CAMBRIDGE DIGITAL HEALTH LIMITED

Application for symptoms tracking and Information during IVF cycle

This app helps couples undergoing IVF track symptoms, health markers and lifestyle metrics. Reliable, tailored information offers insight, advice and encouragement, enabling good communication with HCP where appropriate. HCP can access data from their patients and can export this data to upload to EPR if required.

Features

• iOS and Android mobile app
• Webapp for user management as well as data input
• Remote access, cloud based desktop platform and native app
• User profile questionnaire
• Symptom log
• Tailored messages/notifications relating to symptoms experienced
• Useful resources and information
• Advanced user customisation and configuration capabilities
• Real time reporting, system usage and activity trends
• User in full control of their data

Benefits

• Easy recording of existing conditions and risk factors
• Easy recording of symptoms to view trends over time
• Receive tailored messages and reminders to encourage healthy habits
• Promotes awareness of risks and signs of complications
• Educates and informs on good health practices
• Analyse and review the effect of actions taken

£2.60 to £6.00 a user a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Framework

G-Cloud 12

Service ID

149103299029052

Contact

Natalya Butterworth
01223 967 369
info@camdm.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: The app works best on recent version of Android and iOS mobile devices. The exact compatibility constraints are regularly evolving as new versions of Android and iOS become available, so please contact us to get the latest information.
• System requirements:
  • No specific requirements in the standard version
  • Contact us if deploying on your own server

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Technical and customer support enquiries are usually dealt with within 1 working day.; See SLA for specific times agreed with buyer as this can be tailored to their individual needs.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The support levels provided are defined in the pricing document.; ; A project manager is assigned to each buyer and will oversee the quality of the support and that it is meeting the agreed turn around time.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: For Healthcare professionals, contact is made by phone or email with the Hospital point of contact to get the hospital set up, they also receive a link to a demo video. The administrator can add all of their hospital users and patients need access. This is done on the admin dashboard of the web app. Users receive an email inviting them to download the app and login, which guides them in the process. Those with user rights access can then create new patient accounts. Patients can also download the app independently from the app store and choose to link their profile to that of the hospital. The hospital administrator for this project can accept or reject linking requests.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: At the end of the contract, data can be extracted as a csv file. Other formats can be created upon request as per SLA.
• End-of-contract process: At the end of the contract, the organisation is under no obligation to continue to use or pay for the services. The users of that organisation will receive an email 7 days before the end of contract notifying them that the access will soon come to an end. The app for their users will stop working when the contract ends. In the event that this was an oversight from the buyer, and that renewal fees are paid within 1 month, access can be restored without losing information.; ; Users can continue to use the patient-facing version of the app without any customised information from the hospital after then.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile app allows users to register and connect to their HCP. They can record feelings, symptoms, and receive regular automated (but tailored) messages. Users can manage the data sharing settings on their app.; ; The web interface is for hospital administrators who confirm that specific users is one of their patients. Administrators have access to a real-time analytics dashboard (usage only, and patient’s data).; Summary PDF can be downloaded from the admin dashboard with the option of having this in a specific format for automated upload to EPR.
• Service interface: No
• API: No
• Customisation available: Yes
• Description of customisation: The app can include hospital information (name, logo, ...) for the users linked with that hospital.; Hospital specific surveys and features can be included (or hidden) from app users.; ; Customisation requirements will be included in the buyer's specific SLA.

Scaling

• Independence of resources: Our servers are regularly monitored for response time fluctuations, and system load. Application testing is also used to ensure independence of resources. Backend services can be both scaled up and scaled out to meet increasing customer demand. Load balancing is used to ensure that users are not affected by the demand placed by others.

Analytics

• Service usage metrics: Yes
• Metrics types: The real time dashboard of the web interface allows the organisational administrators to see how many active users they have on the system, as well as having useful lists.; Any specific data that the buyer would like to access can be discussed and we will do our best to make this available to them. Buyers may wish to have access to APIs, regular report or report on request, this is all specified in each individual SLA.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The main method of data export is the creation of individual PDF records for each patients which details their entries. Hospital administrators can download user metrics in CSV format.
• Data export formats:
  • CSV
  • Other
• Other data export formats: User led PDF of some sections of the app
• Data import formats: Other
• Other data import formats: Manual validation

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: SLAs are agreed on a per-customer basis, based on need.
• Approach to resilience: Resilience plans available on request.
• Outage reporting: Outages are currently reported via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
• Access restrictions in management interfaces and support channels: IP based restrictions; Country restrictions; user name and passwords; token based authentication
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Less than 1 month
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Less than 1 month
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Security governance policies are reviewed annually and reported at Board level for governance and approval. All policies and methods are distributed to staff and appropriate training and information given to them during their induction and during annual training. Any issues are reported to a director of the company for resolution as described by the policy.; ; Given the nature of this project, we specifically adhere to NHS IG Toolkit policies and processes.
• Information security policies and processes: Cambridge Digital Health’s processes are GDPR compliant. ; ; Information security policies and processes are reviewed annually and reported at Board level for governance and approval. All policies and methods are distributed to staff and appropriate training and information given to them during their induction and during annual training. Any issues are reported to a director of the company for resolution as described by our policies.; ; Given the nature of this project, we specifically adhere to NHS IG Toolkit policies and processes.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes must pass through our development pipeline as per our SOPs, which includes checks and balances at all stages from initiation to field deployment. ; Version control, extensive regression testing, canary releases to environments which support 'test' apps, progressive rollout (usually over a period of weeks across the server fleet) with ability for very fast rollback.; All of these activities are recorded electronically at each stage.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Information about potential threats is gathered form a variety of sources, including upstream suppliers of software tools, platforms and services, as well as in-house penetration testing. Main vulnerability testing is performed in house, including SQL injection as well as commercial vulnerability management software.; ; Risks are assessed using a standard "likelyhood * impact" scoring. Patches can usually be deployed in a matter of days.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises are identified through a combination of regular log review using custom scripts, and data monitoring. We have additional protection offered by our server host, Cambridge University Hospitals.; ; How we respond dependant on the nature of the compromise, it could be IP blacklisting, or Fail to Ban or other relevant response depending on the nature of the compromise.; ; We aim to respond to any compromise on the same day.
• Incident management type: Supplier-defined controls
• Incident management approach: Users can report incidents to us via telephone or email. The incident is immediately reported to the relevant project manager and technical lead for the project on duty that day.; Each issue is evaluated, and a level of priority assigned to it. ; The project manager is responsible for tracking progress and communicating with the users if necessary.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

• Price: £2.60 to £6.00 a user a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF