Attachment B List of References - Wake Forest Baptist Medical Center

WAKE FOREST BAPTIST MEDICAL CENTER
REQUEST FOR PROPOSAL
Page 1 of 12
Request for Proposal
for
PCI Program Establishment and Execution
for
Wake Forest Baptist Medical Center
Response Deadline: January 15, 2016 - 3:00 EST
Wake Forest Baptist Medical Center
Office of Strategic Source
Medical Center Boulevard
Winston-Salem, NC 27157
1. Introduction
Wake Forest University Baptist Medical Center, a nonprofit North Carolina corporation, herein
referred to by the corporate trade name of Wake Forest Baptist Medical Center (WFBMC), is
one of the nation’s preeminent academic medical centers. It is an integrated health care system
that operates 1,004 acute care, rehabilitation and psychiatric care beds, outpatient services, and
community health and information centers. The Medical Center has 21 subsidiary or affiliate
hospitals and operates more than 120 outreach activities throughout the region, including
satellite clinics, health fairs, consulting services, and medical director services. It provides a
continuum of care that includes primary care centers, outpatient rehabilitation, and dialysis
centers. Although its primary service area is a 24-county region in northwestern North Carolina
and southwestern Virginia, WFBMC in the year ending June 30, 2010, served patients from 96
(of 100) North Carolina counties, all 50 states, the District of Columbia, and several foreign
countries.
On July 1, 2010, WFBMC became a legally integrated Medical Center. Under this structure,
WFBMC (through its Board and consolidated management team) operates all aspects of Wake
Forest Baptist Medical Center (also known as North Carolina Baptist Hospital) and Wake Forest
School of Medicine (also known as Wake Forest University Health Sciences).
The system’s main components are: a. Wake Forest School of Medicine; b. Wake Forest Baptist
Health, the integrated clinical operations that include Lexington Medical Center, Davie Hospital,
Brenner Children’s Hospital, physician practices, and other clinical facilities; and c. the Piedmont
Triad Research Park, which includes downtown research offices and facilities.
More information about WFBMC can be found at http://www.wakehealth.edu
2. Objective
WFBMC intends to obtain the most current level of PCI-DSS Compliance and as such is seeking
to establish a contract with a qualified information security and compliance service company
(hereafter, the VENDOR) to develop a PCI Program for becoming compliant with the Payment
Card Industry Data Security Standards (PCI DSS). Scope and requirements are outlined below.
3. Scope
WFBMC is requesting Proposals to establish an operational PCI Program that continually
reviews, manages and executes payment / credit card security processes and controls that are
consistent with applicable PCI DSS requirements and testing procedures.
Per the merchant levels defined by the PCI Council, WFBMC is currently classified as a Level 3
merchant, which requires it to complete the appropriate SAQs (Self-Assessment Questionnaires) and
quarterly external ASV (Approved Scanning Vendor) scans. WFBMC does not anticipate being required to
produce a formal Report on Compliance (ROC), and is requesting the selected VENDOR to
conduct a comprehensive PCI Security Risk Assessment as necessary to meet the requirements
outlined in the PCI-DSS standard.
At a minimum, the proposal shall include:
- An Initial Security Risk Assessment (ISRA) with a Gap Analysis and recommendations for
  improvements.
- An evaluation of payment / credit card security processes and controls consistent with
  applicable PCI DSS requirements and testing procedures.
- Development of corrections and/or compensating controls to address all areas of
  non-compliance and control weaknesses discovered during the assessment.
- Recommendations for addressing Attestation Requests as received from Processors,
  Banks or other parties as mandated by PCI-DSS Compliance.
- Identification and development of policies, standards, processes and procedures.
- Identification of the WFBMC resources required to effectively maintain a PCI
  Compliance Program that meets the on-going demands of achieving PCI-DSS Compliance.
- Completion of a Final Security Risk Assessment (SRA) by May 1, 2016. The VENDOR will
  provide training materials that can be used to internally train staff on compliance
  practices. WFBMC may request recurring annual compliance recertification.
For purposes of this document, WFBMC is defined primarily by the list of entities below.
Submitted proposals must provide services to all entities listed below. Respondents are
expected to thoroughly explain in their proposal any exemptions or modifications requested to
this requirement.
- North Carolina Baptist Hospital
- Brenner Children’s Hospital
- Wake Forest School of Medicine
- Wake Forest University Health Sciences
- Wake Forest University Physicians
- Lexington Memorial Hospital
- Davie County Hospital
WFBMC includes two (2) Point of Sale (POS) flavors: Patient Payments via an EPIC-based
WakeOne system, and Retail POS Merchants (for example, Eye Care, Weight Mgmt, Cafés, Gift
Shops, Pharmacy, Hotel and Parking). Both card-present and card-not-present transactions exist.
