CE Event Management Software
Request for Proposal Number:
Issue Date: December 4, 2017
Response Deadline: December 18, 2017
Scope of Work
The University of Kansas Medical Center (KUMC) is looking to purchase a software application to manage continuing education activities (Live, RSS, MOC, Enduring) for external and internal users.
Administrative
Any questions regarding this Request for Proposal, Vendor Questionnaire, or proposal format must be directed to:
Bryan Thomas, Director of Purchasing
KUMC Purchasing
3901 Rainbow Blvd. Mailstop 2034
Kansas City, KS 66160
Phone: 913-588-1115
eMail: [email protected]
Due Dates: All proposals are due by 2:00 p.m. CST Monday, December 18, 2017. Any proposal received after the required date specified shall be considered late and non-responsive. Any late proposals will not be evaluated for award. Once all submissions have been received, they will be compiled and forwarded to the requester for review. You will be contacted directly by the Procurement Officer if they wish to interview your representatives.
Schedule of Events:
Event | Date
RFP – Open for Bid | December 4, 2017
Proposal Due Date | December 18, 2017
Target Date for Proposal Review | January 8, 2018
Vendor Demonstrations and Follow Up | January 8, 2018 – March 16, 2018
KU Decision | March 30, 2018
University of Kansas Medical Center
Proposal Submission: Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most advantageous to KUMC in terms of cost, functionality and other factors as specified in this RFP.
KUMC reserves the right to:
Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,
Accept a proposal other than the lowest priced offer, and
Award a contract on the basis of initial offers received, without discussions or requests for best and final offers.
The response to this RFP will be incorporated into the final agreement between The University of Kansas Medical Center and the selected vendor(s) as an attachment. The proposal shall be submitted in Microsoft Word format as set forth below and shall confine the submission to those matters sufficient to define the proposal and to provide an adequate basis for its evaluation.
1. Executive Summary
2. Functionality
3. Project Management Approach
4. Detailed and Itemized Pricing
5. Appendices
1. Executive Summary
The Executive Summary should be a brief overview, and should identify the main features and benefits of the proposed solution.
2. Functionality
Include detailed technical expertise and product functionality. The proposal should reflect the ability to meet each of the requirements listed below:
No. | Requirement | Delivery Method | Vendor Comments
Registration
REG01 Ability to add options to an event that result in an additional cost (i.e. dinner, merchandise)
□ Out of Box  □ Configure  □ Custom
REG02 Ability to accept online registration, including e-commerce, discount codes, group registrations, refunds, invoicing and check payments.
□ Out of Box  □ Configure  □ Custom
REG03 Multiple registration with safeguards against registration for concurrent sessions
□ Out of Box  □ Configure  □ Custom
REG04 Ability to edit/add to registration information after an initial registration is completed
□ Out of Box  □ Configure  □ Custom
REG05 Ability to accommodate Early Bird and regular registration fees based on a deadline registration date.
□ Out of Box  □ Configure  □ Custom
REG06 Automated customizable e-mail registration confirmation with receipt.
□ Out of Box  □ Configure  □ Custom
REG07 Ability to customize registration form to include special needs of participants (dietary restrictions, special ADA requirements).
□ Out of Box  □ Configure  □ Custom
REG08 Ability to assign QR code or bar code for electronic check in on-site
□ Out of Box  □ Configure  □ Custom
REG09 Ability to assign QR code or bar code for electronic check out
□ Out of Box  □ Configure  □ Custom
REG10 Ability to print customizable badges and other sign in materials with QR or bar coding (vendors should be specific about which they offer - QR / bar coding)
□ Out of Box  □ Configure  □ Custom
REG11 Ability to use one QR code on a name badge to scan in attendance for multiple days
□ Out of Box  □ Configure  □ Custom
REG12 Ability to register guests of participants that are excluded from PARS reporting
□ Out of Box  □ Configure  □ Custom
REG13 Ability for participants to audit courses without receiving CE credit - excluded from PARS reporting.
□ Out of Box  □ Configure  □ Custom
REG14 Allow guest profiles that do not require full profile for non-credit events - excluded from PARS reporting.
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Administration/Evaluations
ADMIN01 Ability to create complex events with concurrent sessions and multiple fee options, such as optional social events and products.
□ Out of Box  □ Configure  □ Custom
ADMIN02 Ability to duplicate recurring events.
