Kainos Evolve Limited

Evolve EMR-as-a-Service

Award-winning Evolve Medical Record platform supports Digital Maturity programmes through removal of paper from the care process. Secure, audited storage and management of patient documentation, promoting paperless working through digital workflows and electronic forms. Provided as a fully managed service, delivered securely using Microsoft Azure’s cloud.


  • Digital patient records and electronic document management.
  • Electronic forms and workflows enables paperless working.
  • Instant access to patient records via mobile devices and desktops.
  • Highly configurable and scalable, used daily by 150,000 clinicians.
  • Interoperability with EPRs based on HL7 standards including Spine.
  • Fully managed service, delivered securely via the cloud.
  • End-to-end network, server, database, application management.
  • ISO27001 and ISO20000 accredited.
  • Cloud hosting through Microsoft Azure.
  • Deployed in the cloud with advanced security measures and tooling.


  • Supports digital maturity and paperless working.
  • Supports the Government’s 2020 personalised health and care agenda.
  • Improved information sharing and collaboration across systems and care teams.
  • Information access at point of care supports better decision making.
  • Free up IT staff for other priorities, improve clinician efficiency.
  • Reduced management overhead – Kainos end-to-end service.
  • Maximised availability – resiliency and DR built in.
  • Reduced risk – protected by Azure and enhanced operational security.
  • Reduced risk – experts in cloud engineering for HM Government.
  • Reduced risk – real world experience migrating mission critical services.


£650 per person per day

Service documents


G-Cloud 11

Service ID

2 3 4 5 7 2 1 3 9 8 8 8 1 6 8


Kainos Evolve Limited

Gareth Black



Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Full details of Evolve EMR-as-a-Service are included in the attached service definition document.
System requirements
  • SQL Server licensed by the Customer for on-premise and cloud.
  • Appropriate internal network, external network and connections.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard support response times range from 60 minutes to 5 days depending on the incident categorisation and prioritisation as defined in a tailored service level agreement (SLA) per service.
The tailored SLA also defines the agreed hours of support service availability which can range from 24x7 to weekdays 09:00 to 17:00.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
For many of our support clients we configure private chat groups to allow the client real-time access to the support team.
However, we have not performed any web chat testing with assistive technology users.
Web chat accessibility testing
For many of our support clients we configure private chat groups to allow the client real-time access to the support team.
However, we have not performed any web chat testing with assistive technology users.
Onsite support
Yes, at extra cost
Support levels
Our mature cloud support service blends continued service improvement with defect resolution, to ensure user needs, business goals and performance targets are realised, and user satisfaction is maximised.

We offer a range of support levels (3rd & 4th line) which are aligned to client’s support requirements and defined in a tailored service level agreement. Our support methodology is based on the rigour of ITIL and the flexibility of Agile principles and a Dev Ops culture. This blend results in a robust break-fix service and pragmatic service targets which are ITIL-aligned and underpinned by our ISO 9000, ISO 20000 and ISO 27001 accreditation.

Support is included as part of the service cost.

A typical support team is led by a technical account manager who is responsible for day-to-day support and allocation of support requests to multiple cloud support engineers. This approach provides a resilient support service with sufficient cover to ensure all support requests are managed in an effective and efficient manner.
Support available to third parties

Onboarding and offboarding

Getting started
We have introduced carefully selected on-line help and tutorials to allow new users to get accustomed to the solution quickly.
Service users have access to on-line help within the majority of the screens to explain their purpose and assist in making best use of solution functionality.
Optional onsite training is available on request.
Service documentation
Documentation formats
End-of-contract data extraction
Kainos shall make the Evolve Web API available to provide the Customer with the capability to extract data from within Evolve.
End-of-contract process
Upon the end of the contract Kainos will provide the Customer with a temporary extension to the licence for the Evolve Web API (including documentation), free of charge to facilitate the migration process.

After the end of the contract the Evolve service will be provisioned for a period of one month to enable the Trust to extract the required data from Evolve. Following extraction of the data, disposal schedules can be configured to trigger the destruction of the electronic records stored within Evolve. Configuring retention and disposal schedules is a topic covered in the Evolve for Records Managers training course. Evidence of destruction would be provided via audit logs of the disposal process.

Kainos will provide this assistance on a time and materials basis (at the applicable rate card).

Expenses incurred in conjunction with these services, including the use of third party equipment or services e.g. third party hosting charges required for transition, will be chargeable to the Customer.

Using the service

Web browser interface
Supported browsers
Internet Explorer 11
Application to install
Compatible operating systems
  • IOS
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
Evolve for iPad has been optimised for mobile devices running on the iOS platforming, leveraging native iOS capability including offline working and security.
Service interface
Description of service interface
See service definition document.
Accessibility standards
None or don’t know
Description of accessibility
Evolve EMR is compliant with stringent accessibility requirements, such as those stated in the US DoD 5015.2 standard. It has a high level of compliance with the W3C Web Content Accessibility Guidelines. Many out-of-the-box components use Microsoft products as the user interface, and as such inherit host software’s accessibility features. Microsoft is highly committed to accessibility excellence and complies with Section 508 for accessibility as well as other international standards.
The Autonomy RM Developer Toolkit provides several open APIs supporting the widest possible range of integration options. This enables integration of Evolve with third-party software, such as specialist accessibility packages.
Accessibility testing
During the development of Evolve EMR, the user voice was the focus of the User Stories used to design the solution. This solution design is user-centric to drive through the importance of ease of use, and to allow users to quickly and easily find the clinical information they need.
Evolve has a team of highly experienced usability experts who have conducted extensive usability testing with a wide range of end users including users of assistive technology. Further details available on request.
What users can and can't do using the API
Evolve EMR has a fully functional API - all user functions can be managed through the API.
Roles, groups and scope are used to limit user access to specific API functions.
API documentation
API documentation formats
  • HTML
  • ODF
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
What -
A high level of configurability allows individual customers to customise to their own specific requirements and to introduce functionality at a rate that suits them.

