Technical Architecture. Section 1. System Infrastructure & Scalability. Yes No Comments

Transcription

1 Technical Architecture Section 1. System Infrastructure & Scalability Requirement 1) Hardware configuration operates on industry standard Intel servers such as IBM or HP. 2) Operating system environment supports, the following minimum system requirements, Microsoft Windows 2000/XP Professional and Microsoft Windows 2003 Server. 3) System can be configured with complete redundancy with no single point of failure as well as Active-Passive set-up where both nodes will be handling different types. 4) Use clustering software to load balance and demonstrate quick, automatic failover across all servers. 5) Support a web-based interface. 6) Support Citrix. 7) Recommended hardware platform provides capability for hot swappable, mirrored/raided disk drives. 8) Support the ability to conduct routine backup procedures without the users having to be off the system. 9) Support a variety of point of care and input devices, specifically: Signature Capture Hand held/portable - Radio Frequency Laptops Touch Screen Pen Voice Recognition Keyboard/Mouse Page 1

2 PDA Requirement 10) System is based on a relational database management system. 11) Delivery options for in-house environment (ICO) as well as a host-based environment (SaaS). 12) System has "master files" where universal information can be entered once and accessed by other applications. 13) Data elements can be viewed, printed, interfaced, updated, reported on and/or listed as needed. 14) Required fields are user-definable. 15) Provide Common Reporting Tools and Analytics that are compatible with recognized, industry standard reporting tools such as Microsoft SQL, Crystal Reporting. 16) Vendor provides load testing tools and load testing as part of their implementation. 17) System is scalable to accommodate additional utilization, users, transactions and/or additional local/remote sites. 18) Support multiple environments including test, production and training. 19) Provide a data dictionary. 20) Database tools are provided to allow enduser access for queries and extraction or output of data into other file formats. 21) Allow for server virtualization. 22) Management of client/pc software is centrally managed. 23) Application can be monitored via common enterprise monitoring systems. 24) Application provides an alerting and monitoring utility. 25) Application exposes data via Web Services. 1. Does your solution employ a true Service Oriented Architecture (SOA)? Explain Page 2

3 2. In the context of a true SOA, explain how your data and service modeling is done and what advantages it provides to the customer. 3. Describe the vendor s approach to data integrity and redundancy. 4. Describe the vendor s approach and tools for backup, recovery and SAN/NAS recommendations. 5. Detail the number of environments that are recommended for implementation and their purposes, ex. Test, Development, QA, Production? 6. Describe the process of environment management and migrating from one environment to another. 7. What is the source code for the application written in? 8. How many application releases per year does the vendor provide? 9. How are minor and major releases communicated and provided to the client? 10. Detail the printing process for the application. Page 3

4 Section 2. Network Capabilities Requirement 1) Each server must have an appropriate Network Interface Card (NIC) to connect to the Local Area Network. 2) In Ethernet environments, all servers should be placed on dedicated 100 Mbps Full-Duplex switch ports for maximum throughput and performance. 3) System can be integrated into a wireless environment 4) Wireless protocols such as a, b, or g should be used. 5) The recommended WAN connection should be a Frame Relay or ATM network. A fractional-t1, T1 or greater network of appropriate bandwidth must be installed. 6) Critical data (security/authentication data) is passed between various layers using 128 bit encryption. The browser/server communication can also be set using standard SSL based authentication. 7) Capable of using IP and the standard network protocol. 8) Support secure TCP/IP remote access for users (e.g., PPTP, SSL, Kerberos, etc.). 9) Required network devices can be managed from a central location. 10) Support Network Load Balancing to offer higher throughput for increased user load. 11) Support Layer 3 switching 1. Please describe your LAN/WAN network requirements. 2. On the Wide Area Network, what is the minimum bandwidth requirement? 3. Describe in detail the remote access methods you currently support for your application and how you would support devices at remote locations. 4. What cellular protocols does the system support? Page 4

5 5. What are the throughput response time requirements? Section 3. Security Requirement 1) Support Role Based Access. 2) Support task-based and object-based user authorization profiles. 3) Provide an audit trail that can be used to identify transactions or data accesses that have been performed by: Function Terminal Patient User 4) Provide audit log reporting features. 5) Log all unsuccessful logons and lock out users after a certain number of unsuccessful attempts as defined by the customer. 6) Provide a time out feature that automatically signs off a user if a workstation has been left unattended for a user-defined time period. 7) Support Active Directory and/or LDAP. 8) Report on access levels by patient, user, and location. 9) Provide functions to restrict access to specific patient records for individual users. 10) Support electronic signature. 11) Authenticate user based upon a minimum of one-factor authentication utilizing one or more of the following in combination with a User ID: Page 5

6 Password Requirement Biometric Identification Proximity Controls (RFID) Token (e.g., Secure ID) 12) Provide interoperability with patient context (CCOW). 13) Permit creation of temporary user accounts with specific expiration timeframes. 14) Permit the security administrator to specify that User IDs and passwords must contain a combination of alphabetic, numeric, and special characters. 15) Permit the security administrator to specify that passwords must adhere to strong password guidelines. 16) Permit the security administrator to specify a minimum password length that will be enforced by the system. 17) Force a user to select a password at initial sign-on and when the password has been reset. 18) Prohibit the reuse of User IDs and passwords per user based upon security administrator controllable setting. 19) Support the encryption of the password file and password information. 20) Permit the security administrator to set events that are considered security violations as well as provide real-time notification of any violations. 1. Discuss the system s ability to define and control user and role profiles within and across facilities. 2. Describe the system user name and password structure and the ability to enforce it. 3. Discuss the authentication process including encryption and wireless devices. 4. How does your system support single sign-on? Page 6

