Medacs Healthcare offers a market-leading technology solution that enables healthcare organisations to maximise the effectiveness of their workforce. Our cloud-based system is designed for maximum flexibility, allowing you to select and use the functionality that best meets your staffing requirements.
- Cloud based
- Simple and intuitive user interface
- Configurable rules and permissions
- Manage requests to sub-contractors
- Provides a full suite of management information
- Ability for suppliers to manage locum availability and match
- Ongoing compliance management
- Full audit trail
- Support you to generate savings of 30% on temporary staffing
- Manage your internal staff bank, regional collaborative bank and agency
- Rate control: strict Break Glass process which must be followed
- Clear automated authorisation process
- Compliance checks
- Reduction in staff time spent on admin through an automated process
- Transparency of workforce metrics
- Excellent real-time management information
- 24/7 support
£5000 per unit per month
424529369489301
Medacs Healthcare Plc
0203 096 4662
|Software add-on or extension||Yes|
|What software services is the service an extension to||Recruitment business master vendor software; Recruitment neutral vendor software; Direct engagement; and Rota management software.|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Customer service support is provided 24/7. First line of communication will be via our Portal Support Team who will direct the query to the appropriate department and respond within 24 hours. There is a centralized Service Desk in place. The service desk has an out-of-hours facility to ensure that calls can be taken from users outside of the normal 08:00 - 18:00 hours. Any support issues are logged into the centralized support system and dealt with by the appropriate IT team; technical issues are either addressed by the service desk or escalated to the infrastructure team.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
We provide onsite support to our customers during:
- System upgrades
- Introduction of additional services
- User guides
Our implementation team will work closely with your team to agree a Project Plan which will include any onsite support requirements.
We can also provide onsite support for ad hoc requests, as required. We will agree a mutual time to deliver the support.
|Support available to third parties||Yes|
Onboarding and offboarding
Medacs has a dedicated implementation team who are responsible for the mobilization of new projects. Our Project Managers are trained in PRINCE2 project management methodology. They will coordinate the project by following an agreed mobilization plan, with weekly highlight reports and progress calls to ensure the project is kept on track.
For each customer implementation, Medacs will appoint a dedicated implementation team comprising a project manager and up to two business analysts. They are responsible for the on-boarding, set-up, management and exit of the project. The team will be able to utilize subject matter experts within each business function as needed, including HR, legal, tax, finance, marketing and supply chain.
Medacs will review the requirements from the cluster to design an implementation process which will ensure each individual Trust has a bespoke plan to meet their needs and timescales.
The Project Manager, who reports to the Head of Implementations, is responsible for ensuring the project is kept on track and deadlines are achieved. Any project slippage will be identified during the weekly highlight report and mobilization calls.
|Other documentation formats||
|End-of-contract data extraction||On request - in Excel.|
In the event of the services being handed to another provider, customers will see an efficient transition of activities. We will work closely with each customer to transfer the services to another provider or back to the customer. We will work in partnership to ensure there is no disruption to the service during the transition and our team will continue to fill future bookings.
We will assign an Exit Project Manager to ensure that the transition of the service to another supplier or the trust is well organised and smooth. Our Exit Project Manager will create an exit plan with key milestones and responsible owners to help facilitate the offboarding of the contract.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Our desktop service provides a full suite of our software solutions including access to management information. The mobile app provides access to a range of core functionality. For all our products, permission levels can be set according to customer requirements.|
|Description of service interface||All integrations are bespoke creations. Our standard architecture comprises real-time REST API communications and Azure Cloud messaging queues.|
|Accessibility standards||None or don’t know|
|Description of accessibility||We consider accessibility standards in designs. Considerations include header tags in text, alt text on images, a hyperlink description strategy, colour schemes and backgrounds with high levels of contrast, and shapes and forms that help guide users. We consider label fields, tab order and table layouts. HTML elements are taken into account for lists and keyboard-only usability. Dynamic content considerations include not auto-playing video content and alt text on slideshow images. Validation of markup is considered to reduce conflict with AT, as is avoidance of Flash. We also consider transcripts for audio files, video captions and simpler language.|
|What users can and can't do using the API||We have an extensive API for interfacing with our customer's systems. You can push unfilled shifts to candidates and agencies. Timesheet information can be shared using our API.|
|API documentation formats||Open API (also known as Swagger)|
|API sandbox or test environment||Yes|
|Description of customisation||
During implementation, our team will work with you to define your specific requirements. Users can choose which parts of our service they require to meet their needs, e.g. VMS and Direct Engagement or a comprehensive Staff Bank system.
