Medacs Healthcare Plc

Medacs Healthcare

Medacs Healthcare offers a market-leading technology solution that enables healthcare organisations to maximise the effectiveness of their workforce. Our cloud-based system is designed for maximum flexibility, allowing you to select and use the functionality that best meets your staffing requirements.


  • Cloud based
  • Simple and intuitive SSER Interface
  • Configurable rules and permissions
  • Manage requests to sub-contractors
  • Provides a full suite of management information
  • Ability for suppliers to manage locum availability and match
  • Ongoing compliance management
  • Full audit trail


  • Support you to generate savings of 30% on temporary staffing
  • Manage your internal staff bank, regional collaborative bank and agency
  • Rate Control: strict Break Glass process which must be followed
  • Clear automated authorisation process
  • Compliance checks
  • Reduction in staff time on admin automated process
  • Transparency of workforce metrics
  • Excellent real-time management information
  • 24/7 support


£5000 per unit per month

Service documents


G-Cloud 11

Service ID

424529369489301


Medacs Healthcare Plc

Carol Waller

0203 096 4662

Service scope

Software add-on or extension Yes
What software services is the service an extension to Recruitment business master vendor software;
Recruitment neutral vendor software;
Payroll software;
Direct engagement; and
Rota management software.
Cloud deployment model Private cloud
Service constraints No.
System requirements
  • Internet Explorer 9 or greater
  • Safari
  • Chrome 56 and above

User support

Email or online ticketing support Email or online ticketing
Support response times Customer service support is provided 24/7. First line of communication will be via our Portal Support Team who will direct the query to the appropriate department and respond within 24 hours. There is a centralized Service Desk in place. The service desk has an out-of-hours facility to ensure that calls can be taken from users outside of the normal 08:00 - 18:00 hours. Any support issues are logged into the centralized support system and dealt with by the appropriate IT team; technical issues are either addressed by the service desk or escalated to the infrastructure team.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide onsite support to our customers during:
- Implementation
- Training
- System upgrades
- Introduction of additional services
- User guides

Our implementation team will work closely with your team to agree a Project Plan which will include any onsite support requirements.

We can also provide onsite support for ad hoc requests, as required. We will agree a mutual time to deliver the support.
Support available to third parties Yes

Onboarding and offboarding

Getting started Medacs has a dedicated implementation team who are responsible for the mobilization of new projects. Our Project Managers are trained in PRINCE2 project management methodology. They will coordinate the project by following an agreed mobilization plan, with weekly highlight reports and progress calls to ensure the project is kept on track.

For each customer implementation, Medacs will appoint a dedicated implementation team comprising a project manager and up to two business analysts. They are responsible for the on-boarding, set-up, management and exit of the project. The team will be able to utilize subject matter experts within each business function as needed, including HR, legal, tax, finance, marketing and supply chain.

Medacs will review the requirements from the cluster to design an implementation process which will ensure each individual Trust has a bespoke plan to meet their needs and timescales.

The Project Manager, who reports to the Head of Implementations, is responsible for ensuring the project is kept on track and deadlines are achieved. Any project slippage will be identified during the weekly highlight report and mobilization calls.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • CSV
  • Word
  • Excel
  • PowerPoint
End-of-contract data extraction On request - in Excel.
End-of-contract process In the event of the services being handed to another provider, customers will see an efficient transition of activities. We will work closely with each customer to transfer the services to another provider or back to the customer. We will work in partnership to ensure there is no disruption to the service during the transition and our team will continue to fill future bookings.

We will assign an Exit Project Manager to the process to ensure the transition of the service to another supplier or the trust is well organised and smooth. Our Exit Project Manager will create an exit plan with key milestones and responsible owners to help facilitate the offboarding of the contract.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Our desktop service provides a full suite of our software solutions, including access to management information.

The mobile app provides access to a range of core functionality.

For all our products, permission levels can be set according to customer requirements.
Service interface Yes
Description of service interface All integrations are bespoke creations. Our standard architecture comprises real-time REST API communications and Azure Cloud messaging queues.
Accessibility standards None or don’t know
Description of accessibility We consider accessibility standards in our designs. Considerations include header tags in text, alt text on images, a hyperlink description strategy, taking colour schemes and backgrounds into account, high levels of contrast, and shapes and forms to help guide users. We consider label fields, tab order and table layouts. HTML elements are taken into account for lists and keyboard-only usability. Dynamic content considerations include not auto-playing video content and alt text on slideshow images. Validation of markup is considered to reduce conflict with AT, as is avoidance of Flash. We also consider transcripts for audio files, video captions and simpler language.
Accessibility testing N/A
What users can and can't do using the API We have an extensive API for interfacing with our customer's systems. You can push unfilled shifts to candidates and agencies. Timesheet information can be shared using our API.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation During implementation, our team will work with you to define your specific requirements. Users can choose which parts of our service they require to meet their needs, e.g. VMS and Direct Engagement or a comprehensive Staff Bank system.

