A State, through the Department of Administrative Services, Office of Procurement Services, for the State’s Department of Health is requesting proposals for:
Health Care Cybersecurity Readiness
RFP ISSUED: June 2, 2021
INQUIRY PERIOD BEGINS: June 2, 2021
INQUIRY PERIOD ENDS: June 23, 2021 at 8:00 a.m.
PROPOSAL DUE DATE: June 30, 2021 by 1:00 p.m.
THIS SOLICITATION CONTAINS AN EMBEDDED MINORITY SET-ASIDE COMPONENT
EXECUTIVE SUMMARY
BACKGROUND.
In October 2020, the Federal Bureau of Investigation warned healthcare institutions that cybercriminals may utilize various efforts to extort healthcare information systems, aiming to cause disruption and potentially seek financial gain. This can occur through ransomware, which can deny verified users access to the healthcare system's data until the targeted system pays the ransom. This threat can greatly hinder a system's ability to respond during the current public health and healthcare surge. These threats could potentially limit the ability of healthcare organizations to communicate with their healthcare providing partners and outside entities, like the Department of Health. Discussion regarding how to reduce threats, identify duplicative communication, and continue standard/critical functions during health emergencies and non-emergent events will help stakeholders, including healthcare coalitions, understand opportunities to mitigate cybersecurity threats and reduce impacts.
OVERVIEW.
Healthcare and public health entities are potential targets for malicious cyberattacks that could result in disruption of healthcare services, particularly during a medical surge. This work will encourage additional action and support to prepare for and reduce potential impact of such attacks.
OBJECTIVES.
This project will convene healthcare and public health entities across the State to examine cybersecurity considerations associated with the interruption of Healthcare Infrastructure elements initiated by cyber disruptions. This facilitated discussion will identify opportunities for healthcare and public health organizations to reinforce healthcare or clinical infrastructure to reduce possible threats.
The webinar will focus on Hospital Preparedness Program (HPP) Capabilities:
1. Foundation for Health Care and Medical Readiness;
2. Health Care and Medical Response Coordination;
3. Continuity of Health Care Service Delivery; and
4. Medical Surge
Additionally, Public Health Emergency Preparedness (PHEP) Capabilities:
1. Emergency Operations Coordination;
2. Emergency Public Information & Warning;
3. Information Sharing; and
4. Medical Surge
WORK REQUIREMENTS
I. SCOPE OF WORK.
A. The Contractor must provide overall contract management for the tasks in the Contract, including the day-to-day management of its staff and coordinating with State staff as pertaining to their assignment to the Contract.
B. The Contractor must provide administrative support for its staff and activities.
C. Throughout the Contract, the Contractor must employ ongoing contract management techniques to ensure a comprehensive Work Plan is developed, executed, monitored, reported on, and maintained.
D. The Contractor will be responsible for performing all of the Work necessary to fulfill the requirements of this Contract.
E. Develop a timeline for the development of materials for Health Care Preparedness Cybersecurity Readiness virtual webinar(s) that include resources for participants, surveys, registration forms, evaluations, and any other information needed to facilitate the webinar(s) to be approved by the Agency. The timeline must also include the proposed event date to be approved by the Agency.
F. Attend/conduct conference calls every other week with the Agency, for planning, to provide action items for next steps, and follow up activities.
G. Develop a draft resource packet for participants to utilize to increase understanding of risk mitigation steps, cybersecurity best practices and other key information. Draft documents must be provided to ODH more than 30 days before the virtual webinar to allow time for review and finalization. The final resource packet must be provided more than 10 days before the virtual webinar takes place.
H. Share initial communications for the event in coordination with the Agency no later than 60 days prior to the webinar.
I. Coordinate and facilitate a virtual stakeholder webinar, to be no longer than one business day (8 hours), with healthcare professionals from all seven healthcare coalition regions and their public health counterparts within the state, to improve the facilities' understanding of key cybersecurity concepts that identify strengths and weaknesses, promote change in attitude and perceptions, and enhance the overall cyber response posture and collective decision-making process. This includes, but is not limited to, sending invitations, registration, resource development, agenda, minutes/notes, evaluation of meetings, and assessment of meeting. Note that the Agency will provide a list of participants and their contact information to the Contractor.
Additionally, this webinar will serve to:
1. Create an opportunity for public and private Healthcare Industry stakeholders to explore and address cybersecurity challenges.
2. Foster an understanding of the dependencies and interdependencies amongst information technology, business continuity, crisis management, and physical security functions.
3. Observe and evaluate cyber incident response protocols.
4. Identify shortcomings or gaps in demonstrated capabilities or current plans, policies, and procedures.
J. Develop materials to be distributed prior to or during the webinar to further facilitate learning, increase engagement, and provide resources for increased cyber awareness and risk mitigation.
K. Develop a briefing of the webinar, participants, outcomes, ideas presented and recommendations for follow up activities.
L. Develop a pre-event survey and post-event evaluation survey to share with participants. Both surveys must be offered electronically and be approved by the contract manager, and their raw data must be shared with a legend in Excel format.