The architecture/infrastructure consists of components typically found in the Healthcare industry:
wired and wireless networks, intrusion detection and similar security devices, and client/server
applications.
WFBMC also works with a variety of banks, processors, gateways and other 3rd party vendors
to process credit card transactions.
WFBMC will provide additional details of the environment (network, equipment, applications,
etc.) once the Procurement Director Jonathan Kepley has received your Intent to Bid, and a
Mutual Non-Disclosure is signed.
4. VENDOR Requirements and Capabilities
- VENDOR shall have experience with complex payment environments including but not
  limited to card present, card not present, manual key entry, ecommerce, gateways, etc.
- The VENDOR’s network vulnerability scan tool must be compliant with the current PCI
  ASV requirements.
- The VENDOR shall provide services to assist in identification and elimination of false
  positives resulting from the external network vulnerability scans. The VENDOR shall
  rescan to validate that the false positives have been cleared.
- The VENDOR shall be able to define multiple scan profiles, exclude specific IP addresses
  and ranges of IP addresses, and identify blackout periods during which scans will not be
  conducted.
- The VENDOR shall be able to manage and track (owner, status, etc.) the vulnerabilities
  identified by the network scans. Access to the scans shall be limited to specific IT
  personnel.
- The VENDOR’s penetration testing must include both network layer penetration testing
  and application layer penetration testing.
- VENDOR shall detail which of the following positions and certifications from the PCI
  Security Standards Council (SSC) are employed by the VENDOR:
  - Certified Information Security Assessor (CISA)
  - Certified Information Systems Security Professional (CISSP)
  - Certified Information Security Manager (CISM)
  - GIAC Penetration Tester (GPEN)
  - PCI Qualified Security Assessor (QSA)
  - PCI Payment Application Qualified Security Assessor (PA-QSA)
  - PCI Approved Scanning Vendor (ASV)
  - PCI Point-to-Point Encryption program (P2PE) certification
- VENDOR shall note which employees will be utilized in support of this contract and if
  any have been placed in “Remediation” by the PCI SSC and why.
- All VENDOR employees shall be in good standing with the PCI SSC.
- The VENDOR shall note if and where subcontractors will be used during the term of this
  agreement.
- VENDOR shall state how often the certified PCI Assessors are required to attend
  training to keep them apprised of all current PCI regulations/requirements.
- VENDOR shall provide the names of employees who would be assigned to the team
  performing services for this engagement.
- VENDOR should show the ability to maintain continuity of employees, or available
  replacements assigned to the team.
- VENDOR shall affirm that no employee or subcontractor assigned to this engagement
  has been convicted of a felony.
- WFBMC reserves the right to interview and reject any of the assigned members of the
  proposed project team before a VENDOR is selected.
- During the course of the contract, WFBMC reserves the right to dismiss any VENDOR
  employees or subcontractors immediately and without notice for any reason.
- VENDOR should note in the proposal and shall be able to demonstrate at least five (5)
  years’ experience in performing related assessments / consulting, preferably in
  healthcare and academic venues of similar size to WFBMC.
- VENDOR shall provide a project-based fixed-fee Proposal by phases and include a
  proposed schedule/project plan which encompasses the following phases:
  Phase 1 = Define and establish an ongoing (operational) PCI compliance program for WFBMC.
  Phase 2 = Gap Analysis, Initial Security Risk Assessment, Remediation (Correction)
  recommendations
  Phase 3 = Remediation of noncompliant findings
  Phase 4 = Re-evaluation and Final Security Risk Assessment
  Phase 5 = Future annual re-attestations and compliance
  * Proposal must identify resources required (including WFBMC staff), along with assumptions
  supporting the proposed schedule / project plan.
- The VENDOR shall recommend direction for obtaining PCI-DSS compliance (and
  attestations) as the environment changes; e.g. WFBMC will be changing processors,
  gateways, POS equipment and other associated components during the contract term.
  This may require the VENDOR to collaborate with WFBMC’s external processors,
  gateways, and other vendors that provide services in scope for obtaining PCI-DSS
  compliance.
- Upon award, the selected VENDOR will be required to designate one primary point of
  contact to collaborate and coordinate all work with the WFBMC Project Manager. At
  this time a comprehensive, final schedule will be developed (Phase 1).
