REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
July 23, 2024
FROM
ANDREW GOLDFRACH, ARMC Chief Executive Officer, Arrowhead Regional Medical Center
SUBJECT
Subscription Services Agreement with Varonis Systems, Inc. for Security Software
RECOMMENDATION(S)
Approve Subscription Services Agreement with Varonis Systems, Inc., including non-standard terms, for security software to protect and control access to patient data in the amount of $2,432,755 for the period of July 23, 2024, through July 22, 2029.
(Presenter: Andrew Goldfrach, ARMC Chief Executive Officer, 580-6150)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Provide for the Safety, Health and Social Service Needs of County Residents.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). The cost of $2,432,755 is funded by State Medi-Cal, Federal Medicare, private insurances, and other departmental revenue. Funding sources may change in the future pending any legislative activity related to the repeal and/or replacement of the Affordable Care Act. Adequate appropriation and revenue are included in the Arrowhead Regional Medical Center (ARMC) 2024-25 budget and will be included in future recommended budgets.
BACKGROUND INFORMATION
This Subscription Services Agreement (Agreement) will allow ARMC to continue to utilize the Varonis Systems, Inc. (Varonis) software licenses currently provided by Nth Generation Computing, Inc. (Nth Generation), and to enhance its current systems with Varonis, as the software licenses under the current contract will be expiring. Varonis is a software platform that continues to track, visualize, analyze and protect protected health information (PHI), personally identifiable information (PII), secure data storage and payment card data, and to reduce vulnerabilities.
Varonis software is one of the essential cybersecurity resilience products. It provides analytics derived from its software licenses to facilitate ARMC’s ability to monitor unstructured data within the file servers. Furthermore, this technology allows ARMC to analyze PHI and PII, including tracking data movement to account for any potential abnormal or suspicious activity.
This software platform monitors the data and provides alerts upon unauthorized access to sensitive information. The system also helps to identify and prioritize sensitive information based on user profile and behavior. In addition, Varonis can make cybersecurity recommendations based on inconsistent controls, authorizations and processes, and can analyze folder and file access permissions to determine the risk factor in order to mitigate overall cybersecurity risk.
Varonis’ new and enhanced licensing will include Managed Data Detection and Response (MDDR) team services, which monitor all potential threats to the file servers 24 hours/365 days and will significantly improve ARMC’s security posture and its ability to respond efficiently to a cybersecurity event.
The Agreement is Varonis’ standard commercial contract, which includes terms that differ from the standard County contract and omits certain County standard contract terms. While the parties negotiated certain contract terms to County standards, Varonis would not agree to all County standard terms. The non-standard and missing terms include the following:
1. Varonis may assign the Agreement without notice to the County and without the County’s approval.
• The County’s standard contract requires that the County must approve any assignment of the contract.
• Potential Impact: Varonis could assign the Agreement to a third party or business with which the County is legally prohibited from doing business due to issues of Federal debarment or suspension and conflict of interest, without the County’s knowledge. Should this occur, the County could be out of compliance with the law until it becomes aware of the assignment and terminates the Agreement.
2. Varonis’ maximum liability to the County is limited to the amount of fees received by Varonis in the 12 months prior to the event that gave rise to the claim, excluding Varonis’ indemnification obligations, gross negligence, willful misconduct and fraud.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the Agreement amount, leaving the County financially liable for the excess.
ARMC recommends approval of the Agreement, including non-standard terms, to allow ARMC to comply with laws and regulations, ensure the protection of patient information and continue to provide quality medical services to County residents, as threats to cybersecurity and data privacy are constant in our environment.
PROCUREMENT
The Purchasing Department supports this non-competitive procurement due to equipment/system compatibility. Varonis manufactures the security protection software, which is sold only through Nth Generation. This software is compatible with ARMC systems such as networks, servers and file structures. Varonis software is crucial in assisting with security, auditing, and reporting for PHI, PII, and other at-risk information.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on June 28, 2024; Purchasing (Veronica Pedace, Buyer III, 387-2464) on July 1, 2024; ARMC Finance (Chen Wu, Budget and Finance Officer, 580-3165) on July 2, 2024; Finance (Jenny Yang, Administrative Analyst, 387-4884) on July 2, 2024; Innovation and Technology (Robert Pittman, Chief Information Security Officer, 388-5510) on July 11, 2024; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on July 5, 2024.