Patients Know Best

Patient-Controlled Records Health Information Exchange

Patients Know Best is a population health information exchange with patient control over data sharing. PKB is hosted within the NHS HSCN network. It's designed for use by all health and social care organisations across an entire region to provide integrated care and patient access to information across a population.

Features

  • Access to data about the patient from all other PKB customers
  • Full health and social care record data fields
  • Patient control of sharing information, with emergency access functionality
  • Bi-directional REST API for every data point including consent
  • HL7 standard API for receiving data from integration engines
  • Encryption in storage with unique private key for each record
  • Online consultations across all providers
  • Shared care planning across all providers
  • Synchronisation with over 100 home monitoring devices
  • Single sign on from selected partners

Benefits

  • No server requirements as fully hosted secure cloud solution
  • Integrate all data about the patient across health and social care
  • Comply with patient's wishes for data sharing
  • Enforce granular privacy: general, sexual, mental and social care data
  • Integrate with EPRs across primary, secondary and specialist care
  • Document explicit permission for secondary use of data
  • Go paperless across organisations
  • Use any device for staff and patients
  • Usability: supports 19 languages, different screen sizes & screen readers
  • Engage with patients using the full suite of remote services

Pricing

£1.50 to £2.45 per person per year

  • Education pricing available

Service documents

Framework

G-Cloud 11

Service ID

306706013705157

Contact

Patients Know Best

Sally Rennison

+44 1223 790708

nhsbids@patientsknowbest.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Access internet with browser that is IE10 or later (or equivalent)
System requirements
Internet browser equivalent to IE10 or later

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA targets are set within the support desk portal:

  • 1-URGENT: Response time 15 minutes, Resolution objective 4 hours
  • 2-HIGH: Response time 30 minutes, Resolution objective 12 hours
  • 3-MEDIUM: Response time 1 hour, Resolution objective 3 days
  • 4-LOW: Response time 1 hour, Resolution objective 7 days

"Response time" shall mean the time between a fault being reported to PKB and PKB notifying the Customer of the actions being taken to rectify the fault, between the hours of 8 am and 8 pm Monday to Saturday (UK time zone).
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
All support is included in the fixed Software-as-a-Service licence fee.

Support has a defined Service Level Agreement as described at http://help.patientsknowbest.com/SLA.html

Support includes project management, technical assistance, integration and end user support. The service desk runs on Freshdesk, which tickets all service queries through a single point of access. Each ticket is assigned one of four levels of priority, depending on the nature of the query. For each level there are guaranteed response times.

Each organisation will have an assigned technical account manager where necessary, overseen by the PKB Solutions Architect.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
A dedicated project manager (Success Team member) will be assigned to the Customer immediately and they will act as the single point of contact throughout the contract.

At the beginning of the project the Success Team will create a Project Initiation Document (PID) that covers the technical, configuration, integration, and on-boarding tasks to complete, including Information Governance and technical due diligence (Privacy Impact Assessment). The Success Team member will assign milestones to every task and these can be tracked via the project management software, 'Teamwork'. The customer can interact and add to the project from within Teamwork.

Training is ongoing and includes face-to-face workshops, e-learning platform, video resources and online help manual, as well as full technical assistance via Freshdesk.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
PKB records are maintained for patients after the end of any contract and for a maximum of 8 years after the last known activity of the patient. All data remains in the ownership of the patient.

Organisation level data can be extracted, with patient consent, via REST APIs in order to preserve clinical data to be transitioned onto another platform.

In order to migrate all patient data an organisation will need a list of all NHS numbers to migrate. Given this list, the following API could be called programmatically in order to determine the PKB Id associated with each patient:

https://sandbox.patientsknowbest.com/api/index.html#!/Users/getNationalNumberByPatientId

From this point systematic calls to all PKB REST APIs can be made, passing in the PKB Id as a parameter, to pull back patient data. PKB REST API calls are tightly coupled to PKB data structures in the back end and would allow an organisation to effectively migrate patient clinical data to a new platform.

The customer can use these APIs and consents to migrate the data to systems other than PKB.
End-of-contract process
PKB is committed to providing a long-term complete record, a record that customers and patients can rely on. PKB will maintain the record for the patient for at least 8 years (and longer if the patient is linked to any other PKB customers).

