The subject of the public procurement relates to the projects of the Contracting Authority titled “Cybersecurity of IS Vyškov Hospital I.” and “Cybersecurity of IS Vyškov Hospital II.”, which are co-financed from the resources of the Integrated Regional Operational Program – Call IV. – Cybersecurity – SC 1.1. Vyškov Hospital is one of the healthcare facilities in the South Moravian Region, where an analytical survey was conducted to map the level of security against the threats of cyber attacks in the hospitals of the Region and, based on it, to propose necessary measures to increase security. As part of the analysis, the boundaries of ISZS were identified and the actual state in the area of cybersecurity was compared against the requirements of the law and Regulation No. 82/2018 Coll. on security measures, cybersecurity incidents, reactive measures, the elements of submissions in the field of cybersecurity, and data disposal (regulation on cybersecurity, VyKB). The current state was assessed not only from a technical perspective but also from a process and operational point of view, as the correct setting of these elements within the organization has a significant impact on the overall level of security. The analytical survey identified a number of shortcomings across all analyzed areas, and its results indicate that the hospital environment is highly vulnerable to types of attacks that have recently targeted healthcare facilities. Through the supplies and services procured under this public procurement, the Contracting Authority aims to ensure compliance of Vyškov Hospital, as an operator of information and communication systems which processes, mediates, and stores sensitive data, with the requirements of the Cybersecurity Act and its implementing regulation.
The technical measures proposed by this project aim precisely at ensuring compliance with the requirements of the law, thereby contributing to the prevention of threats of cyber and security incidents. The result of the project will therefore be an enhancement of the protection of the applicant's information and communication systems against cyber attacks. The Contracting Authority expects that all performance provided by the selected suppliers under this tender will be delivered to the Contracting Authority and progressively implemented in accordance with the relevant current regulations on cybersecurity and trends in this field. In view of all of the above, and having assessed the completeness and interdependence of both partial projects, which substantively cover the provision of the desired level of cybersecurity for the Contracting Authority, the Contracting Authority concluded that this goal cannot be achieved appropriately by separating the subject of performance into separate tender procedures; in extreme cases, it might not be feasible to realize the subject of the projects because elements that logically connect to each other would be absent. Vyškov Hospital, a contributory organization, has adopted a joint public procurement procedure for the implementation of the projects “Cybersecurity of IS Vyškov Hospital I” and “Cybersecurity of IS Vyškov Hospital II” based on their significant substantive, technological, and functional interconnections. Both projects together form one integrated security functional unit, whose goal is to ensure the cyber resilience of the hospital. The implemented components/activities/solutions of the individual projects are directly interlinked – functionally, logically, and chronologically according to the implementation schedule – and create an interconnected whole requiring unified management, configuration, and administration.
LOT-0001
Part 1 – Tools for application, network, and physical security
The subject of Part 1 of the public procurement is the comprehensive supply and implementation of several partial solutions leading to the establishment of the basis of the Contracting Authority's cybersecurity infrastructure. The Contracting Authority anticipates the implementation of the following partial activities (to be described later), and has established a presumed timeline for implementation. For clarity, the Contracting Authority indicates either Project I. or Project II. next to the name of each activity (in the table for simplification simply “I.” or “II.”), which will affect the invoicing obligation of the selected supplier in relation to activities and items performed or supplied to the Contracting Authority within the given activity.
LOT-0002
Part 2 – Ensuring the physical security of the data center.
The subject of this part is the comprehensive supply and implementation of a fully automatic, highly efficient fire extinguishing system for enclosed spaces into three separate rooms (server rooms). The main criteria are reliability, extinguishing speed, low maintenance costs, and environmental friendliness. Furthermore, the Contracting Authority requires the delivery of a reliable, integrated access and security system for three separate rooms (server rooms) with a central control unit. The Contracting Authority emphasizes the ease of (self) management of access permissions and flexible settings according to the needs of the Contracting Authority's facility. The subject of performance in this part will be: a) Supply and implementation of an automatic fire extinguishing system, b) Supply and implementation of the access security system, c) Other services specified in Appendix No. 1ba of this procurement documentation. The participant's offer will also include providing service support for the offered solution for 5 years from the delivery and implementation of the solution, to the extent specified in Appendix No. 1ba of this procurement documentation. The requirements of the Contracting Authority for the fulfillment of this part of the public procurement are further specified in Appendix No. 1ba of this procurement documentation. By submitting an offer for this part of the public procurement, the participant confirms that the offered fulfillment is fully in accordance with the requirements established by this procurement documentation and simultaneously Appendix No. 1ba.
LOT-0005
Part 5 – Supply and implementation of identity management, authentication, and account management solutions.
The subject of performance in this part of the public procurement is the implementation of three partial activities, which are the supply, implementation, and servicing of the following solutions: a) identity management system, b) single sign-on and two-factor authentication system, c) privileged account management tool, specified in greater detail in the relevant appendices (Appendices No. 1ea-ec) of the Procurement documentation.
LOT-0006
Part 6 – Device control.
The subject of this part of the public procurement is the purchase, implementation, and servicing of a system for managing and controlling peripheral devices (e.g., USB drives, external hard drives, printers) on company endpoint devices (PCs, laptops). The system must enable effective control over which peripheral devices may access sensitive data and provide full auditability and protection against data leakage. A robust solution must offer prevention of device breaches, device classification, and file action management, as well as allocation of privileged access – all in one device control solution to protect the Contracting Authority against cyber threats. Detailed licensing requirements and the delivered solution itself are specified in Appendix No. 1fa of the Procurement documentation.
LOT-0003
Part 3 – Email gateway (Mail GW, SandBoxing).
This part of the public procurement, the establishment of an email gateway (MailGateway), aims to protect the SMTP communication of Vyškov Hospital. The system will serve to inspect and secure incoming and outgoing mail and allow for virtualized implementation as a standalone SMTP gateway. All email traffic will be redirected through the new solution by a change in the DNS MX record, without the need for deep intervention into the existing topology and infrastructure.

