ICS Operations Limited

ICS Diagnostics: Cardiac Diagnostic Services

• Provision of technology-enabled, onsite and remote, Cardiac Diagnostic services
• Cardiology services can access our clinical network via our cloud software technology, to increase capacity, access reporting and reviewing support, access training and feedback, and access independent clinical governance support.

Features

  • Cloud-based technology, allowing easy reporting, reviewing, storage and accessing
  • Full service (Scanning and reporting)
  • Remote Reporting service
  • Reviewing service
  • Training and Mentoring service
  • Peer Review service
  • Urgent Staffing service
  • Specialist BSE accredited echocardiographer(s) to run high-quality, high-volume echo clinic(s)
  • Clinical information securely uploaded and stored within cloud environment
  • Guaranteed same day report turnaround

Benefits

  • Easy flexible access to clinical information securely via web browser
  • View, report and refer scans and reports easily by email
  • HL7 integration back into existing systems
  • Access BSE clinical support - nationwide network of specialist clinicians
  • Capacity support with efficient, high-volume lists onsite
  • Reporting, reviewing, clearing of backlog support via BSE reporting bureau
  • Training and mentoring support from experienced clinicians onsite and remote
  • Improve service clinical governance and quality assurance through reviewing channels.
  • Increase service capacity
  • Guaranteed same day report turnaround

Pricing

£1 to £1200 per unit per day

Service documents

G-Cloud 11

114526473610179

ICS Operations Limited

Ian McKenzie

01992 305 711

bid.team@ukics.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Very clear support processes in place for clinical, administration, and technical queries.
Clear clinic or reporting bureau hours, outlined and confirmed in service agreement before a contract commences.
Service available 24/7, except during periods of scheduled maintenance. The Supplier will provide advance notification of scheduled maintenance no less than 7 Business Days prior to the time maintenance will begin.
System resides on client-maintained hardware; therefore, the Supplier cannot make any guarantees regarding uptime, as this is dependent on client networks.
Please see SLA for further information.
System requirements
  • PC / VM Server to install application for DICOM Gateway
  • Reports to be returned by HL7 integration
  • HL7 interface will need to be created by the Trust
  • VPN connectivity
  • Requirement to whitelist URL for cloud environment
  • Antivirus whitelist of specific folders related to software possibly required.
  • Viewer specifications are in place for all reporting stations used.

User support

Email or online ticketing support Email or online ticketing
Support response times We acknowledge within 2 working hours, resolve low-level issues within 24 working hours, medium-level issues in 48 working hours and technical issues within 14 working days.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels We supply in and out of hours support with specific support processes in place for clinical, administration and ad hoc queries.

Support is included in the pricing.

Yes, we will provide a technical lead who will be the point of contact throughout the engagement.
Support available to third parties Yes

Onboarding and offboarding

Getting started • Depending on the service specification being used, onsite training, user documentation and online help are available to users of the system.
• Onsite training is included in the pricing, and remote training is also included to provide further support/training time.
• User documentation, online training and project management leading up to service go-live can be supplied through a variety of channels and formats.
• Training is tailored to meet your needs; training methods can include online video tutorials, remote login, telephone, webinar and onsite instruction.
• Remote support and training can be provided through US or Ireland Client Support teams.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Excel
  • Word
End-of-contract data extraction Data migration can be provided at contract end at a fixed cost. Long-term data archiving with access post contract end can also be provided.

All data within the 8-year archiving period will remain accessible to the Client regardless of contract end, negating the need for additional cost to migrate data.
End-of-contract process We work to agreed contract terms. At the end of a contract, we simply cease to receive clinical data into the cloud, and cease to undertake any clinical services for the customer.
All data is archived for the required period of 8 years. This is included in the service we provide, and within the contract price.
Any data required to be exported to another system will incur additional cost, to be agreed on request.
Our service is designed to be easy-to-use: at contract end, client accounts can be deactivated or changed to allow data-viewing only (without the ability to add/amend data) of the archive database for the remaining archive period.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install Yes
Compatible operating systems
  • MacOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Service is available to view via mobile devices, however, due to the nature of the content, high-quality images are required, and therefore the proposed service does not include use of mobile-based services.
Accessibility standards WCAG 2.1 AAA
Accessibility testing We have tested our interface to ensure it meets the requirements of WCAG 2.1 AAA.
API No
Customisation available No

