Healthcare Gateway Ltd

MIG Primary Care Data Set Service

MIG is secure middleware technology providing a two way exchange of patient data between different healthcare organisations. MIG Primary Care dataset service caters for the real time retrieval and display of patient record information for a pre-defined dataset related to a specific condition or pathway


  • real-time retrieval and display of detailed patient record information
  • detailed information relating to a specific condition or pathway
  • no data repository
  • service discovery to locate a patient and ascertain whats available
  • integrated embedded view within consuming system
  • fully auditable
  • ability to share local or nationally
  • Cost effective
  • managed service


  • immediate access to patient data in real time
  • fully auditable
  • 24/7 access to live patient data
  • scalable solution to support large or small deployments
  • simple technology, quick and easy to deliver
  • view medical information relevant to specific condition or pathway
  • reduction in duplication of effort and errors in patient management.


£5,000.00 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

2 7 9 5 7 8 8 2 9 3 8 2 4 4 3


Healthcare Gateway Ltd Andrea French
Telephone: 08456012642

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Health information exchange, portal, electronic medical records, electronic patient records, integration engines, healthcare clinical systems, patient apps.
Cloud deployment model
Hybrid cloud
Service constraints
• Core systems being EMIS Health, Vision, TPP or Microtest
• Full streaming to Vision 360 for Vision sites
• PDS and/or MIG Trace, Extended Patient Trace
• Sharing Agreements in place with relevant endpoints as per content model
• Healthcare Gateway have a monthly maintenance window for 1 hour per month on a Wednesday between the hours of 12:00 and 13:00.
System requirements
Health and Social Care Network or N3 access required

User support

Email or online ticketing support
Email or online ticketing
Support response times
Users can report an incident to our service desk via JIRA service desk, telephone or email. We respond to questions immediately using an automated response when a ticket is raised online using a JIRA service desk. Email response time is within 30 minutes.

At weekends questions are still issued an automated response but questions are not actioned until next working day
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
All incidents/service requests are recorded within the service desk system and allocated a priority depending on severity. When an incident is reported to the Healthcare Gateway Service desk, the team will create an incident log and assign a priority level which will dictate the target incident resolution time. The priority is derived from the assessment of the impact and urgency of the reported issue.

The priority levels and target resolution times are as follows:
level 1 - 4 hours
level 2- 8 hours
level 3 - 16 hours
level 4 - 48 hours
level 5 - 144 hours

Healthcare Gateway use reasonable endeavours to resolve each incident in accordance with the relevant target resolution time as described. The counter will run within the support hours relevant to the priority of the incident. Incidents will be closed once resolved, or where a suitable work around has been provided.
Healthcare Gateway deliver a standard support contract as part of any contract agreed with customers. The support levels are included as part of the MIG service annual licence charge
Support available to third parties

Onboarding and offboarding

Getting started
HGL apply a tried tested approach to the deployment of MIG services. Within this context all the project management activity is based upon a tailored plan to meet the individual project requirements, taking into account the varied system estate and resource allocation, which can determine the rate and complexity of the implementation.

HGL will appoint a project lead to progress the project implementation of the services ordered. The HGL Project lead will organise a project initiation call or meeting with the customer. This expected outcome from this meeting is to discuss and agree the following:
• Roles and Responsibilities
• Commercial Review
• Project dependencies including Supplier Accreditation and Information Governance Agree the Project Plan
• Discuss the HGL Implementation Process
• Support and Service arrangements
• Training Requirements

HGL will provide an Implementation Plan outlining the activities required by all stakeholders to enable a successful deployment; the HGL project manager will update this plan as the project progresses. The HGL project manager will ensure regular checkpoint calls are scheduled with all stakeholders to discuss progress, raise risks and/or issues and review progress in line with the implementation though the go live of the service
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Microsoft Excel
  • Microsoft Word
End-of-contract data extraction
As the MIG is a bi-directional brokering service it does not hold or store and any data, therefore at the end of the contract there is no data for a customer to extract. The only element that our customer may request is a CSV file which confirms their configuration for example what connectivity there was between organisations . This will be available on request at no extra charge
End-of-contract process
At the end of a contract the Specialist Dataset service will be decommissioned. As no data is stored in the MIG service, no data extraction is required. We simply remove the consuming and providing organisations that come under the contract from our sharing agreement configuration using the MIG management portal. There is no additional charges incurred by the customer.

Using the service

Web browser interface
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
Via our API, customers can locate patient information using NHS number or patient demographics. Across multiple care settings and systems, users obtain details about where the patient is registered and what data is available. User select what information they which to retrieve from care setting or system, this can be taken as structured or unstructured patient data depending on system. Data is then shared in real time and presented to accredited MIG client systems based on local sharing agreements.

Healthcare Gateway have in place a robust accreditation process for partners who wish to connect to our API. Partners will be provided access to our development pack and sandpit environment. Dedicated support is given by our technical integration team. Once connectivity has been achieved, partners will attain MIG accreditation status.

Changes cannot be made to the MIG schemas to accommodate bespoke solutions. The MIG messaging interface is the foundation of the service we provide and facilitates interoperability through the use of a shared standard.
API documentation
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Customisation available


Independence of resources
Our infrastructure provides highly optimised services which have been designed to be horizontally scaled over a vertically scaled infrastructure. Each service call is initially load balanced across our service infrastructure to several potential service nodes so that any load is spread evenly across them. The number of these service nodes has been chosen to far exceed our current load capacity expectations so that any spikes in service usage or long running requests won’t impact our expected response times.
All of our infrastructure components have been carefully chosen to be the best of breed where performance, scalability, and resilience are concerned.


