The vendor is required to provide an enterprise inventory management system to support 24 state-operated psychiatric centers and approximately 310 outpatient programs that involve approximately 9,000 users.
- Include outpatient treatment programs, day treatment programs, assertive community treatment (ACT), residential services, correction-based operation (CBO) and sexual offender treatment program (SOTP).
- Service model - cloud solution:
• Software as a service (SaaS)
- Deployment model - cloud solution:
• Private cloud
• Community cloud
• Public cloud
- Applicable statutory/policy requirement:
• State information security policies
• HIPAA (nice to have)
- Include for services:
• Provide real-time inventory tracking and management
• Support multiple locations and inter-facility transfers
• Offer robust reporting and analytics capabilities
• Integrate with existing systems through
• Comply with state regulations for cloud services used by state agencies
- Cloud service model
• The solution must be provided as a software as a service (SaaS) model.
- Cloud deployment model: a cloud-based deployment for the inventory management system that balances security, compliance, scalability, and cost-effectiveness; the private cloud, community cloud, and public cloud deployment models each offer distinct advantages and must address specific needs:
1. Private cloud: A private cloud deployment would provide dedicated resources and the highest level of control over the infrastructure; this model is particularly suitable if:
• The highest level of data isolation is required
• Direct control over all aspects of the infrastructure is necessary
• Customization needs are extensive and specific to our organization
2. Community cloud: A community cloud model, shared among multiple state agencies or healthcare organizations, could offer a balance of control and cost-efficiency; this model may be appropriate if:
• Resource sharing among trusted organizations is acceptable
• There are common compliance and security requirements across the user community
• Costs can be distributed among multiple agencies or organizations
3. Public cloud: A public cloud solution from a major provider could offer the most scalability and potentially the most cost-effective option; this model could be suitable if:
• The provider offers healthcare-specific compliance features
• Adequate security measures and data isolation can be guaranteed
• The solution offers the required flexibility and scalability
a) Compliance: Adhere to state information security policies, standards, and relevant healthcare regulations.
b) Data residency: All data remains within the states.
c) Authentication and access control: Integrate with state identity and access management (IAM) solutions and support role-based access control.
d) Data security: Implement appropriate security measures for medium-risk data, including encryption at rest and in transit.
e) Performance and scalability: Meet or exceed specified performance requirements and scale to support all 24 hospitals.
f) Interoperability: The required and integration capabilities specified
g) Disaster recovery and business continuity: Provide robust backup, failover, and recovery capabilities.
h) Customization: Necessary customizations to meet the specific needs of our inventory management processes.
i) Cost-effectiveness: Provide a solution that balances functionality, security, and cost.
- Data categorization
a) Nature of data: while the system primarily manages inventory information for medical supplies and personal protective equipment (PPE), directly contain protected health information (PHI), the data is critical to hospital operations and patient care.
b) Operational impact: Unauthorized access, modification, or loss of this data could potentially disrupt hospital operations, indirectly affecting patient care and safety; operational criticality elevates the risk level.
c) Strategic value: The inventory data provides insights into hospital readiness, resource allocation, and supply chain vulnerabilities; strategic value increases its sensitivity.
d) Regulatory compliance: As a state agency system, it falls under state data protection regulations while directly subject to HIPAA, maintaining HIPAA-compatible security measures is advisable.
e) Security requirements: the system requires robust security measures, including:
• Strong access controls and user authentication
• Encryption of data at rest and in transit
• Regular security audits and monitoring
• Comprehensive backup and recovery procedures
f) Potential threats: the system could be a target for various threats, including:
• Cyber-attacks aiming to disrupt healthcare operations
• Insider threats (e.g., theft or unauthorized modifications)
• Industrial espionage seeking strategic information
- Data ownership
• The state office of mental health shall own all right, title, and interest in the data.
- Data location
• All data must be stored and processed within the states.
- Encryption
• Data must be encrypted at rest and in transit using industry-standard encryption methods.
- Security
• The system must comply with state information security policies and should be designed with HIPAA compliance in mind.
- Maintenance/support
• The vendor must provide ongoing maintenance and support, including regular updates and a responsive helpdesk.
