ICS Operations Limited

ICS Diagnostics: Cardiac Diagnostic Services

• Provision of technology-enabled, onsite and remote, Cardiac Diagnostic services
• Cardiology services can access our clinical network via our cloud software technology, to increase capacity, access reporting and reviewing support, access training and feedback, and access independent clinical governance support.

Features

• Cloud-based technology, allowing easy reporting, reviewing, storage and accessing
• Full service (Scanning and reporting)
• Remote Reporting service
• Reviewing service
• Training and Mentoring service
• Peer Review service
• Urgent Staffing service
• Specialist BSE accredited echocardiographer(s) to run high-quality, high-volume echo clinic(s)
• Clinical information securely uploaded and stored within cloud environment
• Guaranteed same day report turnaround

Benefits

• Easy flexible access to clinical information securely via web browser
• View, report and refer scans and reports easily by email
• HL7 integration back into existing systems
• Access BSE clinical support - nationwide network of specialist clinicians
• Capacity support with efficient, high-volume lists onsite
• Reporting, reviewing, clearing of backlog support via BSE reporting bureau
• Training and mentoring support from experienced clinicians onsite and remote
• Improve service clinical governance and quality assurance through reviewing channels.
• Increase service capacity
• Guaranteed same day report turnaround

£1 to £1200 per unit per day

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)

Framework

G-Cloud 11

Service ID

114526473610179

Contact

ICS Operations Limited

Sam Tennant

01992 305 711

bid.team@ukics.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Very clear support processes in place for clinical, administration, and technical queries.; Clear clinic or reporting bureau hours, outlined and confirmed in service agreement before a contract commences.; Service available 24/7, except during periods of scheduled maintenance. The Supplier will provide advance notification of scheduled maintenance no less than 7 Business Days prior to the time maintenance will begin.; System resides on client-maintained hardware; therefore, the Supplier cannot make a guarantees regarding uptime, as this is dependant on client networks.; Please see SLA for further information.
• System requirements:
  • PC / VM Server to install application for DICOM Gateway
  • Reports to be returned by HL7 integration
  • HL7 interface will need to be created by the Trust
  • VPN connectivity
  • Requirement to whitelist URL for cloud environment
  • Antivirus whitelist of specific folders related to software possibly required.
  • Viewer specifications are in place for all reporting stations used.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We acknowledge with 2 working hours, resolve low-level issues; within 24 working hours, medium-level issues in 48 working hours; and technical issues within 14 working days.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We supply in and out of hours support with specific support processes in place for clinical, administration and adhoc queries. ; ; Support is included in the pricing.; ; Yes we will provide a technical lead who will be point of contact throughout engagement.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: • Depending on the service specification being used, onsite training, user documentation and online help is available for users to use the system. ; • Onsite training is included through pricing, but remote training is also included to further support/training time. ; • User documentation, online training and project management leading up to service go-live can be supplied through a variety of channels and formats. ; • Training is tailored to meet your needs, training methods can include; online video tutorials, remote login, telephone, webinar and onsite instruction. ; • Remote support and training can be provided through US or Ireland Client Support teams.; • Depending on the service specification being used, onsite training, user documentation and online help is available for users to use the system. ; • Onsite training is included through pricing, but remote training is also included to further support/training time. ; • User documentation, online training and project management leading up to service go-live can be supplied through a variety of channels and formats. ; • Training is tailored to meet your needs, training methods can include; online video tutorials, remote login, telephone, webinar and onsite instruction. ; • Remote support and training can be provided through US or Ireland Client Support teams.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Excel
  • Word
• End-of-contract data extraction: Data migration can be provided at contract end at a fixed cost. Long terms data archiving with access post contract end can also be provided.; ; All data within the 8-year archiving period will remain accessible to the Client regardless of contract end, negating the need for additional cost to migrate data.
• End-of-contract process: We work to agreed contract terms. At the end of a contract, we simply cease to receive clinical data into the cloud, and cease to undertake any clinical services for the customer. ; All data is archived for the required period of 8 years. This is included in the service we provide, and within the contract price.; Any data required to be exported to another system will incur additional cost, to be agreed on request.; Our service is designed to be easy-to-use: at contract end, client accounts can be deactivated or changed to allow data-viewing only (without the ability to add/amend data) of the archive database for the remaining archive period.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: Yes
• Compatible operating systems:
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Service is available to view via mobile devices, however, due to the nature of the content, high-quality images are required, and therefore the proposed service does not include use of mobile-based services.
• Service interface: Yes
• Description of service interface: The service interface for Ultralinq is called Uplinq. Uplinq runs as a service in Windows, and searches pre-defined folders to identify unprocessed files, encodes the files into multimedia images and then uploads the encrypted components into the Ultralinq viewer using 256 AES end to end encryption
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: WE have tested our interface to ensure it meets the requirements of WCAG 2.1 AAA
• API: No
• Customisation available: No