Service usage metrics
Metrics types
Healthcare Gateway service metrics by way of a monthly report to customers on request . This demonstrates the total number of transactions for the reported period by organisation. This also includes a breakdown of those successful and failed transactions along with raw data for the period.
Enhanced reporting is available at an additional charge
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
As the MIG is a bi-directional brokering service it does not hold or store and any data, therefore at the end of the contract there is no data for a customer to export.
Data export formats
Other data export formats
Not applicable no data to export
Data import formats
Other data import formats
Not applicable no data upload required

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We do not guarantee any level of availability, we use reasonable endeavours to provide at least 99% availability in respect of the relevant service during its standard support hours.
Service availability shall be represented as a percentage, calculated as follows:
• actual minutes in month – planned downtime minutes = total service minutes
• total service minutes – unplanned downtime minutes*100% = Availability

Service availability is measured at the end of each calendar month.
For the avoidance of doubt, issues and downtime caused by the acts or omissions of the customer or any third party caused outages or disruptions will be taken into account by HGL on an appropriate basis when determining the availability measure achieved.
Users are not refunded in the event of HGL not meeting SLAs
Approach to resilience
We operate the service from two data centres, to provide disaster recovery if one data centre was to fails. Our application infrastructure is designed to provide resilience through multiple deployments of application nodes within each data centre. Each application node consists of multiple containers where we deploy our application services. This micro-service-based architecture pattern provides resilience through isolation as any failing service is highly unlikely to affect other running services on the same application node.
Each application node can communicate with each other using a network of brokers, which provides safety if a broker should fail. The technology we use utilises reliable messaging so that any failed message transport is retried until either successful or failed for later analysis.

All application nodes are backed by a cluster of databases where data is replicated between them and in the event of any failure, failover can take place to an alternative database.

Databases use tiered storage structure to provide a facility to take snapshots at regular intervals to secondary storage so that, in case of any failures, we can restore all data to the last snapshot.
Outage reporting
All outages and/or scheduled maintenance are reported to stakeholders using the Atlassian Status Page Software. This software is the method used for all Services provided by Healthcare Gateway by default all updates are also set to update the Service Delivery Twitter feed.
Stakeholders sign up for this reporting service using the webpage and from their can choose how they receive the alerts (email, text or RSS feed) specifically for them and how often.
The page is updated manually be the Service Delivery team at each stage of an outage (issue, monitoring, resolved) then a root cause analysis provided if appropriate. The API of this software is also linked to our Social Media account on Twitter should the stakeholder prefer this method of communication.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Restricted access to our management interfaces is provided by a firewall IP whitelist. Once the firewall has established a users IP as valid, a user must also have valid username/password credentials to access any of the web portals developed for various elements of our infrastructure.
Further to this, we limit the ability to provide maintenance to a limited number of technical staff and whose access has been approved by heads of departments and elevated by a change process to a platforms team for review. The maintenance staff can only access lower levels of our infrastructure by using SSH public-key authentication.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Less than 1 month

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
BSI Group
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
A 14.2.7 Outsourced Development
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Crest accredited cyber essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Crest accredited cyber essentials 0027705268311508
Information security policies and processes
Healthcare Gateway follow ISO 27001 methodology and are independently certified to the ISO/IEC 27001: 2013 standard.
Healthcare Gateway are committed to establishing, implementing, operating, monitoring, reviewing and maintaining an Information Security Management System.
Healthcare Gateway have an overarching information security policy with clear aims and objectives set throughout the business with robust processes in place, which are as follows;
• Information security risk assessment process that assesses the business harm likely to result from a security failure and the realist likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and controls currently implemented;
• Defined security controlled perimeters and access controlled offices to prevent unauthorised access, damage and interference to business premises and information;
• Data classification and exchange guidelines, including compliance with regulations;
• Development and maintenance of an appropriate business continuity plan to counteract interruptions to business activities and protect critical business processes;
• Information security awareness guidance for all company employees;
• Incident management and escalation procedures for reporting and investigating security incidents and;
• A senior management team that supports the continuous review and improvement of the companies Information Security Management System.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
This is controlled by our Development policy (HGLPD9) where all releases and development work is risk assessed. This process is controlled and managed by the Development team, Product Owner and Clinical Safety Officer. Services are managed during the lifecycle by monitoring their usage, this task is performed by our Product team.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow our secure development policy which outlines a development process that covers secure development coding guidelines. Each development work item is validated by a definition of done which includes having an assessment by an external clinical safety officer. The clinical safety officer is responsible for classifying each work item according to criteria defined by our Safety Hazard Log and, if a vulnerability is identified, then the emergency release process is followed. This is assessed by a change advisory board and the system will be patched at a time and date specified by the change advisory board (within 24 hours)
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We perform regular PEN tests by external contractors that assess the accessibility of our application programming interfaces (API) against current security standards which are covered by Cyber Essentials, PCI Security Council Standards, CHECK, Crest, and TigerScheme accreditation's. Our PEN tests are scheduled every year or upon any major API changes and any issues are categorised from low to critical. Any issues that are identified as high or critical are address immediately. All other issues are assessed and prioritised by the seriousness of their nature and if any clinical safety is involved and then scheduled into our normal development life cycle.
Incident management type
Supplier-defined controls
Incident management approach
Healthcare Gateway have a predefined process in place for all incidents. Users will report this incident via a set template giving a description and severity of the incident this is then handled by the information security officer who will report back to user when the incident has been logged and resolved. During handling the information security officer will resolve the incident via the correct department and put in service improvement if required to prevent re-occurrence.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)


£5,000.00 a unit a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.