Technical requirements
• Platform: The MailGateway will be implemented in HA (High Availability) mode on supported virtualization platforms VMware, KVM, and Microsoft Hyper-V.
• High availability: the system will support high availability modes (Active-Active, Active-Passive), and the relevant licenses must be included.
• Network interfaces: must support at least six virtual network interfaces.
• Disk capacity: the system will support up to 4 TB of allocatable disk capacity.
• Throughput: the required minimum throughput is 220,000 emails per hour with continuous inspection using antivirus and antispam profiles.
• Domains: the ability to configure protection for up to 400 domains with up to 50 inspection profiles per domain.
• Operating modes: gateway (MTA), server, and transparent with the necessary licenses.

Protection functions
• Protocol support: IPv4, IPv6, SMTP authentication (LDAP, RADIUS, POP3, IMAP).
• Antivirus and antispam protection: integrated protection with automatic updates to the signature/database, URL categorization, IP reputation, greylisting, behavioral and heuristic analysis, white/black listing.
• Content analysis: ability to analyze attachments (PDF, MS Office) and eliminate hazardous elements.
• Security features: support for setting limits on SMTP sessions, granular rule configuration, support for quarantine, support for TLS encryption, S/MIME, DKIM, SPF, DMARC, IBE.
• Rate limiting and attachment analysis: protection against server overload and the ability to analyze the content of attachments, including PDF and MS Office documents.

Management of the solution
• Full management: access via HTTPS and CLI (SSH), the possibility of restricting administrative rights, integration logging, support for SNMP and syslog, support for archiving, REST API for integration into the existing infrastructure.

The requirements of the Contracting Authority for the fulfillment of this part of the public procurement are further specified in Appendix No. 1ca of this procurement documentation. By submitting an offer for this part of the public procurement, the participant confirms that the offered fulfillment is fully in accordance with the requirements established by this procurement documentation and simultaneously Appendix No. 1ca.
LOT-0004
Part 4 – Access management and establishment of PKI.
The subject of Part 4 of the public procurement is the implementation of two partial activities, which are: a) Activity 1 – Implementation of a network access control tool (LAN and WLAN access control, including segmentation), b) Activity 2 - Establishment of PKI (tool for managing digital certificates and keys – Public Key Infrastructure).
Č4A1 – Implementation of a network access control tool
The subject of this partial activity is the comprehensive supply and implementation of a tool for network access control including segmentation, which also includes the supply of two AAA servers for at least 1600 identities, all within the specifications set by the Contracting Authority in Appendix No. 1da of the Procurement documentation.
Č4A2 – Establishment of PKI
The subject of this partial activity is the supply and implementation of a tool for managing digital certificates and keys, including related activities such as training of personnel, preparation of emergency plans and operating documentation, preparation of infrastructure on the side of the Contracting Authority, revision and approval of documentation, and subsequent transfer to routine operation, all within the specifications set by the Contracting Authority in Appendix No. 1db of the Procurement documentation.
LOT-0007
Part 7 – Risk management and management of service requests.
The subject of this Part of the public procurement is the delivery of a system for the recording and technical management of assets and for the management of risks associated with their recording and use, and also the delivery of a tool for managing service requests.
Č7A1 – Risk Asset Management
The subject of performance of this activity in Part 7 of the public procurement is the delivery and implementation of an information system enabling the organization to establish effective management and technical records of all computer and other assets. It must assist ICT staff in resolving and documenting everyday operational tasks and in sharing and maintaining information related to IT infrastructure. It must provide important information for planning the renewal of IT resources and preparing budgets and must assist in managing business risks of legal or regulatory penalties associated with using illegal software in the company.

General requirements:
1) The Contracting Authority requires the option to operate the entire solution as SaaS or on-premise, or to change its original decision in the future (the application must be the same for both SaaS and on-premise environments).
2) The Contracting Authority requires the option to operate the system in the MS Azure environment; the system must be approved and certified for operation in this environment.
3) A web client is required for routine activities (change of object location, change of object properties).
4) A web client is required to display assets assigned to users in the organization.
5) The entire solution, due to security, must be in a three-layer architecture without direct access of the client to the database.

A certificate issued by a qualified certification authority confirming the scope of certifications established in Appendix No. 1ga of the Procurement documentation must be attached to the offer submitted by the participant for Part 7 of the public procurement. Further requirements of the Contracting Authority are specified in Appendix No. 1ga of the Procurement documentation.
Č7A2 – ServiceDesk, processes, ITIL
The subject of performance of this part of the public procurement is the delivery of a software tool for efficient management of service requests. It must assist service department staff in resolving and documenting everyday operational tasks and in sharing and maintaining information related to service request management. The offered software must provide important information for planning service interventions, their evaluation, priority management, and comprehensive management of service teams. Further requirements of the Contracting Authority are specified in Appendix No. 1gb of the Procurement documentation.
LOT-0008
Part 8 – Analytical work in the field of security.