□ Out of Box  □ Configure  □ Custom
ADMIN03 Ability to track multiple credit requirements - i.e., to recognize multiple credentials for one person (RN, EMS) and record all certification hours awarded for all credit types.
□ Out of Box  □ Configure  □ Custom
ADMIN04 Ability to track multiple clock hours for a course (50 min - 1 hr, 60 min - 1 hr, etc.)
□ Out of Box  □ Configure  □ Custom
ADMIN05 Ability to award certificates for multiple credit types - need to be able to assign differing amounts of credit per credit type, per session/course. Ability to add multiple signatures to a certificate (for multiple accreditation bodies).
□ Out of Box  □ Configure  □ Custom
ADMIN06 Ability to manage exhibitors online (email invite, complete online applications, payment, confirmation, communications, accounts receivable).
□ Out of Box  □ Configure  □ Custom
ADMIN07 Customizable online evaluations/tests (pre and post), including multiple question types, for live or enduring materials and independent studies
□ Out of Box  □ Configure  □ Custom
ADMIN08 Ability to save and duplicate evaluation templates
□ Out of Box  □ Configure  □ Custom
ADMIN09 Ability to schedule reminder emails for evaluation/testing emails sent to participants, and also ability to set a deadline to complete the evaluation/testing
□ Out of Box  □ Configure  □ Custom
ADMIN10 Speaker management - upload/download forms and information such as: disclosure, conflict of interest, honoraria, travel expenses, CV, audiovisual requests, presentation materials, handouts & slides
□ Out of Box  □ Configure  □ Custom
ADMIN11 Speaker management - prompt speaker to fill out necessary forms
□ Out of Box  □ Configure  □ Custom
ADMIN12 Speaker management - ability for staff to track what is complete/incomplete
□ Out of Box  □ Configure  □ Custom
ADMIN13 Ability to track/keep copies of previous versions of faculty forms
□ Out of Box  □ Configure  □ Custom
ADMIN14 Capture topic/specialty for each speaker in order to create a comprehensive list of speakers for future searching.
□ Out of Box  □ Configure  □ Custom
ADMIN15 Filter speaker lists (re ADMIN14) by averaged evaluation scores over time
□ Out of Box  □ Configure  □ Custom
ADMIN16 Mobile technology to allow participant to register, check-in, access session agendas, complete evaluations/tests, and access certificate/transcript - either by mobile app or mobile friendly website
□ Out of Box  □ Configure  □ Custom
ADMIN17 Ability to have unlimited administrators
□ Out of Box  □ Configure  □ Custom
ADMIN18 Ability to create online accredited programs by linking to or uploading online presentations (audio, video) that include options for registration with payment and links to evaluation, post test and credit certificate issuance (Learning Management System)
□ Out of Box  □ Configure  □ Custom
ADMIN19 Ability to live stream events through Learning Management System.
□ Out of Box  □ Configure  □ Custom
ADMIN20 Ability to send MOC applications or worksheets to reviewers in order for reviewers to add comments, and have the system notify the admin user when complete.
□ Out of Box  □ Configure  □ Custom
ADMIN21 Regarding applications: based on a QI project, reminders would be sent to the applicant if the project is not completed by a certain deadline. Ability to do this for several additional forms with a parent-child relationship to the initial application.
□ Out of Box  □ Configure  □ Custom
ADMIN22 Automated messages sent to admin user when each step is completed and to end user when target deadline is not met.
□ Out of Box  □ Configure  □ Custom
ADMIN23 Ability to make customizations to the KUMC system and not have to wait until it is added as an update for all clients
□ Out of Box  □ Configure  □ Custom
ADMIN24 Customer support response of 24 hrs or less for urgent matters
□ Out of Box  □ Configure  □ Custom
ADMIN25 Clear communication from vendor regarding product updates & timelines, as well as downtime if product will be unavailable during an update.
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Reporting
REPORTS01 Ability to create events that capture all ACCME requirements needed for PARS annual reporting for ACCME providers, and for that reporting to be automated for electronic transfer.
□ Out of Box  □ Configure  □ Custom
REPORTS02 Automatic system update of ACCME requirements
□ Out of Box  □ Configure  □ Custom
REPORTS03 Ability to create events that capture all Allied Health requirements needed for annual reporting for providerships, and for that reporting to be automated for electronic transfer.