How -
Out-of-the-box and customised templates within the solution provide a highly flexible customisation approach. Customers can create their own electronic forms and workflows to meet ever-changing requirements without the need for developers.

Who -
Business users can customise Evolve EMR, programming skills are not required. Electronic forms and workflows can easily be customised or created by administrators using available data sets.


Independence of resources
Evolve EMR in the Cloud runs on a dedicated, highly scalable cloud hosted platform, and as such, a key requirement is that the solution fully supports demands of multiple concurrent deployments.


Service usage metrics
Metrics types
- Service Availability.
- Patient access.
- User activity.

All delivered via a mix of graphical reports.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Any sensitive data is encrypted both at rest using AES-256 symmetric key encryption. This applies to all Azure storage types used by the Evolve solution that are used to store sensitive data e.g. virtual machine disks, storage accounts, etc. All data written to Azure Storage is encrypted through AES encryption and is enabled for all new and existing storage accounts and cannot be disabled.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
CSV and HL7 exports are supported as standard.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
The Evolve architecture is designed for continuous operation, and a target availability level of better than 99.9% is anticipated (excluding planned maintenance). Planned maintenance episodes are minimised as much as possible and are only required in exceptional circumstances – non-disruptive approaches to software release, patching, database maintenance are used to maximise the availability of the solution.

Resilience techniques such as load balancing, replication of data and duplication of server roles are employed to minimise the impact of component failure. Extensive monitoring and alerting tooling are deployed at all tiers; this enables issues to be quickly identified and addressed, often without end-user impact.
Approach to resilience
Available on request.
Outage reporting
- API.
- Email alerts.

Identity and authentication

User authentication needed
User authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Access is controlled via username and password authentication, linked to Active Directory.
Access restrictions in management interfaces and support channels
Access is controlled via username and password authentication, linked to Active Directory.
Access restriction testing frequency
At least once a year
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
Originally: 11/03/2011; Latest Issue: 03/01/2017.
What the ISO/IEC 27001 doesn’t cover
Information security outside of the design, development, testing and support of IT solutions.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Data Security and Protection Toolkit (NHS IG Toolkit)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Kainos is ISO 27001 certified and operates an Information Security Management System which undergoes an external BSI certification audit annually to ensure continued compliance with this standard.
All Kainos staff comply with the Kainos Information Security Policy, in addition to any other standards specified within the Kainos Information Security Management System. Staff are briefed on policies and processes via awareness training and must adhere to these at all times.
As an ISO27001 certified company Information Security is an important consideration for Kainos; in line with our responsibilities it is our policy to ensure that:
- Information will be protected against unauthorised access.
- Confidentiality of information will be assured.
- Integrity of information will be maintained.
- Regulatory and legislative requirements will be met.
- Business continuity plans will be produced, maintained and tested.
- Information security training will be available to all staff.
- All breaches of information security, actual or suspected, will be reported to, and investigated by the Kainos Information Security Manager and communicated appropriately to customers.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have an established configuration and change management approach in line with our ISO 20000 service management process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our operational management team monitor metrics from our vulnerability management software in addition to the service provided from our hosting provider.

- Maintain a list of assets that are assessed against industry notifications
- Manage subscriptions to vulnerability notification services
- Regular use of vulnerability scanning software
- Use of external managed security services that assess threat vectors and provide proactive advice/intelligence
- Regular internal and independent testing of infrastructure and applications
- Operate an internal security working group that proactively publishes information about vulnerabilities and best practices.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
- Use of specialist intrusion detection systems
- Regular security testing and baselined results
- Proactive analysis of security and system event data
- Response to an incident is dependent on perceived impact, threat and exposure – it could range from no response being necessary through to full incident response involving senior business individuals and law enforcement agencies
- Security incident management process is implemented
- Security related incidents assessed and responded to in line with support processes .
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Pre-defined processes:
Kainos Support Services is certified by the British Standards Institute as operating an IT Service Management System that complies with the requirements of ISO 20000.
We have an established incident management process as part of ISO 20000.

Reporting Incidents:
Users can report incidents directly via our dedicated Service Desk, by email or online via the Kainos Incident Management System (KIM).

Incident Reports:
Evolve produces timely, reliable, accurate reports for informed decision making, effective communication and quality management. Kainos provides the client with formal monthly reporting detailing performance against the SLA and agreed Key Performance Indicators (KPI).

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£650 per person per day
Discount for educational organisations
Free trial available

Service documents

Return to top ↑