7 5. Does the system provide audit logs/error logs to detect unauthorized access or activity? 6. Describe the system components in place that support a user/ client s adherence to the HIPAA security regulations. Page 7

8 Section 4. Interoperability Requirement 1) Support the use of industry standard interface engines. 2) Provide pre-defined interfaces that expedite interface development time and automatic wizards that can be used to implement model definitions. 3) Support standard HL7 interfaces. 4) Support industry standards such as DICOM and XML. 5) Interface with legacy systems, departmental systems, repository systems, foreign systems, modalities and devices. 6) Software logic is parameterized or table driven for convenient modification by EPT, tables, and external database query. 7) Users can view a display of archived transactions and audit file as well as the transactions as they are being processed. 8) Includes flexible table features that enable a user to build tables for the translation of data. 9) Support the ability to conditionally map data and the ability to compare and group condition tests. 10) Provide a custom adapter development kit such as COM or API, making it possible for a user to create utilities and applications that can communicate directly. 11) The generation of alert messages can be configured by the time of day and day of week, for each interface via user-defined peak, off-peak and scheduled downtimes. 12) Alert messages can be sent to any device including, pagers and printers as well as to other interfaces. Alerts can also be configured based on change of interface status, idle time and excessive transaction backlog. Page 8

9 Requirement 13) Support data mapping and conditional routing. 14) The following data types are supported: ASCII, BLOB, EBCDIC, hex16, hex32, printable, raw, signed binary and unsigned binary. 15) Error Monitoring provides an alert subsystem which generates alert messages that are stored and viewable online and can be routed via various mechanisms such as and pagers. 16) Include a variety of monitoring and troubleshooting tools that allow for the immediate identification and correction of any problem you may encounter. These intuitive tools are easy to access via point and click or drag and drop features. 17) A field can easily be setup such that some values are translated and others are passed through without translation. 18) Templates exist for various protocol, connections types and interface ports. 19) Holds message waiting to be processed in memory and writes them to disk. Each message is flagged with a status that indicates whether it has been processed and received by the destination system. 20) Provide templates that allow users to assign attributes to a particular definition then copy these attributes for other similar builds are provided. 21) Support for IHE 1. Provide your definition and vision of interoperability and how you are incorporating interoperability within your solutions. 2. Describe your method for establishing HL7 connectivity as well as the version you support. 3. Describe your overall design approach to developing, testing, implementing and upgrading system interfaces. 4. Describe how you support systems without standard interfaces. 5. What tools does your system provide to allow monitoring and guaranteed delivery of your interfaces? Page 9

10 6. What interface engines have your existing clients used? 7. Describe the auditing capabilities to verify the counts of records sent or received by your system. Section 5. Software as a Service (SaaS) OVERVIEW Software as a Service (SaaS), also know as Cloud Computing, provides application software to customers as an on-demand service. SaaS vendors deliver software over the Internet by hosting the software themselves or through a third party Application Service Provider (ASP). While SaaS solutions include many costs, they are generally less expensive than traditional solutions hosted at your own facilities. For example, a SaaS solution minimizes upfront capital costs for hardware and ongoing costs for hardware and software support and maintenance. Because SaaS offers an attractive delivery approach, it is rapidly becoming available, and in some cases, vendors only offer this option. This non-traditional approach requires adding some new items to your RFP and removing others than are no longer applicable. A SaaS agreement should also include some specific contract provisions. Here are some examples of non-contract items to include in a SaaS RFP: Architecture Use of Rich Internet Application (RIA) technology. RIA features allow the SaaS application to execute functions locally on user workstations rather than via an Internet-based web server. This reduces connection time and delays communicating between your computer and the SaaS application. An application configured by the vendor to comply with your organization s web accessibility and presentation standards. Ownership of your data. Provision of a suitable method for retrieving your data in a format you can use with other applications or tools, should you terminate your relationship with the SaaS vendor. Automated load-testing tools as part of the vendor implementation. Examples of information SaaS RFPs do not include are as follows: Requirements for the proposed hardware platform, e.g., hardware model, system software or database software. Separately itemized hardware or system software costs. Separately itemized requirements for ongoing hardware platform maintenance and associated staffing and costs. Limited desktop configuration requirements, e.g., web browser support. Performance Reliability Page 10

11 Detail your performance metrics for Service Level Agreements (SLAs) for measuring application availability, performance, and network connectivity. Detail any tools offered to measure application availability offered to report on realtime or historical performance information (uptime, outages, degradations). Disclose any use of 3 rd party server hosting companies. How are sudden demand surges managed without adversely affecting system use? How is planned growth in demand managed without adversely affecting system use? Where are your data centers located? How are application and server upgrades conducted, scheduled, and communicated to the customer? Is off-line data access available in the event of a loss of connectivity? Detail your high availability capabilities. Attach a copy of your disaster recovery plan. Describe your backup and recovery capabilities that ensure prompt and complete data recovery. Security Detail how your organization would respond to a data security breach. Detail the number and roles of your data security personnel. Vendor maintains a well-document security infrastructure. Detail the level of auditing that is available and what access the customer has to audit logs. Describe any use of incident protection and detection software. encrypted data storage and transmission while compensating for performance implications. Vendor maintains infrastructure standards certification like International Standards Organization/International Electrical Commission (ISO/IEC 27002). An estimated response time from vendor support personnel when contacted regarding security issues. Can the customer s data be moved among multiple data centers? If so, how is the customer notified? Will you allow for the storage of a customer s data outside the United States of America? Do you provide for the delegation of user provisioning administration to the customer? What physical controls exist to manage the ingress/egress of the software production/delivery facility? Will the software code be placed in escrow and buyer assumption of hosting responsibilities if your company stops offering the application due to bankruptcy, etc.? If not, detail the situation for customers in the event that your company can no longer continue operations. Page 11

12 Page 12