Scaling

• Independence of resources: We have dedicated support functions in place to ensure all required support is provided in line with contracted timelines. ; Each contract has a designated project team, and key contacts once live. We can therefore manage resource accordingly to ensure that demand doesn’t exceed supply. ; Software has no storage limits.

Analytics

• Service usage metrics: Yes
• Metrics types: Service usage metrics include;; • Performance Reports:; o Appointment completion rates; o Did not scan (rejection) rates ; o Number of failures to provide monthly reports by the provider; o Report completion rates; o Turnaround times from receipt of study to report; • Quality Reports which include; o Incident Reports; o Percentage of reports (internal) peer reviewed for quality assurance; o Number of diagnostic errors: Rate of false positives and false negatives; o Percentage of Independent clinical audit (external); o On- call remote reporting response rate; o Turnaround times on reports from Reviewing Service /Training and Mentoring and Peer Review Service
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data export is complete securely via the infrastructure provider.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • MP4
  • DICOM
  • PDF
  • PNG
  • JPEG
  • ISO
  • ZIP
• Data import formats: Other
• Other data import formats:
  • DICOM
  • PDF
  • PNG
  • JPEG
  • AVI
  • MP4

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Using a secure DICOM Gateway installed within the Customer’s network.; The Secure DICOM Gateway will decode the DICOM file, and create three files:; 1. An XML file with all the DICOM metadata.; 2. A multimedia file (JPEG for still images, MP4 for multiframe images).; 3. A thumbnail file (JPEG).; The files are upload to ICS Diagnostics’ cloud environment using HTTPS via TLS.; Reports; Reports can be transferred back to the Customer via HL7 or via a secure email link.; A secure VPN can be established to transfer HL7.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: UltraLinq platform will be available 24/7, except during periods of scheduled maintenance. The Supplier will provide advance notification of scheduled maintenance no less than 7 Business Days prior to the time maintenance will begin.; UpLinq resides on client maintained hardware; therefore, the Supplier makes no guarantees regarding uptime.; The full service clinics will be available as per agreed hours with customer. Report back to the Customer on the same Business Day.; If reporting is to be provided by the same scanning resource, then the reporting will be returned to the Customer the following Business Day. ; Remote Reporting service will be available for a Day Shift (8am to 6pm, Monday to Friday) and an Evening Shift (6pm to 11:30pm) and Out of Hours (11:30pm to 8am, Monday to Friday and all-day Saturday and Sunday).; Reviewing service will be available for a Day Shift (9am to 5pm, Monday to Friday).; Please see ICS Diagnostics SLA for more information.
• Approach to resilience: We use Ultralinq’s data centre Amazon Web Services. This information is available on request.
• Outage reporting: Outages are reported using email alerts.; The Full service, Remote Reporting service and Reviewing service depends on the Cloud-based Echo System for availability. ; Ultralinq may encounter unscheduled downtime due to events beyond the Supplier’s control (service-continuity events). The Supplier commits to 99.0% monthly uptime. The Supplier’s data centre partner, Amazon Web Services, commits to 99.99% monthly uptime. The Provider and Supplier considers all intervals of unscheduled downtime as critical.; The reliability of the UpLinq relies heavily on the IT ecosystem in which it is installed. The Supplier makes no guarantees on the reliability of UpLinq given the variability of the Customer ecosystems.; Since UpLinq connects to the same web servers as UltraLinq, any downtime affecting UltraLinq will affect UpLinq. The only situations where UltraLinq is up and UpLinq is down will involve Customer connectivity issues.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: User profiles and restrictions will determine level of access as provided and vetted.; Access is controlled by ICS Diagnostics, so we can clearly define who has permission to clinical information, and at what level. ; Different permissions can be granted depending on different levels of required access, and this is all controlled within the admin back-end of the system.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: EY Certifypoint
• ISO/IEC 27001 accreditation date: 15/12/2017
• What the ISO/IEC 27001 doesn’t cover: Technology utilised by ICS Diagnostics is certified as ISO27001 compliant.; ICS Diagnostics are currently reviewing ISO27001 certification, however, ICSG (the parent company of ICS Diagnositcs) is ISO27001 certified.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials certification

