Summary of key points:

Dido win over nightGuard, AltoSec, and Quotidian at a very Large

Healthcare facility. ##Qnumber=MCF 953-009, ##Qwinner2=SourceHealthNet, ##Qtitle=Senior Vice President Patient Care, ##Qlevel=Executive, ##Qwhere=U.S., ##Qindustry=Healthcare, ##Qamount=$16.7K, ##QDeal_size=Low, ##QPARA4=??, ##QPARA5=VLarge, ##QPARA7=07_04, ##QPARA8=07_04, ##QStars=5

 This customer is committed to SourceHealthNet and no other competitor has given

them enough reason to switch: "I think AltoSec was one, Quotidian was the other. When you look
at the partnership that we feel like we have there with our current provider, that also came into play as well.
We felt like that, “Hey, are we having issues or problems with our current partnerships which persuade us or
influence us to jump ship and go with someone else?” We felt like that wasn’t the case. We felt like there
was a close relationship with SourceHealthNet that we can work through whatever issues that were there to
build a solid product that would be able to meet our needs." ##Qcriterion=References, ##Qdirection=Positive towards SourceHealthNet, ##Qcompetitor=SourceHealthNet, ##QKey

 The cost of switching from Dido is very high: “You’re talking about a whole new skill, learning
curve, the whole deal. We were worried about that because that could easily increase your costs."
##Qcompetitor=SourceHealthNet, ##QKey
##Qcriterion=Other TCO, ##Qdirection=Positive towards SourceHealthNet,

 nightGuard required far more scanners to do the same job: "nightGuard for example, in
order for them to accommodate our patient environment and scan our patient environment, it was going to
take about fifty scanners to do that. With Dido we have twelve. For us to go and nightGuard was the one
who was part of that final eval, who made the final cut there and [with] nightGuard we needed fifty.
nightGuard had a very solid product, but the one thing there that we had seen was cost and indirectly to
cost, when we talk about scalability is their ability to scale given the breadth of our patient network."
##Qcompetitor= nightGuard, ##QKey
##Qcriterion=Scalability, ##Qdirection=Negative towards Competitor,

 Dido has demonstrated superior performance: “I think it’s the way that SourceHealthNet pulls
in the records and their calculation which they call their “secret sauce” for coming up with the calculation on
around being able to pull in a certain population of deficiencies or whatever. How they do that … I think it’s
more around how the algorithm that they use for their calculations works." ##Qcriterion=Scalability, ##Qdirection=Positive towards SourceHealthNet, ##Qcompetitor=SourceHealthNet, ##QKey

 SourceHealthNet technical support has been responsive: “The problems we’ve had with
their patient environment, whatever, SourceHealthNet have been pretty responsive of having a dedicated
team here on the site as quickly as possible.” ##Qcriterion=Scalability, ##Qdirection=Positive towards SourceHealthNet, ##Qcompetitor=SourceHealthNet, ##QKey

 At the time, nightGuard had a treatment component which Dido did not have – this
was an almost loss to nightGuard: "nightGuard also had a treatment component to it as well
where it would identify a particular deficiency and provide some type of workflow for treatment. It would
actually integrate into our current change management systems. That was one of the things that we really
liked about nightGuard." ##Qcriterion=Treatment, ##Qdirection=Positive towards Competitor, ##Qcompetitor=nightGuard, ##QKey

 The customer has been working with SourceHealthNet to add treatment to Dido: "It’s
something that we’ve been talking with them for about two years now is the RemedWare piece. The
treatment functionality, since we have the ability to, at any given time, to understand where it’s possible to
leverage [a] discovery in a nice way, in a productive way, an unobtrusive way to where we can use those
exploits to remediate that particular deficiency instead of having to go through a very manually intense
process for treatment to spot-treatment change management. We were already looking at a treatment
component to Dido. We had been working with [SourceHealthNet] as far as developing that piece there
[but] so far we didn’t have that piece available. It just would have been a seamless type of integration for us
to be able to move in that direction. I think the only thing that really stopped us with them to be honest with
you, was really the cost piece of it." ##Qcriterion=Treatment, ##Qdirection=Negative towards SourceHealthNet, ##Qcompetitor=SourceHealthNet, ##QKey