Scaling

Independence of resources We have dedicated support functions in place to ensure all required support is provided in line with contracted timelines.
Each contract has a designated project team, and key contacts once live. We can therefore manage resource accordingly to ensure that demand doesn’t exceed supply.
Software has no storage limits.

Analytics

Service usage metrics Yes
Metrics types Service usage metrics include;
• Performance Reports:
o Appointment completion rates
o Did not scan (rejection) rates
o Number of failures to provide monthly reports by the provider
o Report completion rates
o Turnaround times from receipt of study to report
• Quality Reports which include
o Incident Reports
o Percentage of reports (internal) peer reviewed for quality assurance
o Number of diagnostic errors: Rate of false positives and false negatives
o Percentage of Independent clinical audit (external)
o On-call remote reporting response rate
o Turnaround times on reports from Reviewing Service / Training and Mentoring and Peer Review Service
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Data export is completed securely via the infrastructure provider.
Data export formats
  • CSV
  • Other
Other data export formats
  • MP4
  • DICOM
  • PDF
  • PNG
  • JPEG
  • ISO
  • ZIP
Data import formats Other
Other data import formats
  • DICOM
  • PDF
  • PNG
  • JPEG
  • AVI
  • MP4

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Using a secure DICOM Gateway installed within the Customer’s network.
The Secure DICOM Gateway will decode the DICOM file, and create three files:
1. An XML file with all the DICOM metadata.
2. A multimedia file (JPEG for still images, MP4 for multiframe images).
3. A thumbnail file (JPEG).
The files are uploaded to ICS Diagnostics’ cloud environment using HTTPS via TLS.
Reports
Reports can be transferred back to the Customer via HL7 or via a secure email link.
A secure VPN can be established to transfer HL7.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability UltraLinq platform will be available 24/7, except during periods of scheduled maintenance. The Supplier will provide advance notification of scheduled maintenance no less than 7 Business Days prior to the time maintenance will begin.
UpLinq resides on client-maintained hardware; therefore, the Supplier makes no guarantees regarding uptime.
The full service clinics will be available as per the hours agreed with the Customer, with reports returned to the Customer on the same Business Day.
If reporting is to be provided by the same scanning resource, then the reporting will be returned to the Customer the following Business Day.
Remote Reporting service will be available for a Day Shift (8am to 6pm, Monday to Friday) and an Evening Shift (6pm to 11:30pm) and Out of Hours (11:30pm to 8am, Monday to Friday and all-day Saturday and Sunday).
Reviewing service will be available for a Day Shift (9am to 5pm, Monday to Friday).
Please see ICS Diagnostics SLA for more information.
Approach to resilience We use UltraLinq’s data centre partner, Amazon Web Services. This information is available on request.
Outage reporting Outages are reported using email alerts.
The Full service, Remote Reporting service and Reviewing service depend on the Cloud-based Echo System for availability.
UltraLinq may encounter unscheduled downtime due to events beyond the Supplier’s control (service-continuity events). The Supplier commits to 99.0% monthly uptime. The Supplier’s data centre partner, Amazon Web Services, commits to 99.99% monthly uptime. The Provider and Supplier consider all intervals of unscheduled downtime as critical.
The reliability of UpLinq relies heavily on the IT ecosystem in which it is installed. The Supplier makes no guarantees on the reliability of UpLinq given the variability of the Customer ecosystems.
Since UpLinq connects to the same web servers as UltraLinq, any downtime affecting UltraLinq will affect UpLinq. The only situations where UltraLinq is up and UpLinq is down will involve Customer connectivity issues.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels User profiles and restrictions will determine level of access as provided and vetted.
Access is controlled by ICS Diagnostics, so we can clearly define who has permission to clinical information, and at what level.
Different permissions can be granted depending on different levels of required access, and this is all controlled within the admin back-end of the system.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 EY CertifyPoint
ISO/IEC 27001 accreditation date 15/12/2017
What the ISO/IEC 27001 doesn’t cover Technology utilised by ICS Diagnostics is certified as ISO27001 compliant.
ICS Diagnostics are currently reviewing ISO27001 certification; however, ICSG (the parent company of ICS Diagnostics) is ISO27001 certified.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials certification

