NYU Hospitals Center Facial Recognition

Facial Recognition

Request for Proposal

April 21st 2016

Presented by:

NYU Hospitals Center

Table of Contents

1. Introduction

2. Milestone Calendar

3. Required RFP Response

4. Proposal Due Date, Delivery Instructions and Communication

5. Proprietary Information, Non-Disclosure

6. Costs Incurred

7. NYUHC Reserves Right to Refuse Any and All Bids

8. Effective Period of Prices

9. Functional Requirements

10. Technology Roadmap

11. Professional Services and Customer Support

12. Regulatory and Compliance

13. Training

14. Pricing

15. Implementation Timeline

16. Description of Company

17. Past Performance and References

18. Evaluation Criteria

1.  Introduction

NYU Hospitals Center (NYUHC), a world-class patient-centered integrated academic medical center, is one of the nation’s premier centers for excellence in health care, biomedical research, and medical education. NYU Langone Medical Center comprises three hospitals – Tisch Hospital, a 705-bed acute-care tertiary facility; Rusk Institute of Rehabilitation Medicine, the first rehabilitation hospital in the world with 174 beds and extensive outpatient rehabilitation programs; and the 190-bed Hospital for Joint Diseases, one of only five hospitals in the world dedicated to orthopedics and rheumatology – plus the NYU School of Medicine, one of the nation’s preeminent academic institutions which includes the Smilow Research Center, the Skirball Institute of Biomolecular Medicine, and the Sackler Institute of Graduate Biomedical Sciences. Campus transformation and other activities over the next few years will add additional capacity to the enterprise as well.

NYUHC is committed to making world-class contributions that place service to human health at the center of an academic culture devoted to excellence in research, patient care, and education.

This RFP is being solicited for vendors to provide a flexible and extensible security platform that can be used to provide access control for various parts of the organization. It is anticipated that this platform will be integrated with our existing infrastructure and security processes and be able to utilize facial recognition technology to facilitate access.

NYUHC is seeking a supplier with:

·  Healthcare experience

·  Willing to supply an enterprise security solution

·  Proven track record in regulated environments

·  Monitoring and reporting capabilities

·  Guaranteed dedicated, high quality resources

·  Quick turnaround times for requests

·  Competitive pricing

·  Bring value to NYUHC

2.  Milestone Calendar

The following calendar of events is based on planned NYUHC activities and anticipated supplier delivery capabilities. It is presented for illustrative purposes only. These milestones will be reviewed as necessary at the time a contract is awarded to a Supplier.

Milestones / Date / Time
RFP Release Date / 4/21/2016
Additional Questions due / 4/28/2016 / 12:00 pm EST
Answers to Vendors due / 5/04/2016 / 12:00 pm EST
Proposals Due / 5/12/2016 / 5:00 pm EST
Vendor Meetings / 5/19/2016

Please also refer to section 15 below for further details on the Implementation Timeline and section 18 below for Evaluation Criteria.

3.  Required RFP Response

Suppliers are required to submit their Proposal in the specified electronic format. Supplier will submit their entire RFP response and all completed forms electronically via e-mail to NYUHC with supplier’s information and responses provided in the appropriate places therein. The required electronic applications formats are Microsoft Word and Microsoft Excel. Any supporting graphic or presentation-based slides may be submitted in a separate PowerPoint file. PDF format is not acceptable for any submitted text, graphics or slides.

4.  Proposal Due Date, Delivery Instructions and Communication

All Proposals are due by May 19, 2016, no later than 5:00 P.M. EST.

Send your complete electronic response via email to

Bidders Note: All questions regarding interpretation or specifications must be submitted in writing to only. Under no circumstances shall supplier contact any employee of NYUHC. Any dialogue initiated by the bidder not addressed to contacts above will result in an immediate disqualification. Discussions on other business matters not related to this RFP are permitted.

5.  Proprietary Information, Non-Disclosure

Supplier shall have no rights in this document or the information contained therein and shall not duplicate or disseminate said document or information outside the supplier's organization without the prior written consent of NYUHC.

6.  Costs Incurred

All costs incurred in the preparation of the Proposal shall be borne by supplier. By submitting a Proposal, supplier agrees that the rejection of any proposal in whole or in part will not render NYUHC liable for incurred costs and damages.

