Clarification to Bidders Batch no.: 3 RFP No. 38/S/HAAD/PT/ Patient ID Authentication Clarification issue date : 17-Jan- 2015

Transcription

1 Q. S/R Questions & Answers 1. Q. Page 12 of the RFP requests that the service should Procure, configure and deploy related hardware and communication infrastructure at the HAAD specified data Centre, can HAAD please clarify if costing for this infrastructure should be provided by the bidder? Or will HAAD procure the infrastructure?? A: Yes, it should be provided by bidder. Bidder should supply and deploy whole solution with proper rack space, physical connectivity, sufficient storage, monitoring and performance systems 2. Q: Will all networking equipment such as load balancers, switches etc., which are considered as standard equipment within a data Centre required to be supplied by the bidder or will HAAD provide this hardware?? A: Bidder will be able to use HAAD network and security infrastructure only, all remaining solution should be provided and deployed, managed by the vendor for three years. And also Bidder will be responsible for any expansion, enhancements and integration with existing HAAD infrastructure. 3. Q: Page 13. Article 3 Results to be achieved by delivering this project Sample Healthcare entity application that integrates to the HAAD standard proxy API, Can HAAD provide the scope of sample healthcare application that needs to be developed? Should the sample application be a web application that can integrate with the HAAD standard proxy API and no other capability such as health information management needs to be developed by the bidder? A: The objective of the sample end-user application is to help the Healthcare Entities to integrate their systems with HAAD standard proxy API. It should provide a working example of the use of all functionality available within the HAAD Standard proxy API with documented source code. The application needs to demonstrate the connectivity and 1 / 8

2 data access functionalities only. 4. Q: Page 14, Article 4.What is the scope of enhancements and new integrations for health care entities once the initial project is rolled out? Should this be included in the 3 year support and maintenance period or is the scope of the support phase only support for the existing build? If the scope of the support should include service enhancements, is the vendor expected to provide a certain amount of enhancement hours during a 3 year period? A: Yes 5. Q. Page 14. Article 6 Scope of Work Section C- Project description and deliverables (j) Procurement of 200 card readers and biometric sensor devices: please clarify the biometric sensor devices that need to be procured by the bidder? Is the installation of the readers and sensors the responsibility of the bidder or is it the responsibility of the health care entity with supporting documentation? A: Yes, Bidder should provide End to End (E2E) solution. 6. Q. Page 14. Article 6 Scope of Work Section C- Project description and deliverables (k) during the 3 year maintenance period, should the solution be supported with resources based in the UAE, or can the bidder use a combination of resources in the UAE and other offshore and near shore locations? A: We expect the vendor to provide the service using onshore model within UAE. 7. Q: Appendix B: Helpdesk service: Can HAAD please clarify that the scope of the level 1 service is to support HAAD users and the health care entity users, or does the scope also cover Registration staff from the various health care entities? The scope of the support and staff required to support the service will increase of the bidder should support all registration staff queries from the health care entities. A: Bidder is solution provide so he will support all user 24/7/365 days 2 / 8

3 8. Q: Annex I Customer References: Can a bidder include international references in north America and Europe where they have implemented similar ehealth and national authentication solutions in combination to GCC customers A: Yes 9. Q: Can you please clarify the amount of the bid bond? In text, the amount mentioned is One thousand Dirham while the numeric value states 100,000. A: Check with procurement. 10. Q. Please provide more details on EIDA system, what API/Web services are exposed for us to integrate with that system? A: EIDA will provide necessary documentation and support. The supplier is expected to be familiar with the technology used by EIDA or demonstrate their ability to familiarize themselves with this technology within the project timeline. Also, please refer to the emirates ID website for further details. Probably this one could be useful. 11. Q. As mentioned Authentication System needs to expose standard proxy API, is there a set of rules defined for these API's or will this be decided as per the requirement and design phase? A: The question is not clear. Please refer to the Business Requirements Document (Appendix A to the RFP). If any additional set of rules for the API is needed, it will need to be defined in the in the requirements and design phase. 12. Q: The end user applications used by hospitals etc. were developed with some set of standards or they will be responsible for customizing their application to consume the authentication API's? A: The integration of the End-User Applications with Standard Proxy API is not in the 3 / 8