□ Out of Box  □ Configure  □ Custom
REPORTS04 Ability to generate various program reports and export select data into Excel formats
□ Out of Box  □ Configure  □ Custom
REPORTS05 Must be able to produce a Budget Summary Report by event that includes all revenue, all expenses and program net loss or income
□ Out of Box  □ Configure  □ Custom
REPORTS06 Must be able to produce a report by individual event that includes all registration information by registration type (physician, nurses, complimentary, etc.)
□ Out of Box  □ Configure  □ Custom
REPORTS07 Must be able to produce a report by event that includes all registration information by individual (name, sessions, amount paid, date registered, etc.)
□ Out of Box  □ Configure  □ Custom
REPORTS08 Evaluation and outcomes reporting capabilities by program and for multiple programs by year
□ Out of Box  □ Configure  □ Custom
REPORTS09 Must be able to produce attendance lists
□ Out of Box  □ Configure  □ Custom
REPORTS10 Ability to generate overall budget (revenue, expenses, balance for all activities)
□ Out of Box  □ Configure  □ Custom
REPORTS11 Ability to generate report that shows status of application on run date - MOC specific
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Finance
FINANCE01 Ability to capture all types of revenue for an event, including: Registration, Exhibitor, Grant (commercial & non-commercial)
□ Out of Box  □ Configure  □ Custom
FINANCE02 Must be able to track all expenses for an event
□ Out of Box  □ Configure  □ Custom
FINANCE03 Must be able to track income and expenses by funding sources.
□ Out of Box  □ Configure  □ Custom
FINANCE04 System must be able to invoice and track A/R for rebilling purposes.
□ Out of Box  □ Configure  □ Custom
FINANCE05 Ability to send alerts or place holds on accounts (participants & exhibitors) because of balance due from previous events/years.
□ Out of Box  □ Configure  □ Custom
FINANCE06 Cancellation fees to show on activity budget
□ Out of Box  □ Configure  □ Custom
FINANCE07 System must be able to invoice and track A/R for rebilling purposes.
□ Out of Box  □ Configure  □ Custom
FINANCE08 Ability to invoice when program net = balance due
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Interfaces
INTERFACE01 Provide widgets or scripts for seamless integration of course listings to display on the KUMC Continuing Education (KUMC CE) web page. The display of course listings generated must include: Course Title, Course Date(s), Course Description, Course Location, and a Registration link so users may easily complete registration for courses in the CE event management system.
□ Out of Box  □ Configure  □ Custom
INTERFACE02 Ability to sort the display of courses in a listing by date; ascending or descending should be an option.
□ Out of Box  □ Configure  □ Custom
INTERFACE03 Ability to limit the display of courses in a listing by type should be an option.
□ Out of Box  □ Configure  □ Custom
INTERFACE04 The widgets or scripts must be compatible for use in the Ingeniux CMS that hosts the development of the KUMC CE web pages
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Data Fields & Security
DATA01 Administrator ability to set user access and security by activity and by task
□ Out of Box  □ Configure  □ Custom
DATA02 Ability to partition between AHEC/KUMCCE/other activities for distribution lists
□ Out of Box  □ Configure  □ Custom
DATA03 Ability to capture the following types of data:
Member/Participant
Member/Participant ID (created by system)
Salutation
First Name
M.I.
Last Name
Suffix
Degree
Professional Title
Position
Credit eligibility - assigned by system based on credential(s)
Specialties (long list with check boxes)
Credentials
NPI
Nursing
Allied Health Professional License number(s) - multiple fields (up to 5)
Organization
Hospital (drop down)?
Department
Email Address
Home address: Address, Address 2, Address 3, City, State, Postal Code, County, Country
Work address: Address, Address 2, Address 3, City, State, Postal Code, County, Country
Preferred address check box
Work Telephone number
Extension
Mobile Telephone number
Home Telephone Number
Fax telephone number
Assistant's Name
Assistant's Telephone
Assistant's Email
Preferred First Name
Spouse Name
Birth Month & Day
Induction Date (created by system)
Paid Thru
Special accommodations - Food Allergies, ADA (to show on registration report)
Comments
System notes (generated by system for user activity)
Active/inactive check box
Opt in/out - emails
Activity
Code (CM18####)
Activity Name
Location
County Location
Begin Date (multiple)
Ending date (multiple)
Begin Time of program (multiple)
End Time of Program (multiple)
Activity Type (drop down): Live, Enduring, RSS, QI for Portfolio pgm, etc.
