UI Health Care

Health Care Information Systems

Technical Operations

IT Assessment Questions

Revised: 5/5/16

The University of Iowa Hospitals and Clinics/UI Health Care (UIHC) has a full-service information technology department (Health Care Information Systems). This document outlines a baseline of UIHC's technical services platform standards for review by vendors with regard to purchasing and implementing enterprise and departmental systems.

Answer all questions that apply to your solution. For items that do not apply to your solution indicate ‘Not Applicable’ or ‘NA’ as a response, and provide an explanation when necessary. These standards, if proven difficult or impossible given the vendor options, will provide enough substantiation to reject the given vendor option.

SUMMARY OF SOLUTION/SYSTEM

  • Provide a high level summary of the system or solution that is being proposed to the UIHC.

RESPONSE:

HARDWARE PURCHASING

  • All computer hardware is purchased separately from software. The UIHC has a process in place for computer hardware procurement.

Does your solution allow for the UIHC to purchase all hardware?

___ YES ___ NO ___Not Applicable

Please explain:

SOLUTION TYPE

  • Is your proposed system

___ A Cloud or Hosted solution only

___ An On-Premise solution only

___ A hybrid model that offers both Cloud and On-Premise solutions

CLOUD BASED OR HOSTED SOLUTION

  • What is the maximum latency your cloud or hosted application solution can tolerate and still function effectively?

RESPONSE:

  • What is the minimum bandwidth your cloud or hosted app requires to function?

RESPONSE:

  • What port(s) and protocol(s) are required for your cloud or hosted app to function properly?

RESPONSE:

  • Describe your Internet connectivity, including who your Internet Service Provider(s) (ISP) is and the level of redundancy you have in place.

RESPONSE:

  • What does the ISP offer in terms of physical and systems security?

RESPONSE:

  • What security controls are in place from a facility perspective?

RESPONSE:

  • What uptime and performance Service Level Agreements (SLAs) does the ISP offer?

RESPONSE:

  • Does the ISP offer 24-hour customer service/support?

RESPONSE:

  • What options do we have for monitoring/visibility?

RESPONSE:

  • Is the ISP compliant with FISMA, PCI DSS, HIPAA, SOX, GLBA, NERC CIP, or other regulations that are relevant to our industry?

RESPONSE:

  • Do you provide a hosted sandbox/test environment for evaluation and user pilot?

RESPONSE:

  • What is your disaster recovery design if the software, data or content is corrupted or site is exploited?

RESPONSE:

  • What is your security exploit patching process?

RESPONSE:

  • What is your reimbursement for business impact due to service level failure including security exploit?

RESPONSE:

IDENTITY MANAGEMENT/AUTHENTICATION

  • UIHC uses various tools to manage system authorization.

Does your software use an API or another programmable interface to support identity management access automation?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC uses Microsoft Active Directory (AD) as our preferred authentication Single Sign On solution.

Does your system support application authentication using AD?

___ YES ___ NO ___Not Applicable

  • UIHC uses self-signed certificates to enable secure Lightweight Directory Access Protocol (LDAP) authentication.

Does your solution support secure LDAP and the loading of self-signed certificates?

___ YES ___ NO ___Not Applicable

  • If not through AD/LDAP, describe the authentication mechanism; include minimum requirements.

RESPONSE:

  • How do users and security settings get created in your system?

RESPONSE:

  • In previous installations, who is typically the one to create the users, profiles, and security settings?

RESPONSE:

OPERATING SYSTEM

  • Does your software run on a Windows or Linux Operating System?

RESPONSE:

If Linux:

  • UIHC uses Red Hat Linux, either 5.11, 6.6 or 7.0, as their preferred Linux operating system.

NOTE: Within the major Red Hat releases (e.g. 5.X, 6.X, 7.X), Red Hat guarantees API compatibility, meaning that an application ‘certified’ to run on 6.1 will run on any 6.X release. While CentOS is simply a re-compile of Red Hat sources and is functionally the same, it comes with no support and will not be used by UIHC.

Will your solution work on this platform/OS?

___ YES ___ NO ___Not Applicable

  • UIHC utilizes Red Hat’s Yum Update service via the University Satellite Server as our update-management solution. This can be done either manually or scripted and rebooted. The updates will be applied on a monthly basis. This will require a monthly downtime of at least 30 minutes.

Will your solution operate in this environment?

___ YES ___ NO ___Not Applicable

  • UIHC uses Kerberos authentication for local users on the Linux system.

Does your solution work with this authentication?

