Specifications include, but are not limited to: The hosting provider for the Epic System should provide hosting services with capabilities that include, but are not limited to, the requirements below: a. Facility i. Geographic location within the contiguous United States. ii. Second separate regional location separated from the first location by at least 200 miles and still in the contiguous United States for Disaster Recovery or Business Continuity contingencies. iii. The Data Center must meet criteria for a Tier 3 Facility where IT components are powered with multiple, active and independent sources of power and cooling resources. iv. Provide and describe the total site square footage of the primary data center, including a number of building stories and location within the building. b. Cyber Security Liability Insurance. c. Security i. Data Center Environment (1) The data center security policy (Policy) must adhere to the following standards and certifications: Service Organization Control (SOC) 2 or ISO/IEC 27001/2/3 that support industry and regulatory requirements (e.g., Protected Health Information (PHI) (i.e., HIPAA) and Personally Identifiable Information (PII)). (2) Annual security audits must include the Policy being validated and updated. The most recent report shall be made available upon request. (3) Datacenter must provide physical security controls (e.g., entry and physical access to hosting infrastructure), and network security controls (e.g., firewalls, routers/switch access control lists, network user authentication authorization and accounting). (4) Describe in detail the technologies in-place to protect/isolate the customer’s assets in a multi-tenancy environment specifically: application(s), information/data, system, and infrastructure.