Once the products have been selected, the system will be customized to meet your requirements, such as:
- Cost codes
- Authorisation levels
- Cascade times
- Permission settings
|Independence of resources||Our service is built to scale. We use Amazon Web Services (AWS), which is fully scalable to meet our customer requirements.|
|Service usage metrics||Yes|
• Invoiced spend by directorate (number of directorates is flexible as per the client’s
• Savings by directorate;
• Fill rates by both jobs and hours, broken down by Medacs and supply chain;
• Reasons for request by number of hours and spend;
• Supplier league table, broken down by specialty;
• Demand and fill by grade;
• Demand and fill by specialty;
• Average charge rates by grade;
• Average charge rates by specialty;
• Demand and fill: overall or for a specific grade or specialty;
• NHSi reporting.
|Reporting types||Real-time dashboards|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with SSAE-16 / ISAE 3402|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Medacs provides the client a set suite of reports that we provide on a monthly basis. All of these reports can be provided at the exit of the contract. For any additional ad hoc reporting, the client can make a request to our team who will import or export the data. In addition, Medacs provides our clients with a self-serve reporting suite which also can be used to extract the data.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||Legacy SSL and TLS (under version 1.2)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||99.50% (subject to maintenance and upgrades).|
|Approach to resilience||All servers are hosted on high-availability, resilient AWS cloud hosted infrastructure.|
|Outage reporting||Full resilience with AWS test environment with a fully controlled Quality Assurance process. Changes are fully tested in a UAT environment.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||
The identification of the user is controlled through the provision of a unique username. Using a generic account prevents an Information Asset Owner from being able to identify, monitor and report on user activity.
The authentication of the user can take multiple forms, ranging from unique passwords to single sign-on or two-factor authentication (2FA). The type of authentication selected is usually determined by the sensitivity of the information asset. When selecting an authentication method, it is important to apply as much complexity as is possible without overwhelming the user.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Certificate for Assessment CFA|
|ISO/IEC 27001 accreditation date||12/02/2022|
|What the ISO/IEC 27001 doesn’t cover||No exclusions noted on ISO27001 Annex A Controls.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Compliance with the Group’s ISMS will be monitored and reported on through the performance of internal and external audits. The resulting audit reports will be presented to the Group’s ISMS Management Board and will drive the process of review and improvement. The Group IT Audit and Compliance Manager is responsible for the monitoring elements for compliance and ensuring adherence to the ISO27001:2013 attributes and requirements set for maintaining accreditation.
Breaches of this, and any other ISMS policy, should be reported through the Incident Management process. Where it is felt that the breach involves a senior member of the ISMS Management Board, Group HR should be contacted in the first instance.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The Group’s Change Management policy applies to all changes made to an IT service that is used to store or host the Group’s information, which includes 3rd Party IT services. Excluded from this policy are changes that occur as part of the system development lifecycle or a system acquisition. These changes are covered as part of the Group’s ISMS System Development Lifecycle and ISMS Systems Acquisition policies respectively.
Changes to the functionality of a Group IT service require a documented request for change, which has been approved by the IT service owner.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
The Group’s Intrusion Detection policy establishes appropriate intrusion detection and prevention controls to protect the Group’s information assets from being breached. Third parties are expected to be able to demonstrate compliance with this policy when hosting information.
Group IT maintain a record of all open network ports, which is baselined to identify unusual or suspicious activity and regularly monitored.
All IT systems that are accessible from the Internet or public location should operate intrusion detection software approved by Group IT. Suspected intrusions, suspicious activity or unexplained systemic behaviour should be reported to the Cyber Security Manager and Head of Infrastructure and Security.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
The Information Governance Internal Audit is responsible for reviewing reports of incidents and recommending actions where necessary to strengthen information security controls. The Group Audit and Compliance Manager will monitor and review all information security incidents and make a regular report to the Information Security Management System Board, recommending further action; any issues and risks are escalated.
Throughout the lifetime of the incident, the Incident Coordinator maintains a record of the actions taken. The completed IS Incident Log will be used to investigate the cause of the IS incident following its resolution and must be preserved.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Any incidents are submitted by the client to our on-site team to review. All incidents will be rated depending on their severity and will be escalated to our IT Managed service team who are responsible for reporting, investigating and taking appropriate action to address breaches of physical security and suspected attempts to gain unauthorised access to secure areas. All incidents requiring development will follow our quality assurance and user acceptance testing process. In addition, the Group Audit and Compliance Manager will monitor and review all information security incidents and report to the Information Security Management System Board, recommending further action.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£5000 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|