G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with NewDerm Clinic are still valid.
NewDerm Clinic

Pin.Health

Holistic patient health records platform that gives patients control over their data. We help to identify health-related issues in real time by sending alerts to medical professionals. It is designed for use by individuals and all healthcare parties at Trust, Regional and National level to provide patient-centric care at the time it matters.

Features

  • Holistic patient health records with patient control over data
  • Works on any device via our web and smartphone apps
  • Integration with any PHR/EHR and Lab Systems
  • Real-time identification of health issues and recommendations
  • Real-time alerting system for medical professionals
  • Patient and population data visualization for precise analysis
  • Cloud-based, accessible 24x7 by authorised parties
  • GDPR, UK DPA and HIPAA compliance
  • HL7 standard API for receiving/sending data

Benefits

  • More effective handover of tasks between clinical teams
  • Alerts all team members about a detected issue in real time
  • Go paperless — use any device, for both staff and patients
  • No server requirements, as it is a fully hosted secure cloud solution
  • Decreases the number of fatal cases in the hospital
  • Decreases the number of doctors’ errors and other human-factor errors
  • Improves reaction time on the most critical acute cases
  • Increases patient turnaround, which in turn decreases the number of fatal cases in hospitals
  • Saves money on unnecessary blood tests and hospital beds

Pricing

£20 to £120 a user a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@7a0eb5ea-f185-4f9d-87c4-d8f1928aee79.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

433600438643559

Contact

NewDerm Clinic <removed>
Telephone: <removed>
Email: <removed>@7a0eb5ea-f185-4f9d-87c4-d8f1928aee79.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
— A VPN channel between the customer and the Pin.Health infrastructure may be required at the customer's request (not necessary if the customer's infrastructure supports authenticated SSL/TLS)
— Android app access to the platform may take up to 1.5 months to be granted (to be clarified in each particular case)
System requirements
  • Modern browsers on Windows/macOS/Linux computers
  • iOS and Android (current version and current version minus one)

User support

Email or online ticketing support
Email or online ticketing
Support response times
24 x 7 support is provided to all customers.

Response times vary from 15 minutes to 24 hours on workdays and up to 48 hours at weekends (until the first working day), in accordance with the severity of the issue.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
No
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Access to web chat is available at all times in the software or Pin.Health website.
Web chat accessibility testing
In-house QA and beta testing with external stakeholders.
Onsite support
Yes, at extra cost
Support levels
End user support — in-app tools and knowledge base
Technical support for enterprise customers

Additional services:
Training — £500/day
Technical Account Manager — £750/day
Cloud Support Engineer — £950/day
Support available to third parties
No

Onboarding and offboarding

Getting started
A support knowledge base is provided for guidance on initial configuration.

Pin.Health can provide on-demand, on-site training to assist with configuration and set-up.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
All data related to the customer account can be exported as a file in the following formats:
— TXT
— Tab delimited
— CSV

Customer can use API to export data as well.
End-of-contract process
At the end of the contract, access to the Pin.Health platform is terminated and, after a certain period of time, the account is removed if the customer shows no interest in extending the contract.

Pin.Health can assist with data extraction at extra charge, which includes the option to extract and return any audit data our customers require.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
— The navigational structure is necessarily different. All functional features are the same.
— Doctors, nurses and patients get access via the mobile/tablet applications.
— All platform/customer account management features (trust/hospital admin, lab manager/worker and others) are available only via the web browser.
— Our applications use the notification features of the mobile operating systems, which are not available in browsers, so we use mobile notifications to alert authorised parties about detected findings.
Service interface
No
API
Yes
What users can and can't do using the API
Pin.Health users can read and write data with the Web and Events APIs.

The Pin.Health API can be used to integrate functionality directly into existing websites, apps, platforms or devices.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Admins can customise core Trust/Hospital, lab and data mapping settings as well as a set of work/data flow processes. Using the Pin.Health API, customers can build their own applications from scratch with their own identity, layouts, features etc.

We are also open to enhancement and feature requests from our customers. If a requirement would benefit all our customers, we will implement and deploy it at no additional cost to our customers.

Scaling

Independence of resources
We use a state-of-the-art load-balanced, clustered and auto-scaled architecture. If there is a significant increase in demand in any cluster, additional server instances are added automatically to handle it and maintain a fast response rate.

We maintain data storage in different geographies for customers across the world to meet local legal requirements, which means traffic is separated by geography as well.

Analytics

Service usage metrics
Yes
Metrics types
— Stats about data circulated on the platform
— Stats on how many cases were detected and alerts generated
— Stats on how many alerts were processed by doctors, by status and by type
— Stats on how many lab tests were ordered and processed
— Doctors' performance based on alerts reviewed
— Interactive Trust, Regional and National dashboards/charts (on request, for authorised NHS parties)
— General reports of platform usage: users, logins etc.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Pin.Health stores data such as personal, account, user, activity, health record, lab and customer data in different locations, while also compiling and generating data when requested. All user/patient personal identification data, and the links between locations/entities in each location, are encrypted at rest with AES-128 or AES-256 and a robust encryption key management process.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export their data on request. Access is provided via an online sign-in solution or as an encrypted file.
Data export formats
  • CSV
  • Other
Other data export formats
XML
Data import formats
  • CSV
  • Other
Other data import formats
  • API (FHIR HL7, JSON, XML)
  • Encrypted Excel
  • CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
By default, all data is encrypted in transit with SSL/TLS (if supported by the buyer's network/infrastructure). On request, we can also set up a VPN channel between Trusts/Hospitals or local/regional health record exchange systems / laboratory information systems, if the buyer's network/infrastructure does not support SSL/TLS.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
The Pin.Health web application is multi-tiered into logical segments (front-end, mid-tier and database), each independently separated from the others in a DMZ configuration. This provides strong separation and independence between the layers.

The production network segments are logically isolated from the Corporate, QA and Development segments. In fact, we use a separate cloud service provider for our Corporate, QA and Development segments, so they are physically isolated from our production network segment.

Availability and resilience

Guaranteed availability
Pin.Health is provided with a guaranteed availability service level of 95.5% as standard. Pin.Health uses AWS, whose stated uptime is 99.99%. This does not include scheduled/planned maintenance carried out by Pin.Health. Enhanced availability of up to 99.9% is available by arrangement for business-critical services.

Pin.Health shall use commercially reasonable efforts to make the services available 24 hours a day, 7 days a week, except for: (a) planned downtime, or (b) any unavailability caused by circumstances beyond Infinity Health's reasonable control, including without limitation, acts of God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, strikes or other labor problems, Internet service provider failures or delays, or denial of service attacks.
Approach to resilience
It’s available on request.
Outage reporting
Real-time monitoring at both application and infrastructure level. The third-party hosting partner sends alerts to Pin.Health. Email alerts go to key staff 24/7. A broadcast email message tells users to check the Pin.Health status page.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access is restricted on the following levels:
- Policy level - any access must be approved and documented in advance.
- Access granting - performed on a centralised system, which holds action logs and access logs.
- Authentication - critical management systems (cloud console, server access, DB, etc.) are protected by 2-factor-authentication.
- Access to data storage is possible only from certain servers; no direct access is possible from outside the internal network.
- Access to the production environment of the platform is restricted by encrypted SSH certificates/keys. Only a few designated senior technical staff have direct access to it.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Username or password
  • Other
Description of management access authentication
2-factor authentication on request.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • ISO/IEC 27001 certification issued for AWS (our cloud hosting)
  • CSA certification issued for AWS (our cloud hosting)
  • PCI DSS certification issued for AWS (our cloud hosting)
  • ISO 9001 certification issued for AWS (our cloud hosting)
  • ISO 27017 certification issued for AWS (our cloud hosting)
  • ISO 27018 certification issued for AWS (our cloud hosting)
  • SOC 1 certification issued for AWS (our cloud hosting)
  • SOC 2 certification issued for AWS (our cloud hosting)
  • SOC 3 certification issued for AWS (our cloud hosting)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Security of the medical information, medical records and results of healthcare organisations and patients is a top priority at Pin.Health. Medical entries contain information that only the particular patient and the authorised medical professionals and healthcare organisations need to see, and we intend to keep it that way. Every day we ensure that our security is in line with industry standards and compliance requirements. We built, and keep, the Pin.Health platform in compliance with HIPAA, GDPR, UK DPA and some other local standards.

Pin.Health has defined roles and responsibilities to specify which roles in the organization are responsible for operating the various aspects of our Information Security Management System (ISMS). The responsibilities of each role are detailed in Pin.Health’s security documents.

At the center of administering our ISMS is Pin.Health's Security Team. Pin.Health has appointed a Chief Security Officer (CSO) with overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of Pin.Health’s Security, Development and QA Team — focusing on Product Security, Security Operations, Computer Security Incident Response, and Risk and Compliance.

Our security documents help ensure that Pin.Health customers can rely on our workers to behave ethically and for our service to operate securely.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use iterative development for adding new features and fixes. All bug fixes, change requests, new features and releases, upgrades, maintenance and other elements that might impact our production environment are documented and well tested before deployment to production. All changes are authorised, reviewed and fully logged.

To minimize the risk of data exposure, Pin.Health controls changes, especially changes to production systems, very carefully. Pin.Health applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Pin.Health operates continuous automated static analysis using advanced tools and techniques. Defects identified by this process are reviewed and followed to resolution by our team.

Platform security is evaluated by the development team in sync with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.

Pin.Health has a defined vulnerability management process that triages vulnerabilities based on severity level, monitors incoming bug reports, prioritises true vulnerabilities and ensures their timely resolution.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Pin.Health monitors servers, workstations and mobile devices 24×7 by comprehensive automated systems to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure.

Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel immediately to correct any issues. Alerts are examined and resolved based on documented priorities.

All incidents are managed by Pin.Health’s dedicated detection and response team. Pin.Health defines the types of events that must be managed via the incident response process. Incidents are classified by severity, response procedures are tested and updated at least annually.
Incident management type
Supplier-defined controls
Incident management approach
Users can report incidents via email or support page.

Pin.Health has established policies and procedures for responding to potential security incidents. All incidents are managed by Pin.Health’s dedicated Detection and Response Team. Incidents are reported to a nominated individual who investigates the issue and produces a full report within prescribed timescales.

Pin.Health defines the types of events that must be managed via the incident response process. Incidents are classified by severity, response procedures are tested and updated at least annually.

In the event of a security breach, Pin.Health will promptly notify you of any unauthorized access to your Customer Data.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£20 to £120 a user a month
Discount for educational organisations
Yes
Free trial available
No
