Section 2 Bid No. 136722/CP
Section 1—Overview
Introduction
Purpose of this Request for Proposal
The intent of the Request For Proposal (RFP) is to solicit competitive sealed proposals for
application software that best meets the requirements of The University of Texas M. D. Anderson
Cancer Center (M. D. Anderson) for a Distribution Services Tracking system.
Overview of M. D. Anderson Cancer Center
Mission
The mission of The University of Texas M. D. Anderson Cancer Center is to eliminate cancer and
allied diseases as significant health problems throughout Texas, the nation, and the world by
developing and maintaining integrated quality programs in patient care, research, education, and
prevention.
Vision
In return for an investment of public trust and support, the faculty and staff of M. D. Anderson will
provide the foremost leadership worldwide in the care of the cancer patient and the solution to the
cancer problem. This vision recognizes the enormous toll that cancer takes on society and expresses
the confidence that the knowledge and expertise exist at M. D. Anderson to fulfill this commitment.
Philosophy
M. D. Anderson is a specialized center devoted to the care of the cancer patient and to the discovery
of solutions to the cancer problem. We strive to combine the activities of patient care, research,
education, and prevention to benefit not only patients receiving care, but also future generations. This
is our commitment:
To place at the center of our concern the welfare and rights of individuals who bear the burden of
cancer and to provide for their physical, spiritual, social, and rehabilitative needs.
To provide the most advanced therapy to cure, extend, and enhance the quality of life, provide
comfort, relief of pain, and preservation of human dignity.
To foster clinical and laboratory investigations which, responsibly conceived and scientifically
sound, establish an environment of learning, encourage quality practice, foster new knowledge,
and create the prospect of eradicating cancer.
Request For Proposal
To value and respect the distinctive role and expertise of each member of our multidisciplinary
team.
To employ the highest standards of ethics and quality and promote excellence in fulfilling our
responsibilities.
To be conscientious stewards of the resources essential for cancer therapy and research and never
allow financial considerations or rewards to dictate the quality of care or the conduct of research.
Institutional Information Systems
Software
Shared Medical Systems (SMS) is the core of the hospital information system. Some modules of the
SMS software have been customized to meet the needs of M. D. Anderson. Also, a significant
number of applications were developed in-house prior to the introduction of SMS. In some cases,
these legacy applications are tailored to coexist with the SMS software. The SMS legacy
applications collectively are referred to as the CARE system. The majority of the departments have
their own departmental applications.
Other (non-SMS) mainframe and/or client-server based applications support critical functions in
Diagnostic Imaging, Laboratory Medicine & Pathology, Surgery, Anesthesiology & Critical Care,
Research, Human Resources, Payroll, Financial Services, Facilities Management, and many other
areas of the Institution.
Hardware and Operating Systems
Many of M. D. Anderson’s mission-critical computer applications run on an IBM mainframe with an
MVS/ESA operating system. Some of the departmental applications run on one of six DEC
VAX/ALPHA minicomputers with a VMS operating system. The majority of the non-clinical
departmental applications are server based, running on IBM-compatible personal computers (PCs)
based on a Microsoft Windows operating system. Although there is still a substantial investment in
Microsoft Windows 95 based desktop systems, Windows NT has become our predominant desktop
configuration. Apple Macintosh personal computers, utilizing the System 7 operating system, are
declining in use throughout M. D. Anderson, though the majority of physicians use Macintosh
personal computers for some aspect of their work. A handful of departmental applications run on
Sun SPARC stations with Sun OS (UNIX) as the operating system. A significant increase in the
UNIX-based machines has occurred throughout M. D. Anderson over the past 18 months, and
C&CS now supports 8 UNIX servers.
Networks
Ethernet (10&100BaseT) is currently the predominant network topology with a comprehensive fiber
backbone. Since coverage of the backbone is 100%, all applications can be accessed from any
location within M. D. Anderson. While Novell NetWare has been the predominant Networking
Operating System (NOS) on about 100 file servers, Microsoft Windows NT is now being installed to
support many application needs throughout the Institution. Within the next two years, M. D.
Anderson intends to upgrade segments of the network topology to the Gigabit Ethernet at 1000
megabits per second.
Enterprise Servers
M. D. Anderson has implemented large Compaq servers in either a clustered or fully redundant
configuration. These servers support our standard Lotus Notes electronic mail system, many Notes
based work flow applications, and numerous Notes databases used in support of every mission area
of the Institution. There are currently over 8,300 customers across the campus connected to our set
of enterprise servers.
Desktop Computing Standards
M. D. Anderson has adopted several desktop computing related standards, including Lotus Notes for
collaboration (electronic mail, calendaring, and collaborative databasing), Microsoft Office (word
processing, spreadsheets, presentation graphics, and databases), and either of the Microsoft Internet
Explorer or Netscape Communicator web browsers.
