openMAXIMS™ is a sophisticated and scalable open source PAS/EPR solution that allows healthcare providers to create a single electronic care record. Coupled with our industry-leading support and implementation services, this offers a flexible, affordable, turnkey solution leading to a fully integrated, Trust-wide roll out of openMAXIMS™ PAS/EPR.
- a full PAS and EPR designed for the NHS
- Order Communications
- Integrated Care Pathways
- Observations and Notes
- Emergency Department (A&E) including tracking
- Clinical Assessments
- Clinical Specialities (e.g. Oncology, Spinal Cord Injuries)
- eDischarge process
- Bi-directional HL7 interfaces and open APIs
- Improved patient outcomes and service efficiency
- Recommended by NHS England for delivering safe and integrated care
- Clients are free to separate support services (no vendor lock-in)
- Significantly better value for money than competitors (no software costs)
- Local control of openMAXIMS drives faster adoption with minimum upheaval
- Flexibility allows openMAXIMS functionality to be driven by healthcare professionals
- Open access allows free alteration of openMAXIMS to meet needs
- Cash releasing benefits (reduction in paper/staff, improved CQUIN compliance)
- Clinical empowerment and engagement in software enhancements and development road-map
£1 per unit
0203 66 86 999
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
There will be times when the system is unavailable for scheduled maintenance. These times will be agreed in advance with the client.
User access to the system is limited by Username and strong password/passphrase enforcement. These will need to be set up for each user in conjunction with the client.
Data centre access is available to our staff only
Support for specific hardware configurations only
Must include specified top-of-rack/end-of-rack network switches
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Our Incident Management process aims to return the service back to the customer as quickly as possible, either through a fix or through the resolution of the Incident via a workaround. Incidents are triaged by our Application Support Team and assigned to an Application Support Specialist for ownership.
There are standard support response times
Severity of the issue will affect response times. P1 will be responded to in 10 minutes and resolved in 4 hours.
An Incident escalation process is available
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Onsite support|
We provide several ‘standard’ support options to our customers. However, we can be flexible and offer variations to this.
• Standard - 9am to 5pm, Monday to Friday, excl. Bank and Public Holidays;
• Extended - 8am to 6pm, Monday to Friday with the possibility of weekend cover and including Bank and Public Holidays;
• Premium - 24/7/365 for mission critical solutions, ED, Order Communications etc
Yes, we provide a technical account manager
|Support available to third parties||Yes|
Onboarding and offboarding
Our approach would be to work collaboratively with each Trust using our FIRST CLASS Implementation Methodology to implement our application.
FIRST CLASS has been developed over many years of experience of managing and implementing healthcare solutions throughout the UK and Ireland.
Our plan provides a very detailed, standardised and repeatable approach for implementation, augmented with new data after each implementation and will be refined through discussions with each Trust during the Project Initiation Stage to take into account local variances in approach.
It has been validated in several successful implementations and can be taken as a proven ‘model’ of how the project will proceed and provide confidence in the delivery of the contracted deliverables to agreed deadlines.
Project governance and benefits realisation are intrinsic to the approach. Risks and Issues are managed following the framework set out by the OGC, whereby they are assessed and scored against likelihood and consequence across multiple domains and plans put in place to monitor and mitigate. Embedded controls include regular reviews to allow a realistic look at the project’s direction and performance at critical stages and to adjust as needed.
|End-of-contract data extraction||The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).|
|End-of-contract process||We will return all your data and materials which cannot be deleted or exported by you, and securely destroy all copies of your data on your written instruction. We will return any pre-paid sums for services not delivered to you. We will not penalise you for terminating your contract with us unless specifically stated in the Service Definition. We will also return all of your confidential information, unless there is a legal requirement that we keep it.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||Windows|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
The differences are in the screen size available for viewing the system. This is taken into account for mobile access.
The technology used is different between mobile and desktop.
|Accessibility standards||None or don’t know|
|Description of accessibility||The web interface is accessible using the most common web browsers and is delivered over various public and private networks including the internet, PSN, N3/HSCN and Janet. The web interface is protected by standards-based encryption, two-factor authentication and optionally IP address restrictions. The web interface is entirely HTML5 and does not require any auxiliary plug-ins, therefore the web interface is accessible by any modern desktop or mobile internet browser able to support secure HTTPS connections.|
|Accessibility testing||None at present but this is planned for the future|
|What users can and can't do using the API||
IMS MAXIMS are a founding member of the INTEROPen group, which was formed to accelerate the development of open standards for interoperability in the health and social sector. We are currently working within INTEROPen on the design and curation of the technical interoperability standards; this includes areas such as data exchange, data validation, defining APIs and governance. We are currently in the process of developing and publishing our APIs based on the INTEROPen CareConnect candidate FHIR resource profiles: http://interopen.org/candidate-profiles/care-connect/. This will provide support for resources such as:
• Allergy Intolerance
• Family Member History
We are working on the current DSTU 2 final version of the HL7 FHIR standard. Our roadmap includes support for current draft standards e.g. FHIR STU3. Our currently developed FHIR standard implementation supports the REST API through HTTPS protocol, enabling any application to safely/securely consume our implementation of FHIR standards. Via our FHIR based APIs we can expose the patient’s longitudinal patient record and support flow of data between care settings.
See later q/a for configurability
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
OpenMAXIMS™ has a variety of functionality to provide a high degree of local configurability. Local patient journeys are supported through the openMAXIMS™ configuration features listed below:
Configurable starting form for each role supporting different entry points
User defined navigations allowing clients to match the navigation to the workflow. The navigations may contain system forms, user defined forms and reports. The content, groupings and order are all configurable.
