Mindwave Ventures

MAIA

MAIA is Mindwave’s open source personal health record (PHR) which enables patients to access their health information, communicate with practitioners and manage their health. It is a web application which can be accessed via any internet browser on any device: mobile, tablet, laptop, desktop.

Features

  • Access to health record information: documents, appointments, demographics, care plans
  • Fully customisable questionnaire builder
  • Goal setting and coping strategy tool shared with clinical team
  • Trackers which can be monitored in partnership with clinical teams
  • Circle of support - invite others to join your circle
  • Secure messaging and online consultations
  • Integration with trust clinical systems
  • Tools and resources: useful links, leaflets, videos, events, stories, tips
  • Interoperable via FHIR, HL7, REST and OpenEHR archetypes
  • Accessible from any internet enabled device

Benefits

  • Patient activation and engagement in programme of care
  • Shared decision making between clinician and patient
  • A shift from episodic care to support as required
  • Patients more likely to achieve goals through setting and tracking
  • Increased engagement with friends and family in circle of care
  • Patients have access to core documents including care/crisis plan
  • Patient can access trusted resources relevant to their needs
  • Clinical teams can administer PREMS and PROMS questionnaire
  • Patient can be confident in privacy and security through NHSLogin
  • Patient can access personal health record through mobile or desktop

Pricing

£25,000 to £200,000 an instance

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at businessdevelopment@mindwaveventures.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

376512972394851

Contact

Mindwave Ventures Katy Edwards
Telephone: 07590057431
Email: businessdevelopment@mindwaveventures.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Access to any supported internet browser on any internet enabled device.
System requirements
  • Internet browser equivalent to IE10 or later
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Samsung Browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA response times are agreed with individual trusts, but are typically:
Priority 1: within 45 minutes
Priority 2: within 3 hours
Priority 3: within 10 hours
Priority 4: within 20 hours

Support can be provided during normal working hours or 24/7 as required.

Support can be provided via a client or directly to all end users.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support is included within our SLA agreements and will be agreed with each client to ensure we can meet their needs.

Support includes project management and all technical support required.

Each issue reported will be rated a priority level based on the severity or impact of the issue and will be responded to within a pre-defined response time.

Each SLA will have a management representative and a performance representative who will provide additional support, reporting and escalation points.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
At the outset of a project, our Product Manager will make contact, as will a Project Manager who will be the day-to-day contact. We will work with each organisation to review and prioritise their requirements and create a detailed scope. We will also outline the documentation or other information we will need, covering technical requirements, information governance, clinical safety and so on. If custom UI is required, we will set up meetings with our design team to run through options, after which you will be provided with user flows and a style guide for approval.

Through our extensive user testing, we are confident that minimal end-user onboarding will be required. However, we can provide onboarding for users via in-person training, 'how-to' videos and documentation such as user guides and FAQs, which can be hosted within the platform or provided to the organisation for circulation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Patient data can be exported and provided in a CSV file on request. Data will only be released to the patient it relates to and will be provided in a password-protected file, with the password sent to the individual via a separate communication.

Organisation level data can be requested by an authorised representative from the buying organisation as agreed and documented in the contract or project documentation. The request will be reviewed and authorised by the Mindwave COO. Transfer of this data, and related security controls, will be dependent on the specific client deployment and could involve a secure transfer of a file and supporting data extraction through Jumpbox / Bastion.
End-of-contract process
MAIA is open source and so each implementation is owned by the organisation. At the end of a contract, the organisation retains the application and all associated data and can continue using it. If continued support and maintenance is required or further development was requested, this would be at an additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The application is built on a responsive framework which scales dynamically across all screen sizes so the user interface is identical across devices. Based on user need, we follow mobile-first design principles. The application can be operated using either a mouse or touch screen.
Service interface
Yes
Description of service interface
MAIA is a web application which has been designed in collaboration with end users to ensure a beautiful and intuitive design. It is accessed via a browser on any internet-enabled device and offers a consistent user interface across devices and screen sizes for familiarity.

MAIA allows users to customise their interface with different skins for accessibility or personal preference and offers fully user tested navigation for ease of use.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
MAIA can be accessed via any browser on any device and is optimised for mobile use, although it dynamically resizes for any screen size.

MAIA meets the WCAG 2.1 AA standard for accessibility, including the following:
- Semantically built: users can tab through, images carry alt text, etc.
- Minimum text size of 14pt.
- All colour contrasts are above 4.5:1.
- We don't use any flashing or moving content (except videos, which are user-controlled).
- We use a clear typographic hierarchy for easy scanning of content, including obvious links and buttons.
- We have multiple "skins" to allow users to choose their preference, including a dyslexia-friendly option.
- We adhere to minimum click areas.

The design has been tested extensively with users of varying technology familiarity and accessibility needs to ensure it is intuitive and easy to use.
API
Yes
What users can and can't do using the API
MAIA publishes a REST API at https://docs.maiaphr.com/. The REST API allows 2-way push and pull of data from the MAIA repository, enabling integration with 3rd party apps and solutions, including 3rd party apps pulling information from MAIA.

Users can make calls against the REST API via GET, PUT and POST operations.

We have a well-documented REST API. Every endpoint in MAIA is available via a real-time 2-way REST API authenticated with a JWT token, and data is extractable from MAIA via the REST API. A summary of the data available to pull, push or update follows (full documentation at https://docs.maiaphr.com/):

  • AboutMe
  • Circle
  • Diary
  • Goals
  • Mood
  • Problem
  • Sleep
API documentation
Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
MAIA can be customised in a number of ways:

Organisations can:
- turn features on/off for their users
- set up questionnaires/surveys/outcome measures using our customisable questionnaire builder.
- customise the UI, from uploading a logo and editing copy, to applying totally customised UI.
- customise information and resources either directly in the content management system or via support from Mindwave.
- integrate the application with different clinical systems or other third parties.

Through our focus on user-led design and development and our collaborative approach we will work with each organisation to map their needs and identify the customisations which are needed for their user groups.

Individual users can:
- customise the tracker dashboard to select which features they want to use.
- apply different skins to the UI based on accessibility requirements or personal choice.
- invite others to join their circle of support and can share parts of their personal health record.
- opt in/out of email notifications

Guidance is provided within the platform where needed to support users in customising their PHR.

Scaling

Independence of resources
MAIA is a microservice application, where each module runs as a separate service in the Kubernetes cluster.

We have set up a minimum of 3 and a maximum of 10 replicas of each module in the cluster. Kubernetes continuously monitors each service, providing high availability and enabling continual service provision to users.
The cluster has 3 hosts/nodes attached. If any node goes down, Kubernetes automatically spins up the modules on the remaining hosts/nodes.

Kubernetes has an autoscale feature and is configured for horizontal scaling, so it automatically scales 3-4x without service interruption.
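The replica bounds and node-failure behaviour described above map onto three standard Kubernetes objects. The manifests below are an added illustration, not Mindwave's or MAIA's own deployment files: the module name `maia-diary`, the namespace, the image reference, the port, the health-check path and the 70% CPU target are all assumptions. The minimum of 3 and maximum of 10 replicas come from the listing; the topology spread constraint and PodDisruptionBudget are the pieces a cluster needs so that losing one of three nodes, or draining a node for an upgrade, leaves enough replicas serving.

```yaml
# Added illustration (not MAIA's manifests): one module of a microservice
# application with the replica bounds the listing describes.
# All names, the image tag and the probe path are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: maia-diary
  namespace: maia
spec:
  replicas: 3                    # initial value; the HPA below owns this field once created
  selector:
    matchLabels:
      app: maia-diary
  template:
    metadata:
      labels:
        app: maia-diary
    spec:
      # Spread replicas across the nodes so that losing one node leaves the
      # others serving while the scheduler recreates the missing pod.
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: maia-diary
      containers:
        - name: diary
          image: registry.example.invalid/maia/diary:1.0.0   # placeholder image
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 250m          # HPA utilisation targets are computed against requests
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
          readinessProbe:        # traffic only reaches replicas that report healthy
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: maia-diary
  namespace: maia
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: maia-diary
  minReplicas: 3                 # floor stated in the listing
  maxReplicas: 10                # ceiling stated in the listing
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # assumed threshold
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: maia-diary
  namespace: maia
spec:
  minAvailable: 2                # a voluntary node drain cannot take the service below 2 replicas
  selector:
    matchLabels:
      app: maia-diary
```

After applying with `kubectl apply -f`, `kubectl get hpa -n maia` shows the current and desired replica counts, and `kubectl get pods -n maia -o wide` confirms the replicas are placed on different nodes. Without the spread constraint the scheduler may co-locate all replicas on one node, in which case a single node failure takes the whole module down until the pods are rescheduled; without the PodDisruptionBudget a routine `kubectl drain` can evict every replica at once.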

Analytics

Service usage metrics
Yes
Metrics types
Service metrics will be agreed with individual organisations based on their needs. This can be provided within the platform or via a third party of their choosing if required.

We provide aggregated usage data for all actions carried out within the platform - this could include sign-ups, logins, admin tasks such as creating users, and the number of visits to specific pages. This data can be provided for the organisation as a whole, or broken down by service or user demographics.

Metrics can be provided via reports, downloads or presented graphically.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Patient data can be exported in a CSV file. Data will only be released to the patient it relates to and will be provided in a password-protected file, with the password sent to the individual via a separate communication.

Organisation level data can be requested by an authorised representative from the buying organisation as agreed/documented in the contract or project documentation. The request will be reviewed and authorised by the Mindwave COO. Transfer of this data, and related security controls, will be dependent on the specific client deployment and could involve secure file transfer and supporting data extraction through a Jumpbox/Bastion.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
MAIA protects data in transit in 3 ways:

1. Transport from the user to the web server is encrypted using a Let's Encrypt-provided certificate (RSA 2048 bits, SHA256withRSA) with Extended Validation and HSTS enforcement.

2. MAIA servers are in a virtual network in Microsoft's Azure cloud. The only access to the data is from the configured public IP through the REST API. This virtual network protects against malicious hacking attempts and provides uptime and business continuity guarantees.

3. Internal communication between servers/microservices within the VNet, such as Diary, Goals and the database, uses TLS with RSA 2048-bit (SHA256withRSA) encryption.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
MAIA commits to 99% uptime but individual availability guarantees can be made with clients with associated refunds as required.
Approach to resilience
MAIA commits to 99% uptime (this includes scheduled downtime), and the service is monitored with Pingdom and email alerts.

MAIA is a microservice platform running on the Azure Kubernetes Service (AKS), which is set to scale up and scale out automatically based on traffic. It has a minimum of 3 replicas for each service.

The MAIA infrastructure is hosted in the Azure cloud in the UK region. Microsoft Azure data centres are Tier 4, providing high availability, disaster recovery and backup, and Azure holds more than 90 compliance certifications: https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/
Outage reporting
MAIA runs on the Azure Kubernetes Service (AKS), which is configured to scale up and scale out automatically based on traffic.

The MAIA service is monitored with the Pingdom tool and email alerts. The Mindwave DevOps team monitors the reports, traffic and resources.

Mindwave will report outages to the buying organisation via email, as agreed per individual client.

Identity and authentication

User authentication needed
Yes
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Access to the MAIA production environment is highly restricted and managed separately. Only the Technology Lead would normally have access for maintenance and support requirements. Additional access may be granted to Development managers or senior development engineers in line with the internal approval process. Further technical controls exist to regulate access to information within the database.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
17/07/2020
What the ISO/IEC 27001 doesn’t cover
Our development partner Mediwave Digital follow our processes and are currently going through the accreditation process themselves.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • Data Security and Protection Toolkit
  • IASME Governance

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
- IASME
- Cyber Essentials
- Data Security and Protection Toolkit
Information security policies and processes
Our Information Security Management System is based on ISO 27001 standards.
Key policies include Information Security, Access Control, Data Breach, Quality & ISMS Manual and Risk Management.

The CEO has ultimate responsibility for information security. The COO is the designated Senior Manager. The Information Security Manager (currently the Technology Lead) has operational responsibility for managing and implementing the Information Security policy.

Policies are disseminated via the internal HR system for team review. Regular training is arranged. An internal audit schedule is followed to identify any areas for improvement. Progress is monitored and key actions are identified at 3-monthly management meetings.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to the database, application, architecture and environment are authorised by the DevOps lead, reviewed by the Project Manager and fully logged in GitHub. Mindwave uses Wrike and GitHub to document bug fixes, releases, upgrades, maintenance and other elements that might impact the MAIA production environment.
The Mindwave Project Manager will discuss any proposed changes with the client to include benefits, any potential risks and any impact on wider systems or infrastructure. Any changes will only be implemented once agreed with the client.
We store the last ten changes as a docker image, enabling us to resolve issues with upgrades or releases.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The vulnerability management process is the responsibility of the designated Mindwave development manager.

In addition to proactive monitoring of threat information and patch releases, Mindwave uses the GitHub Security Lab feature, which discovers vulnerabilities across a codebase with CodeQL and reports weekly.

If there is evidence to suggest that a vulnerability is being actively exploited in the wild or that a patch is 'critical', we will deploy mitigations or the patch within 10 hours.

Additionally, time is allocated every month and before releases to fix newly identified threats.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The protective monitoring processes are the responsibility of the designated Mindwave development manager.

In addition to proactive scanning and review of systems, Mindwave uses the GitHub Security Lab feature, which discovers vulnerabilities across a codebase with CodeQL and reports weekly.

If there is evidence to suggest that a vulnerability is being actively exploited in the wild or that a patch is 'critical', we will deploy mitigations or the patch within 10 hours.

Additionally, time is allocated every month and before releases to fix newly identified threats.
Incident management type
Supplier-defined controls
Incident management approach
Mindwave's processes are defined in our 'Data Breach Policy', which defines the framework for identifying the breach, evaluating the risks, responding to the incident, and notifying any relevant individuals or authorities. It details the processes to be followed in reporting incidents, including a Data Breach Report form. Mindwave's Data Protection Lead will appoint a Lead Investigator for each event and manage the overall process including predefined processes for assessing, responding, reporting and notifying incidents.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£25,000 to £200,000 an instance
Discount for educational organisations
No
Free trial available
No