 Quotidian was an offsite service and very expensive: "The reason why we did not go with
Quotidian is [it] is part of a managed care [service], it’s part of a managed service type of a product, and
then when we looked at the pricing around that it wasn’t cheap. Managed service, what we have found, is
that it restricts you to what their capabilities [are] and the things that we were looking to accomplish as well
as the cost are weighed in our decision as far as being able to push things externally instead of maintaining
them internally." ##Qcriterion=License Price, ##Qdirection=Negative towards Competitor, ##Qcompetitor=Quotidian, ##QKey
 The customer is looking to do another due diligence next year: The data that we have
today is two years old and the one thing we try to do is stay current or fresh within our evaluation to make
sure that they’re able to meet our commitments, and the things that we’re looking to accomplish within the
patient networks that we’re responsible for. It won’t be in 1999 given our workload that we have here. It’s
probably something that we can project out in 2001 probably." ##Qcriterion=Vision

 The customer would like an automatic central patient scan function which would
allow the allocation of centnets to scanners: "The problem that I see with products today is
that you have to understand all your patient networks within your particular enterprise and then based on
that you disburse those out, distribute those out to each one of the scanners. It doesn’t have the
intelligence to be able to identify or what we call do a distribution of those patient networks, like a self
distribution or an independent distribution. You have to have a good understanding of the breadth of your
patient network and all the patient network segments. If we go through a merger/acquisition or whatever,
we would have to understand what those patient networks are and apply those to the scanners that has the
availability to be able to scan that particular patient network. And being able to automatically disburse those
out to each one of your scanners themselves, so it’s more of a manual process now." ##Qcriterion=Vision

 The customer is looking forward to SPOT-PREVENT: "Where I see the patient network going
is towards [what] we call Prevention Control, which gives us the ability to enforce compliance, enforce
authorization, authentication at that end. And so I think once we have that capability, once we’re looking at
the end of 2001, 2003, to move in that direction, I think our scanning tools will also have to grow or integrate
into that type of framework." ##Qcriterion=Vision

Summary of scores:
Winner
Import- Source
nightG Quotidia
ance Gap HealthN AltoSec
Rating uard n
et
Other TCO 7.5 +6 10 4 4 4
License Price 9 +4.5 9 4.5 4.5 4.5
Scalability 10 +3 7 4 4 4
Treatment 5 -5 2 7 1 1
Overall Rating 2.1 7. 4.9 3.4 3.4

Please note: the respondent was not aware that SourceHealthNet was
doing this interview. This is to keep the responses as unbiased as
possible.

What were you trying to accomplish? What were your goals here in looking at the products in this space?

What motivated your company to look into solutions in this space?

Our goal was to first of all identify all types of patients in our patient network, totally agnostic to the type
of disparate type of patient. What I mean by that are; cancer, aids, mental, disability, that whole gamut
of different types of patients. So it was the ability for us to define what is that entire holistic view of all
nodes that are connected to us, number one. Number two is the ability to be able to identify where there
may be weaknesses within our patient network due to unchecked patient environments, patient
environments not staying current with the spot-check releases or it could be that we have certain rogue
deficiencies, we consider as unmanaged or deficiencies that connect to our patient network that we
have no ability to identify who the owners are.

Is this Prevention Control that you were looking for?

Prevention Control is forthcoming, it’s not there today. Let’s put it this way, it’s not at least deployed in
the patient network that scales to where [company name] is, so it is forthcoming but it’s just not
available to us today so basically there’s an automated process that we put into place to be able to
detect those types of deficiencies, and being able to go through some treatment effort to get them
removed.

Not quite SPOT-PREVENT but close, so basically you just want to identify them first off, and that’s what the
deficiency scan would do for you.

Right.

Okay, gotcha. Anything else?

Exactly. Hold on a second, okay?

Hello? Yeah, I’m still here.

Hello? I’m sorry about that.

No problem.