7.  NYUHC Reserves Right to Refuse Any and All Bids

Nothing in this RFP shall create any binding obligation upon NYUHC. Moreover, NYUHC, at its sole discretion, reserves the right to reject any and all bids as well as the right not to award any contract under this bid process. NYUHC reserves the right to award a portion of this bid. NYUHC reserves the right to adjust the evaluation criteria after finalizing the scope and pricing requirements after the supplier demo meeting. The winning bidder has the option to repurchase the existing equipment and will have to provide credit on the new purchase. All bids should be governed by NYUHC standard Policy and Procedure and Terms and Conditions.

8.  Effective Period of Prices

All pricing Proposals by supplier will remain fixed and firm through December 31st, 2017.

9.  Functional Requirements

All questions need to be answered in this RFP document.

9.1.  Introduction

NYUHC currently uses a range of solutions to ensure that the environment is appropriately secured. These range from the use of physical locks, electronic door release systems, biometric controls, and others. Access and identity are centralized into a single platform which provides the onboarding, management, auditing and reporting capabilities required by institutional policies and procedures.

As an organization that provides services to the general public, ease of access for our patients, visitors and staff is very important to NYUHC. This open access needs to be balanced with maintaining the security of the environment as there are many areas within the organization that require restricted access for safety or security reasons. To this end, NYUHC is looking at implementing a system whereby access to certain areas is controlled through the use of a facial recognition system. This system should be able to determine the individual’s ability to access a particular area and provide feedback in real time with extremely low false positive or false negative rates.

Preference will be given to those solutions that are based on industry standard technologies; however, novel methods of providing this capability would also be looked on favorably.

9.2.  Business Requirements

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. NYUHC has a requirement for a security solution that can scale to tens of thousands of users utilizing many dozens of access points distributed across multiple sites and locations.
  2. Any solution must have a good user experience to ensure a high compliance rate. Please provide details on usability testing, real world customer feedback and behavioral changes that may be required by implementing your solution.
  3. Other access control requirements may be added depending on updated business requirements.

9.3.  System Architecture

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. Please provide a complete description and architectural overview of the solution. Indicate where third-party solutions are required to provide additional capabilities and include all hardware and software necessary.
  2. Please describe how the solution scales across multiple facilities.
  3. What is the technology being used? How do you utilize existing standards in video, imaging, system, storage and networking technologies?
  4. What technology platform is the system built on? Please provide recommended infrastructure specifications based on the requirements set out in this RFP. Please include all system, storage and network components necessary.
  5. What are the capacity limits of your system? What is the process and additional cost of expanding the system as requirements grow?
  6. What load balancing or high availability functions are supported?
  7. Please provide a comprehensive description of your best practices for a true disaster recovery solution that consists of a core data center and a disaster recovery data center.
  8. Please outline system capabilities regarding Recovery Time Objectives and Recovery Point Objectives.
  9. What is the licensing model used by your solution?
  10. Please describe all enterprise monitoring solutions your product can integrate with.
  11. Does your solution provide an API and, if so, what features/capabilities are supported?
  12. Based on the number of people entering our facility, the system must be able to accommodate over 36,000 users in any single 24-hour period and be able to support a throughput of at least one person per second during peak hours.
  13. Besides meeting the above capacity requirements, assume an annual 5% growth rate and provide enough capacity for the first year.

9.4.  Infrastructure

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. Please specify all hardware and software requirements of the required solution.
  2. Can the client purchase the required hardware from a third party?
  3. Please describe options for mounting the security control system. Include dimensions, power and networking requirements.
  4. How would major release updates/upgrades be handled for the solution, including the backend infrastructure and devices located at access points?
  5. Provide the frequency of software updates and the method of delivery.
  6. What level of server redundancy is supported, and is failover an automatic or manual process? Please describe the failover process in detail.
  7. Describe the networking capabilities that are either supported and/or required to implement the solution, including cabling specifications, management, routing, load balancing, firewalls, etc.
  8. What are the scalability aspects of the system? Please provide an indication of the capacity required to process a set number of individuals.
  9. What database platforms do you support/require?
  10. Do you have an archival strategy for old data, or is all of the data retained in the main database?