- VENDOR shall respond to questions and provide PCI DSS requirements clarification,
  when requested by WFBMC, for the duration of the agreement. It is understood that
  WFBMC may seek the VENDOR’s opinion or interpretation of a PCI DSS requirement.
- VENDOR shall utilize industry standard security controls to secure and monitor their
  environment to ensure protection of WFBMC’s data.
- The VENDOR shall estimate all travel and expenses in the Project Plan (Section 7
  “Proposal Response Content”).
5. Deliverables
The VENDOR shall develop a project plan to scope, deliver, track and report on the following
phases using Project Management best practices:
Phase 1 = Define and establish an ongoing (operational) PCI compliance program for WFBMC.
The selected VENDOR shall develop an overall PCI Compliance Program that is tailored for
WFBMC and the Health Industry. The program shall, at a minimum, help WFBMC identify,
manage and remediate risks, areas of noncompliance, attestations, data owners, WFBMC staff
and their responsibilities, policies, standards, processes and procedures, and provide
recommendations on how to obtain PCI reduced scope certification.
Phase 2 = Gap Analysis, ISRA, Remediation (Correction) recommendations
The Gap Analysis shall be comprehensive and at a minimum, include all types of network
scans, vulnerability assessments and penetration testing of the infrastructure, applications,
POS platforms, and processes as per the PCI-DSS requirement.
The selected VENDOR shall produce and electronically submit an ISRA with a gap analysis
identifying areas of noncompliance to the standards. The ISRA shall contain high-level
remediation recommendations or compensating controls needed to meet the standard. The
gap analysis shall list non-compliant elements in order of priority needed to be remediated,
and include recommended steps of correction. Screen shots, log excerpts, and other
technical evidence should be included, when applicable.
Phase 3 = Remediation of noncompliant findings
The VENDOR shall assist WFBMC with implementing corrective measures, attestations and /
or the addition of compensating controls to ensure WFBMC becomes compliant with
currently applicable PCI-DSS standards. The VENDOR shall recommend or provide a resource
to actively assist with these efforts as needed.
Phase 4 = Re-evaluation and Final SRA
The VENDOR shall develop and issue a Final SRA and provide an electronic copy of said report
by May 1, 2016.
Phase 5 = Future annual re-attestations and compliance
VENDOR shall assist WFBMC in identifying functional staffing roles that should receive
training so WFBMC will remain compliant with current and evolving standards. VENDOR will
assist with development of materials WFBMC can use to internally train appropriate staff
members. Actual training sessions will be conducted by WFBMC.
6. WFBMC Responsibilities
WFBMC shall:
- Provide a Program Manager to oversee the VENDOR’s Program or Project Manager who
  is managing the VENDOR’s resources.
- Provide existing security policies, standards, processes and/or procedures.
- Provide necessary documentation of the existing in-scope network configuration,
  servers, workstations, applications, POS platforms and security devices.
- Provide access to departments’ staff available for interviews.
- Provide timely and accurate information.
7. Proposal Response Content
Please respond to this RFP by addressing each of the service offerings listed below.
Program Management
- Describe your experience and history with establishing, managing and executing PCI
  Compliance Programs, particularly in a Healthcare environment.
- Describe your approach and methodology for each Phase in Section 5 “Deliverables” and
  how you will successfully complete each deliverable.
- Provide a high level Project Plan with anticipated resources, timeframes and man-hours.
  The project plan should indicate where resources are remote. If selected, you (VENDOR)
  will be required to develop and submit the detailed Project Plan (based on the previously
  provided high level project plan) with the resources, durations, timeframes, man-hours,
  WBS (work breakdown schedule) and such to the WFBMC Program Manager for review
  and approval prior to commencing activities.
- Describe your weekly and monthly reporting process (written/electronic reports,
  dashboards etc.) that the Program will deliver and provide an example of a typical report
  you would provide to WFBMC.
- Provide an actual project plan (best and worst case) for delivering a similar project in a
  Healthcare environment.
- Provide two references, preferably in a Healthcare or Academic environment, for services
  similar in scope and scale to WFBMC. WFBMC should be allowed to contact these
  references.
Resource Management
- Describe the names and experience of all resources that will be assigned and/or engaged
  with this agreement. Note which resources, if any, will be remote.
- Describe your Company and Employee certifications as outlined in Section 4 “VENDOR
  Requirements and Capabilities” of this RFP.
- What methodologies will be used to monitor and maintain the quality of the 5
  deliverables as outlined in Section 5 “Deliverables”?
- If WFBMC is at merchant level 3, is a QSA required and why? If you recommend a QSA,
  explain how such a resource will be utilized and what specific roles, responsibilities and
  deliverables the QSA would provide.
