openMAXIMS™ is a sophisticated and scalable open source PAS/EPR solution that allows healthcare providers to create a single electronic care record. Coupled with our industry leading support and implementation services this offers a flexible, affordable, turnkey solution leading to a fully integrated, Trust-wide roll out of openMAXIMS™ PAS/EPR.


  • a full PAS and EPR designed for the NHS
  • Order Communications
  • Integrated Care Pathways
  • Observations and Notes
  • Emergency Department (A&E) including tracking
  • Clinical Assessments
  • Clinical Specialities (e.g. Oncology, Spinal Cord Injuries)
  • eDischarge process
  • Bi-directional HL7 interfaces and open APIs


  • Improved patient outcomes and service efficiency
  • Recommended by NHS England for delivering safe and integrated care
  • Clients are free to separate support services (no vendor lock-in)
  • Significantly better value for money than competitors (no software costs)
  • Local control of openMAXIMS drives faster adoption with minimum upheaval
  • Flexibility allows openMAXIMS functionality to be driven by healthcare professionals
  • Open access allows free alteration of openMAXIMS to meet needs
  • Cash releasing benefits (reduction in paper/staff, improved CQUIN compliance)
  • Clinical empowerment and engagement in software enhancements and development road-map


£1 per unit

Service documents

G-Cloud 9



Peter Shahinian

0203 66 86 999

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints There will be times when the system is unavailable for scheduled maintenance. These times will be agreed in advance with the client.

User access to the system is limited by Username and strong password/passphrase enforcement. These will need to be set up for each user in conjunction with the client.

Data centre access is available to our staff only

Support for specific hardware configurations only

Must include specified top-of-rack/end-of-rack network switches
System requirements
  • Access through N3
  • End user devices capable of running Internet Explorer
  • Software licences for each end user
  • Suitable network connection between end-user device and central server
  • GB group and Matchcode licence
  • VM Ware licence
  • Windows 2014 and SQL 14
  • Suitable firewall
  • Customers will require appropriate network connectivity
  • Customer responsible for data security over their connectivity method

User support

Email or online ticketing support Email or online ticketing
Support response times Our Incident Management process aims to return the service back to the customer as quickly as possible, either through a fix or through the resolution of the Incident via a workaround. Incidents are triaged by our Application Support Team and assigned to an Application Support Specialist for ownership.
There are standard support response times.
Severity of the issue will affect response times. P1 will be responded to in 10 minutes and resolved in 4 hours.
An Incident escalation process is available.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels We provide several ‘standard’ support options to our customers. However, we can be flexible and offer variations to this.
• Standard - 9am to 5pm, Monday to Friday, excl. Bank and Public Holidays;
• Extended - 8am to 6pm, Monday to Friday with the possibility of weekend cover and including Bank and Public Holidays;
• Premium - 24/7/365 for mission critical solutions, ED, Order Communications etc

Yes, we provide a technical account manager.
Support available to third parties Yes

Onboarding and offboarding

Getting started Our approach would be to work collaboratively with each Trust using our FIRST CLASS Implementation Methodology to implement our application.

FIRST CLASS has been developed over many years of experience of managing and implementing healthcare solutions throughout the UK and Ireland.

Our plan provides a very detailed, standardised and repeatable approach for implementation, augmented with new data after each implementation and will be refined through discussions with each Trust during the Project Initiation Stage to take into account local variances in approach.

It has been validated in several successful implementations and can be taken as a proven ‘model’ of how the project will proceed and provide confidence in the delivery of the contracted deliverables to agreed deadlines.

Project governance and benefits realisation are intrinsic to the approach. Risks and Issues are managed following the framework set out by the OGC, whereby they are assessed and scored against likelihood and consequence across multiple domains and plans put in place to monitor and mitigate. Embedded controls include regular reviews to allow a realistic look at the project’s direction and performance at critical stages and to adjust as needed.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).
End-of-contract process We will return all your data and materials which cannot be deleted or exported by you, and securely destroy all copies of your data on your written instruction.  We will return any pre-paid sums for services not delivered to you. We will not penalise you for terminating your contract with us unless specifically stated in the Service Definition. We will also return all of your confidential information, unless there is a legal requirement that we keep it.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The differences are in the screen size available for viewing the system. This is taken into account for mobile access.