PKB will produce a detailed Termination Plan for the cessation of services at the start of any new contract. All data is available throughout the life of the contract via the REST API and so no data migration is needed. At the point of cessation the integration will be switched off and no further data from the clinical systems will come into the PKB patient record. The professional login will be ‘deactivated’, meaning professionals will no longer be able to access specific patient records. However, to maintain the full medico-legal record of interactions, professionals will still be able to log in in the same way as before and still be able to access their own ‘discussions’. This is the medico-legal record of their interactions with the patients and will not be deleted. Professionals will also retain access to any survey and care plan exports that they may have requested up to this point.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
User interfaces are identical: the website is designed to scale dynamically across all screen sizes, and is accessible with both mouse and touch screen devices.
Service interface
Yes
Description of service interface
PKB is accessed via a web application, on any device connected to the internet with a web browser. PKB has been built with the patient in mind, using a ‘tile’ design that allows quick access to core features. Due to the clean design, a patient is able to access any part of their PKB record within 2 clicks. PKB has a timeline view, so that a professional can easily see essential information on a single page and grouped. PKB also consolidates data into meaningful areas, such as grouping test results or medications together.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
PKB confirms that it meets Equality Act 2010 compliance for accessibility. PKB meets level AA of the Web Content Accessibility Guidelines (WCAG 2.1), works with the most commonly used assistive technologies (including screen magnifiers, screen readers and speech recognition tools) and includes people with disabilities in user research. Due to the clean design, a patient is able to access any part of their PKB record within 2 clicks; the design has been tested with people with ambulatory, visual and auditory impairments, and is available in 19 languages. The usability of the PKB software consistently means that patients require no training and interact with professionals quickly and efficiently. This has been independently verified by Cancer Research UK, who conducted a usability test (UX testing) of the solution, resulting in a score of 76 out of 100, with the industry average being 68. The record can be accessed on any device connected to the internet with a web browser. It is compatible with all the major web browsers as well as iOS and Android platforms, with dynamic resizing ability (mobile optimised).
API
Yes
What users can and can't do using the API
PKB publishes an Open REST API at http://dev.patientsknowbest.com/home/rest-api. The REST API allows for 2-way push and pull of data from the PKB repository, enabling integration to 3rd party apps and solutions.

Users can make calls against the REST API via GET, PUT and POST operations. PKB also publishes a Single Sign On API allowing for direct log in to the PKB environment from 3rd party solutions. There is a sandbox environment that is accessible to all.

Every data point in PKB is available via a real-time 2-way REST API with OAuth 2.0. Data is extractable from PKB via the REST API for data warehousing and reporting. Here follows a summary of data available to pull, push or update via Swagger:
(full summary can be found at: https://sandbox.patientsknowbest.com/api/index.html)

Allergies
Appointments
Consent
Diagnoses
Encounters / Messages (virtual)
Care Plans / End of Life
Episode of Care
Immunization
Journals
Measurements
Medications
Observations
Pregnancies
Procedures
Related Person
Symptoms
Tests
Users
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The PKB patient portal can be configured for different user groups in the following ways:

1. User interface: Each professional team/organisation can use their own logos, change the welcome message and colour scheme, and have specific headers and footers, which might have links to specific resources or external support, such as with the National Rheumatoid Arthritis patient portal powered by PKB.
2. Content: PKB has an information library that allows condition- or service-specific information and resources to be held, allowing it to be tailored to the precise needs of the individual.
3. Self-management: The individual user can connect over 100 different apps and devices to track their well-being, meaning that PKB can be the hub of their individual digital ecosystem.
4. Care planning: PKB can hold as many care plan templates as necessary; each template is built in HTML and can be configured with condition-specific actions.
5. User settings/preferences: both professionals and patients are able to set a number of preferences in their dashboard.

Scaling

Independence of resources
PKB is delivered as Software-as-a-Service (SaaS), and being virtually hosted, memory and storage can be adjusted as needed on the fly. PKB typically operates at around 5% memory utilisation, allowing throughput to safely increase 10-20x without service interruption, which accommodates spikes in usage and the on-boarding of new clients seamlessly.

