Imaging Matters


Cloud based software service providing NHS Trusts with access to additional technical and clinical capability to support Radiology reporting needs


  • Remote access
  • Real Time Workflows
  • Metric based delivery


  • Seamless management of image transfer
  • Multi-site data interfacing
  • HL7 compliant


£40.00 per unit

Service documents

G-Cloud 11


Imaging Matters

Leigh Melville

07590 309143

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No significant constraints impacting provision of solution. Planned maintenance scheduled to remove impact to end users. SLAs geared around customer requirements - 72 hour turnaround focus on core service offering
System requirements Accessible from any web enabled & connected device

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Email Urgent findings within 4 hours (24/7) Normal enquiries/questions 8 hours (8am-8pm, Mon-Fri)
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support levels tailored to meet exacting requirements of each customer.

All customers have dedicated single point of contact, with mobile phone number and individual email address.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Initial on-site training for all stakeholders, with quarterly follow up Video meetings and further on-site training available (if required)
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All appropriate data provided to customer in agreed format, with independent validation of physical and/or virtual destruction of data storage media
End-of-contract process All information accessible to client throughout contract. At the end of the contract, connection with host NHS Trust is terminated, without additional cost (if termination in line with agreed contractual terms).

Using the service

Using the service
Web browser interface No
Application to install No
Designed for use on mobile devices No
Customisation available No


Independence of resources Operational demand continuously monitored, with significant increases and decreases in usage highlighted to contract lead. Individual client data and requirement is maintained independently, with significant upscale available to meet increases in reporting volume.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach N/A
Data export formats Other
Data import formats Other

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability 72 hour turnaround of fully completed reports with full refund if failure, with report still being due for delivery to customer.
Approach to resilience All infrastructure is full fault tolerant, without a single point of failure in the design
Outage reporting Initial email alert, with phone follow up when outage is found to be more impactful

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Physical and virtual security measures, continuously reviewed to ensure appropriate levels and that all users are current approved users.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Supply chain partners all certified to appropriate security governance standard
Information security policies and processes All policies and procedures are aligned to ISO27001, a formal accreditation we are now working towards attaining.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All change requests must be formally submitted and approved, they are fully audited and assessed against risk. The request has to include:
1. Reason
a. Improving security
b. Improving performance or functionality
c. Reduce operational overhead or cost
2. Request to be approved by Cloud9’s:
a. Service Manager
b. System Architect
c. InfoSecurity
3. Change request must include:
a. Expected outcome
b. Test plan
c. Roll-back plan
d. SoW
Vulnerability management type Supplier-defined controls
Vulnerability management approach All systems are scanned for vulnerabilities every month, in line with the Common Vulnerability Scoring System (CVSS) for all Common Vulnerabilities and Exposures (CVE) provided by the National Vulnerability Database.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Automated systems ensure ultimate continual protection
Incident management type Supplier-defined controls
Incident management approach Prevention: The understanding of and application of insight gained from the intelligence

Detection: The interpretation of any events of interest occurring to discriminate between legitimate and abnormal events to identify anomalous activity

Investigation: The analysis of anomalies to determine whether they are emerging threats that may lead to a security incident

Reaction: Our analysts use tailored, predefined and configured Playbooks to efficiently inform their reaction to an identified threat

Response: The planning of effective mitigations in response to the cyber-attack, the communication of these plans to all relevant stakeholders, and the collaboration with all relevant parties to carry out mitigations.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks NHS Network (N3)


Price £40.00 per unit
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