The technology used is different between mobile and desktop.
Accessibility standards None or don’t know
Description of accessibility The web interface is accessible using the most common web browsers and is delivered over various public and private networks including the internet, PSN, N3/HSCN and Janet. The web interface is protected by standards-based encryption, two-factor authentication and optionally IP address restrictions. The web interface is entirely HTML5 and does not require any auxiliary plug-ins, therefore the web interface is accessible by any modern day desktop or mobile internet browser able to support secure HTTPS connections.
Accessibility testing None at present but this is planned for the future
What users can and can't do using the API IMS MAXIMS are a founding member of the INTEROPen group, which was formed to accelerate the development of open standards for interoperability in the health and social sector. We are currently working within INTEROPen on the design and curation of the technical interoperability standards; this includes areas such as data exchange, data validation, defining APIs and governance. We are currently in the process of developing and publishing our APIs based on the INTEROPen CareConnect candidate FHIR resource profiles. This will provide support for resources such as:
  • Allergy Intolerance
  • Condition
  • Encounter
  • Family Member History
  • Flags
  • Locations
  • Medication
  • Observation
  • Patient
  • Practitioner
  • Procedure
We are working on the current DSTU 2 final version of the HL7 FHIR standard. Our roadmap includes support for current draft standards e.g. FHIR STU3. Our currently developed FHIR standard implementation supports the REST API through HTTPS protocol, enabling any application to safely/securely consume our implementation of FHIR standards. Via our FHIR based APIs we can expose the patient’s longitudinal patient record and support flow of data between care settings. 

See the later Q&A for configurability.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation OpenMAXIMS™ has a variety of functionality to provide a high degree of local configurability. Local patient journeys are supported through the openMAXIMS™ configuration features listed below:
  • Configurable starting form for each role supporting different entry points
  • User defined navigations allowing clients to match the navigation to the workflow. The navigations may contain system forms, user defined forms and reports. The content, groupings and order are all configurable.
  • Configurable top menu bar allowing different menu bars for each user role. The contents of the menu can be customised and allows links to URLs to support the patient journey and workflow
  • Configuration forms allowing administrators to customise the behaviour of some areas of openMAXIMS.
  • System and role based configuration flags to allow the tailoring of openMAXIMS™ to support many different health care agencies
  • User Defined Assessments to allow clients to recreate paper assessments within openMAXIMS™ and build them into the workflow
  • Configurable lookups and hotlists providing control over the contents and order of drop down menus through the system.
  • Role based access rights and flags allow further tailoring of the behaviour of openMAXIMS™ at a local level


Independence of resources We provide a guaranteed service delivery and system response time for each user. We also provide Guaranteed resources that are a stated minimum of memory, CPU and disk size or space for each customer.

The service is not affected by the demands of other users. We do have resource reservations and shares on our connectivity services that are not dedicated to our customers, such as internet bandwidth. In addition, the capacity planning team ensures that connectivity usage across all resources is constantly monitored and increased according to demand.


Service usage metrics Yes
Metrics types The SLA details the hours of cover as well as the target response and resolution times for each Incident Severity.
Our Service Delivery Manager utilises the system to generate data extracts for our customer performance monitoring reports.  The system contains several standard data extract reports as well as an ad-hoc reporting module which enables us to produce customer specific reports when required. These reports can be generated by our Service Management team at any time for any given time period.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks Our hosting partner offers the choice of connecting:
• Via the internet using additional encryption such as TLS 1.2
• IPSec VPN tunnels
• Via private networks such as leased lines or MPLS
• Via public sector networks such as PSN, N3, Janet
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network Our hosting partner uses dedicated CAS-T circuits between each of their sites to ensure the protection of customer data in-flight. The partner additionally encrypts this data within their Elevated OFFICIAL platform. All data flows are also subject to a protective monitoring service.