Analytics

Service usage metrics
Yes
Metrics types
Team aggregated usage data including login activity (all user types), file and data activity (messages sent, HL7 sent, files uploaded, symptoms tracked etc.), and users created (created, registered, ID verified, email set). This data is also aggregated to organisation level, so that it can be viewed and understood at multiple different levels.

Data is curated into a selection of graphs to present it in a downloadable, intuitive and easy-to-digest format.

These graphs are delivered via an interactive and visually pleasing online dashboard service, updated weekly.

Guides on the metrics and dashboards are available publicly at http://help.patientsknowbest.com/Statistics.html
Reporting types
Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Every data point in PKB is available via a real-time 2-way REST API with OAuth 2.0. Data is extractable from PKB via the REST API for data warehousing and reporting. Here follows a summary of data available:
(a full summary can be found here: https://sandbox.patientsknowbest.com/api/index.html)

Allergies
Appointments
Consent
Diagnoses
Encounters / Messages (virtual)
Care Plans / End of Life
Episode of Care
Immunization
Journals
Library
Measurements
Medications
Observations
Pregnancies
Procedures
Related Person
Symptoms
Tests
Users
Data export formats
  • CSV
  • Other
Other data export formats
JSON format via GET command via API
Data import formats
  • CSV
  • Other
Other data import formats
  • HL7
  • JSON-formatted PUT and POST commands via API

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
PKB protects data in transit in 2 ways:

1. Secure server holding the data: this is hosted to ISO 27001 standards inside the NHS HSCN network, behind the NHS firewall. This protects against malicious hacking attempts and provides uptime, disaster recovery and business continuity guarantees.

2. Transport through TLS 1.2: RSA 2048-bit keys (SHA256withRSA) with Extended Validation and HSTS enforcement. We do not support unencrypted HTTP requests, and internal communication between the web application, EJBs, LDAP and database is additionally all over TLS. We reject SSL 2.0 and 3.0 connection requests but allow TLS 1.0, TLS 1.1 and TLS 1.2.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
1. Medical record data storage layer: encrypts medical data using DESede (Triple DES), with a unique public and private key for each patient. Only the patient, and the people the patient chooses, have a copy of the private key.

2. Secure server holding the data: this is hosted to ISO 27001 standard inside the NHS HSCN network.

3. Transport through TLS 1.2: RSA 2048-bit keys (SHA256withRSA) with Extended Validation and HSTS enforcement. We do not support unencrypted HTTP requests, and internal communication between the web application, EJBs, LDAP and database is all over TLS as well.

Availability and resilience

Guaranteed availability
PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com. Customers can see uptime and response levels and subscribe to receive automatic notifications of upgrades and disruptions.

Service credits for failure to meet the agreed SLA are associated with the response and resolution times detailed below. Service credits are cumulative over each month and offset against any future payments, typically the next quarter's charges.

Service credits are allocated according to the following table and can be tracked on a continuous basis at www.pkbstatus.com:

Incident Priority: Service Credits allocation

  • Three (3) Service Credits allocated for each Incident that breaches Resolution Time.
  • One (1) additional Service Credit allocated for each subsequent whole hour until the Incident is resolved, up to twelve (12) hours.
  • Two (2) Service Credits allocated for each Incident that breaches
  • One (1) additional Service Credit allocated for each subsequent whole hour until the Incident is resolved, up to eighteen (18) hours.
  • Two (2) Service Credits for each month that the Availability is less than 99.5%
  • One (1) Service Credit for each month the average load time for a page exceeds 5 seconds for more than 5% of the time

Full SLA can be found at: http://bus.patientsknowbest.com/project-management/service-level-agreements
Approach to resilience
PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com

The PKB infrastructure is hosted by Carelink in the UK. Carelink is one of a shortlist of hosting providers to be certified to the stringent ISO 27001 standard. All facilities are Tier 4 data centres (Telehouse, Docklands and Equinix, Heathrow).

Beyond the information contained within our public DR statement at http://help.patientsknowbest.com/DR.html, it is difficult to define resilience in a generalised sense. One of the key tenets in designing any high availability system is to apply the assumption that it (components, hardware and/or service dependencies) will fail. Accordingly, every dependency within the context of PKB service availability/delivery is considered, with measures in place to minimise single points of failure across PKB’s service infrastructure.