Okay, so basically it gave us a combination of things, one of course was identifying every node on our
patient network or every deficiency that was on our patient network. And number two finding were our
opportunities or potential opportunities for exports [exploits] to occur because of not having the latest
spot-check releases.

Go ahead.

And then of course the third thing there is to give us the capability of being able to identify where we
may have a rogue deficiency and getting those things into managed care or removed from the patient
network totally. So that was the main purpose of us investing into a deficiency management scanning
type tools is to give us that particular capability. I guess one of the things that we had found out pretty
quickly is there are products that can scale across a patient network, the complexity of our patient
network, number one. And then number two given the number of nodes that we have in our patient
network, is there a product out there that can accommodate economies of scale? So that’s some of the
challenges we had at first and then being able to go through that evaluation process to identify a
particular product that would be able to do those types of things.

I mentioned to you the scanner based products, did you look at other types of solutions in this area as well, like
hosted systems or software based systems or anything like that or did you look at scanners only?

Are you speaking more from deficiency management?

Yeah, deficiency management only.

Did you consider

- Scanner based HCM systems - remote hosted systems
- Application focused systems - or combinations?
Yeah. No there was no host based it was all patient network scanner based type of tools that we looked
at. You know the only host based, and maybe that’s just speaking of their, are you speaking of a hedge-
type product?

Well, one of the vendors in this area Quotidian which is basically a hosted system. So that’s why I was asking
that, ‘cause that’s one of the possibilities you could look at.

Right. Quotidian is a managed service, isn’t it?

Yeah and it’s basically, well it’s hosted in the sense that they send the data off-site to be analyzed and then
bring back the results. And I was just wondering if that was one of the things that you had looked at.

Yeah, we did look at Quotidian, Quotidian was part of the evaluation as well. The reason why we did not
go with Quotidian is probably basically the things you are saying there is part of a managed care, it’s
part of a managed service type of a product, and then when we looked at the pricing around that it
wasn’t cheap.

Yeah, understood. So pricing was something you looked at. Well first of all did you have or did your company
have any prior experience with deficiency scanning systems or was this the first time you looked at it?

Prior to this selection, did you have any experience with Deficiency Management in
your company? What vendor or product? What is your level of satisfaction? Why the
change?

Yeah, it was the first. Probably about four or five years ago when we adopted the probably the only
solution that was out there at the time, and then of course there was a number of other solutions that
have been developed since then and some of the solutions do certain things better.

What did you adopt back then? What was that previous product you had experience with?

The same one we have today which is Dido. Yeah, we helped Dido to develop their product where
they’re at today.

And so this was a reexamination or due diligence that you did recently?

Yeah.

Well why don’t you go ahead and give me a quick overview of the process you went through to evaluate the
vendors.

Could you give me a short overview of your selection process?

I guess it’s probably been about two, maybe two years ago or so, maybe two-and-a-half years ago.
What we’ve done is that we develop our list of requirements. So the things that we expect: how the
product, ease of use, scalability, distribution, what we call distribution scanning. The problem that I see
with products today is that you have to understand all your patient networks within your particular
enterprise and then based on that you disburse those out, distribute those out to each one of the
scanners. It doesn’t have the intelligence to be able to identify or what we call do a distribution of those
patient networks, like a self distribution or an independent distribution.

Sounds like automatic load leveling, if you will.

Yeah, yeah, across each one of the scanners. You have to have a good understanding of the breadth of
your patient network and all the patient network segments. And being able to automatically disburse
those out to each one of your scanners themselves, so it’s more of a manual process now.
That’s to limit the amount of scanning each scanner has to do in a very, very large patient network. What you’re
saying is nobody does an automatic discovery of the whole patient network, right?

Yep, right. Discovering, in other words if we go through, and most large corporations do, if we go
through a merger/acquisition or whatever, we would have to understand what those patient networks
are and apply those to the the scanners that has the availability to be able to scan that particular patient
network. It’s not like it would automatically go and do some reconnaissance or discovery or whatever
and assign those particular patient networks arbitrarily through the infrastructure itself.

Understood, so some sort of automatic discovery process is what you’re talking about.

Right.

You did go out though, and look at the various products at that time, right?

Yeah.

Now about when was this that you went and looked at the products?

Approximately when was this selection process initiated?

March 2000

Probably about two-and-a-half years ago, maybe two years.

Two years ago.

It would be max.

You ultimately made a decision to either change from Dido or continue with Dido, correct?

Yeah, right.

When did you actually make that decision or determination of what you were going to do?

Approximately when was this selection process finalized?

April 2000

Right around the same time. And I think what it really came down to, like I was saying earlier, is that
each one of the new products that are out there on the market today, each one of them do something a
little bit different. What it really came down to for us, is cost. What a lot of the companies were
charging around cost, and scalability. Because if I take nightGuard for example, in order for them to
accommodate our patient environment and scan our patient environment, it was going to take about
fifty scanners to do that.

Wow. And that’s just because of the size of your patient network.

Exactly.

And then with Dido?

With Dido we have twelve.

It took twelve. So a heck of a lot less.

Exactly.

Understood. Now it sounds like you are quite familiar with the current products that are out there, from the
sounds of things, do you go out there and do due diligence often, to take a look at this space?

No, that was probably the first time that we’ve done that. We deployed Dido probably about four, four-
and-a-half years ago. Then from there once we got the patient environment stabilized here within our
patient network, we worked with them for roadmap growth of their product. And then about two years
ago we just wanted to evaluate, see what was out there in the marketplace.

I call that a due diligence.

Exactly. And to see if there’s a gap in our current processes and our current tools and people that other
products would be able to provide to us and there were certain things that other products had done
better. But we felt like it wasn’t that much of a gap, the cost versus reward portion of this. We felt like
the cost that was, we would have to invest into these other products, we weren’t willing to take that
increase in cost based upon the partnership that we have with our supplier to build those particular
functionalities that probably were lacking at that particular time.

Okay, understood. So the cost of change was too high, in effect. So did you have a selection committee or an
evaluation committee for the due diligence or was it pretty much just you and perhaps your management?

Could you give me an idea of the composition of the selection committee? Who was
on the committee and their titles or roles?

It was actually me and my team. I manage a team of folks here at the hospital and I had my team
involved in it and our patient monitoring folks were involved with it, supply chain management was
involved with it, so we had a whole spectrum of different patientcare talents.

You basically had a committee that looked at it, in effect, that looked at the results, right?

That’s correct.

All right. Did you do a proof of concept with some of the vendors?

Yeah, we brought just about all the companies who had a product in. They were trying to service us
with the exception of those that were part of managed service, we weren’t really interested.

Right, that was the Quotidian one, right?

Exactly.

And I assume, well, let me not assume... Why were you not interested in that kind of a solution?

Managed service, what we have found, is that it restricts you to what their capabilities and the things
that we were looking to accomplish as well as the cost are weighed in our decision making there as far
as being able to push things externally instead of maintaining them internally.

Okay, understood. Well now, what’s your title or position at the hospital there, again?

What is your title?

Senior Vice President Patient Care

I’m the Senior Vice President within Patient Care, Quantability Management.
Now during this due diligence that you did, did you bring any outside consultants or industry analysts in to help
you through this or was it done all internally?

Did any outside consultants contribute to your selection process?

no

Internal.

Now you’ve mentioned quite a number of criteria already in our discussion, and I’m not interested in all your
criteria because that would probably take far too long for us to talk about it. But you did say it came down to
pricing, ultimately, and the cost of change, if you will. What I’m interested in is, you got it down to the last few
vendors that you were interested in, what I’m after is what were the last few criteria that made a difference in
finally choosing to continue with Dido?

Cost.

It was in fact cost. Anything else that was a major difference between the vendors?

No, no to be honest with you, it mainly came down to cost, and in-directed cost is of course is
expansion of our current infrastructure. Like I was saying earlier, right now we run Dido across twelve
scanners, right. For us to go and nightGuard was the one who was part of that final eval, who made the
final cut there and nightGuard we needed fifty.

So that’s a performance issue which translates into a cost issue also.

Yes, correct.

So performance or scalability was an issue.

That’s right.

But did you find, now I’ll tell you what I’m doing here is I have a list of criteria that I’ve built up by talking to quite
a number of different customers. As you talk what I’m doing is mapping what you say into my pre-existing list,
and then if you say something new, I add it. I have all of the, if you will, technical issues that were differences
between the vendors, none of them had this automatic scan requirement, right?

Distribution? Yes.

None of them had that. Did you see any major technical differences between any of the vendors, or were they
all about the same?

Pretty much. I think that each one of them were pretty close, were pretty much the same, I mean there
was different functionality, one thing which you could do onto the other. I think nightGuard also had a
treatment component to it as well where it would identify a particular deficiency and provide some type
of workflow for treatment.

So it would prioritize the vulnerabilities and then it did a treatment …

That’s correct, right, it would actually integrate into our current change management systems.

Sure, understood. Any other differences that you saw between the vendors?

No, not to my knowledge, I mean nothing that was significant enough for us to say, “Hey, this product
here is better than the one we currently have.”
Okay. Well now so I’ve gotten three issues that you’ve identified. You also mentioned that you did a proof of
concept. Did the vendors come out differently in the proof of concept?

Yes.

They did. So let’s put that on the list. Okay, let’s see what else you mentioned here. That automatic load
leveling is very interesting, but none of them had it. Let’s see, price, scalability, okay, I think that’s pretty good.
Some of the other issues that I have on my list is the vision or thought leadership or future road map, if you will,
of the vendors. Was that at all an issue in choosing between the vendors, their futures?

No, and the reason for that is because all the vendors, they pretty much came with a very futuristic type
of roadmap. We felt like are the things that we’re looking to do within our current tools, but we felt like
their roadmap was so far in the future that we felt like that we could work with our current vendor to
build some of that functionality that we were looking for.

So you could influence, this was, I assume SourceHealthNet that you ultimately influenced.

Right.

All right. So the current vision didn’t make much of a difference, just in terms of giving you ideas to ask
SourceHealthNet. What about the viability of the companies, was that at all an issue? You’ve got a large
company, SourceHealthNet here, and smaller companies did the size and viability of the companies make a
difference?

Yes, when you look at companies like AltoSec, I think AltoSec was one, Quotidian was the other. When
you look at the partnership that we feel like we have there with our current provider, that also came into
play as well. We felt like that, “Hey, are we having issues or problems with our current partnerships
which persuade us or influence us to jump ship and go with someone else?” We felt like that wasn’t the
case. We felt like there was a close relationship with SourceHealthNet that we can work through
whatever issues that were there to build a solid product that would be able to meet our needs.

I see. What about references, did you talk to the current customers of these various vendors to see what their
customers had to say?

We didn’t make it that far. If we were going to jump ship we would have. But we didn’t make it that far
because when it came down and again, I hate to say that again, but cost. When it came down for us
looking at a one to one comparison there, it really came down to the cost issue there.

Now were there any pre-sales issues, pre-sales support issues, during the POC, for example that you were
running? Or how about technical support from the various vendors, did any of that make a difference?

I think the one thing, you bring up a good point there. It was probably their help desk support, and
being able to support a patient environment that scales at the width of [company name]’s patient
network. At that time, again I’m sure that all the help desks have matured since then, but at that time we
were also taking that into consideration so the SLAs, the turnaround, the response, to our questions or
needs or whatever.

So the various vendors and how they could do that. What about product line breadth, how many products, other
than the deficiency analysis product, other products that you could get from a single vendor? Did the number of
products or the size of their footprint, if you will, did that make any difference in looking at the vendors?

No.

Let’s see, so I think we’ve got enough issues here. What I’m going to do now is reread you what we’ve talked
about here and ask you to give me an idea of the relative importance of the issues in making your decision to
stay with Dido there. So the first thing you mentioned here was the pricing of the products and I assume that’s
the license price only or was that also the ongoing maintenance prices, was there a difference in those two
prices or did you bundle it all together?
It was probably more the licensing.