4 scope of this project. However, the vendor will be responsible for training of end-user IT personnel and providing support of integration, such as answering technical questions and help in troubleshooting. 13. Q: Authentication system requires to have a monitoring tool to pin point the component of failure. Is there any existing monitoring tool available within HAAD that would be leveraged or would this be a capability provided by the bidder? A: It has to be provided by bidder in order to monitor all components and services 14. Q: Reference Point 16 in Security BRD mentions - Provide Secure web services for all transactions. Can you please elaborate what it means? A: As per HAAD InfoSec Policies and Regulatory standards all the communication / web services shall have secure channel such as HTTPS, encrypted communication channels/techniques, etc. 15. Q: Reference point 23 in Security BRD mentions the following - XML response electronic signed by validation gateway? What is required by the authentication service? This is controlled by EIDA A: The end-users of the Standard proxy API should be able to retrieve the electronically signed XML response. 16. Q: Reference Point 25 in Security BRD - Authentication system must provide an independent messaging service which can confirm authentication system status? Can you please clarify what kind of service is required? A: Please refer to the Business Requirements Document, section 6.2. Notifications / Alerts Requirements 17. Q: Reference Point 28 in Security BRD - Can you please indicate the end user systems to which integration is required and the expected flow for the end-user accessing applications? 4 / 8

5 A: Please refer to the Business Requirements Document, section 5. Business Processes TO-BE 18. Q: Reference Point 30 in Security BRD - Audit log must provide a user friendly interface for ad hoc report generation. Is creation of custom reports in scope? If so, can you provide the number of reports that are required? A: It will be discussed later in the requirement gathering phase. 19. Q. Reference Point 33 in Security BRD - Authentication system must provide successful authentication when ID card is expired? Will EIDA return yes A: EIDA will provide necessary documentation and support. The supplier is expected to be familiar with the technology used by EIDA or demonstrate their ability to familiarize themselves with this technology within the project timeline. 20. Q: Reference Point 37 in Security BRD - Authentication System must provide to interfacing end user application patients photo image from chip on ID card? Does this refer to the authentication service reading the photo from the ID card and displaying it to the end user while also storing it as required? A: The end user should be able to retrieve the photo image from the card itself it is outside the domain of the standard proxy API. Standard Proxy API will be used only to authenticate the biometric of the patient and return the digitally signed XML. 21. Q: BRD indicated fingerprint scans. What product is currently being used for capturing fingerprints? A: For the list of EIDA approved biometric readers, please refer to the Business Requirements Document Appendix III 5 / 8

6 22. Q: Where the Proxy API will install. A: HAAD Standard Proxy API (Webservice based) should be install on the HAAD server. The end user application will consume in their environment/servers. 23. Q. If it will host at HAAD datacenter and will access through internet, what will be the mechanism to read card data and biometric device data at point of registration terminal (end client application). A: Bidder should refer to article 3 of this RFP 24. Q. As mentioned in Section B of tender document (page 12/30), HAAD hosted end user application will be available via Internet, how to Emirates ID card and bio metric finger print device will load the data from devices. A: The information stored on the card and the process of its retrieval is controlled by EIDA. EIDA will provide necessary documentation and support. The supplier is expected to be familiar with the technology used by EIDA or demonstrate their ability to familiarize themselves with this technology within the project timeline. 25. Q: What is the application programming language used for HAAD s core ERP? A: Out of scope for this project. 26. Q: On the requested Emirates ID/biometric authentication, how are these values to be provided to HAAD system. For e.g. during patient registration process, our proposed application shall identify the patient details based on the data available from his/her Emirates ID given at the counter. A: Please refer to the Business Requirements Document, section 5.2. Authentication Process Diagram 27. Q: Verifying the validity of the card and the fingerprint data requires reading of 6 / 8

7 biometric data from the Emirates Id and then compare the same with the individual carrying the card. This requires connectivity with EIDA s validation gateway. A: Yes 28. Q. Would you like to use the Emirates Id data both while First time Patient registration and while providing Patient care ( Subsequent Visits)? A: It is envisaged that the Emirates ID authentication will be used in every visit (encounter) with Healthcare Provider, i.e. the first time registration and subsequent visits. 29. Q. Will HAAD obtain permission from EIDA to facilitate reading of Biometric Data inside the Emirates Id chip without which we will only be able to read the demographic data of the person and physical verification is the only way to record the Patient data? A: Yes. In addition, EIDA will provide necessary documentation and support. 30. Q: How to provide information (Authentication Pass/ Fail) to HAAD s internal system after verifying the data? A: The question is not clear. Please refer to the Business Requirements Document (Appendix A to the RFP). Any further clarification of requirements will need to be carried out as part of the project scope. 31. Q. Does HAAD system accept inclusion of any dll s or web services developed by us for this project for the purpose of Emirates ID authentication or verification? No specification were defined for end user sample application, what it will be and how it will be. A: Bidder has to follow the EIDA defined API and Validation gateway guidelines. As we mentioned that End User Application is internal to the entity/healthcare provider thus it can be web based or client server. 7 / 8

8 32. Q. NOC Services if required to meet SLA in page #20 to 23 and Page # 17 for that We need please list of servers, network devices, databases & applications to be monitored by NOC. A: At this stage we cannot disclose such details. End of Clarification no. 03 ***************************************************** 8 / 8