Internet/Intranet
Any proposed solution must fit within the current internet and intranet environment.
Additional Information about the Current Software Environment
Distribution Services is responsible for receiving and processing packages and accountable mail
for the entire institution. Due to current volume and operational needs, the present tracking system
does not meet our needs. As an illustration of this, we are unable to include the purchase order
number in the tracking system because the additional burden to the system caused by this information
would increase the already substantial system downtime. Due to our increased volume, we
consistently experience down time with both the software and hardware that not only causes reduced
productivity but also the loss of data that is vital to our operations.
An upgrade to the current technology will enhance our ability to establish a chain of custody for
packages and increase accountability from arrival at the dock to delivery to the end user. This
increased accountability will assist in increasing security and minimizing employee fraud by providing
an up-to-the-minute verifiable audit trail. An upgraded system will give us the opportunity to
be proactive with features that include advance shipping status from selected vendors and e-mail alerts
in response to customer inquiries for specific tracking numbers. With current technology, we enter
information in both the tracking system and into the materials management system. An upgraded
system will provide the future possibility of an interface with the materials management system to
eliminate this dual entry.
Web-accessibility for end users to check on the status of packages will provide immediate feedback
and reduce the number of calls regarding an expected package. An added benefit will be a reduced
requirement for filing space due to the proof of delivery being available on-line. This translates into a
reduction in the number of customers calling with shipment status inquiries. Additionally, enhanced
reporting capabilities will eliminate manual productivity reports for receiving and delivery personnel.
It is expected that an upgraded system will eliminate or significantly reduce the amount of down time
experienced and provide a backup during system failure. Additionally, reliable and durable hardware
designed to withstand the physical, active environment associated with a receiving dock should be
provided. An improved system will assist in identifying areas to improve productivity and enhance
our level of customer service. Also, because of the volume of packages that are processed through the
system, information must be frequently archived. This requires additional steps to retrieve information.
And finally, system down time has increased, resulting in inefficiencies in retrieving tracking data.
The system in its current configuration has reached the limitations of what the software can provide.
Currently, there is a need to add the Faculty Center and the South Campus Research Building I
(SCRBI), but without an additional investment in software and hardware for the current software we
cannot add these satellite locations. In the near future, there are four additional receiving locations—
Basic Science Research Building (BSRB), Ambulatory Clinic Building (ACB), Cancer Prevention
Building (CPB), and South Campus Research Building II (SCRBII)--that will also require the package
tracking system. The implementation of an upgrade to the current system is critical to the successful
opening of these additional buildings.
Departmental Statistics
DEPARTMENTAL STATISTICS FOR DISTRIBUTION SERVICES
DESCRIPTION | QUANTITY | ANTICIPATED ANNUAL GROWTH
MDACC Employees | 12,000 | + Staffing for 5 new buildings
Users on the Current System | 7 | 18 additional stations needed to support current (5) and future (13) needs with ability for 100+ concurrent users to view package information via the web.
Buildings | 5 (plus delivery to approximately 20 other buildings and satellite locations) | 5
Packages Processed | 300,000 (approximately) | Anticipated growth = 25% based on projected growth from last FY
Section 2—Scope of Work
General
The system proposed by the Respondent shall meet the requirements outlined herein. This section of
the RFP is divided into three general parts:
1. General System Specifications
2. Security Specifications
3. Functional and Technical Requirements
The Respondent is to reply fully to each question and requirement in this section.
General System Specifications
Equipment Acceptability
Equipment must be available for general sale or lease on the date specified for receipt of proposals.
The minimum useful life span of the proposed equipment must be at least five years from the date of
acceptance. All equipment proposed shall be of the latest design, system organization, and
technology. The Respondent is to provide equipment specifications and pricing in the Pricing
Schedule section of this RFP.
Software Acceptability
All system and application software proposed and specified as currently available must be
demonstrable in a production environment or otherwise be so indicated. The degree of success of
the software to meet the requirements outlined in this RFP will be decided by M. D. Anderson. The
Respondent is to provide software license, implementation and installation, and maintenance pricing.
System Description
Specify which of the following customer interfaces are supported by the system.
Microsoft Windows 95 or NT 4.0
Macintosh OS 7.x
OS/2 Presentation Manager
X-Windows
Character based
“Windowed” character based
Which of the above customer interface(s) represent the preferred interface mechanism(s) for
the system proposed?
Describe the benefits of the selected customer interface(s) over the alternatives.
Describe features available in the system to provide customer defined, rules based, decision
support.
Provide examples of how customer defined rules (decision support) can span various clinical
areas (e.g., Pharmacy, Laboratory, or Radiology) and evaluate patient data from each area to
identify conflicts and/or contradictions.