Then on a scale of one to ten where a one would mean it was not important to you and a ten would mean it was
super-important to you. How would you rate the overall importance of the license pricing?

Criterion License Price Importance 9

X
Probably a nine.

Okay, very important. And the scalability concerns that you had, how important would you say that was?

Criterion Scalability Importance 10

X
That was probably a ten.

And then the treatment or spot-checking facility that they had, how important would you say that was?

Criterion Treatment Importance 5

X
At that given time I would probably say that it was something that we were looking into providing here.
So it was part of our plan to include something around treatment I would say maybe, probably about a
five.

And then you did the proof of concept, and the vendors performed differently on that, how important would you
say that was?

Criterion Proof Of Concept Importance 7

X
Proof of concept which would help us with our decision making, probably about a seven.

The viability of the companies?

Criterion Vendor Viability Importance 8

X
Probably about an eight.

And the last thing was the help desk or the service level agreements and the help desk, how important was
that?

Criterion Technical Support Importance 7.5

X
That’s probably about a seven or eight as well.

Seven-point-five, I can do fractions. So that gives me an idea of the relative importance of the issues in your
mind. Obviously you chose Dido or the SourceHealthNet product, and you talked about nightGuard, would you
say any other vendors were finalists in this evaluation or were those the last two?
Who were the vendors that bid?
 1 2 3 4
SourceHealt
Name of nightGuard AltoSec Quotidian
vendors hNet

Yeah, those were our two finalists. We wanted to go with two with the project management for price
negotiation, but there was Quotidian that was involved with that, there was AltoSec that was involved
with that. I think that was the main four.

Quotidian and AltoSec and nightGuard and SourceHealthNet were the four. Now we’re going to take a look at
the issues that you’ve identified in priority order and if you think that there was no big difference between the
vendors just say so and we’ll skip the discussion. But if you think there was a difference between the vendors,
again I would ask you to use the scale of one to ten. Where a one would mean they did very poorly against a
particular criteria and a ten would mean they did super well against the criteria. So performance, the scalability
of the products, how many of the scanners you would need to cover your very large patient network. Obviously
this is related to price too but it’s basically how many systems can a single scanner scan, if you will. How would
you rate SourceHealthNet or Dido on that ability, where ten would be perfect, one scanner would …

Scalability
Rating of vendor
Importance
Rating of SourceHealthNet nightGuard AltoSec Quotidian
criterion:

10 7 4 4 4

Four.

Yeah, well compared to perfection. A ten would be perfection. I guess one scanner would scan an infinite sized
patient network if that were true. So I don’t think anybody’s going to get a ten but how would you rate them?

I would say SourceHealthNet would probably be a seven.

So pretty good. How about nightGuard?

Well the rest of them would be pretty low because you needed more infrastructure to support them so I
would say the rest of them would probably be somewhere around a four.

For all three of them?

Yep, all three.

So basically SourceHealthNet was considerably faster than these other three vendors here. Any comment on
why SourceHealthNet was better, do you have any thought as to what they do better that gives them the better
performance?

I think it’s the way that SourceHealthNet pulls in the records and their calculation which they call their
“secret sauce” for coming up with the calculation on the algorithm around being able to pull in a certain
population of deficiencies or whatever. How they do that, I’m probably not as technical as my guys are,
they could probably tell you more around that piece of it, but I think it’s more around how the algorithm
that they use for their calculations works.
But that ultimately ends up with them being faster. All right, overall license price, how much they would charge
you for all this. Now this is a little different as far as pricing is concerned because a price of one would be
outrageously expensive, a price of ten would be practically free. A high number in my scale is always goodness,
kind of a little bit opposite from pricing. Now, given that scale, how would you rate the pricing of
SourceHealthNet or the other vendors?

License Price
Rating of vendor
Importance
Rating of SourceHealthNet nightGuard AltoSec Quotidian
criterion:

9 9 4.5 4.5 4.5

Probably about a nine. Yeah, compared to everybody else.

So what would you rate the other three vendors?

They’re probably around a four or five.

