Sample IT Technology Security Review Form for a Healthcare Provider

Below are some considerations for a form that you might build when evaluating SaaS or other technology solutions (Tallyfy, for example) for healthcare services, hospitals and hospital groups.

Please note this disclaimer. I’m affiliated with Tallyfy — a workflow and BPM platform which differentiates through incredible ease-of-use, customer-facing features and flexibility to drive adoption in modern teams.

This is purely a sample, and I am not responsible for omissions and usage.

General Information

Form completed by:

Date completed:

Sponsoring Manager / Director and Group:

COMPANY Business Analyst:

COMPANY Owner / Group:

Application name / URL:

Vendor name / URL:

Business purpose:

Project number (provide the number and the Daptiv URL, and make sure we have access):

Is this application an enterprise standard or region specific?

Does this application replace an existing application?

Is the application already in use or proposed?

If this is an upgrade to an existing application, provide the AIR / SIR URL:

Data type / classification (PHI, Financial, Credit Cards, Public):

Has a contract and / or BAA (Business Associate Agreement) with the vendor been signed?

Provide the vendor's architecture diagram (showing all tiers and connectivity), administrator's guide, installation guide and security documentation along with this document.

Will any data be migrated or imported to the application?

What interfaces will be used to/from other applications?

Application Installation Type

Install type (on-premise, SaaS, ASP or hosted):

If SaaS, who is the hosting provider and what certifications does the hosting provider hold?

If SaaS, would COMPANY's data be on a shared or a dedicated system?

If SaaS, is the data exclusively owned by COMPANY?

If on-premise, can the supporting hardware be located at our data center?

Is any of the hardware provided by the vendor?

Application delivery (Web, Client/Server, Citrix, etc.):

Are there separate front-end and back-end access URLs?

Authentication and Administration

Application logon authentication type (native, secure LDAP (LDAPS), Kerberos, SAML):

If native authentication is used, what are the password policy capabilities?

Support for role-based access control (RBAC), and to what extent:

How is Single Sign On (SSO) supported?

Describe Active Directory integration with and without AD Groups:

Describe application administrative functionality:

Describe the process to add and remove users and rights:

Audit

Application Audit trail / log capabilities for users, administrators, systems and databases:

Where are the audit trails / logs located and stored?

Monitoring capabilities or requirements:

Support

Vendor remote support model and tools required:

How are patches deployed, and how frequently?

Are there any requirements for, or exclusions from, the standard anti-virus applications?

Workstation

Workstation OS and OS Versions supported:

Browsers supported / requirements:

Transport Encryption:

Session timeout options:

Mobile

Mobile Client type supported:

Mobile OS and OS Versions supported:

Mobile application delivery:

Transport Encryption:

Session timeout options:

Application Server

Application Server OS Version supported or required:

Does the application require any file shares?

Web Application Server

Web Server software supported or required:

How is the web server URL accessed (public or private)?

What level of encryption is supported?

Web application vulnerability scanning: performed internally or by a 3rd party, and how frequently?

Database Server

Database type (Oracle, SQL, MySQL, Pervasive):

Database Encryption:

Database Authentication:

If native or local database authentication is used, what are the password policy capabilities?

Network Requirements

Provide any special network configuration requirements for the following:

Firewall, proxy, Wi-Fi, wireless, cellular, telephony, VoIP, VPN, NAT, VLAN, ports, IPsec, DMZ, etc.
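Once a vendor has filled the form in, the answers still have to be read against a baseline. The script below is an added example (not part of the original post, and not Tallyfy's code) that triages a completed form: the field names, the sample answer set and the thresholds (a TLS 1.2 floor, audit coverage for all four scopes named in the form) are assumptions made for this illustration, and the rules map back to the questions above (PHI with no BAA, shared tenancy, native authentication without a password policy, weak transport encryption, missing session timeout, audit, vulnerability-scan and database-encryption answers).

```python
"""Triage a completed technology security review form.

Added example, not part of the original post. Field names, the sample answers
and the severity thresholds are constructed for this illustration; each rule
corresponds to a question on the sample form above.
"""
import re

# Constructed sample answer set, keyed loosely by the form's question names.
SAMPLE_FORM = {
    "data_classification": ["PHI", "Financial"],
    "baa_signed": False,
    "install_type": "SaaS",
    "saas_tenancy": "shared",
    "hosting_certifications": [],
    "logon_auth_type": "Native",
    "native_password_policy": "",
    "audit_log_scope": ["users"],
    "workstation_transport_encryption": "TLS 1.0, TLS 1.2",
    "mobile_transport_encryption": "TLS 1.2",
    "session_timeout": "",
    "web_vuln_scan": "",
    "database_encryption": "",
}

# Matches "TLS 1.2", "TLSv1.0", "SSL 3.0" etc. in a free-text answer.
TLS_VERSION = re.compile(r"(?:TLS|SSL)\s*v?(\d(?:\.\d)?)", re.IGNORECASE)

AUDIT_SCOPES = {"users", "administrators", "systems", "databases"}


def weakest_transport_version(answer):
    """Lowest protocol version named in a transport encryption answer.

    SSL versions are scaled below TLS (SSL 3.0 -> 0.3) so the minimum is
    meaningful. Returns None when no protocol version is mentioned.
    """
    versions = []
    for m in TLS_VERSION.finditer(answer):
        proto, ver = m.group(0)[:3].upper(), float(m.group(1))
        versions.append(ver / 10 if proto == "SSL" else ver)
    return min(versions) if versions else None


def review_findings(form):
    """Return (severity, message) tuples for answers that need follow-up."""
    findings = []
    handles_phi = "PHI" in form.get("data_classification", [])

    if handles_phi and not form.get("baa_signed"):
        findings.append(("high", "PHI in scope but no signed BAA with the vendor"))

    if form.get("install_type") == "SaaS":
        if handles_phi and form.get("saas_tenancy") == "shared":
            findings.append(("medium", "PHI on a shared (multi-tenant) system; confirm tenant isolation"))
        if not form.get("hosting_certifications"):
            findings.append(("medium", "No hosting provider certifications listed"))

    if form.get("logon_auth_type", "").lower() == "native" and not form.get("native_password_policy"):
        findings.append(("high", "Native authentication with no documented password policy"))

    for field in ("workstation_transport_encryption", "mobile_transport_encryption"):
        lowest = weakest_transport_version(form.get(field, ""))
        if lowest is None:
            findings.append(("high", f"{field}: no transport encryption documented"))
        elif lowest < 1.2:  # assumed baseline: nothing below TLS 1.2
            findings.append(("high", f"{field}: allows a protocol version below TLS 1.2"))

    if not form.get("session_timeout"):
        findings.append(("medium", "No session timeout options documented"))

    missing_audit = AUDIT_SCOPES - set(form.get("audit_log_scope", []))
    if missing_audit:
        findings.append(("medium", "Audit trail does not cover: " + ", ".join(sorted(missing_audit))))

    if not form.get("web_vuln_scan"):
        findings.append(("medium", "No web application vulnerability scan frequency documented"))

    if handles_phi and not form.get("database_encryption"):
        findings.append(("high", "PHI stored without documented database encryption"))

    return findings


def highest_severity(findings):
    """Overall rating for the review: the most severe finding, or None if clean."""
    order = {"high": 2, "medium": 1, "low": 0}
    return max((sev for sev, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    for sev, msg in review_findings(SAMPLE_FORM):
        print(f"[{sev.upper()}] {msg}")
```

The transport-encryption check deliberately takes the weakest version the vendor lists rather than the strongest, since a client that can be downgraded to TLS 1.0 is exposed regardless of whether TLS 1.2 is also offered; the same "judge by the worst option" approach applies to the mobile answers.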