Once the products have been selected, the system will be customized to meet your requirements, such as:
- Cost codes
- Authorisation levels
- Cascade times
- Notifications
- Permission settings


Independence of resources Our service is built to scale. We use Amazon Web Services (AWS), which is fully scalable to meet our customer requirements.


Service usage metrics Yes
Metrics types • Invoiced spend by directorate (number of directorates is flexible as per the client’s
• Savings by directorate;
• Fill rates by both jobs and hours, broken down by Medacs and supply chain;
• Reasons for request by number of hours and spend;
• Supplier league table, broken down by specialty;
• Demand and fill by grade;
• Demand and fill by specialty;
• Average charge rates by grade;
• Average charge rates by specialty;
• Demand and fill: overall or for a specific grade or specialty;
• NHSi reporting.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Medacs provides the client a set suite of reports that we provide on a monthly basis. All of these reports can be provided at the exit of the contract. For any additional ad hoc reporting, the client can make a request to our team who will import or export the data. In addition, Medacs provides our clients with a self-serve reporting suite which also can be used to extract the data.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.50% (subject to maintenance and upgrades).
Approach to resilience All servers are hosted on high-availability, resilient AWS cloud hosted infrastructure.
Outage reporting Full resilience with AWS test environment with a fully controlled Quality Assurance process. Changes are fully tested in a UAT environment.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels The identification of the user is controlled through the provision of a unique username. Using a generic account prevents an Information Asset Owner from being able to identify, monitor and report on user activity.

The authentication of the user can take multiple forms, ranging from unique passwords, single sign on or two factor authentication (2FA). The type of authentication selected is usually determined by the sensitivity of the information asset. When selecting an authentication method, it is important to apply as much complexity as is possible without overwhelming the user.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certificate for Assessment CFA
ISO/IEC 27001 accreditation date 12/02/2022
What the ISO/IEC 27001 doesn’t cover No exclusions noted on ISO27001 Annex A Controls.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Certification
  • PCI-DSS SAQ Level 4
  • ISO 9001:2015
  • ISO 14001:2013

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Compliance with the Group’s ISMS will be monitored and reported on through the performance of internal and external audits. The resulting audit reports will be presented to the Group’s ISMS Management Board and will drive the process of review and improvement. The Group IT Audit and Compliance Manager is responsible for the monitoring elements for compliance and ensuring adherence to the ISO27001:2013 attributes and requirements set for maintaining accreditation.
Breaches of this, and any other ISMS policy, should be reported through the Incident Management process. Where it is felt that the breach involves a senior member of the ISMS Management Board, Group HR should be contacted in the first instance.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Group’s Change Management policy applies to all changes made to an IT service that is used to store or host the Group’s information, which includes 3rd Party IT services. Excluded from this policy are changes that occur as part of the system development lifecycle or a system acquisition. These changes are covered as part of the Group’s ISMS System Development Lifecycle and ISMS Systems Acquisition policies respectively.

Changes to the functionality of a Group IT service require a documented request for change, which has been approved by the IT service owner.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach The Group’s Intrusion Detection policy establishes appropriate intrusion detection and prevention controls to protect the Group’s information assets from being breached. Third parties are expected to be able to demonstrate compliance with this policy when hosting information.

Group IT maintain a record of all open network ports, base-lined to identify unusual or suspicious activity and regularly monitored.

All IT systems that are accessible from the Internet or public location should operate intrusion detection software approved by Group IT. Suspected intrusions, suspicious activity or unexplained systemic behaviour should be reported to the Cyber Security Manager and Head of Infrastructure and Security.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach The Information Governance Internal Audit is responsible for reviewing reports of incidents and recommending actions where necessary to strengthen information security controls. The Group Audit and Compliance Manager will monitor and review all information security incidents and make a regular report to the Information Security Management System Board, recommending further action; any issues and risks are escalated.

Throughout the lifetime of the incident, the Incident Coordinator maintains a record of the actions taken. The completed IS Incident Log will be used to investigate the cause of the IS incident following its resolution and must be preserved.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Any incidents are submitted by the client to our on-site team to review. All incidents will be rated depending on their severity and will be escalated to our IT Managed service team who are responsible for reporting, investigating and taking appropriate action to address breaches of physical security and suspected attempts to gain unauthorised access to secure areas. All incidents requiring development will follow our quality assurance and user acceptance testing process. In addition the Group Audit and Compliance Manager will monitor and review all information security incidents and report to the Information Security Management System Board, recommending further action.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £5000 per unit per month
Discount for educational organisations No
Free trial available No
