Instructions: Please provide a response to each comment listed. The University believes that the prospective bidder's previous experience, financial capability, expertise of personnel, and related
factors are important in assessing the bidder's potential to successfully fulfill the qualifications defined herein. Lack of comments to any items listed may render the bidder's proposal as non-
responsive.
Item No. | Business Criteria and Other Information Requested | Meets Qualification | Does Not Meet Qualification | Comment
1.0 Provide a brief overview of your company, including but not limited to, ownership over the last 5 years, number of years in business, mission, vision, and business philosophy.
TAB 2B REFERENCES
Instructions: The vendor shall submit reference information for successful implementations at healthcare organizations with similar
requirements to UCLA.
INFORMATION REQUESTED | REFERENCE #1 - ACADEMIC HOSPITAL | REFERENCE #2 - MULTI-FACILITY HOSPITAL SYSTEM
Customer name
Street address
City/State/Zip Code
IT Contact Email address
IT Contact telephone number
Summary of project
Approximate volume of Web API Calls
Date of Customer Acceptance
Approximate value of installed solution
INFORMATION REQUESTED | REFERENCE #3 - CALIFORNIA HOSPITAL | REFERENCE #4 - OTHER LARGE-VOLUME CLIENT
Customer name
Street address
City/State/Zip Code
IT Contact telephone number
Summary of project
Approximate volume of Web API Calls
Date of Customer Acceptance
Approximate value of installed solution
TAB 3 - MANDATORY REQUIREMENTS
Instructions: The submitter should indicate whether or not each of the requirements can be met. Lack of comments to any items listed may render the bidder's proposal as nonresponsive.
The responder shall explain alternate solutions in the comment column.
Item No. | Mandatory Requirements | Meets Requirement | Does Not Meet Requirement | Comment
1.0 The systems proposed shall include all equipment, software, accessories, and features necessary for a complete, operating, state-of-the-art system. All software shall have been validated by prior use in healthcare applications (i.e., unless UCLA directs in writing, software supplied shall not be of an investigational nature). All software provided shall be of the latest revision/version commercially available at the time of installation and go-live.
2.0 The system must be able to meet privacy and security requirements to protect Protected Health Information and comply with HIPAA regulations. Name the prominent features of your solution that contribute to this level of security.
3.0 The proposed system must support a multi-entity environment (e.g. Westwood Hospital, Santa Monica Hospital, Neuropsychiatric Hospital, multiple hospital-based clinics). Describe the features of your company's solution that help to achieve this goal.
4.0 The proposed system must have been successfully implemented at an academic medical center of 200 beds or greater. Please name the academic medical center.
5.0 The system must be capable of full integration with UCLA's CareConnect (EPIC) Electronic Health Record. Please name the health system most closely matching the size and complexity of UCLA Health System at which your company's solution has been successfully integrated with the EPIC E.H.R. Provide additional details in Tab 2B.
6.0 The system shall have the ability to support multiple simultaneous users. State how your solution accomplishes this goal. What is the maximum number of users supported by the proposed system? What is the highest number of users in actual use at a current customer site?
7.0 All work related to UCLA's project shall take place within the United States. The vendor shall confirm that no development, configuration or other work related to the solution shall be "off-shored" to a foreign country.
8.0 The proposed solution shall provide an API Gateway. Describe the key and differentiating features.
9.0 The proposed solution shall provide an API Identity Manager, Access Control and Security Enforcement. Describe how the product implements identity management and access control, and how it enforces security.
10.0 The proposed solution shall provide an API Service Manager. This feature should provide quick and easy access to enable users to manage services and policies online. It may be a part of the API gateway. Describe the key and differentiating features.
11.0 The proposed solution shall provide an API Developer Portal. Describe the key distinguishing features of the product's developer portal.
12.0 The proposed solution shall provide a Sandbox environment. The Sandbox shall allow developers to mimic the characteristics of the production environment and create simulated responses. Describe the key and differentiating features.
18.0 The proposed solution shall provide for Analytics paradigms. Describe what analytic paradigms are available. The API portal needs to provide access to reports and charts including:
• Predictive
• Real-time
• Historic
• Message Logs
19.0 The proposed solution should be able to integrate with SOA/ESB. Can your product seamlessly integrate with any SOA/ESB architecture? Please explain and provide reference examples of clients with successful implementations. Include one such reference in Tab 2B.
1.0 Deployment Flexibility - Product must support public cloud, private cloud and hybrid deployments. Describe the platform's support for on-premises and cloud deployments, with specific attention to feature parity and central management of a hybrid deployment modality.
2.0 Multi-tenancy - Product must support multi-tenancy for both public and private cloud deployments. Multiple teams should be able to work independently with runtime isolation.
4.0 CI/CD - The platform should be able to integrate into continuous integration and continuous deployment practice. Explain the features of your product that support this goal.
5.0 Multi-DC deployments - The product should support multi-DC deployments. Explain whether the product provides a centralized UI for multi-DC deployments or whether each data center must be managed independently.
6.0 Zero downtime rolling upgrades - The product should support zero-downtime patching and updates. Explain how your product achieves this.
7.0 Intelligent Traffic Routing - The product should have the ability to do intelligent traffic routing to give users the closest point of presence over wide geographical areas.
13.0 API Discovery - The product should have features like Catalog, Search and Provisioning. Explain in detail.
14.0 Alerting - Product should have an alerting mechanism in place. Please explain the product features.
Does the product have the ability to customize the log content (log entry formatting, including selective input parameters, the authenticated user, etc.)?
16.0 Reporting - Product should have some sort of reporting features. Describe what types and level of reporting are available. Can we manipulate and create custom reports using a web-based GUI?
17.0 FHIR (Fast Healthcare Interoperability Resources) - Product should support FHIR APIs. Please explain the product's ability to support FHIR API calls and its interoperability features.
Item No. | B - API Gateway Requirements | Meets Requirement | Does Not Meet Requirement | Comment
1.0 Design/Documentation - Product should support OpenAPI (formerly known as Swagger) or RAML to design APIs and generate documentation.
3.0 API uniformity - The platform should enforce some sort of uniformity across API creators/publishers. Does the product help create uniform, consistent, well-formed APIs, even if the underlying backend systems weren't built that way?
4.0 Traffic Mediation - The product should support SOAP to REST (and vice versa) mediation, data format transformation, and legacy application integration.
5.0 Policy management - Product should have a policy management feature. Describe the product approach to policy management, and the relationship between a backend API implementation, policy, and a packaged API product (through addition of SLAs, QoS). Can a custom policy be created?
7.0 Branding Support - Customer should be able to brand the API as per its needs. Please explain if the customer can skin and modify the portal without the vendor. If yes, how? And to what extent?
8.0 Existing assets inclusion - Does the product have an asset inclusion feature? Can your platform reference existing assets such as encryption libraries, schema validation tools, data validation libraries, etc.?
9.0 Fraudulent data injections - The product should be able to handle fraudulent data injections. How does your product support threat detection by detecting fraudulent data injections at the API level?
10.0 Protection from traffic spikes - The product should be able to handle and manage traffic spikes. Please describe your ability to protect from traffic spikes.
11.0 Rates and Quotas - Product should have a rate and quota limiting feature. Please describe your ability to manage API consumption through quotas. Can quotas be set up both by developers and by product managers post-development? Can they be adjusted at runtime?
14.0 Proxy - Product should have proxy support. Please describe your ability to enhance proxy functionality through both configuration and code. Does the proxy support compression? Does the proxy support HTTP & HTTPS? When necessary, can the proxy talk to JMS-based systems? Does the proxy support dynamic routing (orchestration, or intelligent routing to a second system based upon the response from a first system)?
19.0 Language support - The product should support some common languages like Java, Python, or JavaScript. Which languages does your product support? What is the support for existing tools and technologies such as the Microsoft and Java development platforms?
20.0 Governance - APIM product should have a governance feature. What are the standard governance features available in the product? How does the product support API lifecycle governance?
21.0 External and Internal users - The product should be able to publish APIs to external and internal customers. Please explain how these are managed independently.
22.0 Visibility and Access - The product should be able to manage API visibility and restrict access to consumers. Please explain whether this is configured in the platform or built as part of the API enablement.
24.0 Data Inclusion - Does the product have the ability to create rules for data inclusion and exclusion based on the:
- authenticated user
- header of the request
- certain data values in the request
- certain data values in the response
1.0 Out of box reports - The product should provide some sort of out-of-the-box reports. Please explain:
- whether there is a UI which allows for drill-down on each of the charts
- whether the tool provides a wizard for creating custom reports, and whether these custom dashboards can be used to perform root-cause analysis
- whether reports can be created on demand
2.0 - What tools are available out of the box to do various kinds of trend analysis (like performance) and inspection of anomalies?
- Please explain whether the data for analytics is collected asynchronously (so as not to impede runtime traffic).
- Does the analytics data, once collected, provide an API for easy access and export?
- What level of operational visibility can the solution provide based on API traffic flowing through the system?
- Is there a service for attaining business-level insights based on the contextual data?
2.0 Data Protection - The product should provide data security. Describe the system support for data encryption, data masking etc. for PCI/PII compliance. Does the product have any integration with a DLP (Data Loss Prevention) solution?
3.0 API Identity - Describe the other features used in your product, such as Authentication & Authorization, API key, OAuth, SAML, LDAP, proprietary IAM, multifactor, token translation & management, etc.
4.0 Threat protection - The product should be secure against the threats listed below. Describe the platform's support for security threat protection:
• JSON Message Threat
• XML Message Threat
• SQL Injection
• JavaScript Injection
• Pattern Matching
• Virus infection
• Cross Site Scripting
• Insecure Direct Object References (IDOR)
• Bad Session / Authentication Handling
5.0 IP white & black listing - The product should be able to support IP white & black listing (allow and deny lists) when connecting with API consumers. Does the product integrate with a SIEM (Security Information and Event Management) solution to issue such alerts?
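As an illustration of the checks behind items 4.0 and 5.0 (message threat protection and IP allow/deny listing), the following Python example is added here; it is not part of the RFP and is not any vendor's product code. The CIDR lists, size thresholds, injection signature and sample requests are all constructed assumptions for the example. The deny reason it returns is the kind of event a gateway would forward to a SIEM.

```python
"""Gateway-side message threat and IP list checks.

Added example, not vendor code: the kind of pre-filter an API gateway
applies before a request reaches the backend. The CIDR lists,
thresholds, signature and sample requests below are constructed.
"""
import ipaddress
import json
import re

# Constructed policy: CIDR allow/deny lists and message size limits.
ALLOW_CIDRS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
DENY_CIDRS = [ipaddress.ip_network("203.0.113.66/32")]
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 8
MAX_ARRAY_LEN = 1000
MAX_STRING_LEN = 4096

# Coarse signature for injection probes inside string values. This is an
# alerting signal only; parameterized queries at the backend remain the
# real control against SQL injection.
INJECTION_RE = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|<script\b)")
# DOCTYPE/ENTITY declarations enable entity expansion and XXE; an API
# gateway has no reason to accept them in an XML message.
XML_DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def ip_allowed(client_ip: str) -> bool:
    """Deny list wins over allow list; unlisted sources are denied."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in DENY_CIDRS):
        return False
    return any(addr in net for net in ALLOW_CIDRS)


def _walk_json(node, depth=1):
    """Return the first JSON message threat found, or None."""
    if depth > MAX_JSON_DEPTH:
        return "json_depth"
    if isinstance(node, dict):
        for key, value in node.items():
            if len(key) > MAX_STRING_LEN:
                return "json_string_length"
            found = _walk_json(value, depth + 1)
            if found:
                return found
    elif isinstance(node, list):
        if len(node) > MAX_ARRAY_LEN:
            return "json_array_length"
        for value in node:
            found = _walk_json(value, depth + 1)
            if found:
                return found
    elif isinstance(node, str):
        if len(node) > MAX_STRING_LEN:
            return "json_string_length"
        if INJECTION_RE.search(node):
            return "injection_pattern"
    return None


def check_request(client_ip: str, content_type: str, body: bytes) -> str:
    """Return 'allow' or 'deny:<reason>'; the reason is what gets logged."""
    if not ip_allowed(client_ip):
        return "deny:ip_not_permitted"
    if len(body) > MAX_BODY_BYTES:
        return "deny:body_too_large"
    if content_type.startswith("application/json"):
        try:
            parsed = json.loads(body)
        except ValueError:
            return "deny:json_malformed"
        reason = _walk_json(parsed)
        return f"deny:{reason}" if reason else "allow"
    if content_type.startswith(("application/xml", "text/xml")):
        if XML_DECL_RE.search(body):
            return "deny:xml_entity_declaration"
        return "allow"
    return "deny:unsupported_content_type"


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_request("10.1.2.3", "application/json", b'{"patient": {"id": "123"}}'))
    print(check_request("203.0.113.66", "application/json", b"{}"))
    print(check_request("10.1.2.3", "application/json", b"[" * 20 + b"]" * 20))
    bomb = b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">]><x>&lol;</x>'
    print(check_request("10.1.2.3", "application/xml", bomb))
```

The order of checks matters: source address and body size are rejected before any parsing so that an attacker cannot make the gateway spend parser time on traffic it would refuse anyway, and the XML check runs on the raw bytes rather than on a parsed tree, so an entity-expansion document is refused before any parser touches it.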
6.0 Security Certifications - Please explain what standard industry security certifications are available for your product.
7.0 Security Mechanisms - Please explain the mechanisms you use to support API security (e.g. tokens, encryption, policy systems).
8.0 OAuth - The product should have OAuth support. Please describe your expertise with OAuth (including major customers you have supported). Which versions of OAuth are supported?
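For items 3.0 (API Identity) and 8.0 (OAuth), the following added Python example (not from the RFP or any vendor's product) shows the checks a gateway applies to an OAuth 2.0 bearer access token before it evaluates API policy. The shared signing key, issuer, audience and SMART-style scope names are assumptions made for the example; a production gateway would verify asymmetric (RS256/ES256) signatures against the authorization server's published keys rather than a shared secret.

```python
"""Bearer token validation at the gateway (HS256 JWT).

Added example, not vendor code. SHARED_SECRET, EXPECTED_ISS,
EXPECTED_AUD and the scope names are assumptions for the illustration.
"""
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"example-only-not-a-real-key"  # assumption for the example
EXPECTED_ISS = "https://auth.example.org"       # assumption
EXPECTED_AUD = "fhir-gateway"                   # assumption


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Issue a token; stands in for the authorization server in this example."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, required_scope: str, now: float):
    """Return (True, claims) or (False, reason). Every check is explicit so
    the gateway can log exactly why a token was refused."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable"
    # Pin the algorithm: the token must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return False, "alg_not_allowed"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad_signature"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong_issuer"
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        return False, "wrong_audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "not_yet_valid"
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        return False, "insufficient_scope"
    return True, claims


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 300,
                        "scope": "patient/Patient.read"})
    print(validate_token(token, "patient/Patient.read", now))
    print(validate_token(token, "patient/Patient.write", now))
    print(validate_token(mint_token({"exp": now + 300}, alg="none"), "patient/Patient.read", now))
```

Signature, issuer and audience are verified before any claim is trusted, the algorithm is fixed by the gateway rather than read from the token, and a token that is valid but lacks the scope for the requested operation is refused with a distinct reason, which is the input an operation-level policy (item 16.0 under the security requirements) then consumes.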
Authorization - Describe the platform's support for authorization:
• XACML
• App Contract
• License-based
• 3rd party Identity & Access Mgmt integration
Ensure that the Gateway can effectively identify all security principals.
13.0 CORS - Does the proxy provide support for CORS?
14.0 XML or JSON attacks - The product should be safe from XML or JSON attacks. Please explain how your product achieves this.
15.0 RBAC - The product should support RBAC. Please explain how the solution handles role-based access controls to ensure different members of the API team can perform their roles effectively without affecting other teams.
16.0 HIPAA compliant - The product should be HIPAA compliant. Describe the primary features which support such compliance.
16.0 Operational level security - The product should support security at the API operation level (e.g. a consumer may do GET, but not POST or PUT).
Item No. | E - Developer Portal | Meets Requirement | Does Not Meet Requirement | Comment
1.0 How are assets manifested in the developer portal for developer use?
2.0 Developer On-boarding - The product should facilitate seamless developer on-boarding. Please describe how the tool facilitates on-boarding. Is this portal available as a completely on-premises solution?
3.0 Developer Registration & IAM integration - The product should support Identity and Access Management for developer registration.
4.0 Interactive Documentation - The product should allow creation of interactive API documentation to allow API consumers to easily try out published APIs. Please explain some key features of your product.
1.1 The designated Project Manager will work in cooperation with UCLA department representatives and UCLA's Computer Services representatives. Individuals designated by the vendor will remain in place throughout the project except to the extent illness or injury makes such continuity impossible.
1.3 The qualified respondent will provide qualified and sufficient manpower and resources to facilitate the project in the time frame allocated.
1.4 Please list the job titles of employees that would be assigned to the project and the estimated percentage of their work hours that would be devoted to UCLA's project.
1.5 Personnel assigned to the project will remain a part of the project throughout the duration of the project as long as the personnel remain employed by the contractor or subcontractor, unless replaced by the contractor at the request of UCLA Health System.
2.0 The Project Manager will work closely with UCLA to develop implementation schedules and the quantity of work necessary for each phase of the project required. What is the average amount of time required for implementation? What is the minimum amount of time required?
2.1 List any competing orders from other customers across the country with potentially parallel delivery and implementation time frames.
3.0 Provide a sample project plan and timeline for a UCLA Health System implementation with an anticipated start date in the 3rd quarter of 2017.
3.1 The project plan should also contain an executive summary (no more than two pages in length) on how your company would approach an implementation at UCLA Health System. Explain your standard preparation/process for pre-implementation. Describe other on-site and off-site project management support provided.
5.1 Describe:
1) Recommended connectivity
2) Load balancing recommendations
3) Redundancy recommendations.
5.2 Describe how storage will be configured to support requirements. What is the minimum space requirement for the product's configuration?
5.3 Describe any software, firmware or other processes that need to be set up for reporting and management of the subsystem. Include the following:
1) Any products that need to be installed
2) Any additional servers required to run management/configuration/reporting software
3) How the system reports problems, and the requirements for set up
4) How the system is configured and whether any additional hardware or software is required.
5.4 It is required that this equipment support upgrades to the processing environment, both hardware and software. Please explain the support profile for this product, including:
1) How quickly your company responds to hardware and/or software changes from other vendors that may require changes to the subsystem
2) How upgrades to the subsystem are validated such that they will not be disruptive to the current production environment.
2.0 With your submittal please provide a sample copy of your training and implementation materials.
2.0 Please identify the office which would provide UCLA support and provide the location and time zone.
3.0 The vendor shall be capable of connecting to client sites remotely to assist with implementation and training if needed.
4.0 The Vendor shall respond to client questions to acknowledge receipt of the question and provide an estimate as to when a reply can be expected.
6.0 The vendor shall maintain and make available regular client support staff from 8 AM to 5 PM Pacific Time. State the typical coverage time.
7.0 The vendor shall maintain and make available an emergency client support staff to be contacted outside normal business hours (8 AM to 5 PM Pacific Time). Please describe the emergency contact procedure and any upcharges associated with after-hours emergency service.
8.0 The vendor shall maintain and make available current application web resources, publications, references and training materials, etc. to clients.
10.0 The vendor shall maintain a web list where clients can post questions and exchange information and ideas with other clients.
2 USER LICENSES
9 DEVELOPMENT ASSISTANCE
10 YEAR 1 SUPPORT
SERVICES SUBTOTAL
PROPOSED SOLUTION ACQUISITION TOTAL
YEAR 2 SUPPORT
YEAR 3 SUPPORT
YEAR 4 SUPPORT
YEAR 5 SUPPORT
2 USER LICENSES
10 DEVELOPMENT ASSISTANCE
11 YEAR 1 SUPPORT
SERVICES SUBTOTAL
PROPOSED SOLUTION ACQUISITION TOTAL
SUBSCRIPTION/LICENSE (YEAR 2)
SUBSCRIPTION/LICENSE (YEAR 3)
SUBSCRIPTION/LICENSE (YEAR 4)
SUBSCRIPTION/LICENSE (YEAR 5)
YEAR 2 SUPPORT
YEAR 3 SUPPORT
YEAR 4 SUPPORT
YEAR 5 SUPPORT
FOLLOW-UP TRAINING 1
SUBSEQUENT YEARS SUBTOTAL
5-YEAR COST OF OWNERSHIP
LICENSE FEE FOR AVAILABLE OPTIONAL TIER LEVELS (SPECIFY USER COUNT IF AVAILABLE) | UNIT COST