Indicate the methods by which customer defined rules can be altered when customer definable
conditions are met.
1.
2.
3.
4.
5.
Describe the methods that have been used to incorporate flexibility into the proposed system.
Indicate in what ways the software logic is parameterized or table driven for convenient
modification. Be specific about logical values that may be changed without program
modifications and how such changes are accomplished.
Describe the features available to perform ad hoc queries.
Describe the extent to which the format of patient inquiries or reports can be tailored to the
needs of the customers.
In addition to traditional terminal and workstations, indicate which types of peripheral devices
are supported.
1.
2.
3.
4.
5.
Describe how the content and organization of the information displayed can be tailored for the
individual customer or by practice specialty.
Describe the tools available to develop, modify, and test decision support rules.
Describe the tools available to modify end-customer screens and windows.
Technical Environment
Explain how the system utilizes file server nodes.
Indicate whether the system supports the following computing standards:
TCP/IP
SNA-APP LU 6.2
DECnet
SPX/IPX
NetBIOS
Define whether the system supports the following industry standards: (List relevant standards
here).
Describe the portability of hardware platforms and operating systems.
Connectivity
Describe what capabilities exist to use an “interface engine” or “data switch” with the system to
minimize interfacing efforts.
Describe the tools available to implement the required interface.
INTERFACE TOOLS
TOOL(S) | DESCRIPTION
Explain how the system stores discrete data elements.
Describe the data management capabilities.
Explain how the system identifies and accesses data.
Identify the communications “handshake” protocol.
Indicate how online communications from source systems are supported.
Indicate whether communications occur in batch or real time mode.
Batch
Real Time
Indicate any algorithms employed.
Provide a list of systems that have been interfaced.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Explain the network control features that can manage this system.
Operations
Describe the tasks routinely performed by computer operators. Indicate the number of hours
per day required for these tasks.
COMPUTER OPERATORS’ TASKS
TASK(S) | DESCRIPTION | HOURS ALLOTTED
Describe the backup procedures.
Does the system provide incremental backups as well as full backups?
Yes
No
Is the system available to customers during the backup process? If not, indicate the length of
time that the system is unavailable.
Yes
No.
Explain any scheduled downtimes. Please enter the time in military format.
SCHEDULED DOWNTIME
DOWNTIME BEGINS | DOWNTIME ENDS | REASON FOR DOWNTIME
Describe the disaster recovery procedures.
Identify the fail-safe capabilities.
Configuration
Explain any limitations to the system configuration.
Identify the maximum number of supported terminals or workstations.
Identify the maximum number of simultaneous customers.
Indicate the number of concurrent customers that would be licensed for the proposed software
modules.
Specify the limits on expansion.
Specify any hardware or software constraints.
Indicate the maximum throughput capacity.
Describe the system performance guarantees.
Detail the physical and environmental requirements. Specifically indicate the following:
Electrical–include KVA ratings, quality of power, and grounding.
Air conditioning–specify BTU and CFM ratings for hardware and totals.
Humidity–acceptable range.
Requirements for electricity, air conditioning, and climate control under emergency
conditions.
Necessary computer room space in square feet.
Requirement for raised flooring.
Power source–special requirements, if any.
Indicate what terminal emulation software is supported or required.
Database
Describe the database.
Explain the database management system.
Describe the file access techniques.
Describe how the database supports referential integrity.
Explain the features for the expansion of files.
Explain the capability for adding storage capacity.
Describe the process required to restructure or reorganize the database.
Indicate the capacity to maintain a consistent vocabulary.
Describe the data locking schemes available.
Describe how cross-mapping capabilities could be extended to manage data.
Define the database security features.
Identify any third-party software that can interface with (List third party software programs).
Describe the multimedia capabilities.
Describe any monitoring tools.
Escrow
Specify the name, address, and telephone number of the company holding the software source
code in escrow.
Name of Company:
Address of Company:
Telephone Number:
Under what conditions may M. D. Anderson access the source code?
If source code is not in escrow, specify the Respondent’s willingness to place the source code
in escrow.
Product Development
Describe the general philosophy and design approach.
Describe the development efforts in progress.
Describe the future development plans.
Describe how customers can influence the direction, schedules, and priorities.
Describe the commitment to remain consistent with the regulatory requirements.
Specify the membership in standards setting committees.
List all previous releases of this product line, giving their estimated and actual release dates.
PREVIOUS RELEASES
VERSION | ESTIMATED RELEASE DATE | ACTUAL RELEASE DATE
Define the stages in the development process.
STAGES OF DEVELOPMENT PROCESS
STAGE | DESCRIPTION
Identify the version number of the system being proposed to M. D. Anderson.
Is this the most recent version number?
Yes
No
Explain how many customer sites are operating on the proposed version.