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our robust suite of policies underpins our ISO27001, IG Toolkit and Cyber Essentials accreditation. Our Information Security Management System has processes for all governance and security aspects, including staff training, data protection and retention, data transfer, hardware and access procedures. Senior Managers (e.g. HR, IT, Operations) form our Information Governance committee, which reports to the Board, ensuring a whole-group and multi-role focus, and reviews performance and procedures. Procedures for suspected/actual information security incidents (including near misses) mandate how each staff member should report, and what action is needed. We record all incidents on Datix to ensure a consistent approach to collecting information, and mandatory steps ensure escalation to appropriate managers and investigations undertaken within agreed timescales. Our Clinical Director and Caldicott Guardian reports to ICO/relevant third parties. The Information Governance committee reviews incidents to verify that actions were appropriate and lessons are learned. To ensure policies are followed, all staff undertake training on Information Governance during induction, ensuring a baseline of knowledge. Responsibility for Information Governance is included in the staff code of conduct. This is reinforced by system protocols (e.g. mandatory password resets to approved complexity level). ISMS and documentation are available on the intranet, not in hard copy, ensuring version control.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change management uses recognised project/change management principles. Key steps in change management processes include:
Evaluate: each system, resource and component of the project.
Coordinate: who will approve change and processes to be utilised to configure change. Who will ensure changes are realised, and who will be accountable.
Security/risks: identification of security issues and project/change management risks - significant change to code impacts security reassessment
Plan: who will implement change, and process/timeline for change
Documentation: creation of appropriate documentation/resource, specific to change
Control: change control process documented and actions recorded to include lessons learned
Action: change implementation, and monitoring of milestones
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Identify threats and vulnerabilities through constant monitoring 24/7 using:
• NIST vulnerability database - https://nvd.nist.gov/vuln/data-feeds
• PHP mailing lists - https://php.net/mailing-lists.php
• Flash security bulletins - https://helpx.adobe.com/security/security-updates/#/security-advisories
• Categorisation of vulnerability into groups
• Scanning assets regularly for known vulnerabilities
• Ranking risks of vulnerabilities
• Emergency patches and security updates within hours (depending on nature of the issue and amount of quality testing required to ensure stability of a fix)
• Quarterly major release schedule
The UltraLinq system is ISO certified and considered a class 2 medical device; therefore, no patch is implemented without proper risk analysis and quality testing.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Real-time monitoring is in place to monitor potential compromises. Amazon Web Services communicates any identified data breach as soon as it becomes aware. Escalation processes are in place to manage any situation where a compromise is identified.
The degree of compromise will determine resource allocation and urgency of response.
Our aim is to always address any identified actual or potential compromise immediately.
Incident management type Supplier-defined controls
Incident management approach The technology we use follows NIST Incident Response Lifecycle for security incidents and complies with the US HIPAA guidelines. Users report incidents per SLA. Various tools are used, with human analysis, to identify questionable events, and workflows are in place for conducting risk assessments for discovered security incidents.
Detection: Security team uses automated/manual processes to detect escalatable events. Alerts are configured for known anomalies or abnormal conditions.
Containment: incident-specific process.
Eradication: incident-specific process.
Restoration: Known good images/software are used for rebuilding/restoring.
Follow-up: Lessons-learned meetings are conducted to identify successes/improvements.
Technology is also covered by ISO13485 certified quality management system.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £1 to £1200 per unit per day
Discount for educational organisations No
Free trial available No

Service documents

  • Pricing document (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)