Description (overall goal of program)
In Joint Providership/Direct Sponsorship
Objectives
Upload Brochure/Banner
Credit types per session(s)
Session title
Target Audience
Length of program
Providership number
Credit hours
Speakers List
Hours of instruction by speaker (Nursing and other)
Grants
Support
Commercial Sponsor (Contribution Amt or In-Kind)
Accreditation Statement
PARS Reporting
Outcomes (PARS Questions)
Interprofessional Education Collaborative ABMS/ACGME/IOM
# of Physicians who completed activity
# of Other Learners who completed activity
Hours of instruction (CME)
Risk Evaluation and Mitigation Strategy
Registration
List Products and pricing description
Downloadable registration form
Policies and cancellation
MOC
Project Title
Type of QI Effort
The number of physicians expected to participate in the QI activity
Physician Affiliation with KU School of Medicine
ABMS medical Specialties addressed as part of this QI
Subspecialties
Provide anticipated number of Physician Assistants participating
Provide anticipated number of Residents/Fellows participating
Provide anticipated number of Nurses participating
Provide anticipated number of Allied Health Professionals participating
Activity start date
Activity end date
Activity explicitly addresses one of the following (drop down with choices provided)
Project is funded internally
Project is funded externally
Does funding come from the organization budget
What department or program is this QI activity most closely associated with?
How does the activity align with your clinical system priorities
Is the project associated with larger statewide or national initiatives?
If yes to the previous question please explain
Which two Institute of Medicine Quality Dimensions of patient care are addressed
Which two ACGME/ABMS competencies are addressed (practice based learning and improvement and systems based practice are both assumed)
Relevant topics (all that apply) for this quality improvement effort
What is/are the identified problem(s)/gaps in quality that resulted in the development of the activity
Identify the primary underlying cause(s) of the gap, if known or hypothesized
What is the specific aim of the QI effort
What is the patient population
What is the population sampling strategy
What is the title of this measure
What type of measure is this
Source of measure
Is this measure nationally endorsed
What is the Numerator
What is the Denominator
What is the baseline rate
What is the data source for this measure
What is the target rate
What is the time frame for achieving the target
Benchmark and Source
What is the intervention tool type
Describe the planned intervention & how it relates to the aim
How will this intervention impact physician practice
How will this intervention impact patient care
Do you have another measure
Was a patient survey completed?
If patient surveys were completed, how many?
Upload a sample of the survey
Was a peer survey completed?
If peer surveys were completed, how many?
Upload a sample of the survey
Is IRB required
Indicate the requirements for an individual to meaningfully participate in this QI effort.
QI Progress to date:
Measure baseline practice performance
Implement changes in care process
Re-measure practice performance
Assess and refine changes in care process
Re-measure (after refining) practice performance
Finance
Billing address for CC payments
Registration fee types and pricing
Order # (created by system)
Order Date
Registration purchased
Payment Date
Promotion codes
Payment Method (check, credit card, other)
Payment reference #
Refund date
Refund amount
Cancellation Fee (displayed on registration revenue)
Status (A/R or Paid)
Payer name
Payment amount
Payment type (Reg Fee, Commercial Support, Balance Due)
Program Expense Types (Chart of account)
Program Estimate Budget Income
Program Estimate Budget Expense
Comments
Account type (KUEA or RFF)
Transcripts/Certificates
Credit specific certificate texts
Signature blocks
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Integration with KU Systems/Standards
S01 The application allows for a dual sign-in process, where KUMC employees sign on using Single Sign-On (CAS and/or Shibboleth) and external users create their own accounts outside of SSO.
□ Out of Box  □ Configure  □ Custom
S02 The application allows former KUMC employees to still access their accounts once they have left the University; their information flows from the SSO account into an external account that they create. No information is lost.
□ Out of Box  □ Configure  □ Custom
S03 Alternately, the application allows new KUMC employees who previously had external accounts to keep that information once they have Single Sign-On accounts at KUMC.
□ Out of Box  □ Configure  □ Custom
S04 Ability to accommodate custom KUMC branding standards (colors and fonts) for all forms, emails, etc.
□ Out of Box  □ Configure  □ Custom
No. | Requirement | Delivery Method | Vendor Comments
Look and Feel/User Experience
UI01 Ability for participants to self-claim credits per activity, with a safeguard so max credit hours cannot be exceeded
□ Out of Box  □ Configure  □ Custom
UI02 Allow participant to mark sessions attended & system calculates CE credit.