CUSTOMER SITES IN OPERATION
CUSTOMER SITE | OPERATING SINCE
Indicate which regulatory agencies have reviewed the proposed product. In the second column
enter “Y” if the listed agency has reviewed the product or “N” if the agency has not reviewed it.
In the far right column, enter an “A” if approval was granted.
REGULATORY AGENCIES THAT HAVE REVIEWED PROPOSED PRODUCT
NAME OF REGULATORY AGENCY | Y/N | A
Warranty
Describe the warranty provided.
WARRANTIES
NAME OF WARRANTY | DESCRIPTION OF WARRANTY | LENGTH OF WARRANTY
Specify how warranty problems are addressed.
Support and Maintenance
Describe the hardware maintenance and support services.
Explain whether services are provided under contract or based on time and materials.
Identify the hours of coverage.
Identify the terms of the maintenance contract.
Identify the response or repair time guarantees.
Describe the preventative maintenance policy and procedures.
Identify the primary location from which service will be provided.
Name of Company:
Address of Company:
Telephone Number:
Name of Contact:
Identify charges for maintenance or installation of enhancements and upgrades that are
performed outside of maintenance agreement hours.
ADDITIONAL CHARGES
SERVICE PROVIDED | COST | OVERTIME COST
Explain whether service/support is provided on-site or via dial-up communications.
Describe any conditions or restrictions imposed on M. D. Anderson.
Describe the available development tools, debugging tools, and diagnostic programs.
Describe any available support packages or services.
Indicate whether “hotline” telephone assistance for general usage problems and inquiries is
available.
Yes
No
Specify the days of the week and hours when services are available. Enter time in military
format.
SERVICE AVAILABILITY
DAYS SERVICE IS PROVIDED | HOURS OF SERVICE: FROM | HOURS OF SERVICE: TO
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
Identify the types of service provided.
1.
2.
3.
4.
5.
Clarify any limitations on the types of inquiries or problems covered.
Indicate the typical and maximum time to respond to requests for assistance.
Describe the established escalation procedures that would be instigated in the event that the
problem could not be resolved within an agreed upon time frame.
Indicate whether on-site consulting for special projects is available.
What mechanisms are available for tracking, analyzing, and reporting the calls and problems
reported by a client or multiple clients?
Indicate how elements can gain access to status reports and other information about the calls
and problems that they have reported.
Product Enhancements and Upgrades
Describe the version release history.
Provide the anticipated schedules for future releases.
ANTICIPATED FUTURE RELEASES
VERSION NUMBER / DESCRIPTION | RELEASE DATE
Describe the pricing policies for customized features.
Describe the tracking methods for following the development cycle.
Indicate the cost for installing custom features.
Explain how custom features can be preserved during enhancements and upgrades.
Describe the process for installing enhancements.
Describe the conditions and restrictions on M. D. Anderson for developing enhancements.
Indicate whether the Respondent will guarantee upgrade compatibility of the proposed system,
with future releases of the software, for a minimum of five years. If no, explain.
Yes.
No.
Testing and Validation
Describe the internal testing and quality assurance process.
Discuss any impact to the operational system during the testing and validation phase.
Specify whether the configuration includes a testing region or environment.
Identify the support provided during installation.
Implementation Services
Describe the installation procedure.
Provide the profiles of project management and installation team members. Indicate the
number of previous installs each has completed.
PROFILES OF PROJECT MANAGEMENT / INSTALLATION TEAM
MEMBER, ROLE | PROFILE | NUMBER OF INSTALLATIONS
Specify which team member(s) will be assigned to this installation.
INSTALLATION TEAM
TEAM MEMBER | JOB TITLE | INSTALLATION DUTIES
Describe the project management technique.
Installation Events
Discuss how implementation schedules are established.
Discuss how responsibilities are defined.
Explain the amount of input M. D. Anderson will have.
Provide a representative installation plan listing the tasks, responsibilities, and timetable.
Describe the available installation service level options.
Describe the on-site installation support that will be provided. List the type of person, number
of days, and activities to be performed.
ON-SITE INSTALLATION SUPPORT
TYPE OF PERSON | NUMBER OF DAYS | ACTIVITIES TO BE PERFORMED
Specify the resources that the Respondent expects M. D. Anderson to provide.
Documentation and Training
List the technical, reference, and customer manuals that will be provided. In the far right
column enter “T” to indicate technical manuals, “R” to indicate reference manuals, and “U” to
indicate customer manuals.
PROVIDED DOCUMENTATION MANUALS
NAME OF MANUAL | VERSION | RELEASE DATE | T/R/U
Indicate the frequency of documentation updates.
Provide a brief outline of the contents of the manuals.
Provide representative examples.
Describe the media on which documentation is available.