- Infrastructure support services
• 24/7 infrastructure support is required, with clearly defined SLAs for response and resolution times.
- Business continuity/disaster recovery (BC/DR) operations
• The vendor must provide a comprehensive BC/DR plan ensuring minimal disruption to service in case of an outage.
- Authentication tokens
• The system must adhere to state information technology services authentication standards; this includes:
1. Support for state identity and access management (IAM) solutions
2. Integration with the state's single sign-on (SSO) system
3. Support for multi-factor authentication (MFA) as required by state ITS policies
• Includes providing detailed documentation on how the system will:
1. Integrate with NY.gov ID
2. Support SSO functionality
3. Implement required MFA mechanisms
4. Manage user roles and permissions in alignment with state policies
5. Ensure all authentication processes meet or exceed state ITS security standards
- Application program interface (API)
• The system must provide robust, well-documented APIs to allow integration with existing hospital systems.
• The API implementation should adhere to the following industry best practices and standards:
a) API types and protocols:
1. RESTful APIs: The system should primarily use RESTful APIs, following HTTP/HTTPS protocols.
2. SOAP APIs: Support for SOAP may be required for integration with legacy systems.
3. GraphQL: Consider supporting GraphQL for more efficient data querying, especially for complex inventory reports.
b) Data formats:
1. JSON: Primary data format for request and response payloads.
2. XML: Support for XML may be required for certain integrations.
c) Authentication and security:
1. OAuth 2.0: Implement OAuth 2.0 for secure API authentication and authorization.
2. API keys: Provide API key management for simpler integrations.
3. HTTPS: All API endpoints must be secured using TLS/SSL encryption.
4. Rate limiting: Implement rate limiting to prevent API abuse.
d) Documentation and developer support:
1. OpenAPI (Swagger) specification: Provide comprehensive API documentation using OpenAPI 3.0 or later.
2. Interactive documentation: Offer an interactive API console for testing and exploration.
3. Code samples: Provide sample code in common programming languages for API usage.
e) Versioning and lifecycle management:
1. Implement clear API versioning (e.g., v1, v2) to manage changes and updates.
2. Maintain backwards compatibility for at least one previous major version.
3. Provide a deprecation policy and timeline for sunsetting older API versions.
f) Performance and scalability:
1. Design APIs to be stateless to improve scalability.
2. Implement caching mechanisms to enhance performance.
3. Ensure APIs can handle high concurrency for real-time inventory updates.
g) Specific functionality:
1. Inventory CRUD operations: APIs for creating, reading, updating, and deleting inventory items.
2. Stock level queries: APIs to check current stock levels, including low stock alerts.
3. Order management: APIs for creating and managing supply orders.
4. Transfer management: APIs to facilitate inter-facility transfers.
5. Reporting: APIs to generate and retrieve various inventory reports.
6. User management: APIs for managing user accounts and permissions.
h) Error handling and logging:
1. Implement consistent error responses with clear error codes and messages.
2. Provide detailed logging for API calls to aid in troubleshooting and auditing.
i) Healthcare standards compliance:
1. HL7 FHIR: Consider supporting HL7 FHIR standards for healthcare-specific integrations.
2. HIPAA compliance: Ensure all APIs adhere to HIPAA security and privacy requirements.
j) Webhooks and event-driven architecture:
1. Implement webhooks to allow real-time notifications for inventory changes, low stock alerts, etc.
2. Support pub/sub patterns for event-driven integrations.
- Implementation of cloud solution
• System setup and configuration
• Data migration from existing systems
• Integration with other hospital systems as required
• User training and documentation
• Go-live support
- Recurring services
• Regular system updates and upgrades
• Helpdesk support
• Performance monitoring and optimization
• Security patching and updates
- The inventory management system must include the following features:
• Real-time tracking of medical supplies and across all 24 hospitals
• Ability to set and monitor inventory thresholds, with automated notifications for low stock levels
• Inter-facility transfer capabilities, allowing hospitals to request or send supplies to other facilities
• Granular reporting and analytics on inventory levels, usage patterns, and potential theft indicators
• User-friendly interface for staff to request supplies from their facility's storehouse
• Role-based access control to ensure users can only access appropriate inventory data.
- Questions/Inquiries Deadline: February 20, 2025