Guide to RFP for A Cloud Services Partner Focused on Security, Privacy and Compliance

So, you’ve decided you want to take advantage of the public cloud to transform and grow your organization. That’s a smart move. You’ve likely also decided you want a third-party partner to support your privacy, security and compliance needs, because you work in healthcare and those considerations are table stakes. You may not need an RFP, but many organizations do, especially when bringing public cloud into a healthcare organization for the first time. There are several key considerations to bear in mind when preparing your Cloud Services RFP. I’ll walk you through those in this guide, and I’ll also provide some important questions you’ll want to include in your RFP.

The first and most important thing to bear in mind is that healthcare is a highly regulated industry and the cloud is a constantly evolving platform, so enormously important security and compliance concerns converge with expanding opportunities to use cloud-native services to transform and innovate. You can use the cloud to optimize costs, scale with agility, and often provide better protection for your organization than you can in an on-premises environment, but you’ll want healthcare-specific expertise because of the complex nature of healthcare regulatory frameworks. If you’re already in the cloud, you’re probably seeing some great opportunities, but may be losing sleep over the security of your PHI. Help is out there.

The first piece of advice I want to offer as you prepare to write your RFP is to be specific, but don’t box yourself or your RFP respondents out of opportunities you may not have considered.

Focus on the desired business objectives and outcomes you want to attain. Focus on performance: ask about both the deliverables and how the success of those deliverables is measured, and check references for expertise. Think about the details and be deliberate, but try not to be overly prescriptive in how you frame your questions about how respondents can help you meet your business goals.

By focusing on the objectives, you’ll allow the respondents to bring forward solutions to your business challenges that you may not have considered. They will often share a new perspective that changes your design, your execution, or even the selection process of the RFP itself.

That said, you want a well-designed, thorough RFP and your procurement process must include due diligence. Not all cloud platforms are created equal. Get details. Do your homework.

Timelines and Expectations

An RFP is not going to get you to a cloud deployment in a matter of weeks. You’ll want to set realistic timelines within your organization as well as with your RFP respondents. Typically, the process looks similar to this:

Activity and typical timeline:
  • Develop and Write Your RFP: 30-60 days
  • Vet with Cross-Functional Stakeholders: 30 days
  • Distribute Your RFP and Reply to Questions: 30-60 days
  • Review and Rank Your Responses Against Your Evaluation Matrix: 30 days
  • Invite RFP Respondents to Present: 14 days
  • Narrow the Field: 5 days
  • Discuss Pricing and KPIs: 14 days
  • Review, Route and Sign the Agreement: 30 days

Developing Your RFP

Start by identifying who needs to be involved from your team. For a cloud services RFP, I’d recommend the lead be the CIO or someone from the office of the CIO. When working with sensitive data such as PHI, it’s important to get the CIO on board with the approach from the start. You’ll also want to include the Director of Infrastructure and/or the Director or VP of IT or the CTO. If you have a Director of Compliance or a CISO, include them, as well as your lead or Director of Security. Some organizations are now bringing on Directors of Cloud Strategy, and you’ll want that position involved. You’ll also need a finance component; if your CIO has budget control, he or she may serve in that capacity. Otherwise, the Chief Financial Officer will be helpful in writing and reviewing the questions around your CapEx or OpEx considerations and depreciation tiers. Finally, be sure to include someone from project management who can ask questions about delivery timelines, Service Level Agreements (SLAs), Key Performance Indicators (KPIs), and other expectations.

It can take as long as you want to write an RFP, but I recommend setting a goal to have it written and reviewed within the same quarter, because public cloud capabilities, and your requirements along with them, change rapidly. There are suggested questions later in this document that you can use to begin forming your RFP. Have your team work in a shared document so everyone’s concerns are visible to the entire team, and hold weekly check-ins with specific objectives or sections to discuss and resolve.

At the same time, you’ll want to charge someone on your team with collecting the names of organizations you’re going to reach out to. You may publicly post your call for proposals as well, but it’s good to do some homework and find the top 5-10 vendors that show promise. Have someone on your team browse their websites for key differentiators to inform your questions and enable you to compare areas of expertise in compliance, privacy and security for healthcare. For example, because you work in healthcare and are issuing an RFP, search for cloud providers who are HITRUST certified and settle for nothing less, as many of your end customers and vendors will require it themselves. This will save you time and trouble on the back end, because many of the controls and safeguards you’ll need in place to protect your PHI will already have been assessed as part of that vendor’s HITRUST certification. One caveat: a certification covers a defined scope, so ask each respondent which environments and services the certification actually covers, and which controls remain your responsibility under their shared-responsibility model, before you assume a control is handled for you.

At a high level, here are some important items to expand upon in your RFP:

  • Statement of your business objectives/goals in the cloud
  • Overview of your current state for that project or program
  • Overview of your current technical environment
  • Your staff’s areas of expertise and gaps, so the respondent knows where to supplement
  • Any workloads in the cloud already, i.e., DIY projects and on what platform
  • Platform preference, if you have one
    • For example, ClearDATA offers our platform of solutions and managed services on AWS, Google Cloud Platform and Microsoft Azure. If our potential customers don’t let us know which platform they prefer, we can look at their current state and business objectives and make suggestions for them.
  • Demonstration of the vendor’s / partner’s expertise

Questions to Include in Your RFP

Here are some more specific questions about security, privacy, compliance, and service level agreements any healthcare organization should consider incorporating into its RFP. These are not comprehensive, but will give you a good start in your evaluation.