□ Out of Box  □ Configure  □ Custom
UI03 Participants' ability to create a unique profile
□ Out of Box  □ Configure  □ Custom
UI04 Participant self-service to access history, transcripts, complete evaluation, certificate retrieval and printing
□ Out of Box  □ Configure  □ Custom
UI05 Ability to customize and create email communication with participants, exhibitors, and speakers
□ Out of Box  □ Configure  □ Custom
UI06 Easy interface to manage internal participant lists (specialties, metadata terms, designation interest codes) to generate mailing lists and email lists, as well as upload outside lists
□ Out of Box  □ Configure  □ Custom
UI07 Ability to create an online detailed event page/brochure that displays event information on multiple tabs (event info, faculty, accreditation, parking, hotel information and registration)
□ Out of Box  □ Configure  □ Custom
UI08 Allow guest profiles that do not require full profile for non-CE events
□ Out of Box  □ Configure  □ Custom
UI09 Clear instructions/process for forgotten user name or password retrieval
□ Out of Box  □ Configure  □ Custom
UI10 Ability for users to opt-out (or be opted-out by KUMC staff) of mailing list
□ Out of Box  □ Configure  □ Custom
UI11 Ability to clone or copy previously sent email blasts
□ Out of Box  □ Configure  □ Custom
UI12 Safeguard against participants registering for the same program twice.
□ Out of Box  □ Configure  □ Custom
UI13 Limit subsequent email blasts to unregistered participants
□ Out of Box  □ Configure  □ Custom
UI14 Ability for participants to track their progress in LMS
□ Out of Box  □ Configure  □ Custom
UI15 Please specify limitations on graphics size, number of attachments, and size of attachment files in emails. Is rich text formatting available?
□ Out of Box  □ Configure  □ Custom
3. Project Management Approach
Include the method and approach used to manage the overall project and client correspondence. Specifically, describe how the engagement proceeds from beginning to end.
4. Detailed and Itemized Pricing
Include a fee breakdown by project phase and annual ongoing maintenance fees, Monthly Recurring Charge (MRC), per user charge, or any training or storage costs. Also, provide any reduced pricing options for multi-year contracts.
5. Appendices
A. References
Please provide two (2) current references, preferably from four (4) year higher education institutions (comparable in number of students to the University of Kansas Medical Center), including University name, contact name, title, e-mail address, telephone number that the University of Kansas Medical Center may contact.
B. Company Overview
Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, Primary and secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.
Key contact name, title, address (if different from above address), direct telephone and fax numbers.
Person authorized to contractually bind the organization for any proposal against this RFP.
C. Project Team Staffing (only on large projects)
Include biographies and relevant experience of key staff. List the personnel who would work on this project along with their qualifications and relevant experience.
Evaluation Criteria:
The University of Kansas Medical Center may, at their discretion and without explanation to the prospective Vendors, at any time choose to discontinue this RFP without obligation to prospective Vendors.
The University of Kansas Medical Center will have no obligation to complete a purchase pursuant to this RFP, even in the event that a preferred vendor is selected. The only obligation for the University of Kansas Medical Center to purchase will arise from a fully executed agreement.
Bidders may be asked to prepare a presentation and demonstration after the RFP closing.
Vendor Questionnaire:
(Project will dictate whether or not this section is necessary.)
This questionnaire asks for information that will enable KUMC to determine how your hardware or software will work in our environment. Please provide an answer to each question.
For any requirement that cannot be met or you believe to be not applicable, provide written explanation and proposed mitigation actions or compensating controls.
Review the Definitions of Secure Information included in Appendix A. If this system/application will be used to store or process protected health information (PHI), then the attached separate HIPAA Security Checklist for Applications/Devices must also be completed and submitted with this document.
Vendor Name Today’s Date
System/Application Name Software Version Operating System
Dept / Sponsor Contact Contact Title Department
Vendor Sales Representative Contact Title Telephone/Email
Vendor Technical Representative Contact Title Telephone/Email
Vendor Security Representative Contact Title Telephone/Email
State Contract # (if applicable)
NOTE: You do not need to complete the System Questions section of this questionnaire if the product will be hosted off-site (vendor SaaS).
System Questions Response Notes
Describe the primary function of the system.
Is there an appliance option for this system?
Y N NA
Can this be a stand-alone server? Y N NA
Does this system need proprietary hardware?