Customer and System Training
Describe the training plan for the following groups of customers during installation:
TRAINING PLAN DURING INSTALLATION
CUSTOMER GROUP | TRAINING DESCRIPTION
Indicate how many personnel will be trained during installation.
Identify the location of the training.
Name of Company:
Address of Company:
Telephone Number:
Contact Person:
Identify the training materials that will be provided.
1.
2.
3.
4.
5.
Describe any computer-based training.
Other Considerations
Describe the capabilities to support multimedia including the following:
MULTIMEDIA CAPABILITIES
MEDIA TYPE | SUPPORT FOR MEDIA TYPE
Text
Graphs
Voice
Voice Recognition
Still Video
Motion Video
Document Images
Respondent Attachments
Each Respondent should provide standard agreements for the following:
Hardware leasing and purchasing agreements
Software license agreements
Hardware maintenance and support agreements
Software maintenance and support agreements
Consultant agreements
Escrow agreement(s)
Security Specifications
System Auditing
Does an audit capability exist for the system that documents a chronological record of User
events at an application level (e.g., logon, logoff, password change, creation, deletion,
opening/closing files, program initiation, actions by system operators/administrators/security)
against the system (created immediately concurrent with the user)? Is the record
individualized by User?
Does an audit capability exist for the system that documents a chronological record of internal
system housekeeping events?
Describe the audit process within the system related to failed attempts to access data.
Describe the audit trail data storage and retrieval tools available within the system (e.g., triggers,
filters, data retention periods, etc.). Does this storage and tool set consider a common format
and “data store” so as to eliminate the need for multiple filters and reports for viewing
information from multiple processing platforms (e.g., MVS, NT, UNIX, Manual, Microsoft
Windows)? Is the storage on-line or archived? How is storage enabled for retrieval?
Do your required retention periods for audit trail data vary based on the type of data being
stored?
Are the audit records only available to the appropriate system administrators? How is this
done?
Does your audit capability allow for the system administrator to determine compliance with
existing policies and operational procedures?
Do you have a manual audit trail capability for non-electronic environments?
System Access
Can system administrators both easily update and access all User privileges?
Describe the process for responding to repeated failed attempts to access the system.
Describe any auto logoff/timeout features within the system. Does re-authentication involve
password-protected screen savers?
Describe unique user authentication mechanisms (e.g., Biometrics, Password, PIN, Callback,
Token system, etc.) within the system.
Describe the requirements governing password creation (e.g., static, dynamic, length –
minimum 6 characters, disallowed words, difference from ID, etc.), reset and expiry date
available within the system.
Does the application store and secure its own authentication tables and password files? If so,
how are these stored? Plain text? Binary? Encrypted? If encrypted, describe the encryption
schema.
Is the password file secured from view by unauthorized persons (e.g., a shadow password file to
prevent “cracking” the hashed password)? If yes, please describe.
Describe types and levels of emergency and regular access control within the system (e.g.,
user-based (minimally using user-name/password combination), role-based, context-based,
etc.).
Describe the system’s process for determining and managing user access as “old” users leave
and “new” users are added.
Describe how the application is protected from unauthorized/inadvertent modification.
Does the application support “boundaries” for buffer overflow and race conditions so that “out
of bounds” responses will be rejected?
System Breaches
How are security breaches detected? Can a sequence of events affecting information be
reconstructed?
Describe the mechanism(s) (e.g., rule sets, methodologies, etc.) within the system to identify
and report suspicious data access activity.
What process or mechanism is available which provides proof that there was no unauthorized
or trivial access to data?
System Navigation/Logic
Describe the system’s ability to prompt the user about a specific action to be taken or considered
(e.g., warnings, instructions, banners, etc.).
Describe the system’s ability to detect and respond to an abnormal condition within the system
(e.g., alarm, auto-shutdown, restart, etc.).
How is the application source code “CM (Configuration Management)” protected from
unauthorized/inadvertent modification?
System Data Encryption
Does the system support Triple DES 128-bit encryption, the MDACC standard? If an
encryption schema other than Triple DES is utilized in the system, what is the method of
encryption (e.g., Diffie-Hellman, RSA, DES, RC4/RC2, MD5, RMI, https, ssh, Blowfish, SSL
V3, etc.)?
Describe record de-identification and re-identification capabilities within the system (e.g.,
block out fields/data, unblock fields/data, etc.).
Has the sensitivity of the data been defined (e.g., restricted, confidential, none, etc.)? If yes,
by whom?
How is encryption addressed in storage as well as in transit? (e.g., via TCP/IP connection, FTP,
etc.) How are the ID and password transported from the requesting client to the application
and/or database (e.g., if over TCP/IP, is at least SSL V3 being used)?