___ YES ___ NO ___Not Applicable

  • Does the application run as root?

RESPONSE:

  • If the application runs as root, explain why this is needed.

RESPONSE:

  • If the application needs a separate UID, explain the requirements.

RESPONSE:

  • Does your company require a login?

___ YES ___ NO ___Not Applicable

If YES, do you need root/pseudo access?

___ YES ___ NO ___Not Applicable

If YES, please explain why.

RESPONSE:

  • UIHC uses IBM TSM for UNIX/Linux as our enterprise backup solution.

Does the application work with IBM TSM?

___ YES ___ NO ___Not Applicable

Are there special backup considerations that cannot be addressed by the IBM TSM product?

___ YES ___ NO ___Not Applicable

Please explain:

Does the application allow for quiesce of any databases for clean backups?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC monitors its UNIX/Linux environment with IBM ITM. This monitors FS / CPU / Memory etc.

Can your software co-exist with these and similar monitoring agents on the host system?

___ YES ___ NO ___Not Applicable

If Windows:

  • UIHC utilizes Microsoft’s Windows Server Update Service (WSUS) as our update-management solution. The servers are configured to accept all relevant updates and auto-restart at the completion of the scheduled updates.

Can your solution operate in this environment?

___ YES ___ NO ___Not Applicable

  • UIHC uses IIS as its preferred web server.

If you require a web server, but do not use IIS, explain why your solution deviates from this.

RESPONSE:

  • UIHC uses EMC Avamar as our enterprise backup solution.

Does your application work with this backup solution?

___ YES ___ NO ___Not Applicable

Are there special backup considerations that cannot be addressed by the Symantec NetBackup product?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC monitors their environment with a combination of tools such as SCOM (for Windows), Dell OpenManage (for hardware), vCenter Operations Manager (for VMware), and Accelops (for additional systems monitoring).

Can your software co-exist with these and similar monitoring agents on the host system?

___ YES ___ NO ___Not Applicable

SERVER HARDWARE CONFIGURATION

  • UIHC uses VMware v5.5 as their preferred hypervisor.

Does your system support virtualization with VMware?

___ YES ___ NO ___Not Applicable

  • UIHC uses Dell hardware with redundant components such as power supplies, processors, and network interface adapters.

Will your solution work using Dell hardware?

___ YES ___ NO ___Not Applicable

If NO, and your solution requires the use of different hardware, who is the vendor?

RESPONSE:

How is support handled?

RESPONSE:

Who is responsible for the monitoring and management of this hardware?

RESPONSE:

  • UIHC uses Windows Server 2012 R2 as its preferred operating system.

Is there a reason why this operating system version would not work with your solution?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC uses adapter teaming with their server deployments.

Does your solution handle adapter teaming?

___ YES ___ NO ___Not Applicable

Are there any special configuration settings that should be considered?

___ YES ___ NO ___Not Applicable

Please explain:

  • Describe the supported method(s) for automated updates of server-side application components (for new application versions, bug fixes, etc). List supported methods for each type of server within your solution, including Citrix Presentation Server / XenApp, and explicitly state which server-side components must be manually updated.

RESPONSE:

NETWORK ARCHITECTURE

  • Provide a block diagram showing systems and network architecture, data flows, etc.

RESPONSE:

  • UIHC does not permit extensions of its communications backbone (i.e. additions of third party AP’s, switches, firewalls, etc.).

Can your solution be implemented in this type of environment?

___ YES ___ NO ___Not Applicable

  • Detail all network communication port and protocols utilized.

RESPONSE:

  • The UIHC communication backbone contains numerous networks across geographic locations. Individual VLANs do not traverse telecommunication rooms or locations.

Does the solution have any specific architectural restrictions regarding VLANs, IP address subnet sizes for the device and/or servers?

___ YES ___ NO ___Not Applicable

Please explain:

  • Describe the solution's interaction/integration with DHCP and DHCP products, including requirements and limitations.

RESPONSE:

  • Does your system require DHCP reservations or static assignments?

___ YES ___ NO ___Not Applicable

Please explain:

  • Describe the solution's interaction/integration with DNS and DNS products, including requirements and limitations.

RESPONSE:

  • Does the solution use any wireless communication methods? (Infrared, Bluetooth, Radio Frequency, etc.)

___ YES ___ NO ___Not Applicable

Please explain:

  • If wireless RF is used, is an FCC license required to operate devices within our facility?