Y N NA
Can this system be virtualized? Y N NA
Is virtualization fully supported? Y N NA
What virtualization platforms are supported?
Has virtualization been fully tested?
Y N NA
If not a stand-alone server:
How many physical pieces of equipment are required?
What is the total amount of rack space required?
What are the power requirements?
What OS and version does it run (prefer Redhat Linux)?
What is the preferred OS?
Does it run under 32 or 64 bit?
Can the system be made fault tolerant? If yes, how?
Y N NA
What type of storage is supported or required (SAN, iSCSI, Fibre Channel, NAS, DAS)?
Can the system be load balanced? If yes, how?
Y N NA
Does the system have networking real-time/latency requirements? (e.g. streaming voice or video)
Y N NA
What are network speed/bandwidth requirements?
What licenses are included: development, testing, QA, production?
Does this system require individual licensing or shared licensing? If shared, does the system require a license server in our infrastructure? If yes, does the server need to be able to host physical USB dongles?
Y N NA
What load can the system handle (i.e., concurrent users)?
What is the recommended configuration for X number of users?
What monitoring can be used (SNMP and what version)?
What training options are available for maintaining the system?
Application Questions Response Notes
Accessibility
Is the product tested for compliance with Section 508 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act?
Y N NA
Does the product comply with the WCAG (Web Content Accessibility Guidelines) 2.0 Level AA?
Y N NA
Is manual usability testing conducted periodically to ensure the pages are accessible to individuals with disabilities?
Y N NA
Has the company completed a VPAT (Voluntary Product Accessibility Template) and will you provide it to us?
Y N NA
Authentication
Which authentication methods are available? CAS, Shibboleth, LDAP, Active Directory, other.
How are users authorized to use the application?
How are groups/roles managed?
Can groups/roles be controlled from outside the system (e.g. LDAP or Active Directory groups)?
Y N NA
User Access
Is user access browser based? If yes, indicate what browsers are supported.
Y N NA
Is user access client based? If yes, what OS does the client require?
Y N NA
Are other methods of remote access allowed? If yes, indicate what methods.
Y N NA
How are user accounts provisioned in the system?
Access Control
Is this system designed to be directly accessible from the entire Internet?
Y N NA
Does the system automatically log users off after a specified period of inactivity?
Y N NA
Does system authentication and authorization integrate with a central user identity vault (LDAP, Active Directory, etc.)? If yes, indicate which.
Y N NA
Will all user login credentials be transmitted in an encrypted format?
Y N NA
Will passwords/PINS be entered into non-displayed fields (masked)?
Y N NA
Will the vendor need remote support access to the system? If yes, describe the method.
Y N NA
Programming
What languages are involved (prefer Java or PHP)?
What kind of Web containers are used? Apache, Tomcat, others?
Is the application JSR 168 or 286 compliant (uPortal)? If yes, indicate which.
Y N NA
Do you provide APIs so that dashboards can be constructed for utilization on our portal? If so, are there any additional licensing costs for this? If not, are we allowed to access the data so that we may construct dashboards?
Y N NA
Do you agree to place in escrow (with mutually agreeable entity) the source code for current and two previous versions of the software being proposed, with client being responsible for the account?
Y N NA
Mobile
Is the application accessible via a mobile device? If yes, what devices are supported (e.g. iOS/iPhone, Android, etc.)?
Y N NA
Is this a mobile app, or a mobile-friendly website?
App
Website
Neither
How quickly will the application adapt to the latest mobile technology?
Data Management
Where is the data storage location? (Hosted or on-premise)
If this application will contain HIPAA-regulated data, will vendor sign a BAA (Business Associate Agreement)?
Y N NA
How will data associated with this service be backed up? Is this our responsibility or the vendor’s?
Include SLA information on:
Recovery Point Objective (RPO) – the maximum tolerable period in which data might be lost from an IT service due to a major incident OR in the event of a system failure, how much data can a service afford to lose?
Recovery Time Objective (RTO) – the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity OR how long a service can be down before data is restored.
Does vendor have a disaster recovery plan? Is there off-site storage of data, generators, etc.? Provide details of plan.
Y N NA
Attach a copy of your Business Continuity Plan.
How will vendor return all copies of data to the University at termination of agreement?
Can vendor return the actual hard drive to the University for disposal?
Y N NA
Does vendor have breach notification policy & procedures in place? If so, provide them.