System Data Integrity
Describe data authentication capabilities available within the system that address altering or
destroying data in an unauthorized manner (e.g., checksum, double keying, message
authentication codes, digital signatures, etc.).
Describe how code sets are received, validated and upgraded within the system. (e.g. ICD-9,
CPT-4, NDC, CDT, future ICM-10 and CPT-5, etc.).
Web Security
Is Java or JavaScript used? If yes, please describe security criteria, use of Java applet(s),
enabling of Java Security Console, development/use of accepted “trusted applet”
methodologies and applet(s) signature.
Is active content filtering enabled? If yes, please describe how active filtering is accomplished
with web-based input and output (including both Internet and Intranet). What active content
filtering tool is used and how is it configured (i.e., security settings)?
Please respond to the section below if access to Protected Health Information (PHI) is a
consideration with this system.
Access to Protected Health Information (PHI)
Have the rules for access to Protected Health Information (PHI) been defined? If yes, by
whom and how are these rules secured? Who can change the rules and how can they be
changed?
Describe how rules regarding access to PHI can be customized within the system.
Describe the system’s ability to set flags/alerts on PHI, such as patient accounts (e.g., amended
data, “No release of information”, inpatient vs. outpatient data, etc.).
Has the access for sensitive PHI been analyzed and made secure over the entire connectivity
spectrum (e.g. server, host, network, application, database, dataset, web)?
How is the PHI in the database partitioned so that only certain users can see what they have
been designated to see by the PHI owner?
Describe how PHI (e.g., psychotherapy note) is categorized and protected within the system at
the record level, document type level and password level.
Does the system have the capability to identify the PHI, the action, the who, (i.e., User ID), the
what against that information, the purpose of the access, the success of the event, the specific
(where possible) data accessed, and the date/time stamp for that action?
When accessing PHI, will the provider facility, the requestor’s unique user ID and the accessed
patient’s database record name be audited and recorded in addition to the requirements in (7)
above?
Describe system capabilities to support HIPAA standards for identifiers, such as:
Health Care Providers (NPI – National Provider Identifier) – proposed: 10 digits with
check digit;
Employers (EIN – Employer Identification Number) – proposed: 9 digits, no check digit
(possibility of being IRS Taxpayer Identification Number);
National Health Plans (Plan ID) – proposed: 10-digit number with check digit.
Please respond to the section below if use of an Application Service Provider (ASP) model is being
considered.
Application Service Provider (ASP) Considerations
Provide a detailed network architecture diagram, including:
Main components of the ASP solution
Any communication channels between ASP and MDACC (i.e. port numbers, protocol
type, private link or over Internet, etc.)
Firewall architecture (hardware/software vendors, patch process, and business rules
update change mgmt process)
Intrusion detection products
Operating system platforms, databases, and applications
Network layout
What is your process for securing operating system platforms on which the application
components reside?
What controls are in place to ensure that the latest version of the Operating System (OS) is
installed with all the necessary and latest security patches and fixes?
Describe your OS update process, including service level agreements related to security hot fix
deployments.
Do you receive security vulnerability advisories from organizations such as CERT, Bugtraq,
etc.? If yes, what actions are taken on these advisories?
Describe how administrators/data owners both from MDACC (if required) and ASP get access
to the servers for maintenance and updates.
Describe your incident response process, including notification to MDACC of incident.
Describe your process to totally erase or destroy any and/or all copies of MDACC data should
the need arise (e.g. permanent dissolution of business relationship).
Describe how the devices (e.g. servers, routers, and firewalls) host MDACC data (e.g.
dedicated or shared with other customers). If the devices are hosting other customer data, what
has the ASP done to ensure that other customers cannot access MDACC data?
Does the ASP have published security policies and procedures that can be shared with
MDACC?
Has the ASP undergone a penetration or vulnerability assessment of your environment
performed by a recognized third party? If so, can the ASP provide a copy of the assessment
results? If not, would the ASP be willing to have an assessment conducted?
Does any component of this application require you to outsource to another vendor?
If yes, provide the vendor(s) name.
If yes, has ASP’s vendor undergone a penetration or vulnerability assessment of your
environment performed by a recognized third party? If yes, can the vendor provide a copy of
the assessment results? If no, would the vendor be willing to have an assessment conducted?
Describe the ASP’s separate physical/logical environments for development, testing and
production, as applicable.
Does the ASP have a documented and established change control program? If yes, please
provide a copy.
Describe how the ASP will protect customer data from staff, such as employees and contractors,
who should not have access to the data.
Identify any other parties who would have access to the sensitive company data other than the
authorized company personnel.
Describe the ASP’s backup procedures for routine/regular backups of customer data or the
entire data center to an off-site facility.
Does the ASP have a disaster recovery plan? If yes, please provide a copy.