It is for this reason that we utilise Tier 4 data centres, ensuring core service delivery functionality is maintained, be that power, transit or core networking components. Regarding PKB’s own systems (databases, servers, firewalls) the same rule applies: wherever possible a failover solution is in place.
Outage reporting
PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com. Users can automatically be informed of any changes to service levels by subscribing to www.pkbstatus.com. This provides details of outages, uptime, response rate of solution (transaction times) and maintenance schedules and overview of upgrades/changes.

Additionally, reports to organisations can be provided at a requested frequency, but typically PKB provides a weekly report detailing the service and any disruption to the service levels.

PKB can also provide more detailed reports specific to the organisation and can customise a weekly SLA fulfilment report as needed.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Privileged access to PKB’s production environment is highly restricted: only designated and suitably experienced Senior Production Support Engineers have direct access to PKB’s production environment. Circumvention of security measures is minimised through the use of 2-Factor Authentication and certificate-based VPN access. For Support Engineers with access to the database, decryption of clinical data is only possible with the requisite per-user keys. Administrative system passwords have a minimum of 10 characters with 4 complexity classes (special, uppercase, lowercase, number). Passwords are cycled every 30 days (forced change) for all administrators. Administrative accounts are blocked after 3 failed password attempts.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Other
Description of management access authentication
2-FA enabled SSH

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Both Patients Know Best, and data host Piksel
ISO/IEC 27001 accreditation date
11/2017
What the ISO/IEC 27001 doesn’t cover
All services (hosting) under Piksel control at their locations are within the scope of the ISMS and governed by the requirements of ISO27001
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • IGT Level 3
  • CyberEssentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Information security policies and processes are drawn primarily from those defined within ISO27001:2013 and from the NHS Digital IGT; as such we have implemented an Information Security Management System. To support this initiative, comprehensive information security policies serve as overarching guidelines for the use, management and implementation of information security throughout the PKB eco-system.
Internal controls provide a system of checks and balances intended to identify irregularities, prevent waste, fraud and abuse from occurring, and assist in resolving discrepancies that are accidentally introduced in the operations of the business. When consistently applied throughout PKB, these policies and procedures assure that information technology resources are protected from a range of threats in order to ensure business continuity and maximise the return on investments of business interests.
PKB’s Information Security Management Plan and Policies reflect commitment to stewardship of sensitive personal information, clinical information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of PKB constituents, safeguarding vital business information, and fulfilling legal obligations. The plan is reviewed and updated at least twice a year or when the environment changes.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes to our database, application, architecture and environment are authorised, reviewed and fully logged. We use a combination of JIRA and an internal development wiki to document bug fixes, releases, upgrades, maintenance and other elements that might impact our production environment. Additionally, database schema management is via Liquibase.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Server security patching is conducted monthly, or as required when a patch is released by a manufacturer. Information about threats is gathered from various sources including developer bulletins, security mailing lists and other internet sources. PKB maintains an InfoSec/OpSec team that monitors new threats. Scanning is both externally commissioned/conducted and internally conducted; for internal vulnerability scanning we use Tenable / Nessus. Additionally, internal information security and information asset audits are regularly conducted; threats are evaluated, registered, graded and assigned for mitigation.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
PKB maintains an InfoSec/OpSec team that monitors new threats. Scanning is both externally commissioned/conducted and internally conducted; for internal vulnerability scanning we use Tenable / Nessus. Additionally, internal information security and information asset audits are regularly conducted; threats are evaluated, registered, graded and assigned for mitigation, and the speed of mitigation/resolution or patching depends on the likelihood and severity of the threat/compromise. Actual compromises are prioritised for immediate resolution. Identification may take place via a number of pathways: malware scanning, internal security audit, internal vulnerability scanning, external vulnerability scanning or reporting.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
PKB’s IG Incident Response Plan (IRP) establishes full incident management alignment to the guidelines established and published by NHS Digital, specifically ‘Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation’. PKB’s IG Lead will assess the severity of all incidents based on the sensitivity and the scale of the incident. The IG Lead will use NHS Digital’s IG Scoring Matrix to establish an accurate grade of the incident.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

Price
£1.50 to £2.45 per person per year
Discount for educational organisations
Yes
Free trial available
No