Again, four-point-five for all three of them?

Yeah, their price was much higher compared to SourceHealthNet’s.

And that would be because of the number of licenses you would have to get to get to the same level, if you will.
Now, before I go on with another issue, here, the other thing you said that could be a factor here is you talked
about the internal costs of switching. In other words you would have a price you would have to pay to actually
change from one vendor to another, and that sounded like that was quite important to your decision, right?

Right.

Why don’t we add that here so internal, or I call it other TCO. On a scale of one to ten, how would you rate the
importance of those other costs that you would incur?

Criterion Other TCO Importance 7.5

X
That’s probably about an eight; seven, eight.

Okay, seven-point-five.

We were worried about that because that could easily increase your costs.

Yeah, quite a bit. So let’s talk about that now, obviously SourceHealthNet was the installed vendor, right? So
there wouldn’t be a price to stick with them, correct?

Correct.

So would that be then a ten, if you had to rate them, would you give them then a ten in that area because it
wouldn’t be a price to change?

It depends on how you look at it, right, because although we weren’t married to SourceHealthNet but of
course yes they were our preferred product or services that we would like to sustain here. But if the
others had been able to demonstrate or exhibit a huge gap of what their product can do based upon
what Dido was giving us, we were willing to take that particular conversion over to the other product.

If they had given you enough of a reason.

Exactly.

But they didn’t.

Right.

Okay. So again, did you calculate what that cost of change would be with the other three vendors?

Yes.

Why don’t you go ahead and rate them. If SourceHealthNet would be a ten, which would be no cost or change,
right? How would you rate the other vendors as far as what it would cost to do that, to change?

Other TCO
Rating of vendor
Importance
Rating of SourceHealthNet nightGuard AltoSec Quotidian
criterion:

7.5 10 4 4 4

Probably, oh man, you’re talking about a whole new skill, learning curve, the whole deal, right? So
you’re looking at maybe about a four.

About a four for each of them?

Yeah.

So substantially different from pricing. All right, back to the other issues. The viability of the vendors, did you
see much of a difference between how sure you were that these vendors would survive into the future?

Yeah, I would say that all of them again, without looking at some of the research work that our supply
chain management had done for what we call the red book, I think it’s called a red book or black book,
one of the two. But anyway, looking at that I don’t think there was too much of an issue there. I think all
of them were pretty viable companies.

Then no big differences there. How about in this issue of the technical support capability or the service level
agreements that you were looking for as far as response time and all that was concerned, was that much of a
difference between the vendors?

No.

They all gave you reasonable technical support. Proof of concept, was there any differences between the
vendors during the proof of concept?

No, I mean all of them pretty much were trying to win our business, so all of them pretty much stepped
up.
Now here’s an issue that apparently nightGuard would have done better on than SourceHealthNet, which is the
issue of the treatment. How would you rate the two vendors as far as treatment capabilities are concerned?

Treatment
Rating of vendor
Importance
Rating of SourceHealthNet nightGuard AltoSec Quotidian
criterion:

5 2 7 1 1

I would say nightGuard’s probably higher.

So how would you rate them, one to ten?

I would say probably without having all the details of what their product can actually do for integration
and to our current change process I would say probably about a seven.

How would you rate the Dido capability there?

Of treatment is probably, maybe a two.

And then the other vendors, did they have that functionality or were they missing that?

Let’s see here, I know nightGuard had it because that was the reason why they made the final two, I
don’t recall any of the others having it.

So they would get a one there?

Yeah.

And then Quotidian, you didn’t like the model that they had, right, which we don’t have on the list here but that’s
okay. I think we’ve talked enough about what they would do. All right, so obviously you chose to continue to
stay with the Dido product for the reasons you stated.

Which vendor was selected?

SourceHealthNet

Of all of these reasons that you stated what would you say was the primary reason why you decided to stay with
SourceHealthNet?

What was the major reason this vendor was selected?

Of all the reasons? Probably cost.

The cost, that’s what you said before. And that would be the reason also why you did not change to any of the
other vendors, right?

