionsThe LOI form must be completed and returned to notify NYeC that you intend to respond to this Requestfor Proposals (RFP). Any information relating to this RFP will be emailed to the person designated as thepoint of contact (POC) on this form. Email the completed form to RFPContact@nyehealth.org .Letter of Intent to RespondOur organization intends to respond to the NYeC Request for Proposals for the Statewide Two FactorAuthentication Solution.Organization Name:Address:POC Name:POC Title:POC Email:POC Telephone:
NYeC RFP – Two Factor Authentication Page 20 of 20Attachment B: NYeC Master ServicesAgreementThe selected vendor will be required to execute the NYeC Master Services Agreement (MSA) providedseparately with this RFP. The contents of the MSA are non-negotiable. Vendors have a responsibility toreview the requirements carefully.