Has the ASP ever participated in an SAS70 or similar audit by third party? If yes, please
provide copy of auditor’s report.
Functional and Technical Requirements
All statements made regarding the detailed functional and technical requirements in response to this RFP
shall be considered as contractual commitments in the event that the Respondent’s system is selected.
Respond to each of the items in the following section to ensure that the functionality of the
Distribution Services as proposed and priced in this RFP response is accurately reflected. Use
the table below to respond with the following codes.
QUESTION RESPONSE CODES
CODE DESCRIPTION
Y The standard system provides this feature. This requirement can be demonstrated at an
installed client site in general release. Indicate the version number in the comment field.
B This requirement is currently in beta testing. Indicate beta site and expected general release
date in the comment field.
D This requirement is currently under development or is in alpha testing. Indicate general
release date in the comment field.
M This requirement is not in the standard system, but there is no charge for a change to meet
this specification. Indicate the date of availability to M. D. Anderson in the comment field.
C This feature is available at cost additional to that specified in Pricing Schedule. Indicate the
cost in the comment field.
F This feature can be configured at no additional cost, using the standard system.
N This requirement is not available.
T This requirement is available through a third party software supplier. Indicate the supplier
in the comment field.
Note: Where the specification is only partially satisfied by the standard or proposed custom changes,
specify in the Comments column which parts are satisfied and which parts are not.
FUNCTIONAL AND TECHNICAL REQUIREMENTS
REQUIREMENT RESPONSE COMMENTS
Describe your system’s package tracking
capabilities from carrier drop-off at dock to
final customer destination in the institution,
including all change of ownership.
Describe your email notification processes
to inform customer when package arrives
on our dock (with information about
expected delivery time, numbers to call for
special handling requests, tracking
information, etc).
Does your email notification process
interface with Lotus Notes?
Describe your technical requirements for
email notifications.
Does your product provide a web based
tracking system for customers to inquire
about the status of a package?
Describe the search criteria that can be
used for web based searches of package
location (internal tracking number, carrier
tracking name, customer name, etc).
Does your system provide the functionality
to allow M. D. Anderson personnel to
modify screens displayed through a client
interface? If so, please describe.
Describe your system's functionality to
allow M. D. Anderson personnel to modify
screens displayed through a client
interface.
Does your system provide the functionality
to allow M. D. Anderson personnel to
modify screens displayed through a web
interface?
Describe your system's functionality to
allow M. D. Anderson personnel to modify
screens displayed through a web interface.
Describe handheld technology used (Palm,
Symbol, Pocket PC, etc) with your system.
Describe your handheld technology
warranties.
Describe the expected lifespan of your
handheld technology.
Describe your customer service phone
center processes, including SLAs.
Does your customer service center provide
web based interactive support?
Describe your customer service center’s
web based interactive support capabilities.
Does your customer service center have a
web based knowledge-base available to
customers?
Describe your customer service center’s
web based knowledge-base available to
customers.
M. D. Anderson has a need to support
tracking and delivery of 1500+ packages
daily to our 12,000 employees. Please
describe your largest implementation
including number of packages delivered
and number of transactions per day.
Describe your delivered processes for
maintaining employee location
information.
Is downtime required for the maintenance
of employee location information?
How much downtime is required for the
maintenance of employee location
information?
Does your system provide the ability to
support multiple receiving docks?
How many receiving docks is your system
capable of supporting?
Describe the steps necessary to add
additional receiving docks and/or receiving
personnel in your system.
Provide details on system modifications
needed and additional costs incurred as a
result of adding new receiving docks
and/or receiving personnel.
Describe how your system is able to
support package categorization and custom
labeling based on unique requirements of a
medical facility (Perishable, Control,
Special Handling, etc).
Describe delivered reporting capabilities.
Describe the processes and requirements
necessary for M.D. Anderson staff to build
additional reports for use by client based
users through your supplied interfaces.
Describe the processes and requirements
necessary for M.D. Anderson staff to build
additional reports for use by web based
users through your supplied interfaces.
Are there any requirements for purchasing
hardware (servers, handhelds, handheld
cradles, printers, etc) from your
organization?
Describe any requirements for purchasing
hardware (servers, handhelds, handheld
cradles, printers, etc) from your
organization.
Are there any requirements for purchasing
supplies (ink, toner, labels, etc) from your
organization?
Describe any requirements for purchasing
supplies (ink, toner, labels, etc) from your
organization.
Describe the support and turnaround time
provided for hardware issues.
Describe the support and turnaround time
provided for software issues.
Describe the processes required for
integration of your system with the Lawson
Materials Management System.
Is your system capable of utilizing vendor
provided EDI (ANSI X12) data to
enhance the receiving process?
Please describe the functionality provided
for each EDI transaction set you support.