Y N NA
PCI
If the application supports eCommerce, is it PCI compliant?
Y N NA
What PCI standards are followed?
Data Storage
What databases are supported? Include vendor and version (prefer Oracle or MySQL).
Data is moved in and out of the system using:
JSON? XML? CSV? Data exports/imports?
Y N NA
Open database? Y N NA
Web Services (REST, SOAP)? Y N NA
API? Y N NA
Other (If yes, explain) Y N NA
Will passwords/PINS be stored in an encrypted format?
Y N NA
Can this application be hosted? If so, where?
Y N NA
Can this application be monitored? If yes, by what (e.g. Zenoss)?
Will all access to the database system be auditable?
Y N NA
Do database rights and user accounts enforce the principle of least privilege?
Y N NA
Will Sensitive Information be stored in an encrypted format?
Y N NA
Security Administration
Can the system export log files to a central logging repository (e.g. syslog)?
Y N NA
Does the system provide reports of users/groups and their access levels?
Y N NA
Does the system provide varying levels of access within the application (e.g. role-based access)?
Y N NA
Does the system provide the capability to restrict access to particular records within the system based on userid?
Y N NA
What is the strategy for logging access to the system – and how long are the logs retained? Is there a cost for us to obtain the logs?
Activity Logging
Does the system log unauthorized access attempts by date, time, user id, device and location?
Y N NA
Does the system maintain an audit trail of all security maintenance performed by date, time, user id, device and location?
Y N NA
Does the system log all accesses to end user interface and backend data storage systems?
Y N NA
Networking Compatibility
Does the system support encryption of externally transmitted Sensitive Information?
Y N NA
Can the system be placed behind a firewall? Y N NA
Are ports used by the application statically definable and predictable?
Y N NA
What ports are used by the application?
Can the system only be accessed remotely via secure protocols (SSH, SSL, HTTPS, etc.)?
Y N NA
Written Documentation
Vendor must supply documentation of the format, schema, and data stored by the application.
Does the vendor have written administrative policies & procedures for Technical, Physical & Administrative Safeguards? If so, what are they?
Y N NA
What technical support documentation is available and where is it located?
Is the vendor willing to sign a Confidentiality Agreement as prescribed by the University?
Y N NA
Is the vendor willing to sign a Business Associate Agreement as prescribed by the University (for HIPAA and FERPA)?
Y N NA
Certifications
Has the application been audited by a third party against any industry-standard IT security certifications? If so, which?
Y N NA
Vendor Support
On what platform does the vendor do application development?
What is the vendor support model?
Tier 1/2/3?
What are the support hours?
Are we expected to provide first/second level support ourselves before calling the vendor?
Design and Dependencies
Please supply a design block diagram (a high-level block diagram of service interconnections).
What are your technology dependencies (assumptions about our environment)?
What are your software dependencies (e.g. specific version of Java)?
Patching/Updates/Releases
What is your product SDLC?
When is the next scheduled release of your product?
How often do you issue patches and updates?
What testing and verification of OS patches are done?
What is involved in performing an upgrade?
Cloud
Describe in detail how you interact with customer IT teams, and how this process works.
How do we get backups of our data?
When/if this contract ends, provide details on how we get all of our data back, and how the data is destroyed in your location.
Describe what analytics are available and how we get them.
How do we monitor your solution?
Sensitive Information:
The following types of information are considered “Sensitive” by the University of Kansas Medical Center Information Resources, Information Security, and University Compliance & Privacy Offices:
Data covered by state and/or federal law requiring the University to restrict access and release
Non-directory student records as defined by the Family Education Records Privacy Act and University Student Records Policy (including grades, transcripts, private contact information, etc.)
Social Security Numbers (e.g. faculty, staff, students, alumnae, parents, applicants, etc.)
Financial aid and/or scholarship information
Human Resource records that contain personally identifiable information about employee performance, health, and/or benefits
Identifiers or numbers for students, staff, or faculty
KUMC ID numbers
Passwords or PIN numbers
Digital Signatures
Individually identifiable health information (IIHI) protected by state or federal law (including but not limited to “protected health information” as defined by HIPAA)
Individually identifiable information created and collected by research projects
Financial account & transaction information (e.g. banking information, credit card transaction information, credit/debit card information, Track 2 information, etc.)
Research data
Library transactions (e.g. list of patrons, donors, users, circulation, etc.)
Information covered by non-disclosure or confidentiality agreements