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our robust suite of policies underpin our ISO27001, IG Toolkit and Cyberessentials accreditation. Our Information Security Management System has processes for all governance and security aspects, including staff training, data protection and retention, data transfer, hardware and access procedures. Senior Managers (e.g. HR, IT, Operations) form our Information Governance committee, which reports to the Board, ensuring a whole-group and multi-role focus, and reviews performance and procedures. Procedures for suspected/ actual information security incident (including near miss) mandate how each staff member should report, and what action is needed. We record all incidents on Datix to ensure a consistent approach to collecting information, and mandatory steps ensure escalation to appropriate managers, and undertaking investigations within agreed timescales. Our Clinical Director and Caldicott Guardian reports to ICO/ relevant third parties. Information Governance committee reviews incidents to verify actions were appropriate actions and lessons are learned. To ensure policies are followed, all staff undertake training on Information Governance during induction, ensuring a baseline of knowledge. Responsibility for Information Governance is included in staff code of conduct. This is reinforced by system protocols (e.g. mandatory password resets to approved complexity level). ISMS and documentation are available on intranet, not hard copy, ensuring version control.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Change management uses recognised project/change management principles. Key steps in change management processes include;; Evaluate: each systems, resource and component of the project.; Coordinate: who will approve change and processes to be utilised to configure change. Who will ensure changes are realised, and who will be accountable.; Security/risks: identification of security issues and project/change management risks - significant change to code impacts security reassessment; Plan: who will implement change, and process/timeline for change; Documentation: creation of appropriate documentation/resource, specific to change; Control: change control process documented and actions recorded to include lessons learned; Action: change implementation, and monitoring of milestones
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Ldentify threats and vulnerability through constant monitoring 24/7 using: ; • Nist vulnerability database - https://nvd.nist.gov/vuln/data-feeds; • PHP mailing lists - https://php.net/mailing-lists.php; • Flash security bulletins - https://helpx.adobe.com/security/security-updates/#/security-advisories; • Categorisation of vulnerability into groups; • Scanning assets regularly for known vulnerabilities; • Ranking risks of vulnerabilities; • Emergency patches and security updates within hours (depending on nature of the issue and amount of quality testing required to ensure stability of a fix); • Quarterly major release schedule; The UltraLinq system is ISO certified and considered a class2 medical device, therefore not patch is implemented without proper risk analysis and quality testing.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Realtime monitoring is in place to monitor potential compromises. Amazon Web Services communicates any identified data breach immediately it becomes aware. Escalation processes are in place to manage any situation where a compromise is identified.; The degree of compromise will determine resource allocation and urgency of response.; Our aim is to always address any identified actual or potential compromise immediately.
• Incident management type: Supplier-defined controls
• Incident management approach: The technology we use follows NIST Incident Response Lifecycle for security incidents and complies with the US HIPAA guidelines. Users report incidents per SLA. Various tools are used, with human analysis, to identify questionable events and workflows are in place for conducting risk assessments for discovered security incidents. Detection: Security team uses automated/manual processes to detect escalatable events. Alerts are configured for known-anomalies or abnormal conditions. Containment: incident-specific process Eradication: incident-specific process Restoration: Known good images/software are used for rebuilding/restoring. Follow-up: Lessons-learned meetings are conducted to identify successes/improvements.; Technology is also covered by ISO13485 certified quality management system.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £1 to £1200 per unit per day
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)