Availability and resilience

Guaranteed availability We confirm that the application can be hosted within an environment that provides full disaster recovery services.
We will configure the openMAXIMS™ solution according to local requirements but for most procurements we are assuming system availability is paramount and so we would propose to provide a high-availability, dual-datacentre (DC) solution, which is disaster resilient and will enable all environments to continue to operate in the event of a disaster impacting either of the datacentres.
Service credits are awarded when performance falls below the contracted level. The number of Service Points awarded to each Service Failure in that Service Period.
The accumulated total of Service Credits available.
A rolling total of the number of Service Failures that have occurred and the amount of Service Credits that have been incurred over the past six months;
Approach to resilience Multiple openMAXIMS™ Application Servers and Report Servers will be configured as a cluster of VMs across these hosts and, should one of these servers fail or be taken out of service for maintenance work, then the remaining servers in the VM cluster will take up the additional workload. With the rapid recovery features in VMware your preferred method for resilience may be to dynamically provision new servers as and when a failure occurs. Your local preferences will dictate your approach to resilience and availability but be assured that openMAXIMS™ can be configured to meet your needs.

A number of options enable you to build resilience into your applications. We offer Private Cloud Compute from two geographically distinct sites, both located in the UK and separated by over 100km for excellent geo-diversity.
Outage reporting All outages will be reported via the Service Status page and the notifications service within the Cloud Portal.  Outages are identified as Planned maintenance, Emergency maintenance, and platform issues.  In addition, the designated Technical Account Manager will proactively contact customers as appropriate.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication Username and strong password/passphrase enforcement
Access restrictions in management interfaces and support channels Separation and access control within management interfaces
User access control within management interfaces
Consumers manage only their own service, and cannot access, modify or otherwise affect the service of other consumers via management tools and interfaces.

Customers have the option to raise a support request via telephone or email. Our hosting partner will always authenticate the identity of the user by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. The management interfaces are only available on the network.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 8th May 2012
What the ISO/IEC 27001 doesn’t cover Nothing
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 28th October 2016
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover Nothing
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Data Protection Act Registration - Z6940443
  • Certified to ISO9001:2008
  • MAXIMS conformation ISB0129 Patient Safety Risk Management System
  • Accordance with BS ISO/IEC 27002 Code of Practice Information Security Management
  • MAXIMS conformation BS ISO/IEC 12207 software life cycle processes.
  • MAXIMS conformation ISB0129 Manufacture of Health Software.
  • IGSOC V13 connection to NHS Digital
  • Cyber security accreditation
  • Records Management – NHS Code of Practice
  • Access to Medical Reports & Health Records acts

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes IMS MAXIMS has a documented framework for security governance, with policies governing key aspects of information security relevant to the service.

Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
Processes to identify and ensure compliance with applicable legal and regulatory requirements.

Our hosting partner has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001 and ISO27018 by LRQA, a UKAS accredited audit body. The service is governed by an integrated suite of information security policies. Under the top level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our hosting partner has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Potential new threats, vulnerabilities or exploitation techniques which could affect your service are assessed and corrective action is taken.
Relevant sources of information relating to threat, vulnerability and exploitation techniques are monitored by the service provider.
The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritise the implementation of mitigations.
Our change management process ensures known vulnerabilities are tracked until mitigations have been deployed.
We ensure we know service provider timescales for implementing mitigations and are happy with them.
Patches are applied when necessary depending on their assessed priority.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach The service generates adequate audit events which we use to support effective identification of suspicious activity. Audit reports are run at regular intervals. Any attempts at unauthorised access are alerted to the system manager. These events are analysed to identify potential compromises or inappropriate service use.
We take prompt and appropriate action to address incidents. Incidents are categorised by laid down priorities which each have response times for remedial action.

Following best practice from National Cyber Security Centre, our service has enhanced protective monitoring, including checks on time sources, cross-boundary traffic, suspicious boundary activities, network connections and backup status etc.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incident management processes are in place for the service and are actively deployed in response to security incidents.
Pre-defined processes are in place for responding to common types of incident and attack.
A defined process and contact route exists for reporting of security incidents by consumers and external entities.
Security incidents of relevance to you will be reported in acceptable timescales and formats.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £1 per unit
Discount for educational organisations No
Free trial available No