M. D. Anderson would like to maintain
three years of tracking data online and
easily accessible. Describe your ability to
provide this and any impact it may have on
system performance.
Describe the requirements for obtaining the
database schema/model for your product.
Describe your system's ability to support
the handling of special packages (ability to
setup a watch for a special package, special
delivery notifications and instructions, etc).
Describe system security requirements for
providing users access to the system.
Describe the various levels of authority
that can be granted to users based on
job/functional requirements.
Section 3—Pricing Schedule
Each Respondent must specify whether Distribution Services meets the functional criteria within this
document. If the Respondent represents the function as being supported, all hardware and software
or other items required, irrespective of the Respondent involved, to make the feature operational
must be included in the cost quotes. Otherwise, M. D. Anderson will deem the feature to be a
standard part of the Distribution Services and the feature will be provided to M. D. Anderson at no
additional cost. The Respondent shall also specify whether the prices quoted include freight charges.
Hardware and Software Costs
Specify the cost of each component by model number. The effect of any educational or other
price reductions should be clearly noted.
HARDWARE AND SOFTWARE COSTS
COMPONENT | MODEL NUMBER | COST | REDUCTION | COMMENT
Specify the total freight costs. All charges for freight shall be FOB M. D. Anderson.
Specify the cost of the operating system software for the proposed build/configure and the
number of licensed customers included in the quote.
Cost of Operating System:
Number of Licensed Customers:
Provide the cost of each module required in order to meet the functionality requested.
MODULE COSTS
MODEL NUMBER COST COMMENT
Specify what pricing alternatives are used for software licensing:
Per individual customer
Per department
Unlimited customers or site license
Source code purchase
Indicate the term for which the software licenses apply:
Perpetual use
Renewable - specify number of years of use.
If the number of workstations were to increase in the future, in the far left column of the table
below, state what software modules would require an increase in customer licenses. In the
center column, indicate the cost of the license per customer for each software module affected.
In the far right column, indicate the cost of a license for an unlimited number of customers.
MODULES REQUIRING AN INCREASE IN CUSTOMER LICENSES
SOFTWARE MODULE | NUMBER OF WORKSTATIONS | COST PER CUSTOMER | COST UNLIMITED CUSTOMERS
M. D. Anderson intends to use the HCI interface engine to write interfaces to the Distribution
Services. Provide the costs for any assistance that will be needed to allow M. D. Anderson to
effect on-line, real-time communications and data transfer between the Distribution Services
and the HCI interface engine.
List any other cost that would be incurred by M. D. Anderson with interfaces using the HCI
interface engine.
State the pricing policies related to interface design, development, installation, and support.
State all billing terms for hardware, software, or other proposed products and services.
Escrow Costs
Specify the annual cost, if any, for escrow services.
Specify the cost for acquiring the source code from escrow.
Support Costs
Provide the hardware and software maintenance costs for the Distribution Services and all
foreign system interfaces requested, based on:
SUPPORT COSTS
DAYS OF COVERAGE | HOURS OF COVERAGE | HARDWARE COST | SOFTWARE COST
5 days/week (M-F) | 10 hours/day (8am-6pm)
7 days/week | 24 hours/day
Specify any additional charges that M. D. Anderson would incur for maintenance and support,
such as re-billing for telephone and travel expenses.
1.
2.
3.
4.
5.
Specify the billable rate for providing maintenance or support services outside the contract
hours.
Describe any additional fees that might be incurred relative to product support.
Specify the billable rate for on-site consulting.
Specify whether travel expenses would be re-billed.
Yes.
No.
Specify the charges for which M. D. Anderson would be responsible, associated with the
installation of Distribution Services, including:
M. D. ANDERSON PAYMENT RESPONSIBILITIES
SERVICE PROVIDED COST COMMENTS
Project Management Services
Customer Training and Travel Expenses
Customer Manuals
Hardware and Software Documentation
Respondent Installation Personnel Travel and Expenses
Hardware Installation
Software Installation
Enhancement and Upgrade Costs
Describe the process by which new version releases are installed. Include media used,
documentation and support supplied, average time to implement, on-site requirements, and any
additional cost for software upgrades only.
If new releases are available for additional charges, specify the costs.
NEW RELEASES
RELEASE DATE MODULE NAME VERSION NUMBER COST
Describe any charges associated with modifying Distribution Services to keep it consistent
with changes and regulatory requirements in the healthcare industry.
Installation
Describe any installation service level options that are available. List the price for each.
INSTALLATION SERVICE LEVEL OPTIONS
INSTALLATION SERVICE DESCRIPTION COST
Training
Describe any training offered, including location and materials. List all fees.
TRAINING OFFERED
COURSE | COURSE DESCRIPTION / MATERIAL PROVIDED | LOCATION | COST