Specifications include, but are not limited to: Cloud service provider will provide County with a fully managed/hosted MEDITECH environment running on infrastructure owned and operated by CSP and located in a national data center.; 1. Project goal and objectives – Bidder must be able to provide the requisite capacity of servers, storage, and backups based on the requirements of this project, which also includes replication and retention of ARMC’s Meditech data into another highly resilient Data Center to protect ARMC Meditech historical data in the event of any disaster at the primary site.; 2. Deliverables/Requirements: a. Professional Services – Management of project scope, timelines, and resource utilization against budget. Attend project meetings and coordination of resources for the project.; b. Virtual Desktop – Vendor must provide a Virtual Desktop Infrastructure (VDI) Service which runs from ARMC’s thin client device or PC and provides the Customer with full access within MEDITECH application suite.; c. Configuration - Configure the hosting environment according to industry best practices and requirements and/or retention policies of ARMC for historical Meditech patient data.; d. Establish an Internet-based Virtual Private Network (VPN) connection between the Customer and the data center, including a backup connection in the event that the primary circuit fails.; e. Applications Support: i. Coordinate plan to consolidate the environment followed by a migration from the current hosting environment.; ii. Provide 24 x 7 x 365 monitoring and support for the entire hosted environment including the underlying server infrastructure listed in Attachment K.; iii. Establish a Secure Connect connection in support of MEDITECH connecting to the hosted environment.; 3. Project Approach – The cloud service provider must provide examples of past projects following the cybersecurity standards and other national and industry-specific standards.; a. Maintaining Servers: All systems storing Meditech patient data must have: i. Antivirus software that is regularly updated (if available for the operating system).; ii. Firewall software, either the default firewall included with the operating system or a thirdparty package.; iii. Intrusion detection software (this can be coupled with the firewall software).; iv. Integrity monitoring software that will monitoring critical system files.; v. System passwords must conform to the rules stated in the San Bernardino County standard password policy.; b. System Maintenance Requirements: i. Operating systems and applications must be regularly updated with vendor-supplied critical security patches within one month of the patches being published. All patches must be tested before they are deployed.; ii. Physical security to these systems must be restricted and monitored.; iii. System logging must be enabled and reviewed regularly. For example, for Windows systems, the System, Application, and Security logs must be enabled. The audit history must be maintained for one year, with at least three months available for immediate analysis. Application logging for Web and database applications must be enabled and actively monitored.; iv. System clocks must be synchronized via Network Time Protocol (NTP).; v. Hosting systems must be scanned for vulnerabilities quarterly. This scan includes scans for vulnerabilities in the virtual desktop operating system as well as in any services running on the system, such as Web applications; c. Securing Servers: i. Servers (see Attachment K) must be housed in a facility located within the United States that restricts PHYSICAL ACCESS such that: 1. Only those staff members whose job requires such access can gain access to the systems; 2. All accesses are logged and/or monitored through card access systems, video cameras, etc.; 3. Visitors are logged and have a token indicating they are visitors; 4. Back-up media is logged, stored within a secure environment, and destroyed based on a predetermined schedule