___ YES ___ NO ___Not Applicable

  • Describe in detail the solution's wireless capabilities. (802.11a/b/g/n)

RESPONSE:

  • Describe in detail the solution's wireless encryption and authentication capabilities. (WPA2-PSK, WPA2-Enterprise, AES, etc.)

RESPONSE:

  • Describe the application and monitoring networking requirements, both wired and wireless.

RESPONSE:

  • Can the device be monitored via SNMP, WMI, Syslog?

___ YES ___ NO ___Not Applicable

If YES, which and what version?

RESPONSE:

  • Are the SNMP community strings hard set or configurable?

RESPONSE:

  • Does your platform support Quality of Service?

___ YES ___ NO ___Not Applicable

If YES, explain in detail how your traffic is marked (control, payload, etc).

RESPONSE:

  • Does the platform/solution utilize multicast or directed broadcast for communications? Include additional details on the nature of this traffic (PIM Sparse Mode, PIM Dense Mode, any mechanisms for forwarding directed broadcast traffic to other networks, etc.).

RESPONSE:

  • Does the platform/solution support IPV4 public and private (RFC 1918) addressing?

___ YES ___ NO ___Not Applicable

  • Does the platform/solution support IPV6?

___ YES ___ NO ___Not Applicable

  • Provide any EAP/Supplicant capabilities of the platform/solution.

RESPONSE:

CLIENT SOFTWARE APPLICATION

  • Does your application support being installed on a non-Default Web Site and a custom wwwroot path?

___ YES ___ NO ___Not Applicable

  • Provide a proposed implementation plan consistent with the provided UIHC configuration and architecture.

RESPONSE:

  • How are updates to the software deployed?

RESPONSE:

  • Does your solution require any third-party software (i.e. Java, Flash, Quicktime, Visual Studio, .Net Framework, etc.)?

___ YES ___ NO ___Not Applicable

If YES, identify what software is required and what versions are approved.

RESPONSE:

Describe how they are patched (interval, management tools, etc.)

RESPONSE:

Do you agree to accept and support all security updates released for dependent 3rd party components?

___ YES ___ NO ___Not Applicable

  • Describe any data export functions.

RESPONSE:

What formats are available?

RESPONSE:

  • Describe any data archiving functions.

RESPONSE:

  • Describe the system's auditing capabilities.

RESPONSE:

  • Describe user auditing functions.

RESPONSE:

  • What capacity does your software have to provide remote access to the application to users?

RESPONSE:

  • Describe any mobile device integration.

RESPONSE:

  • To what extent are you involved during installation?

RESPONSE:

  • From your experience, how many resources would be required by us to implement this project (one staff member for two weeks, etc.)?

RESPONSE:

DESKTOP HARDWARE CONFIGURATION

  • UIHC uses Dell desktop hardware with the minimum specification being an Intel I5 processor with 4GB memory all the way up to the current manufacturer specification.

Will your solution work in this environment?

___ YES ___ NO ___Not Applicable

Please explain:

  • Does your system require client software to be deployed to workstations in order to access the data?

___ YES ___ NO ___Not Applicable

If YES, do you have an MSI package available?

___ YES ___ NO ___Not Applicable

Please explain:

  • Is your client software supported on Macintosh OS?

___ YES ___ NO ___Not Applicable

  • UIHC uses Windows 7 x64 bit Enterprise and Mac OS X current and 1 previous (i.e. 10.10 and 10.9) versions as their preferred operating systems.

Does your solution at a minimum support these OS’s?

___ YES ___ NO ___Not Applicable

What additional OS versions are supported?

RESPONSE:

  • UIHC uses Microsoft Internet Explorer 11 and Firefox or Chrome versions that are kept up to date as preferred web browsers for Windows and the current version of Safari or Firefox as preferred web browsers for Mac.

Is there a reason why any of these web browsers would not work with your solution?

___ YES ___ NO ___Not Applicable

What additional browser versions are supported?

RESPONSE:

  • UIHC utilizes Microsoft’s System Center Configuration Manager (SCCM) as our Windows update management solution, with full updates being released every 3rd Friday of the month and out-of-band (critical) patches delivered as necessary.

Can your solution operate in this environment?

___ YES ___ NO ___Not Applicable

Do you agree to accept and support all Microsoft released security updates?

___ YES ___ NO ___Not Applicable

  • UIHC utilizes Secunia to patch third party applications such as Adobe Flash, Shockwave, Acrobat, Apple QuickTime, Mozilla Firefox, Java and other applications.

Can your solution operate in this environment?