What were the major reasons the other vendors were not chosen?
Yeah, that’s correct. If it would have been any of the others it probably would have been nightGuard, I
mean nightGuard had a very solid product, but the one thing there that we had seen was cost and
indirectly to cost, when we talk about scalability is their ability to scale given the breadth of our patient
network.

If you were sitting across the table right now with the highest level managers in these four companies, is there
any advice that you would offer them about what they could do to get better and to earn your business?

What advice would you give to each vendor on how they could improve?

Yeah. One is cost.

Yeah, obviously, drive the cost down.

One is of course driving the cost down, and making the conversions as transparent, as much as
possible so that’s from a skill set, learning curve, as well as from a cost investment, TCO standpoint.
As well as the ability to not only meet our needs today but our needs in the future as well. And I think
that was one of the things that we really liked about nightGuard is because we were already looking at a
treatment component to Dido. We had been working with them as far as developing that piece there and
so it was seen and so far we didn’t have that piece available. It just would have been a seamless type of
integration for us to be able to move in that direction. I think the only thing that really stopped us with
them to be honest with you, was really the cost piece of it.

Right, because they would require so many more systems.

Yeah.

All right, any other advice, anything you would want to say to SourceHealthNet that they need to work on?

Yeah, and that is the treatment functionality, the ability since we have the ability to, at any given time, to
understand where there’s possible is the ability to be able to leverage that discovery in a nice way, in a
productive way, an unobtrusive way to where we can use those exploits to remediate that particular
deficiency instead of having to go through a very manually intense process for treatment to spot-check
change management.

Didn’t they just buy a company recently, SourceHealthNet, to do that sort of thing?

Yeah it’s called RemedWare, is it something like that, RemedWare?

Oh, yes Citadel. Their RemedWare product has the kind of functionality you’re talking about there.

Exactly.

So it sounds like they’re moving in the right direction for it.

That’s right. They’re only two years late, right?

Okay, well eventually.

Yeah, you’re right, but it’s something that we’ve been talking with them for about two years now is the
RemedWare piece. The other wish with the current acquisition that they just made there. And then of
course the other piece we were talking to them about four years now is the distribution scanning.

Right. That sounds like a very interesting, piece of function, especially for a very large patient network like your
own, that would definitely be very interesting, I would think.

Right, right.
Okay, any other advice you would offer them?

No, that’s basically it, I mean all the other things, the problems we’ve had with their patient environment,
whatever, SourceHealthNet have been pretty responsive of having a dedicated team here on the site as
quickly as possible.

Now you did this due diligence about two years ago. Are you thinking of redoing a due diligence at any time
pretty soon in the future?

I would say yes. Here’s the reason why, because the data that we have today is two years old and the
one thing we try to do is stay current or fresh within our evaluation to make sure that they’re able to
meet our commitments, and the things that we’re looking to accomplish within the patient networks that
we’re responsible for. I would say yes, but when I would say probably, it won’t be in 1999 given our
workload that we have here. It’s probably something that we can project out in 2001 probably.

So you will take a look at that point.

Yeah, and maybe even push out to 2003 and the reason why I think you stated up front, is where I see
the patient network going is towards we call Prevention Control, which gives us the ability to enforce
compliance, enforce authorization, authentication at that end. And so I think once we have that
capability, once we’re looking at the end of 2001, 2003, to move in that direction, I think our scanning
tools will also have to grow or integrate into that type of framework.

Okay, understood. So we pretty much talked about your experience after you made this decision continues to
be satisfactory from the sounds of things. Are there any other issues involved in this due diligence that we have
not discussed, or have we pretty well covered the issues with you?

Are there any other issues related to your decision which were not covered in this
survey?

No, I think that pretty much the experience that we’ve had here, going through our evaluations, our
proof of concepts and some of the lessons learned that we’ve had through there, I think that you pretty
much have it all.

Well I do appreciate you spending the time with me and I want to wish you the best of luck with
SourceHealthNet and with any future due diligence that you do do and whichever vendor you choose with that.
So thank you for your help.

All right, thank you.

Thank you, bye-bye.