9.5.  Facial Recognition

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. What algorithms and/or techniques does your platform use to identify individuals? How does it handle multiple people attempting to pass through the same access point (e.g. tailgating)?
  2. Does the system use additional techniques aside from facial recognition to determine an individual (e.g. measurements of other parts of the body, gait analysis, etc.)?
  3. What are the False Positive and False Negative rates for your system?
  4. How quickly does the system capture, analyze and determine access? Please provide detailed metrics.
  5. Please describe how your system is able to handle changes in facial characteristics, especially facial hair, glasses, head- and neck-wear, impact on aging, etc.
  6. Did your solution participate in the NIST Facial Recognition Vendor Test (FRVT) or Face In Video Evaluation (FIVE)? If so, please provide details. If not, has your solution been involved in comparable independent third party studies?
  7. Does your system conform to ISO/IEC 19794-5 (“Biometric data interchange formats – Part 5: Face image data”), ANSI/NIST-ITL 1-2001 Update:2015 (“Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information”) or other equivalent standards?
  8. Does your product allow for tracking of individuals? Does this capability operate across multiple views (e.g. different angles, rooms, locations, etc.)?
  9. Does your system require any special imaging techniques to capture the initial image of an enrolled individual (e.g. stereoscopic cameras, 3D imaging, etc.)? Please provide exact specifications for all required images, including the resolution and size of the resultant images.
  10. Are there minimum lighting requirements for your system to operate effectively? Please describe optimal, minimum and maximum environmental characteristics for your system.

9.6.  Operational Requirements

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. Please provide an overview of the user provisioning lifecycle, including enrollment (image capture), updates, temporarily disabling individuals and retirement from the system.
  2. Describe the user enrollment process in detail.
  3. What workflow features are available in your product? How customizable are these features?
  4. Does the system provide its own automation capability or is a third party application required?
  5. How can other systems integrate into the system to obtain additional information or features? What interfaces are supported? How are these interfaces secured?
  6. What metrics are captured by default and what third-party systems, if any, would be needed to provide additional details?
  7. Describe the reporting and analytics capabilities of the system.
  8. The solution must have a single management interface that can support all administrative functions.
  9. Monitoring and alerting capabilities such as user defined thresholds, sending alerts to other management systems, failure notification, etc. are critical. This should include proactive monitoring for the application (back end) components and access control devices including capacity, hardware and performance issues.
  10. Access to the management interface should be secured with strong authentication and authorization controls in place, including directory integration and role-based access controls.
  11. What mitigation plans are in place to handle system downtime (either planned or unplanned)?
  12. NYUHC requires 24x7, one (1) hour response remote support for the solution and on-site support is required within four (4) hours. On-site spares for critical components should also be included.
  13. The vendor commits to training four (4) full time NYUHC employees in all aspects of configuring and managing the solution in order to bring them to a proficient operational level. Full documentation should be provided, including hardware and software support information, and advanced administration and troubleshooting guides.

9.7.  Security

Supplier Answer: Indicate your compliance with each requirement and document any exception.

  1. Given the importance of such a system, can you describe in detail how your system is hardened against malicious attacks?
  2. What tamper-resistant features does your system have?
  3. How are communications between system components secured and how is data stored on the server secured?
  4. Does your system comply with the NIST 800-series guidelines for computer security?
  5. When the system is unavailable for any reason, does the system have fail-open or fail-close capabilities? Can this feature be customized depending on the location?
  6. For emergency situations (e.g. Code-alerts, fire alarm, active shooter, etc.), what capabilities does the system have to be immediately reconfigured? Are there multiple profiles available to be assigned as needed?
  7. In situations outlined in parts 5 and 6 above, can the system provide tracking for those exiting the facility? This would be used to complement existing processes and procedures for handling personnel left in a particular area during such events.
  8. What rights/capabilities/responsibilities do system administrators have? Are there multiple levels of administrator privileges?
  9. Does the solution interact with directory services like Active Directory, Kerberos, LDAP or RADIUS? If so, list level of integration and functionality.
  10. Does the solution integrate with other Enterprise single sign-on solutions such as Oracle OAM/IAM?
  11. The system must support the ability to generate security alerts based on pre-defined criteria, including detecting specific individual(s).
  12. Please describe in detail the log messages generated by the solution. Does your solution integrate with SIEM solutions such as LogLogic?
  13. Provide detailed information around how to meet regulatory compliance demands.

9.8.  Software and Licensing

Supplier Answer: Indicate your compliance with each requirement and document any exception.