ORCHA Health Ltd

ORCHA Digital Health Accreditation, Dissemination and Professional Activation Platforms and Services

ORCHA’s Platforms and Services provide a full solution to the challenges of embedding Digital-Health solutions into day-to-day Healthcare delivery systems. Powered by the world's most advanced Digital-Health Review/Accreditation solution, the suite includes tailored Digital-Health Libraries with advanced search/filter options and solutions that support Professionals to embrace this exciting new frontier.


  • Existing library of over 3,500 Apps (May 2018)
  • Thousands of new apps added each year across 300+ categories
  • New versions of reviewed Apps are automatically re-reviewed
  • Unique review approach based on key standards & best practice
  • Tailorable libraries enabling a focus on your key needs/populations
  • Open APIs allow direct integration into existing platforms & assets
  • Unique App Matching capabilities driving 'right App first time' results
  • Simple and intuitive professional recommendation/prescribing solution
  • App licence management and distribution capabilities
  • Full implementation support and campaign management provided


  • Drives the uptake of digital health Apps in your populations
  • Empowers professionals to embrace and drive digital activation
  • Maximises 'right App, first time' results and long-term stickiness
  • Allows the tracking of patient, population and professional mHealth activation
  • Provides an accreditation and regulatory compliance framework
  • Delivers a constant market monitoring and horizon scanning solution
  • Helps to raise digital literacy for patients and clinicians
  • Assists in patient outreach and population health management
  • Part of a wider digital campaign - to change mindsets
  • Patients and the public gain a trusted digital adviser


£10000.00 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

123925914591182


ORCHA Health Ltd

Tim Andrews



Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints ORCHA's App Library is available 24/7/365, while allowing for necessary planned maintenance. The system is updated on a regular basis, and is fully tested before being released to the production server.
Browser access must be based on the approved list.
Mobile device access must be based on supported mobile operating systems (iOS or Android).
Mobile device management is not included.
System requirements
  • ORCHA is a browser-based solution.
  • We support all major browsers, current version minus two.
  • The ORCHA API solution uses a JSON format.

User support

Email or online ticketing support Email or online ticketing
Support response times Client queries within 24 hours.

Technical issues - Please see Terms and Conditions
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support No
Support levels ORCHA provides Tier 2 support to client IT teams, and the cost for this is included in the main contract price.
An account manager is allocated to the client once the initial contract has been agreed.
Support available to third parties No

Onboarding and offboarding

Getting started Initial scoping and set up of an ORCHA microsite involves branding it with the client logo, with the opportunity to then tailor site visuals and language to support user engagement. ORCHA offers templates and documentation (e.g. communications strategies and collateral) to guide this process and ensure that the website is engaging for the particular target demographic.

For general users of the website, there are on-screen cues, there is an FAQs section, and there is a video which explains how to navigate the site to search, filter, and find the best apps for their needs. In addition to this, there is a function to ‘Contact Us’ for help. Outside of the site, ORCHA provides each client with bespoke physical and digital collateral/assets designed to engage the target demographic.

For ‘ORCHA Pro Account’ users using the site to support their care delivery, this existing support is extended to facilitate engagement with ORCHA’s additional ‘Pro’ functionality, not least the facility to ‘recommend’ specific apps to specific individuals. To support this, ORCHA offers a mixture of stakeholder presentations, face-to-face onsite training, online training webinars, and ‘train the trainer’ sessions to build internal capacity; as well as an additional ‘walk through’ style video.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction ORCHA can do this upon request.
End-of-contract process After termination or expiration of the contracted services under the terms of the agreement or at your written request, ORCHA will delete or otherwise render inaccessible the production Services, including your content stored on our (cloud) servers, in a manner designed to ensure that it cannot reasonably be accessed or read, unless there is a legal obligation imposed on ORCHA preventing it from deleting all or part of the client's hosted environment.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are small differences in resolution for the mobile version (lower) and the navigational structure is necessarily different. All functional features are the same.
Service interface No
What users can and can't do using the API The API allows clients to pull unformatted and formatted App data that delivers most of the functionality of a standard ORCHA App Library.

