File #: 24-1887    Version: 1 Name:
Type: Consent Item Status: Passed
File created: 4/29/2024 In control: BOARD OF SUPERVISORS
On agenda: 6/25/2024 Final action: 6/25/2024
Title: APPROVE and AUTHORIZE the Purchasing Agent, or designee, to execute on behalf of the Health Services Director, a purchase order with Solutions Simplified in an amount not to exceed $912,000 for the purchase of Zscaler internet traffic protection software and services, and an agreement with Zscaler, Inc. for the period from July 1, 2024 through June 30, 2027. (100% Hospital Enterprise Fund I)

To: Board of Supervisors

From: Anna Roth, Health Services Director

Report Title: Purchase Order with Solutions Simplified

Recommendation of the County Administrator Recommendation of Board Committee

 

RECOMMENDATIONS:

APPROVE and AUTHORIZE the Purchasing Agent, or designee, to execute on behalf of the Health Services Director, a purchase order with Solutions Simplified, in an amount not to exceed $912,000 for the purchase of Zscaler internet traffic protection software and services, and an agreement with Zscaler, Inc. for the period from July 1, 2024 through June 30, 2027.

 

FISCAL IMPACT:

Approval of this action will result in expenditures of up to $912,000 over a three-year period and will be funded by Hospital Enterprise Fund I revenues.

 

BACKGROUND:

1. Contra Costa Health (CCH) firewalls provide limited monitoring of internet traffic, which can lead to firewalls running at 80% utilization. This creates increased risk of undetected “bad” internet activity that CCHS cannot monitor or respond to.

2. CCH is a Covered Entity and required to comply with the HIPAA Security Rule to identify and manage its resources as part of maintaining compliance. This includes the following specific requirements:

    § 164.312(b): Audit controls (Required). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

    § 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

 

On January 10, 2024, the Purchasing Agent approved the use of Simplified Solutions.

 

Approval of this End User Service Agreement (EUSA) allows Zscaler to provide services through June 30, 2027. The agreement limits the liability of Zscaler to the amount paid by the County in the twelve (12) months preceding any claim, except for claims arising out of a breach of confidential information, which is subject to a liability cap of three times (3X) the total fees paid or payable to Zscaler during the twelve (12) months preceding the claim. Under the agreement, the County is obligated to indemnify Zscaler from and against any claim brought by a third party against Zscaler arising from or related to Customer’s violation of the Agreement.

 

CONSEQUENCE OF NEGATIVE ACTION:

If this action is not approved, CCH risks non-compliance with HIPAA and the Security Rule due to incomplete monitoring and the risk of undetected and unauthorized activity. For example, risky user behaviors such as public Wi-Fi use may take place, and there is limited ability to block risk-based internet traffic at the device.