e-Prescribing solution

somberastonishingAI and Robotics

Nov 13, 2013 (3 years and 9 months ago)

























REQUEST FOR PROPOSAL

E-Prescribing Solution

May 12, 2008

Request For Proposal
Revised: 11/14/2013
UTMDACC - Confidential
Page RFP-2




Request For Proposal

Project Name: E-Prescribing
Composed By: Pam McMillon
Job Title: Project Manager
Creation Date: December 2007
Revision Date: January 2008







Section 1 Overview

1.1 Purpose for this Request for Proposal (RFP)

The intent of the Request for Proposal (RFP) is to solicit sealed proposals for application software that best meets the requirements of the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) for a top tier E-Prescribing solution system. The software vendor must have a demonstrated ability to provide real time E-Prescribing solution software that will integrate with the existing proprietary Electronic Medical Record (EMR) system. The system uses the .NET Framework and the modules are written in C#.

1.2 M. D. Anderson Cancer Center Background Information

1.2.1 Mission

The mission of the University of Texas M.D. Anderson Cancer Center is to eliminate cancer in Texas, the nation, and the world through outstanding programs that integrate patient care, research, and prevention, and through education for undergraduate and graduate students, trainees, professionals, employees and the public.

1.2.2 Vision

We shall be the premier cancer center in the world, based on the excellence of our people, our research-driven patient care and our science. We are Making Cancer History.

1.2.3 Core Values

Caring: By our words and actions, we create a caring environment for everyone.

Integrity: We work together to merit the trust of our colleagues and those we serve.

Discovery: We embrace creativity and seek new knowledge.

1.2.4 Philosophy

M.D. Anderson is a specialized center devoted to the care of the cancer patient and to the discovery of solutions for cancer problems. We strive to combine the activities of patient care, research, education, and prevention to benefit not only patients receiving care, but also future generations. This is our commitment:



- To place at the center of our concern the welfare and rights of individuals who bear the burden of cancer and to provide for their physical, spiritual, social and rehabilitative needs.

- To provide the most advanced therapy to achieve cure, extend and enhance the quality of life, provide comfort, relief of pain and preservation of human dignity.

- To foster clinical laboratory investigations, which, responsibly conceived and scientifically sound, establish an environment of learning, encourage quality practice, foster new knowledge and create the prospect of eradicating cancer.

- To value and respect the distinctive role and expertise of each member of our multidisciplinary team.

- To employ the highest standards of ethics and quality and promote excellence in fulfilling our responsibilities.

- To be conscientious stewards of the resources essential for cancer therapy and research and never allow financial considerations or rewards to dictate the quality of care or the conduct of research.

1.3 Institutional Information Systems

1.3.1 Software

The current state of Pharmacy technology and processes is initiated by the medication order. Inpatient and Ambulatory Treatment Center (ATC) medication orders are typically transmitted via the fax order system to the respective Pharmacy area. In the Pharmacy, orders are reviewed and transcribed into Centricity®, the pharmacy information system.

Orders entered through Centricity are sent to either Pyxis MedStations®, batched and sent to the McKesson Robot-Rx®, batched and sent to internal or third party IV preparation areas, or labeled as STAT for immediate preparation and delivery.

Retail pharmacies receive prescriptions via walk-ups, fax, pneumatic tube system, or Prescription On-Line (POL). Prescriptions are entered and adjudicated into Centricity® Pharmacy and processed through the ScriptPro SP200® robotic system using its closed-loop capabilities.

Inventory ordering varies by pharmacy location. The Retail and ATC pharmacies order medications directly from a drug wholesaler, AmerisourceBergen (ABC), and the medications are delivered to the ordering area for processing.

The Central Inpatient Pharmacy (Central) generates separate ABC orders, but Pharmacy’s Inventory Control section manages the receipt and distribution of those orders. Inpatient satellite pharmacies generate replenishment orders through Omnicell Pharmacy Central®. Inventory Control personnel check stock levels and order stock for the Central IV room daily. Other than Pyxis® C-II Safe transactions, most inventory transactions do not have a closed loop safeguard.

The Division of Pharmacy currently uses multiple technology solutions for conducting business and providing medication safeguards:

- McKesson Robot-Rx® was the first robotic technology deployed by the Division of Pharmacy and has been in service since 1994. In order to utilize the robot, the Division of Pharmacy purchases more expensive, commercially available, robot-ready packages in addition to manually repackaging approximately 3,000 robot-ready medications daily.

  The robot dispenses approximately 5,000 unit dose medications daily to inpatients. However, this outdated technology currently has capacity to manage only 65% of all qualified inpatient unit doses.






  As per a typical hospital based cart-fill environment using robotics, a significant number of unused patient medications are returned to the pharmacy for crediting and restocking. At our institution, this manually intensive process accounts for approximately 33% of all medications dispensed from inpatient pharmacies.

- In 1992, the Division of Pharmacy deployed unit-based cabinets on each nursing unit throughout the hospital. This provided nurse-vended medications, allowing the best possible patient care. Most medications stocked in MedStations® are controlled substances or PRN (as needed) drugs. These are the most commonly used and are administered in patient care areas.

- Pyxis MedStations® cabinets were deployed hospital-wide in 1992 in inpatient and outpatient areas, giving nurses access to medications conveniently available in patient areas. Most medications stocked in MedStations® are controlled substances or PRN (as needed) medications commonly prescribed and administered in patient care areas. Pharmacy also uses Pyxis MedStations® and Pyxis C-II Safe within Pharmacy areas as a means to manage perpetual inventory on controlled substances and designated high-dollar medications. These products offer true closed-loop perpetual inventory for narcotics. Although effective in providing secure storage of certain medications, unit-based cabinets are limited in the number and scope of drugs they can accommodate, thus making them an excellent complement to inventory carousels within areas that warehouse large volumes of product.

  Software used on current equipment will no longer be supported by the vendor after 2007. Additionally, the current equipment’s physical configuration does not support medication security and patient medication safety as well as currently marketed cabinets.

- The ScriptPro SP200® robotic dispensing technology was implemented in 1998 in the R2 Retail Clinic Pharmacy because it provided special retail pharmacy functionality. Subsequently, all retail pharmacies were converted to SP200 robotic dispensing. The SP200® offers accuracy when filling retail prescriptions with such features as vial selection, labeling, and bar-coded product identification. In 2005, the retail pharmacies deployed the SP Central Workflow® System, which complements the SP200® by coordinating the prescription workflow and, through the use of enhanced logic, ensures correct prescription dispensing to retail patients.




- Omnicell Pharmacy Central® (OPC) medication carousels were implemented in late 2003 to provide improved medication management in Pharmacy Inventory Control (formerly Pharmacy Bulk Stores). The horizontal paired carousels provide the benefits of bar code technology to enhance medication safety, pick-to-light technology that speeds the stocking and order fulfillment processes, and perpetual inventory. All remote Pharmacy locations can perform a demand pick to Inventory Control, which eliminates paperwork and provides a detailed audit trail of the requested item(s), the name of the person making the request, and the inventory location. However, OPC does not integrate with any of Pharmacy’s current technology nor the institution’s drug wholesaler. This stand-alone equipment does not provide drug ordering restrictions and inventory management capabilities throughout the Pharmacy’s supply chain.




- Centricity® Pharmacy (formerly BDM RxTFC®) was implemented in December 2004 for the Inpatient and ATC pharmacies. A year later, the retail pharmacies were implemented on the system, which provided institutional clinicians a single platform for viewing a patient’s medication profile through the ClinicStation system. Most patient medication billing is performed in Centricity® Pharmacy and billing files are sent nightly to Patient Business Services for processing. Centricity® Pharmacy is interfaced to a variety of external systems including, but not limited to, Pyxis®, CARE ADT (Siemens Invision HIS), ClinicStation, and McKesson’s Robot-Rx®. Future development is underway for an inbound orders interface and inbound lab value viewing.




- Fax Order System (FOS) was implemented in 2003. It is an M. D. Anderson developed system that allows Pharmacy to receive orders via a virtual fax machine (server) on any networked PC workstation. A digitized image of orders is stored in the system with a patient’s medical record number, offering easy retrieval capabilities. Although a major improvement over previous delivery models, FOS is frequently slow, does not allow for the prioritization of orders, does not provide query capabilities for new patient orders, interferes with the efficiency of Centricity® Pharmacy, and does not provide order status visibility to the person sending the order.

- CARE or Siemens Invision® System is the primary health information system for patient registration, admission, discharge and transfer (ADT) data, billing and patient scheduling. CARE is interfaced to Centricity® Pharmacy and other clinical systems.

- A National Data Corporation (NDC) point of sale (POS) system is used for cashiering in the Retail Pharmacies. It interfaces to Centricity® Pharmacy and provides bar code technology to help close the loop in the dispensing process. A project currently underway will convert the POS from an NDC product to ScriptPro® software that will integrate all Retail Pharmacy systems.

- Alaris Medley Guardrails® SmartPump technology was deployed in June 2006, which provides clinically significant information to the nurse at the patient bedside. CQI (continuous quality improvement) data is collected from each infusion device in real-time.

- Asset Trakker® is used for equipment management and patient billing for infusion devices. New radio-frequency identification (RFID) technology is in its final phase of testing before institutional deployment. RFID will allow real-time monitoring of equipment location with enhanced billing accuracy while saving personnel time currently required to manually track devices.

- Prescription On-Line (POL) is an internally developed prescription writing system used by the retail pharmacies beginning in 1999. It interfaces with the CARE ADT system and allows healthcare practitioners to submit prescriptions directly to Pharmacy.






[Figure: Retail Pharmacy Current State. Network diagram of the retail pharmacy systems: Audio Care/Web Refill (Windows 2000 Server); the RX lookup program, which pulls prescription number and pricing info to charge patients and queries by prescription number or patient ID via TCP/IP over a proprietary interface; POS (SCO Unix), comprised of NDC (Zadall/Perse) and CRC Hardware/POS Solutions; Centricity (AIX HACMP); SP Check Point; Electronic Signature (USB); Image Server (Windows Server 2003); ScriptPro Robot; Expanded Server (Windows Server 2003); Notice Boards; SP Station (Labels); Script Scanner (USB); Claims Adjudication (Frame Relay); Order Entry Software; Firewall; HL7 Interface. This setup is repeated in ACB, R2, R10 and Retail pharmacies. Legend: green lines, out from Centricity; red lines, in to Centricity; black lines, separate network.]





1.3.2 Electronic Medical Record Overview

ClinicStation is the institution’s self developed Electronic Medical Record. ClinicStation is the primary clinical software in use at the institution; it currently integrates more than 40 systems, some commercial and some self developed. The institution has placed great strategic focus on ClinicStation and desires to have it be the primary application required to support routine clinical operations. Relevant features include a complete allergy record, a medication list and reconciliation function, and complete access to pharmacy records.






ClinicStation is designed using a Services Oriented Architecture (SOA) and specifically avoids replicating data unless absolutely necessary. The client is a modular .NET application that consumes the services of the SOA. The client does make limited use of third party controls within the overall client architecture.

The institution maintains a robust software development capability in order to integrate commercial systems into our SOA, and develop integrated client interfaces to new services.

The application supports over 7000 simultaneous users, answering more than 1.8 million service calls per hour during busy periods. Peak volume of queries for patient information is approximately 20 per second.







1.3.3 Networks

M. D. Anderson operates a campus-wide Ethernet data communications backbone that connects all campus locations for purposes of electronic mail and other collaboration, access to web-based resources, and access to numerous application systems and databases. Key details about our networks include:

- Over 60,000 ports with 30,000 currently active nodes,
- Over 600 LAN switches, 1,200 wireless access points and 30 routers, and
- Connectivity provided to all Main Campus locations, South Campus locations, Science Park facilities in Bastrop County, Texas, as well as several outreach facilities across the Houston metropolitan area.

Network assets include: fiber and copper cable infrastructure, network switches and routers, SAN switches, wireless access points, terminal servers, uninterruptible power supplies (UPS), as well as network sniffers, probes and other monitoring tools.

1.3.4 Enterprise Servers

M. D. Anderson has deployed over 800 servers operating under various operating systems. While Microsoft 2003 Server, IBM AIX and Red Hat Linux platforms are currently supported, it should be noted that (although not necessarily our preferred server solutions) many applications are Novell Netware, Microsoft Windows NT and 2000, or Macintosh OS server based. The Institution has deployed a high performance computing cluster supporting genomics, population studies and other research activities, along with a high availability computing cluster that supports financial systems.

For the research community, the Institution has deployed a high performance computing cluster supporting computational Biology, Genomics, Population studies and other research activities, along with a high availability computing cluster that supports financial systems. The Institution has a 4-node HP Itanium based Oracle10g cluster attached to the EVA storage in the primary datacenter that is replicated in the co-location center with a similar HP-EVA storage system. An application development/production environment is deployed as well: clustered production systems, with separate development, test, and staging systems, all based on Red Hat Linux.

We have deployed a large storage area network (SAN) installation within our primary data center, managed using Tivoli Storage Manager. Several other large (Microsoft Windows) servers currently support our campus-wide e-mail, collaboration, and groupware needs.

M. D. Anderson has implemented numerous Hewlett Packard servers in clustered, active/active, active/passive or standalone (enterprise server) configurations. There are currently over 16,000 customers across the campus connected to this large set of enterprise servers. M. D. Anderson is currently migrating our server infrastructure to one based on Microsoft Exchange 2007, an enterprise-wide Active Directory, and Microsoft based file and print services.

A small number of specialized departmental applications run on the Sun SPARC Station platform with Sun OS (Unix) as the operating system.





1.3.5 Desktop Computing Standards

M. D. Anderson currently supports over 23,500 desktop (and notebook) computers. Microsoft Windows XP has become the predominant desktop operating system, with approximately 2,500 Macintosh OS based personal computers being used in select areas of the campus.

M. D. Anderson has adopted several desktop computing related standards, including Lotus Notes for collaboration (electronic mail, calendaring, and collaboration), Microsoft Office (word processing, spreadsheets, presentation graphics, and databases), as well as the Internet Explorer, Safari, and Firefox web browsers. Other established standards include: Trend Micro OfficeScan, Adobe Acrobat Reader, the Novell Netware client and ZENworks, and the Altiris Client Management Suite. (Both of the Novell products will eventually be removed from our standards as Microsoft file and print services as well as Altiris Client Management are implemented across the enterprise; furthermore, M. D. Anderson is currently migrating from Lotus Notes to Microsoft Exchange based messaging.)

From a hardware perspective, M. D. Anderson currently acquires Windows based systems from Dell along with Apple systems based on the Macintosh operating systems, as well as HP desktop printers and scanners. Finally, M. D. Anderson utilizes the Citrix environment for cross-platform access via institutional standard desktop computers.

Finally, M. D. Anderson has prepared a list of institutionally approved and supported desktop computing products, along with other preferred software titles. The most recently published M. D. Anderson Information Technology Standards document is provided as a detailed attachment.


1.3.6 Internet/Intranet Security

M.D. Anderson’s security mission is to ensure the integrity, confidentiality, and availability of critical resources and assets while minimizing the impact of security procedures and policies upon business productivity. Our mission is dedicated to enabling enhanced M.D. Anderson’s business and eCommerce goals.

The following table depicts M.D. Anderson’s goals and operating principles around its institutional security.



Hardware Security
  Goal: Ensure the availability and integrity of M.D. Anderson’s hardware resources. Prevent tampering, damage, theft, or other interference with the normal functioning of this hardware and the data contained therein.
  Operating Principle: Provide appropriate levels of security and access control of M.D. Anderson’s hardware. In conjunction with vendors, engineers, and operations staff develop appropriate policies and procedures to ensure the continued reliable functioning of these devices and systems.

Operating System Security
  Goal: Enforce platform security as a basis for authentications, access control and other security disciplines.
  Operating Principle: Work with appropriate groups; develop policies, procedures and technology to ensure operating system integrity.

Identification and Authentication
  Goal: Provide reliable access to M.D. Anderson’s resources only for current M.D. Anderson employees, contractors, business partners, and other authorized entities. Ensure appropriate levels of access control for all resources on an individual and group basis.
  Operating Principle: Work with appropriate teams and outside vendors; develop a reliable, widely available system for strongly authenticating users with a high-degree of trust and for granting access to M.D Anderson resources based on this technology.

Security Audit
  Goal: Ability to detect anomalous system and network activity. Analyze and report such security and maintain a repository of the same.
  Operating Principle: Audit will be conducted to ensure compliance with security policy.

Information Access Control
  Goal: Identify data ownership, who may access the data, and over what automated information systems the access should be granted.
  Operating Principle: Develop and maintain a framework for providing access to information based on M.D. Anderson’s authentication infrastructure.

Network Security
  Goal: Ensure the availability and integrity of M.D. Anderson’s data communications networks. Detect and respond to modification, surveillance, damage, theft of service, or other interference with the normal functioning of these networks and the data that travels over them.
  Operating Principle: Work with network operations and engineering to develop technology, policies, and procedures to ensure the continued correct functioning of the data communication infrastructure. Work with facilities to ensure appropriate levels of security for network nodes and access points, as well as for critical process of the network infrastructure.

Telecommunications Security
  Goal: Ensure the reliable function of telecommunications services, switches, voicemail systems, etc. for legitimate users. Prevent outside tampering, modification, eavesdropping, theft, and denial of services.
  Operating Principle: Work with appropriate in-house teams and service providers to adopt appropriate technology, policies, and procedures. Provide appropriate levels of security for physical telecommunications infrastructure. Educate users and provide guidelines for appropriate and secure use of telecommunication services.

Encryption
  Goal: Provide adequate means for M.D. Anderson and its employees to protect proprietary and confidential data whether stored, in production, or in transit. Support the requirements of authorized M.D. Anderson’s personnel and outside agencies to recover encrypted information.
  Operating Principle: Provide access to appropriate hardware and software encryption mechanisms given the sensitivity and risk associated with loss of the data. Provide guidance and oversight in management of sensitive data, encryption keys, or other resources.

Enterprise Anti-Virus Security
  Goal: Detect and prevent attempts to introduce virus or other malicious code into M.D. Anderson’s information systems. Limit the scope and impact of outbreaks when they do occur.
  Operating Principle: Work with appropriate support teams to deploy and maintain operating anti-virus software and tools. Stay current on recent developments and outbreaks. Act as a clearinghouse for information on virus incidents and resist the spread of unsubstantiated rumors.

E-mail Security
  Goal: Provide reliable, high performance email systems for M.D. Anderson employees and other authorized personnel. Protect email, configuration data, logging information, etc. from destruction, tampering, eavesdropping, or theft by unauthorized entities.
  Operating Principle: Promote training and awareness of proper use of email facilities. Provide encryption solutions for sensitive data being sent via email. Work with appropriate groups to establish policies and procedures for appropriate handling of email and related data.

Intranet/Extranet/Internet Security
  Goal: Ensure reliable communications between individuals within M.D. Anderson based on the principle of least access. Support authorized access from outside of M.D. Anderson while preventing damage, destruction, and theft of M.D. Anderson resources.
  Operating Principle: Working with appropriate groups, develop policies, procedures, and technology that can be used to safely provide access in accordance with M.D. Anderson’s business needs. Monitor and react to threats from various sources.

Media Security
  Goal: Maintain reliable, redundant, and safe packaging of sensitive data on storage media and provide for secure access of this media only by authorized personnel. Ensure proper destruction of old or decommissioned data.
  Operating Principle: Working with appropriate groups, develop policies and procedures for ongoing storage and archive of data. Identify roles and responsibilities. Provide adequate physical and environmental security for storage media. Make appropriate continuity plans prior to natural or other disaster.






1.3.7 Information Security and Compliance Requirements

M. D. Anderson has a comprehensive information security program that includes an ongoing risk assessment, disaster recovery planning, as well as incident prevention and management. Supporting incident prevention and management efforts are a variety of security tools, including desktop and server anti-virus, intrusion detection and prevention systems, multiple firewalls, etc. Additionally, an identity management program, currently based on Shibboleth and Novell eDirectory, is in place across the enterprise. Finally, M. D. Anderson is currently implementing Microsoft Active Directory with central LDAP-based authentication as part of a large infrastructure upgrade project.

M. D. Anderson has established the following information security guidelines based on regulatory requirements and security best practices:

Administrative Safeguards

Proper auditing should be in place and comply with M. D. Anderson Policy. Auditing logs should be retained and reviewed regularly according to M. D. Anderson Policy. Logs for systems containing electronic protected health information must be kept for a period of 6 years.

Applications should provide a means to allow granular access to the system in order to facilitate the user’s ability to perform only the actions necessary to carry out their job duties.

Account administration functions should be informed of terminated employees in a timely fashion. User account creation, modification and deactivation are to be managed (centrally) by the Accounts Services Team in the Information Security Department.

Access to M. D. Anderson’s information resources requires assignment of unique User IDs and passwords for each system user. Granting of vendor accounts must follow M. D. Anderson’s Security Network Connections Agreement.

All systems, including those approved by the Food and Drug Administration (FDA), must have a method defined by which they can be patched/updated in a timely manner in order to respond to new security vulnerabilities. At a minimum, a system should support the use of current institutional standards such as the Trend Micro client and the Altiris agent.

Applications should “lock” accounts after no more than 5 incorrect logon attempts have taken place, in accordance with M. D. Anderson Policy.

Applications should ensure adherence to established M. D. Anderson password policies and naming conventions.

Critical applications should provide for alternate modes of operations and/or disaster recovery capabilities when necessary.

Vendors will be required to provide a service level agreement to include the assurance of reasonable time frame for addressing security related issues.

Physical Safeguards

All servers related to the application should be able to be housed in a secure facility such as the M. D. Anderson data center.





Final disposition of electronic confidential and restricted confidential information, and/or the hardware or electronic media on which it is stored must occur in a manner compliant with institutional policy and relevant security and privacy regulations.

Technical Safeguards

Applications should support “strong” authentication and not pass user IDs and passwords across the network in “clear text.” Although encryption of transmission within the M. D. Anderson network is not a requirement, it is strongly recommended.

Applications should facilitate a process for emergency access during either planned or unplanned outages. If the system administrator is not available, then there should be procedures for obtaining necessary electronic protected health information during an emergency.

Applications should provide a method to automatically “log off” users after 15 minutes of idle time.

Applications should accommodate measures to effectively address not only where data is stored but also how it is transmitted between locations, including the use of encryption to adequately protect electronic protected health information (ePHI).

Systems providing public access should have an interface front end placed in the Demilitarized Zone (DMZ). If authentication to the system is required, then such authentication should be encrypted. The back end system will be placed on the appropriate segment of the network. A Virtual Private Network (VPN) should be deployed if the system is being accessed by a third party vendor.
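
An acceptance check for two of the safeguards above, the account lock after no more than 5 incorrect logon attempts and the automatic log off after 15 minutes of idle time, given here as an added example that is not part of the RFP. The log format, the event names (LOGON_OK, LOGON_FAIL, ACTIVITY, LOGOFF, UNLOCK) and the sample entries are assumptions constructed for illustration; a candidate system's audit log would be mapped onto them.

```python
"""Replay an application audit log and flag breaches of two RFP safeguards.

Added illustration: the log format and event names are assumptions,
not taken from the RFP or from any vendor product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 5               # RFP: lock after no more than 5 incorrect attempts
IDLE_LIMIT = timedelta(minutes=15)  # RFP: automatic log off after 15 minutes idle

# Constructed sample log, one "timestamp user event" entry per line.
SAMPLE_LOG = """\
2008-05-12T08:00:00 alice LOGON_OK
2008-05-12T08:10:00 alice ACTIVITY
2008-05-12T08:30:00 alice ACTIVITY
2008-05-12T08:31:00 alice LOGOFF
2008-05-12T09:00:00 bob LOGON_FAIL
2008-05-12T09:00:05 bob LOGON_FAIL
2008-05-12T09:00:10 bob LOGON_FAIL
2008-05-12T09:00:15 bob LOGON_FAIL
2008-05-12T09:00:20 bob LOGON_FAIL
2008-05-12T09:00:25 bob LOGON_OK
2008-05-12T09:05:00 carol LOGON_FAIL
2008-05-12T09:05:10 carol LOGON_OK
2008-05-12T09:19:00 carol ACTIVITY
"""


def audit(log_text):
    """Return a (timestamp, user, rule) tuple for every breach found."""
    failures = defaultdict(int)  # consecutive failed logons per user
    last_seen = {}               # last activity time of each open session
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, event = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "LOGON_FAIL":
            failures[user] += 1
        elif event == "UNLOCK":
            # Administrative reset of a locked account.
            failures[user] = 0
        elif event == "LOGON_OK":
            if failures[user] >= MAX_FAILED_LOGONS:
                # The account should have been locked; the logon was accepted anyway.
                findings.append((stamp, user, "LOCKOUT_NOT_ENFORCED"))
            else:
                failures[user] = 0
            last_seen[user] = when
        elif event == "ACTIVITY":
            if user not in last_seen:
                findings.append((stamp, user, "ACTIVITY_WITHOUT_SESSION"))
            else:
                if when - last_seen[user] > IDLE_LIMIT:
                    # The session survived an idle gap longer than the limit.
                    findings.append((stamp, user, "IDLE_LOGOFF_NOT_ENFORCED"))
                last_seen[user] = when
        elif event == "LOGOFF":
            last_seen.pop(user, None)
        else:
            raise ValueError(f"unknown event {event!r} in line: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
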

Other Requirements

Test functions should be kept either physically or logically separate from production functions.

Where appropriate, identification logon banners shall have warning statements that include the following topics: (1) unauthorized use is prohibited, (2) usage may be subject to security testing and monitoring, (3) misuse is subject to criminal prosecution; and (4) no expectation of privacy except as otherwise provided by applicable privacy laws.

A risk analysis shall be conducted prior to rollout of a solution to determine the level of security that needs to be implemented to protect the information as required by policy or statutory regulations. The assessment should address the confidentiality, integrity and availability of the information. The implementation of controls used to mitigate identified risks should be appropriate and cost effective.

Systems must be deployed in an area where adequate limited access controls are maintained and monitored.

Where technically feasible, applications and directories are required to be connected to M. D. Anderson’s deployed identity management infrastructure.

Implementation of systems solutions must accommodate required application availability, dependencies with other systems, as well as requirements for data recovery, physical access and disaster recovery, in a manner that complies with all institutional, state and federal mandates.

End user interfaces must comply with accessibility standards, guidelines and regulations.





Systems that process, transmit or store cardholder data must comply with all Payment Card Industry (PCI) standards and regulations.

Systems that maintain, transmit or store Social Security Numbers must comply with Policy #166 of The University of Texas System Administration Policy Library, available online at http://www.utsystem.edu/policy/ov/uts166.html.

Systems that maintain, transmit or store digital research data must comply with Policy 167 of The University of Texas System Administration Policy Library, available online at http://www.utsystem.edu/policy/ov/uts167.html

1.4 Institutional Statistics

CATEGORY                                2006 ACTUAL
Inpatient Beds                          576
Outpatient Centers                      360
Annual Outpatient Clinic Visits         927,400
Annual New Patient Accounts             27,000
Patients Treated Each Year              80,000
Average length of stay for Inpatient    7.5 days

1.5 Departmental Statistics

DESCRIPTION                             QUANTITY
Total number of Prescriptions filled    23,000
Billable Prescriptions                  17,600
Number of system users                  50





Section 2 Scope of Work

2.1 General

The system proposed by the Respondent shall meet the requirements outlined herein. This section of the RFP is divided into three general parts:

- General System Specifications
- Security Specifications
- Functional and Technical Requirements

The Respondent must reply fully to each question and requirement in this section.

2.2 General System Specifications

2.2.1 Equipment Acceptability

Equipment must be available for general sale or lease on the date specified for receipt of proposals. The minimum useful life span of the proposed equipment must be at least five years from the date of acceptance. All equipment proposed shall be of the latest design, system organization, and technology. The Respondent is to provide equipment specifications and pricing in the Pricing Schedule section of this RFP.

2.2.2 Software Acceptability

All system and application software proposed and specified as currently available must be demonstrable in a production environment or otherwise be so indicated. The degree of success of the software to meet the requirements outlined in this RFP will be decided by M. D. Anderson. The Respondent is to provide software license, implementation and installation, and maintenance pricing.

3 Vendor Questionnaire

The “Vendor Questionnaire” attachment presents questions related to basic vendor information required by M.D. Anderson. Please answer each question completely, concisely, and accurately. Incomplete answers will be considered as “blank answers” and will be disregarded.

Attachment Instructions: Please download this file to your computer, complete the questionnaire, and upload the completed file into the Procuri tool.






Questions are presented in the following sequence:

- General Vendor Profile
- Research and Development
- Client Information
- System Advantages/Benefits
- Solution Architecture
- Hardware
- Software
- Network/Telecommunications
- Peripherals
- Product Customization
- User Interface
- HL7 Interface / Connectivity
- Database/File Structure
- Application Functionality
- Report Generation and Tools
- Security
- Testing and Validation
- Implementation
- Support/Ongoing Maintenance and Upgrades
- System Performance
- Documentation and Training
- Miscellaneous
- Escrow
- Contractual/Warranty Specifications
- Additional Information
- Additional Technical Specifications