The API can be used on an unformatted and on a formatted basis to integrate the ORCHA App Library and App Finder functionality directly into existing websites, Apps or platforms.
API documentation Yes
API documentation formats PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation The ORCHA App Library and App Finder can be configured and customised in a variety of ways. This includes:

- Choice of site look and feel, branding and URL/s
- Choice of featured or targeted App categories or areas of focus
- Choice of what types of Apps are displayed by reference to their score, who they were designed for and their compliance with specific key standards
- Choice of activation approaches for patients, populations and professionals

These customisable features are delivered as part of the standard site set-up process and can be delivered within a matter of days.

Users cannot directly customise other elements of the software, but can request that ORCHA do so (at additional cost).


Independence of resources Servers are load balanced and have significant unused capacity. ORCHA normally operates at around 2% CPU utilisation, allowing throughput to safely increase by a factor of 35 without any service interruption. This allows ORCHA to safely cope with all current spikes in usage, and seamlessly on-board new clients.


Service usage metrics Yes
Metrics types ORCHA provides a full array of site usage reports and data dashboards derived from an array of internal and external analytic tools.
This is provided to the client organisation as part of the contracted agreement.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach End users cannot export their data.
ORCHA can provide usage and search data to client organisations upon request.
Data export formats CSV
Data import formats Other
Other data import formats There is no import facility

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability ORCHA uses AWS (based in the UK), and their stated uptime is 99.99%.
This does not include scheduled/planned maintenance carried out by ORCHA.
Approach to resilience Hourly backups are taken of the main database. The code is backed up on every new build, and is source controlled. Snapshots are taken of the servers monthly, to capture latest configuration changes. All single points of failure are identified and remediation is in place.
Outage reporting Email alerts are sent to clients as soon as any outage is notified by AWS.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Privileged access to ORCHA's production environment is highly restricted and only designated senior technical staff have direct access to it. Access to the AWS management console requires 2-factor authentication.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach ORCHA takes a holistic approach to information security, with a multilayered defence security strategy applied across all of its systems. We look to protect data at all stages of its journey from capture (via the website) through transmission and storage, to eventual destruction (as applicable). We are ICO registered, and use AWS as our hosting provider, which is accredited to a series of international standards.
Information security policies and processes ORCHA conforms to all current GDPR and data protection legislation. We have a Data Privacy Policy which is available via the website. All staff contracts contain data confidentiality clauses, and they are trained in this regard during their induction process. Access to data is controlled via a role-based access system, and logs are maintained to ensure compliance with internal policies.
Any issues with non-compliance would be raised via the CIO to the COO and then to the Board, and dealt with in line with the existing policies.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes to our database, application, architecture and environment are authorised, reviewed and fully logged. We use a combination of JIRA and an internal wiki (Confluence) to document bug fixes, change requests and releases, upgrades, maintenance and other elements that might impact our production environment.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Server security patching is conducted monthly or as required when a patch is released by a manufacturer. Information about threats is gathered from various sources including: developer bulletins, security mailing lists and other internet sources.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our AWS infrastructure continuously monitors for errors and proactively corrects them before they become an issue. This ensures that the support team can work to investigate problems before they are reported by the end user. In addition, there is a supporting second data centre in the unlikely case of a service failure.
Incident management type Supplier-defined controls
Incident management approach ORCHA's incident management approach utilises a helpdesk approach. Users can contact it with their incidents or issues, usually via email, and each is routed to the most appropriate person within the organisation to respond to (within 2 working days). Depending on the nature of the incident, ORCHA would follow its relevant policy; e.g. a data breach would be dealt with in accordance with the data privacy policy; a technical failure on the site would trigger the DR plan.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £10000.00 per licence per year
Discount for educational organisations Yes
Free trial available No