Security Questions
  • How do you vet new security vendors? Share details about your vendor assessment process.
  • Do you have Business Associate Agreements in place with all of your vendors and subcontractors that process, store, or transmit PHI? Ask even where it seems unlikely, such as an application monitoring vendor that would not ordinarily store, process, or transmit PHI.
  • Do you have a 24×7 Security Operations Center (SOC) offering? What is its makeup? Provide details on staffing, response SLAs, locations, etc.
  • What technologies do you use for each of the following, and what is the associated method of procedure (MOP)?
    • Vulnerability scanning
    • Penetration testing
    • Malware/antivirus
    • Availability monitoring
    • Application monitoring
    • SIEM (Security Information and Event Management)
    • Event and application logging
    • Operating system and application patching
    • Security monitoring
    • Device management
  • What is your documented process for zero-day security vulnerabilities, covering both internal handling and external communication to customers?
  • What is your security incident response SLA?
  • Does your cloud solution maintain a registry of cloud services with a risk assessment for each? How many cloud services are tracked in the registry/knowledge base?
  • How is data encrypted within your solution, both at rest and in transit? Provide details, including the algorithms used, how keys are managed, and whether the customer can control its own keys.

Privacy Questions
  • What is your incident management process? Attach documents that illustrate or describe the process in detail.
  • Are usage logs sent off-premises for analysis? If so, how do you protect sensitive data (user names, IP addresses, etc.) within the logs?
  • Are usage logs automatically ingested from their sources (proxies, firewalls, SIEMs)?
  • Can your solution detect data exfiltration attempts? If yes, please describe how.
  • How long do you retain log data for visibility and analysis?
  • Can we conduct our own penetration test of the environment, and what is your process for authorizing one?
  • Under what circumstances would you disclose our data to other parties, and how would you notify or consult our organization before or after doing so?

Compliance Questions
  • Who are your third-party compliance assessors, and what is their contact information?
  • What compliance certifications does your organization hold?
  • Can you provide all relevant security and compliance reports and certificates, including your SOC 2 Type I and Type II reports, your HITRUST certification, and any others applicable to the use case, such as PCI DSS? (Note that SOC 2 is an attestation report rather than a certificate; ask for the full report, not just a summary or bridge letter.)
  • When was each last tested by a third party?
  • What key gaps were identified in your most recent compliance audits, and what is your organization doing to address them?
  • What is the cadence of your third-party audits, and who is involved from your organization?
  • Describe your disaster recovery and business continuity plans, procedures, testing cadence, and recent results.
  • Has your product been evaluated by a leading analyst firm (e.g. Gartner or Forrester)? Please provide details and a link to the report.
  • Does your solution provide pre-built templates for IT teams to enforce policies required for compliance with HIPAA, HITECH, GDPR, PCI DSS, etc.?

Services and SLA Questions
  • Please provide 5 references that are using your security, privacy and compliance solutions.
  • What are your response SLAs by severity (ITIL-aligned)?
  • Do you have resolution SLAs by severity (ITIL-aligned), and if so, what are they?
  • How is your services team staffed (e.g. 24×7 coverage, onshore/offshore, redundancy, locations)?
  • How do customers open tickets (phone, email, portal; list all) to get assistance and start the SLA clock?
  • What service tiers do you offer customers?
  • Do you have different service offerings for different healthcare use cases (e.g. PHI, non-PHI, test, dev, etc.)?
  • What professional services offerings do you have (e.g. cloud migration, data ingestion, DevOps, CI/CD planning and build-out, etc.)?

Issuing the RFP

Now you’re ready. Before you issue the RFP, if you have contracts with analysts such as Forrester or Gartner, be sure to gather their feedback to identify gaps in your requirements gathering and questions. Then, meet with your team and determine what questions you will entertain from respondents during the open period, and decide who will take and respond to those questions in a timely manner. Make that evident in your RFP, and align the team on a matrix for evaluating the RFP responses before you issue the RFP. Then, press send. We recommend allowing 30-60 days for responses. The goal is to be as open as possible with respondents before the deadline in order to get the most thorough and comprehensive view into what they can offer you. Once the deadline has passed, cease any communication with respondents during the initial review, other than to inform anyone who asks that the responses are under review and that finalists will be contacted the week of (insert your date). Be certain someone on your team is assigned to collect the responses, log the date each was received, and populate your spreadsheet or other tool with the answers so you can score them against your matrix for a consistent and effective review.

Selecting Your Partner

After you review the responses, bring in your favorites and ask additional questions. This is also the time to have them expand upon the answers to the questions in your RFP, citing examples of recent work that was similar. Check the references they provided.

Once you narrow the field and are prepared to talk KPIs and final pricing, the RFP response and your matrix go to the CIO or your legal counsel and the lead on the vendor side. Then, make your selection, sign your agreements, and prepare for your migration—or scaling if you are already in the cloud.

At ClearDATA, we have provided industry-leading compliance, security, and privacy to hundreds of healthcare organizations, from some of the nation’s largest hospital systems to small life sciences research firms. We will be with you each step of the way and can also point you to additional services and solutions that fill needs within your organization. To learn more about how ClearDATA can help you transform your organization with our platform built on a foundation of HITRUST, contact us to speak with a consultant.