PCI Compliance
- How will you use the methodologies to ensure a consistent interpretation of the PCI DSS
  standard across the multiple VENDOR resources being used?
- Is it possible to obtain a “reduced PCI scope” from the PCI Standards Council and, if so,
  how will you go about accomplishing that?
- If you recommend solutions to achieve such reduced PCI scope, how do you guarantee
  such reduced PCI scope can be obtained?
- Are you vendor agnostic, and do you have any interest in the products or solutions that
  will or may be recommended?
- If non-compliant issues are discovered by either party, describe the process by which you
  will bring WFBMC back to a compliant status.
- What Internal/External and Web Penetration Testing methodology do you use, and will
  you re-test any non-compliant items identified in the initial Penetration Test or Gap
  Assessment?
- What is your testing methodology and rules of engagement, and will you provide a clearly
  outlined testing consent form?
- What obstacles have you experienced that prevent a company from achieving full PCI
  Compliance? How do you plan to overcome such obstacles?
- Describe your experience with risk and compliance: HIPAA/HITECH, State Privacy Laws,
  NIST, etc.
Costs
- Provide the Deliverable costs in the table below:

Deliverables           Start Date     Finish Date    Cost
                       (MM/DD/YYYY)   (MM/DD/YYYY)
Phase 1
Phase 2
Phase 3
Phase 4
Phase 5
Additional Services
TOTAL
Travel and Expense

Vendor shall ONLY bill for actual travel expenses and shall adhere to WFBMC’s standard
policy and expense thresholds for reimbursement.
Vendor shall invoice WFBMC monthly; payment terms are net 30 days.
8. RFP Response Timeline
Proposing vendors will be allowed to review the RFP and submit questions to WFBMC, develop
the RFP response, and submit it with all correspondence to Jonathan Kepley
(jkepley@wakehealth.edu).
- December 21, 2015 – Conducted Introductory Session
- December 22, 2015 – Received VENDOR’s Intent to Bid
- Dec 23, 2015 – Distribute RFP to VENDORs
- January 5, 2015 – Questions Due
- January 8, 2016 – Question Responses to VENDORs
- January 15, 2016 – VENDOR RFP Response Due
- By end of January – VENDORs notified of selection
9. Bid Requirements and Specifications
The following are WFBMC requirements from the selected vendor. Please provide a response to
each specification and explain how you will achieve these requirements. Products or Services
that are not provided as core to the offering must be specifically indicated as such and
associated pricing provided.
- The contract term is < specify start/finish dates >. Agreed upon pricing structure will
  remain FIRM for the duration of the agreement. Either party may terminate the
  agreement by providing 30-60 days written notice. The agreement will not automatically
  renew after the initial contract term.
- VENDOR is required to report immediately to WFBMC any activity that might affect the
  business relationship between their company and WFBMC (i.e. any material claims or
  federal/state exclusions which may adversely affect vendor’s ability to provide the goods
  or services required by this RFP).
- The VENDOR shall enter into a Master Services Agreement (MSA) with WFBMC prior to
  finalizing the terms and agreements required for this contract.
10. Bid Requirements and Specifications
Please provide any additional offerings that would increase the value of the relationship
between yourself and WFBMC through improved services or reduced costs to WFBMC (include
fee-for-service and no additional charge offerings as appropriate).
Attachment A
VENDOR Respondent Signature Form
The form below must be signed by a duly authorized officer of respondent and must accompany
respondent’s proposal. A signature below provides your guarantee that all statements made in your
proposal are accurate and being offered without obligation or other pre-condition to Wake Forest
Baptist Medical Center.
Authorized Signature:
Date:
Printed Name:
Title:
Company Name:
Mailing Address:
Telephone: (      )       -
Email:
Licensed to do business in the State of North Carolina? ☐ Yes ☐ No
Is your business listed on the Office of Inspector General’s (OIG) List of Excluded
Individuals / Entities? ☐ Yes ☐ No
Attachment B
List of References
Please list two references to which you have supplied products / services within the last three years.
At least one of the references should be an Academic University or Medical Center site.
Organization Name:
Address:
Contact Person:
Contact Telephone: (      )       -
Contact Email:
Time period of services provided:
Description of services provided:
Organization Name:
Address:
Contact Person:
Contact Telephone: (      )       -
Contact Email:
Time period of services provided:
Description of services provided:
ATTACHMENTS C & D
Wake Forest Master Services Agreement and
Wake Forest Non-Employee Policy and Travel Requirements
* END OF DOCUMENT *