Configurable top menu bar allowing different menu bars for each user role. The contents of the menu can be customised and allows links to URLs to support the patient journey and workflow
Configuration forms allowing administrators to customise the behaviour of some areas of openMAXIMS.
System and role based configuration flags to allow the tailoring of openMAXIMS™ to support many different health care agencies
User Defined Assessments to allow clients to recreate paper assessments within openMAXIMS™ and build them into the workflow
Configurable lookups and hotlists providing control over the contents and order of drop down menus through the system.
Role based access rights and flags allow further tailoring of the behaviour of openMAXIMS™ at a local level
|Independence of resources||
We provide a guaranteed service delivery and system response time for each user. We also provide Guaranteed resources that are a stated minimum of memory, CPU and disk size or space for each customer.
The service is not affected by the demands of other users. We do have resource reservations and shares on our connectivity services that are not dedicated to our customers, such as internet bandwidth. In addition, the capacity planning team ensures that connectivity usage, in terms of all resources, is constantly monitored and increased according to demand.
|Service usage metrics||Yes|
The SLA details the hours of cover as well as the target response and resolution times for each Incident Severity.
Our Service Delivery Manager utilises the system to generate data extracts for our customer performance monitoring reports. The system contains several standard data extract reports as well as an ad-hoc reporting module which enables us to produce customer specific reports when required. These reports can be generated by our Service Management team at any time for any given time period.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||
Our hosting partner offers the choice of connecting:
• Via the internet using additional encryption such as TLS 1.2
• IPSec VPN tunnels
• Via private networks such as leased lines or MPLS
• Via public sector networks such as PSN, N3, Janet
|Data protection within supplier network||
|Other protection within supplier network||Our hosting partner uses dedicated CAS-T circuits between each of their sites to ensure the protection of customer data in-flight. The partner additionally encrypts this data within their Elevated OFFICIAL platform. All data flows are also subject to a protective monitoring service.|
Availability and resilience
We confirm that the application can be hosted within an environment that provides full disaster recovery services.
We will configure the openMAXIMS™ solution according to local requirements but for most procurements we are assuming system availability is paramount and so we would propose to provide a high-availability, dual-datacentre (DC) solution, which is disaster resilient and will enable all environments to continue to operate in the event of a disaster impacting either of the datacentres.
Service credits are awarded when performance falls below the contracted level. The number of Service Points awarded to each Service Failure in that Service Period.
The accumulated total of Service Credits available.
A rolling total of the number of Service Failures that have occurred and the amount of Service Credits that have been incurred over the past six months;
|Approach to resilience||
Multiple openMAXIMS™ Application Servers and Report Servers will be configured as a cluster of VMs across these hosts and, should one of these servers fail or be taken out of service for maintenance work, then the remaining servers in the VM cluster will take up the additional workload. With the rapid recovery features in VMware your preferred method for resilience may be to dynamically provision new servers as and when a failure occurs. Your local preferences will dictate your approach to resilience and availability but be assured that openMAXIMS™ can be configured to meet your needs.
A number of options enable you to build resilience into your applications. We offer Private Cloud Compute from two geographically distinct sites, both located in the UK and separated by over 100km for excellent geo-diversity.
|Outage reporting||All outages will be reported via the Service Status page and the notifications service within the Cloud Portal. Outages are identified as Planned maintenance, Emergency maintenance, and platform issues. In addition, the designated Technical Account Manager will proactively contact customers as appropriate.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Username and strong password/passphrase enforcement|
|Access restrictions in management interfaces and support channels||
Separation and access control within management interfaces
User access control within management interfaces
Consumers manage only their own service, and cannot access, modify or otherwise affect the service of other consumers via management tools and interfaces.
Customers have the option to raise a support request via telephone or email. Our hosting partner will always authenticate the identity of the user by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. The management interfaces are only available on the network.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 1 month and 6 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||LRQA|
|ISO/IEC 27001 accreditation date||8th May 2012|
|What the ISO/IEC 27001 doesn’t cover||Nothing|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||28th October 2016|
|CSA STAR certification level||Level 1: CSA STAR Self-Assessment|
|What the CSA STAR doesn’t cover||Nothing|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
IMS MAXIMS has a documented framework for security governance, with policies governing key aspects of information security relevant to the service.
Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
Processes to identify and ensure compliance with applicable legal and regulatory requirements.
Our hosting partner has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001 and ISO27018 by LRQA, a UKAS accredited audit body. The service is governed by an integrated suite of information security policies. Under the top level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Our hosting partner has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Potential new threats, vulnerabilities or exploitation techniques which could affect your service are assessed and corrective action is taken
Relevant sources of information relating to threat, vulnerability and exploitation techniques are monitored by the service provider
The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritise the implementation of mitigations.
Our change management process ensures known vulnerabilities are tracked until mitigations have been deployed
We ensure we know service provider timescales for implementing mitigations and are happy with them
Patches are applied when necessary depending on their assessed priority
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
The service generates adequate audit events which we use to support effective identification of suspicious activity. Audit reports are run at regular intervals. Any attempts at unauthorised access are alerted to the system manager. These events are analysed to identify potential compromises or inappropriate service use.
We take prompt and appropriate action to address incidents. Incidents are categorised by laid down priorities which each have response times for remedial action.
Following best practice from the National Cyber Security Centre, our service has enhanced protective monitoring, including checks on time sources, cross-boundary traffic, suspicious boundary activities, network connections and backup status etc.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Incident management processes are in place for the service and are actively deployed in response to security incidents
Pre-defined processes are in place for responding to common types of incident and attack
A defined process and contact route exists for reporting of security incidents by consumers and external entities
Security incidents of relevance to you will be reported in acceptable timescales and formats
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||New NHS Network (N3)|
|Price||£1 per unit|
|Discount for educational organisations||No|
|Free trial available||No|