___ YES ___ NO ___Not Applicable

  • UIHC utilizes Casper Suite for Mac as our Macintosh update management solution. Updates are delivered to these systems on an as-needed basis and could prompt for a possible restart.

Can your solution operate in this environment?

___ YES ___ NO ___Not Applicable

INTERFACES

  • Describe the message coding standard and transport protocol supported (i.e. HL-7 and XML data interface through an Ethernet TCP/IP sockets connection).

RESPONSE:

What version?

RESPONSE:

  • UIHC utilizes Cloverleaf as its interface engine.

Can your system work with Cloverleaf, if any interfaces are required?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC utilizes Connexall as its middleware solution for secondary alarm management.

Can your system work with Connexall, if any middleware is required?

___ YES ___ NO ___Not Applicable

Please explain:

  • Has your application ever been integrated with Epic before?

___ YES ___ NO ___Not Applicable

If YES, is it a real time interface to Epic?

RESPONSE:

  • What types of interfaces are available on your application?

RESPONSE:

DATABASE

  • UIHC uses Microsoft SQL Server Enterprise Edition as our preferred database solution. We run several data maintenance plans that shrink, reorg, check database integrity, update statistics, and perform full database backups.

Will these maintenance plans interfere with the effective operations of your database?

___ YES ___ NO ___Not Applicable

Please explain:

Do you have your own maintenance plan requirements?

___ YES ___ NO ___Not Applicable

Please explain:

  • What size database(s) and data growth rate is specified for an environment of our size?

RESPONSE:

If user counts change how do we calculate those specifications?

RESPONSE:

  • How is archival of data accomplished to facilitate efficient use of storage versus legal requirements and solution performance?

RESPONSE:

  • What additional features of MS SQL will need to be installed (i.e. Reporting Services, SSAS, SSIS, Full Text Indexing, etc)?

RESPONSE:

  • Is it required that user authentication/authorization be passed to the database, or does a service account access the database for all application-to-database integration?

RESPONSE:

  • If MS Reporting Services is required, do you recommend the environment have separate physical servers for RDBMS vs. Reporting Services?

RESPONSE:

  • Is there any need for clients to connect directly to the SQL Server or does all communication with the SQL Server go through a web, application or other server?

RESPONSE:

ENTERPRISE STORAGE AND FABRIC MANAGEMENT

  • UIHC utilizes Brocade Fibre Channel SAN switches in a Core-Edge topology. Core switches and most edge switches are 16 Gb/sec capable with some racks only supporting 8 Gb/sec speed. All switches support auto-negotiate down to 2 Gb/sec.

Can your system work in this environment?

___ YES ___ NO ___Not Applicable

Please explain:

  • UIHC uses EMC VMAX enterprise class storage mainly for its WinTel environment and IBM SVC for its Epic and AIX systems.

Can your system work in this environment?

___ YES ___ NO ___Not Applicable

Please explain:

  • CIFS/SMB and NFS clients must be able to use Isilon OneFS storage infrastructure for file storage. NFS clients are encouraged to use DNS configuration in order to better handle node reboots on the NAS.

Can your system work in this environment?

___ YES ___ NO ___Not Applicable

Please explain:

  • All HBA driver/firmware and host software must maintain EMC or IBM supported levels and be kept up to date in order to run effectively.

Does your system meet these requirements?

___ YES ___ NO ___Not Applicable

Please explain:

  • Storage Virtualization services are available using EMC’s VPLEX distributed volume architecture and IBM’s Storwize Virtualization Center (SVC). IBM’s SVC is a more mature and robust system which allows for replication operations. Each system provides data center resiliency and Active/Active host I/O including ESX support.

Is data replication between data centers required?

___ YES ___ NO ___Not Applicable

If YES, does the application support Synchronous mirroring?

___ YES ___ NO ___Not Applicable

Are point in time copies required?

___ YES ___ NO ___Not Applicable

If YES, how many?

RESPONSE:

Will the point in time copies need to be Application Consistent or Crash Consistent?

RESPONSE:

  • SAN Fabric health is monitored using the Brocade Network Advisor product. This product allows UIHC to monitor host activity, initiator driver/firmware version, topology maps and firmware repository management.

Can your system work in this environment?

___ YES ___ NO ___Not Applicable

Please explain:

LOAD BALANCING AND HIGH AVAILABILITY

  • UIHC uses a combination of the F5 BIG-IP product suite to provide hardware load balancing services and Microsoft Cluster Services (MSCS) to provide a highly available systems environment.

Do you use one or both of these services with your solution?