Minerva is a secure, extensible cloud-based platform that enables interoperability, care coordination and patient engagement. It aggregates data from systems across care settings to create a shared, longitudinal patient record. It provides out-of-the-box applications for patients, GPs, clinicians and care coordinators, and is customizable for unique workflows and use-cases.
- Clinical data aggregation providing a longitudinal patient record.
- FHIR based storage and APIs. Supports HL7.
- BPMN based workflow management engine.
- Multi-channel notification and alert engine.
- Secure instant messaging and video conferencing facilities supporting remote consultation.
- Captures Patient Reported Data through secure questionnaires and data uploads.
- Patient portal and clinical portal with secure, role based access.
- Fully customisable widget-based user interface with embedded analytics.
- Care Plan Management and Adherence for care coordination.
- Supports a customisable patient consent model.
- Display a unified patient record gathered from multiple care settings.
- Scalable and open API based Digital Health Platform
- Provide near real time analytics, reports and dashboards.
- Built on FHIR interoperability standard: improved cloud and mobile support.
- Enhance productivity of clinical staff and care coordinators.
- Improve patient experience and overall patient satisfaction.
- Reduce care gaps and enhance patient engagement.
- Easily implement digital transformation strategies while avoiding system complexities.
- Drive more patient-centric strategies to improve outcomes at marginal cost.
- Reduce IT management overhead with zero install web applications.
£5 per user per year
My Personal Health Records Express
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Minerva platform can be optionally deployed as a web based care management portal, integrated with the healthcare provider's EMR or any other health IT system across the provider network. This will allow care pathway management of patients across multiple providers, with unified access to each patient’s complete medical history.|
|Cloud deployment model||Private cloud|
We have a dependency on the buyer's EMR vendor to provide standard/non-standards based interface to their system for accessing patient records. Similar resources would be needed for any third party integrations as well.
To ensure there is no service disruption, for all planned maintenance, a communication is sent out to the client 2 weeks prior with multiple reminders. A well documented risk assessment is done prior to any planned upgrade and a mitigation strategy is worked out in consultation with the client. All maintenance activities are carried out during non-production times.
|System requirements||User machine needs to have the supported browser installed|
|Email or online ticketing support||Email or online ticketing|
|Support response times||MphRx will provide 24x7 L3 application support with agreed SLAs. MphRx’s support team can be reached by e-mail, a toll-free contact number and an Online Ticket Reporting System (OTRS). OTRS will be used by the customer to raise and track support issues. The response and resolution times are based on the severity levels of issues reported.|
|User can manage status and priority of support tickets||No|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Severity 1 incident: Response time: 15 minutes; Resolution time: 4 hours;
Severity 2 incident: Response time: 1 hour; Resolution time: 6 hours;
Severity 3 incident: Response time: 24 hours; Resolution time: 1 week;
Severity 4 incident: Response time: 48 hours; Resolution time: Within applicable time frame as mutually agreed between MphRx and the client
Response time and resolution time are calculated as a monthly average.
|Support available to third parties||Yes|
Onboarding and offboarding
We follow a structured on-boarding and service deployment process involving the following activities:
1) Discovery of requirements – documentation of patient flow and data flows, establishing any technical barriers and defining which touch points support open standards/ ITK and which do not.
2) Configuration design – deeper analysis of the touch points and systems involved to document the message payloads, define rules and map trigger events for workflows and services.
3) Integration – developing the interfaces using HL7, FHIR, Open API or proprietary methods. This also involves white labeling the end user applications and configuring roles, user information, setting up authentication mechanisms as well as configuring workflows.
4) Testing – We install the platform instance on test environments and conduct unit tests using dummy data and tools, followed by UAT to validate workflows, notifications and alerts, error handling and UI customizations.
5) Migration – migrating legacy data into the platform. Post this, the platform is made available on the production environment.
6) Training – the following training is provided as part of each implementation: Integration and Configuration Training, API and Custom Development Training, Support and Management Training and End-user Support Training. These are provided as electronic documentation, webinars or in-person sessions.
|End-of-contract data extraction||The patient data available on Minerva platform is shared with the buyer as FHIR base data objects which can be migrated to the client in the form of JSON, CSV or HL7. If the platform has also archived DICOM images, they are available for migration using the DICOM protocol.|
In the event of termination or expiration of the agreement, we will de-activate the platform services as well as access to the end user applications. The client shall pay any outstanding balance to MphRx upon termination. Any invoices that are sixty (60) days delinquent will result in service termination.
Terminating the entire platform services usually takes 10 working days.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Our suite of clinical applications (patient and physician portals) is browser based with a responsive web design and can be accessed on any desktop or mobile device. Hence, there are no differences between mobile and desktop services. However, since our native mobile apps have been optimized for mobile devices, the user experience on mobile apps might differ from that of the web application.|
|Accessibility standards||None or don’t know|
|Description of accessibility||Minerva platform services are accessible via a suite of web and mobile (iPhone/Android) applications that the patient or care-giver can use to access the patient's unified record (including encounters, episodes, conditions, allergies, results, documents, images, care plans, etc.) and manage patient care. These applications are secure, HIPAA compliant and can be white-labeled as per buyer's requirement. These applications are compliant with the Common User Interface (CUI) guidelines mandated by NHS Information Standards Board for healthcare IT systems. Additionally, the user interface layer is modular and can be changed to comply with future CUI recommendations.|
|Accessibility testing||Our applications follow the CUI guidelines mandated by NHS Information Standards Board. However, we have not done interface testing with users of assistive technology.|
|What users can and can't do using the API||
Minerva platform is built to be open and extensible, exposing its data sets and functionality through FHIR based secure RESTful APIs. This allows third-party developers or in-house IT teams to develop and commission custom applications/services. Hence, while buyers are able to use Minerva's existing applications suite (patient and physician portals), any new requirements or business processes that arise can also be rapidly set up using Minerva's APIs.
