Sample IT Technology Security Review Form for a Healthcare Provider
Below are some considerations for a form you might build when evaluating SaaS or other technology solutions (such as Tallyfy) for healthcare services, hospitals and hospital groups.
Please note this disclaimer. I’m affiliated with Tallyfy — a workflow and BPM platform which differentiates through incredible ease-of-use, customer-facing features and flexibility to drive adoption in modern teams.
This is purely a sample, and I am not responsible for omissions and usage.
Form completed by:
Sponsoring Manager / Director and Group:
COMPANY Business Analyst:
COMPANY Owner / Group:
Application name / URL:
Vendor name / URL:
Project number (provide number and URL to Daptiv and make sure we have access):
Is this application an enterprise standard or region-specific?
Does this application replace an existing application?
Is the application already in use or proposed?
If this is an upgrade to an existing application, provide the AIR / SIR URL:
Data type / classification (PHI, Financial, Credit Cards, Public):
Has a contract and / or BAA (Business Associate Agreement) with the vendor been signed?
Provide the vendor's architecture diagram (showing all tiers and connectivity), administrator's guide, installation guide and security documentation with this document.
Will any data be migrated or imported to the application?
What interfaces will be used to/from other applications?
Application Installation Type
Install type (On-Premise, SaaS, ASP, hosted):
If SaaS, who is the hosting provider and what certifications (e.g. SOC 2, HITRUST, ISO 27001) does the hosting provider hold:
If SaaS, would COMPANY's data be on a shared or dedicated system:
If SaaS, is the data exclusively owned by COMPANY:
If On-Premise, can the supporting hardware be located at our data center:
Is any of the hardware provided by the vendor?
Application delivery (Web, Client/Server, Citrix, etc.):
Are there separate front-end and back-end access URLs?
Authentication and Administration
Application logon authentication type (Native, LDAPS, Kerberos, SAML):
If native authentication, what are the password policy capabilities (length, complexity, expiry, lockout, MFA):
Support for Role-Based Access Control (RBAC) and to what extent:
How is Single Sign On (SSO) supported?
Describe Active Directory integration with and without AD Groups:
Describe application administrative functionality:
Describe the process to add and remove users and rights:
Application Audit trail / log capabilities for users, administrators, systems and databases:
Where are the audit trail / logs located / stored:
Monitoring capabilities or requirements:
Vendor remote support model and tools required:
How are patches deployed, and how frequently?
Are there any requirements or exclusions for standard anti-virus applications?
Workstation OS and OS Versions supported:
Browsers supported / requirements:
Session Time Out options:
Mobile Client type supported:
Mobile OS and OS Versions supported:
Mobile application delivery:
Mobile session time-out options:
Application Server OS Version supported or required:
Does the application require any file shares?
Web Application Server
Web Server software supported or required:
How is the web server URL accessed (public or private):
What encryption is supported in transit and at rest (TLS versions and cipher suites; database / storage encryption)?
Web application vulnerability scan: performed internally or by a 3rd party, and how frequently (provide the most recent report):
Database type (Oracle, SQL Server, MySQL, Pervasive):
If the database uses native or local authentication, what are the password capabilities:
Provide any special network configuration requirements for the following:
Firewall, proxy, Wi-Fi / wireless, cellular, telephony, VoIP, VPN, NAT, VLAN, ports, IPsec, DMZ, etc.
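Once a vendor has filled in a form like the one above, the answers are usually checked by hand. The following is an added example (not part of the original post or of Tallyfy) that encodes a few of the form's questions as review rules: PHI requires a signed BAA, SaaS answers must name a hosting provider and its certifications, native authentication must describe a password policy, audit trails must cover users, administrators, systems and databases, and so on. Field names, the 12-character and 15-minute thresholds, and the sample vendor answers are all assumptions made for the illustration, not a standard.

```python
# Added example: a small rule engine over a completed security review form.
# Field names, thresholds and the sample answers are illustrative assumptions.
from __future__ import annotations

REQUIRED_LOG_SCOPES = {"users", "administrators", "systems", "databases"}


def review(form: dict) -> list[str]:
    """Return the findings a reviewer would raise; an empty list means no issues found."""
    findings: list[str] = []
    classes = {c.strip().lower() for c in form.get("data_classification", [])}
    sensitive = bool(classes & {"phi", "financial", "credit cards"})

    # Contract / BAA: a vendor handling PHI on your behalf must be under a BAA.
    if "phi" in classes and not form.get("baa_signed"):
        findings.append("PHI in scope but no signed BAA")

    # Installation type questions (SaaS branch of the form)
    if form.get("install_type") == "SaaS":
        if not form.get("hosting_provider"):
            findings.append("SaaS: hosting provider not identified")
        if not form.get("hosting_certifications"):
            findings.append("SaaS: no hosting provider certifications supplied")
        if sensitive and form.get("tenancy") == "shared":
            findings.append("SaaS: sensitive data on shared tenancy; confirm isolation controls")
        if form.get("data_owned_by_company") is False:
            findings.append("SaaS: vendor terms do not give COMPANY exclusive data ownership")

    # Authentication and administration
    if form.get("auth_type") == "Native":
        pw = form.get("native_password_policy", {})
        if pw.get("min_length", 0) < 12:  # 12 is an assumed internal minimum
            findings.append("Native auth: minimum password length below 12")
        if not pw.get("lockout"):
            findings.append("Native auth: no account lockout")
        if not pw.get("mfa"):
            findings.append("Native auth: no MFA option")
    if not form.get("sso_supported"):
        findings.append("No SSO support; manual provisioning and de-provisioning required")

    # Audit trail coverage for users, administrators, systems and databases
    missing = REQUIRED_LOG_SCOPES - {s.lower() for s in form.get("audit_log_scope", [])}
    if missing:
        findings.append("Audit trail missing: " + ", ".join(sorted(missing)))

    # Session time-out (15 minutes is an assumed internal standard for sensitive data)
    timeout = form.get("session_timeout_minutes")
    if sensitive and (timeout is None or timeout > 15):
        findings.append("Session timeout missing or longer than 15 minutes for sensitive data")

    # Encryption in transit: anything below TLS 1.2 is rejected
    if form.get("min_tls_version", 0) < 1.2:
        findings.append("Encryption in transit below TLS 1.2")

    # Web application vulnerability scanning schedule
    if not form.get("vuln_scan_frequency"):
        findings.append("No web application vulnerability scan schedule provided")
    return findings


def verdict(findings: list[str]) -> str:
    """Collapse findings into an outcome: approve, conditional, or block."""
    if not findings:
        return "approve"
    blocking = ("BAA", "TLS", "ownership")  # assumed hard-stop categories
    return "block" if any(b in f for f in findings for b in blocking) else "conditional"


# Constructed sample answer set for a hypothetical SaaS workflow application
SAMPLE_FORM = {
    "application": "ExampleFlow (hypothetical)",
    "data_classification": ["PHI", "Financial"],
    "baa_signed": False,
    "install_type": "SaaS",
    "hosting_provider": "ExampleCloud (hypothetical)",
    "hosting_certifications": ["SOC 2 Type II", "HITRUST"],
    "tenancy": "shared",
    "data_owned_by_company": True,
    "auth_type": "Native",
    "native_password_policy": {"min_length": 8, "lockout": True, "mfa": False},
    "sso_supported": True,
    "audit_log_scope": ["users", "administrators"],
    "session_timeout_minutes": 30,
    "min_tls_version": 1.2,
    "vuln_scan_frequency": "quarterly, 3rd party",
}

if __name__ == "__main__":
    for finding in review(SAMPLE_FORM):
        print("-", finding)
    print("verdict:", verdict(review(SAMPLE_FORM)))
```

Run on the constructed sample, this reports the missing BAA, shared tenancy for PHI, the weak native password policy, incomplete audit trail coverage and the long session time-out, and returns a "block" verdict because of the BAA. The point of encoding the form this way is that the conditional questions ("If SaaS...", "If native authentication...") become explicit branches, so a reviewer cannot skip them when the answer that triggers them is present.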