The platform is ITK certified for integration in the UK health economy, providing interoperability for the NHS and Social Care sectors and carrying information, data and messaging between disparate applications.


  • Based on a unique, queue-based peer-to-peer architecture
  • Deployed across cloud-to-cloud or hybrid environments.
  • Built on modern web standards including REST and JSON containers
  • Allows integration flows to be deployed as message pipelines
  • ITK v2 accreditation for integrating NHS systems.
  • HL7v2, HL7v3, HL7 FHIR, EDIFACT, XML, flat file messaging
  • Utilizing graphical, executable, orchestration tools
  • Simple routing and system adapter configuration
  • Document transmission
  • Message tracking with non-repudiation


  • Tools to describe transformations, mappings and content-based routing.
  • Peer-to-peer architecture with linear scalability and parallel processing
  • Drag-and-drop integration to rapidly compose enterprise-scale flows
  • Studio allows you to centrally monitor the flow of data
  • The Integration platform has achieved 40-80% productivity gains
  • Software re-use is the primary benefit of Microservices
  • Easy service orchestration and choreography allows rapid deployment
  • Modification of processes in near-real time is easily facilitated
  • Integrates heterogeneous applications, databases, cloud and other systems
  • B2B enables the secure exchange of business documents


£35000 per licence per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

298636633862854



Richard Last


Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The software is an integration platform that provides the interoperability for the Case Management System. It can be a standalone platform for integration of any application or service, which is NHS Digital ITK certified
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints Connect4Care has management protocols in place for maintenance of its application platform. Downtime is always planned and carried out at the most convenient times for our clients, normally between 3 am and 4 am on a Sunday. There is no unplanned downtime necessary for the application, as the application of patches is restricted to scheduled maintenance windows.
System requirements
  • Windows Server 2003/2008/2012/2016 (32-bit or 64-bit)
  • Windows 7/8/10
  • Red Hat Enterprise Linux versions 4/5/6/7
  • CentOS 5.3/5.5/6.2/6.5/6.6
  • HPUX 11i, IBM AIX 5x
  • Solaris X86, Solaris Sparc
  • Mac OS X 10.9.2-10.12.
  • Java version: we recommend using Java version 8.

User support

Email or online ticketing support Email or online ticketing
Support response times The response times are set out in an SLA. Service delivery is 24/7, which covers weekends and bank holidays.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing We are currently providing web chat testing for the Refero connectivity to NHS St Helens
Onsite support Yes, at extra cost
Support levels Connect4Care provides a range of support services that all operate to ITIL guidelines.
Support levels are:
  • 24x7 Total Service support, which includes a helpdesk, advice and guidance, break-fix and maintenance.
  • 9 to 5 or 8 to 6 support including the above services.
  • Development support
  • Standard Maintenance
All services carry a separate price tag. The pricing is simply geared to the potential and actual usage of the service. The potential is geared to the possible number of users.
Connect4Care provides both an operational and a technical account manager, with named individuals assigned to each client.
Support available to third parties Yes