With Minerva's FHIR APIs, users can view current and historical patient records, make updates to patient records, create a new patient profile and search across all patient records based on some filter criteria. However, users cannot delete any patient records, only deactivate them so they are no longer visible to external applications.
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||
Minerva platform is built to be open and extensible, exposing its data sets and functionality through FHIR based secure RESTful APIs. This allows third-party developers or in-house IT teams to rapidly develop and commission custom applications/services. Thus, buyers can use these APIs to rapidly develop/commission custom applications as per their specific use case without any dependency on us.
Additionally, Minerva's suite of clinical applications (patient and physician portals) can be easily configured as per user requirements. Its role based access control system can be configured to restrict access to both data and functionality based on user-defined rules. It has a built-in workflow configuration tool to configure patient workflows, clinical task workflows, and care pathways for specific disease conditions. The platform also has a complex event processing engine that allows configurable event triggers to be created. These triggers can be configured for specific rules (such as upcoming appointments, new results for tests, out of range observations etc.) and for specific notification channels including email, SMS and in-app alerts.
|Independence of resources||Minerva platform is modular and designed to be horizontally scalable. It can be run across multiple servers in parallel mode to ensure high scalability and availability. The persistence layer (MongoDB and Hadoop) are industry standard distributed databases that can be scaled and shared to support large and diverse data sets. The middleware services (workflow engine, business services) can be distributed and load-balanced for high availability and horizontal scaling.|
|Service usage metrics||Yes|
The audit trail capabilities of Minerva platform allow us to store all user logins and actions in a central audit trail database. We use this database to report on service usage metrics as per user requirement. Some of the key metrics we report are:
1. User Accounts (Physicians and Patients): Count of total user accounts and active accounts, user login activity, password reset requests etc.
2. User Activity: Number of studies viewed/downloaded, report print requests, external study uploads, sharing of medical reports, etc.
3. Mobile App Activity: Mobile app downloads, Mobile app login activity, etc.
4. Service Uptime
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Patient data is stored as native FHIR (HL7 standard) objects in Minerva’s MongoDB. Any systems that are compliant with the FHIR standard can directly access the data for restoration and migration purposes. Additionally, this data can be migrated to the client in the form of JSON, CSV or HL7. If the platform has also archived DICOM images, they are available for migration using the DICOM protocol.|
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||IPsec or TLS VPN gateway|
Availability and resilience
SLAs are typically based on a 99.9% warranted availability.
Agreed SLAs and any associated service discounts for unscheduled downtime will depend on the range of service options selected by the client and their required hours of operation and will be agreed per client and documented within the Call-off contract.
|Approach to resilience||
All infrastructure components have been built in fully resilient pairs, with fully resilient networking links between all components and to external third parties including multiple ISPs. For host availability we use VMware’s HA failover for redundancy.
High Availability resilience is also built into the database configuration for the applications. Further information regarding this is available on request.
All infrastructure is monitored on the network 24/7. Should there be an outage, monitoring alerts are sent to the operations team via e-mail and SMS.
Identified client contacts are informed by email.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
- Minerva provides a rule-based access control layer (Citadel) that validates access to both patient data and functionalities.
  - Rules can be configured at the Resource level, providing granular access rights management to administrators.
  - Integrates with existing Authentication and Authorization frameworks using LDAP, OAuth and SAML protocols.
- Configurable Patient Consent Management and Data Sharing capabilities.
- Centralized Audit Trail for every user action on the platform.
- Built-in break-the-glass workflows for emergency access with configurable escalation matrices.
- In-built support for two-factor authentication using text and email notifications.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||IAS|
|ISO/IEC 27001 accreditation date||07 January 2019|
|What the ISO/IEC 27001 doesn’t cover||.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
We and our hosting partner have the following security policies and processes in place:
Information Security Policy
Acceptable Use Policy
IT Access Control Policy
Asset Management Procedure
Change Management Policy
Clear Desk and Screen Policy
Document Control and Records Management
Incident Management Procedure
Information Control, Classification and Exchange Policy
Internal Audit Procedure
Media Handling and Disposal Policy
Mobile Devices Policy
Physical Security Policy
Risk Management Procedure
Supplier Security Policy
Supplier Management Procedure
Other relevant policies
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Change management is performed for all software and infrastructure changes. All non-standard changes must be pre-authorised by going through a peer, senior and CAB approval process where the impact of the change is carefully assessed from a range of perspectives, including security. Standard changes are created in template form and are approved in CAB before being implemented into Change controls.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Our hosting provider runs an internal penetration test once a week. All reported vulnerabilities are prioritised according to severity, and a case is logged with the operations team, who will fix the vulnerability within the time frames dictated by the security standards.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Our hosting partner have a protective monitoring system where all logs are centralised and checked on a daily basis for security breaches using several key search filters. Alerts are sent out for high risk activity and are pro-actively responded to by the operations and security teams.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||We operate an ITIL aligned incident management process with associated procedures for security related incidents. The process has a clearly defined governance framework, including roles and responsibilities, clear policies and associated KPIs. Users report incidents through the Service Desk, and incident reports, which include a summary of activities undertaken or planned to prevent recurrence, are provided to clients by email.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||NHS Network (N3)|
|Price||£5 per user per year|
|Discount for educational organisations||No|
|Free trial available||No|