Onboarding and offboarding

Getting started Connect4Care provides a wide range of training services. These include tailored on-site training and online training, all coupled with extensive and detailed product documentation. The service also provides online video demos and tutorials, and a comprehensive technical support portal with discussion forums.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction This element of the Connect4Care service is purely related to system integration and data flows. By its nature user data is only held on a transitory basis so at any point the integration element can be empty of data.
Data mapping and flows can be retained by the client.
End-of-contract process From a Connect4Care perspective, if a client is only using the Interoperability/Integration engine aspect of the service, then when the contract ends the integration service ceases. There are no additional costs.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices No
Service interface Yes
Description of service interface The ESB platform is capable of any form of interface. Each microservice has an interface that defines the acceptable formats of each input and output. Most microservices typically require runtime parameters and other variables to be configured before they are run/executed. Configurations allow customisation of microservices for the specific business scenario/situation being solved by the Event Process. Microservices can be broadly categorised into two, based on the manner in which a microservice is invoked for processing:
Synchronous (BC component—JCA compliant)
Asynchronous (EDBC component—pure JMS)
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing The Platform provides a very simple way to test a component: create a flow with the component and run the flow to check whether the desired results are obtained. At times, the result may not be the desired one, not due to a fault in the component logic but for external reasons. Therefore, the platform provides a more isolated way to test synchronous component logic. For Web services, the platform provides a Services tab which shows the details of the event processes deployed as Web Services. The User can view the status of the web service, either online or offline, and can enable or disable this option. The User can also test RESTful services deployed from the dashboard.
The details shown for the Event Process deployed as web services are:
Context Name - Name of the context for the web service deployed
End Point URL - Effective End Point URL is http://<peerserverip>:<httpport>/<rootContext>/ContextName
Status - Indicates if the web service is online or offline
Show WSDL - Gives the link to show WSDL
Stub Name - Name of the Stub for the deployed Event Process as web service
What users can and can't do using the API The Platform is an integration engine that enables users to set up any known API. The Platform's API Management resolves the crucial problem of making data available on the web to a large number of people. It provides a user-friendly interface that smartly handles various services, hiding the underlying technical aspects and complexities, so that communication takes place seamlessly with internal as well as external Web Services.
REST/SOAP services may be used as a set of target endpoints for better security and visibility. Depending on the endpoint, the service might then return data, formatted as HL7, XML or JSON, back to the application. API Management manages all these functions smoothly, no matter what type of data is being sent/received, without direct intervention with the actual functions.
API Management can create customised "API Projects" which encapsulate the various policies/features that have to be applied to existing services.
API Management implements features such as security, metering, monitoring, management, and developer support. The Fiorano API Management platform architecture scales linearly, allowing the infrastructure to grow on an as-needed basis.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The eStudio has been developed to create applications, flows, event processes, and so on. Application integration is possible by choreographing Microservices into asynchronous flows via the eStudio and its associated tools. Event Processes are composite applications created as event-driven assemblies of microservices (also known as Business Components) linked to each other by Data Routes. The composition of Event Processes is based on a component-based programming model. The Event Processes are designed by the drag-drop-connect function of microservices. The components are customised by configuration rather than by custom code. The routes between components are drawn by visually connecting the component ports. Every component instance in the flow can be configured so that it can be deployed on different ESB network nodes.
Users can simply create, change and alter the flow parameters via the eStudio module, which is a part of the services provided.
Using the eStudio for development is straightforward for a competent developer following training. For example, the team at NHS Wales national integration needed only 10 days' training before embarking on the national applications integration programme.


Independence of resources The integration aspect of the service is delivered via ESBs, which are the management components. The platform is made up of ESBs and Microservice peers. Messaging passes through the peers, which can be isolated; this allows dedicating peers to specific clients, thereby insulating client data. A Peer Server acts as a container for launching Business Components at the network endpoints of a platform's network and manages the life cycle of its components. A Peer Server:
  • Acts as a runtime container for the components.
  • Routes data between components in a peer-to-peer fashion over JMS.
  • Routes Business Component related information to the FES server.


Service usage metrics Yes
Metrics types The support portal is a dedicated portal for logging incidents and queries about the products and their usage. Customers can track their requests/queries through a Support Tracking ID provided upon logging a support request. It acts as a committed communication bridge between customers and support engineers. It also gives access to the knowledge base.
All contracts are SLA based and reporting is on an agreed basis, client by client.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Fiorano Software Ltd

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach The component used depends on the user's data type. In this example we consider the data type to be HL7, but it can be anything, as we are able to convert data and message types to the receiving format. For example, if the data is sent as a RUBY message, the ESB's microservice will transform it to be delivered via an HL7 component. The HL7 Sender component is used to send the HL7 data to a port specified on a particular IP address in a specified format. The component receives the response generated and sends it to the output port.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • PEM Encoding
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats PEM Encoding

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Connect4Care operates ITIL-based best practice support services for clients, backed by agreed SLAs. The Connect4Care integration software platform is available on a 24/7 basis; this is important as access to policies and procedures for Health and Social Care staff is a 365-day activity. The Connect4Care support functions mirror our availability profile and operate in conjunction with the agreed SLA, which covers both access and the experienced technical support team.
The Service Level Agreement sets out the scope of the Services to be provided by Connect4Care to the Client under the Agreement(s).
The tables within the SLA set out:
i) the extent to which a service element is in the scope of the Services;
ii) the Client and Connect4Care's responsibilities;
iii) the volumes of individual service elements that are to be provided;
iv) the targeted performance level for the delivery of the Services within the stated volumes;
v) the Connect4Care teams that shall deliver each service element.
Approach to resilience Our provider's Data Centre is audited annually and was granted the latest ISO 27001 certification by DNV GL in September 2017 (Certificate No. 245825-2017-AIS-GBR-UKAS), resulting in data being securely managed and maintained. The information security management system has been audited and verified to ensure that controls are in place to protect information assets and provide the highest levels of security. The n+1 resilience of the facility provides the highest levels of uptime and ensures continuity of application availability.
Resilience is designed into the service with separated datacenters, multiple network providers and automatic BGP supporting failover.
DCs are provided with multiple utility power feeds to ensure no single point of failure. All sites have onsite 500KVA power back-up generators which are configured to be on standby at all times and will automatically start in the event of a power failure.
Outage reporting The Connect4Care service team regularly monitors agreed thresholds of system utilisation using tools fit for the purpose. Connect4Care will take appropriate action or make recommendations to relieve the degradation of performance beyond the agreed thresholds. Each client has its own dashboard which provides all relevant information on performance and availability of the service. This is in turn backed up by both the Connect4Care and Data Centre support desks, who are continuously monitoring all clients' services.
If an outage were to occur the Support Desk Team would communicate directly with the client and this would be backed up by the designated Client Manager and all parties would also be e-mailed as to the situation.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Connect4Care's procedure is to ensure that clients receive and process Subject Access Requests in accordance with the General Data Protection Regulation and the Data Protection Act 2018.
The procedure outlines the steps to be followed, the records to be kept and the rules which must be applied.
It ensures the processing of “sensitive personal data” is fair and lawful. The best practice is to obtain explicit consent from any Data Subject whose sensitive personal data is being processed. The definition of explicit consent is not clear, but probably means express, specific, obtained on a case by case basis (and preferably in writing).
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Connect4Care's data centre provider has an ISO 27001:2013 certification which is backed by a Data Centre Alliance Class 3 certification. The provider's sites have on-site 24/7 security controlled access, with multi-layered physical entry restrictions to the data centre.
The Board of Directors (“the Board”) is ultimately accountable for corporate governance as a whole. The management and control of information security risks is an integral part of corporate governance. In practice, however, the Board explicitly delegates executive responsibilities for most governance matters to the Operational Directors, led by the Chief Executive Officer (CEO).
The Operational Directors give overall strategic direction by approving and mandating the information security principles and policies but delegate operational responsibilities for physical and information security to the Security Committee (SC) chaired by the Chief Technology Officer (CTO).
The Executive Directors depend heavily on the SC to coordinate activities throughout Connect4Care, ensuring that suitable policies are in place to support Connect4Care's security principles and policies. The Executive Directors also rely on feedback from the SC, CTO, Information Security Manager, auditors, Enterprise Risk Management, Compliance, Legal and other functions to ensure that the principles, and policies are being complied with in practice.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Configuration Management Policy applies to all components that make up the Service and includes but is not limited to:
  • Business Functions of the Service (i.e. what the Service does)
  • Live Application Software
  • Systems Software
  • Data repositories
  • Hardware (physical and virtual)
  • Network Infrastructure
  • Hosting environment (e.g. Data centres where physical hardware resides)
  • Documentation and procedures relevant to the operations, support and maintenance of the Service
  • User access device if the configuration is essential to the Service
  • User skills and training if essential to the Service
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach All technical vulnerabilities are carefully assessed and evaluated during the risk assessment process. The effectiveness of existing controls is evaluated, and controls are strengthened or, if necessary, new controls implemented. Vulnerability assessments are carried out on a quarterly basis or if a vulnerability is detected, and all critical and high risks are addressed within the stipulated time frame. Penetration tests are conducted using external agencies to detect any possible vulnerabilities. Reports produced from vulnerability assessments are acted on within a framework which grades the vulnerability and the actions required.
Protective monitoring type Supplier-defined controls
Protective monitoring approach All systems and services employed by Connect4Care in their delivery are continuously monitored. All technologies and tools deployed for monitoring and intrusion attempts are approved by Connect4Care's security officer. The monitoring systems and the logs they generate are secure, and access to them is available only to the personnel responsible for monitoring security. Any suspicious activities, for example abnormal connections, network probing, or large data flows, are investigated immediately and acted on.
Incident management type Supplier-defined controls
Incident management approach Connect4Care has an Incident management policy based on ITIL principles. The objective of the Incident Management Process an appropriate priority level will be set for each Incident. All Incidents will be prioritised. Priority will be set as a product of Impact and Urgency assessment of the Incident. The Service Desk will agree on the Impact and Urgency ratings with the user. All Incidents will be managed in accordance with the Incident Management Process. Priority 1 and 2 Incidents will be defined as Major Incidents. All reporting to Clients will be managed via the Connect4Care service desk.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)


Price £35000 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We offer a full evaluation integration platform. A 30-day licence is normally issued, but this can be extended with a consultation. This comes with full online documentation; however, training would be chargeable.
