SH:24 online sexual health and STI testing service
SH:24 is the only fully-integrated online sexual health service that works in partnership with local clinics to provide access to self-sample STI/STD screening via an online platform available 24/7. Supported by remote clinical support, accredited clinical laboratory, clinical record system, pharmacy, comprehensive performance analytics and online tools to support self-management.
Features
- Seamless user pathway between online and clinic services
- Track-record on-boarding clinics to an integrated online sexual health service-model
- Remote clinical support via email, telephone, SMS and webchat
- Clinically led, user-informed designed risk/safeguarding assessment
- High visibility using web-analytics, SEO, social media and online signposting
- CQC registered service compliant with BASHH/FSRH Standards
- Secure clinic admin portal to manage users and view data
- Ability to provide online CT treatment with partner notification
- Consultant-led specialist SRH clinical team including nurses and health advisors
- Integration with ISO15189 accredited and CQC-registered laboratory for clinical specimens
Benefits
- Evidence of high satisfaction levels with positive service user feedback
- User co-designed test kits with track-record of high return rate
- Ongoing academic service evaluations informing service innovation
- Bespoke workflow and user-pathway co-designed with customers
- Detailed visual analysis of performance metrics on a monthly basis
- Dedicated data-analyst to provide intelligence and inform service provision
- Track-record shifting asymptomatic users online and releasing clinic resource
- Online algorithm designed to target and support high-risk vulnerable users
- Added value online tools to support user self-management
- User safety assured through comprehensive safeguarding and remote support
Pricing
£21.11 to £79.32 a person
Service documents
Request an accessible format
Framework
G-Cloud 11
Service ID
4 8 6 1 8 8 1 7 2 3 6 3 6 0 5
Contact
SH:24 C.I.C.
Blake George
Telephone: 020 7620 2250
Email: blake@sh24.org.uk
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Integration with booking systems, clinical record systems, partner notification tools, pharmacy and laboratory information management systems.
- Cloud deployment model
- Hybrid cloud
- Service constraints
- No service constraints
- System requirements
- Compliance with ICO/DoH/NHS Digital data protection security standards
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- SH:24 strives to resolve support requests within 1 hour from 9am to 5pm, Monday to Friday, and within 3 hours on weekends.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 A
- Web chat accessibility testing
- SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
- Onsite support
- Onsite support
- Support levels
- Clinic/buyer support is available 9am to 5pm - 7 days per week, service-user support is available 9am to 5pm - 7 days per week, DevOPs support for any IT technical issues is available 24/7. All support provided at no additional cost.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Online and onsite training is provided to plan the overall user journey, set-up users and train how to use the SH:24 Admin Clinical Record System. Alongside this, customised SH:24 handbooks are provided for reference.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- Disaggregated and anonymised raw backing data is shared securely though password protected .csv file via NHS.net email. This can be provided on request following completion of the contract to account for delayed kit returns.
- End-of-contract process
- Service user eligibility agreed during the contract is removed, access to the SH:24 back-end is revoked. The buyer is required to pay for an agreed estimate of delayed kit returns.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari 9+
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None
- Service interface
- Yes
- Description of service interface
- The interface is available 24/7 and assesses users eligibility, any risk, safeguarding needs and informs us of their circumstances that subsequently identifies which suite of tests should be requested of the pathology and which self-sampling consumables should be sent out. The admin or back-end system then flags any safeguarding needs for our clinicians to respond to and creates the kit order that a team of kit distributors fulfill. They then trigger a dispatched SMS to the user to keep them up to date on the progress of their order.
- Accessibility standards
- WCAG 2.1 A
- Accessibility testing
- SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
- API
- Yes
- What users can and can't do using the API
- A library of APIs exist to perform integration between Laboratory LIMS, Pharmacy, clinical record and booking systems.
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- During mobilisation we work with the buyer to co-design the user pathway including triage criteria, notification logic, ability for users to select/deselect tests and results management in order to target high-risk users and reduce inappropriate use. Buyers can elect to cap the number of orders each day based on their affordability limit.
Scaling
- Independence of resources
- SH:24's services are designed to scale with IT hardware, resource usage and system integrity monitored 24/7. SH:24 is supported by flexible pools of organisational groupings covering operations, clinical, commercial and service development in order to support the service as it scales and provide contingency during periods of peak demand. We analyse our capacity regularly to ensure our resource planning is robust.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Including, but not limited to: orders, returns, turn-around times, insufficient/haemolysed samples, number of reactive results, CT treatments, safeguarding cases, user feedback including complaints, heat-map with uptake via LSOA, demographic breakdown of orders (gender, ethnicity, MSM, age etc). Data is quality assured and buyers are assisted with ongoing and one-off data requests to answer specific questions from our data set.
- Reporting types
-
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
- Physical access control, complying with SSAE-16 / ISAE 3402
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Disaggregated and anonymised raw backing data is shared securely through password protected CSV file via NHS.net email each month or as required. SH:24 provides a comprehensive, visual performance report and a safeguarding report each month alongside the backing data. Reports are generated by a fully automated system within the HSCN network and data is quality-assured prior to submission. We highlight trends, concerns or improvements with a detailed qualitative analysis.
- Data export formats
- CSV
- Data import formats
-
- CSV
- ODF
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
SH:24 is hosted on AWS utilising a cluster service model with an availability of 99.99%.
https://AWS.amazon.com/compute/sla - Approach to resilience
- This information can be made available on request
- Outage reporting
- Email alerts
Identity and authentication
- User authentication needed
- Yes
- User authentication
- 2-factor authentication
- Access restrictions in management interfaces and support channels
- Prior to access being granted to Admin CRS, training is provided. We use an internal procedure to vet applications. Once training and approval are complete, users sign a Confidentiality Code of Conduct. Once access is granted each session requires login using 2-factor authentication and a memorable word. Permissions are limited by level and role. The application logs actions performed by users, providing an audit trail. This feature allows review of vies, edits and actions performed.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
-
- Data Security and Protection Toolkit
- Cyber Essentials
- External audit of data and security measures/protocols
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
- Data Security and Protection Toolkit, Cyber Essentials, External audit of data and security measures/protocols
- Information security policies and processes
- SH:24’s approach to data protection and security is shaped by existing and relevant legislation. When designing our service, SH:24 consulted users, clinicians, data protection experts, Trusts and Public Health experts which has also influenced our approach to data protection and security. We are registered with the Information Commissioner's Office and our service has been peer reviewed and approved by SH:24’s partner NHS Trust Information Governance (IG) Boards and Caldicott Guardians. In our last Data Security and Protection Toolkit submission we provided 100% of the mandatory evidence items and confirmed 100% of all assertions.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Changes to the application (front-end and the Admin Portal) are reviewed and approved by our Service Development Director and our DPO in accordance with SH:24’s Change Control Procedure. Prior to any deployment of any major updates or changes to the service renewed penetration testing is undertaken to assess the integrity of the SH:24 application. The management of access rights is subject to regular compliance checks.
- Vulnerability management type
- Undisclosed
- Vulnerability management approach
- Regular audits of our system security including penetration testing are conducted by an accredited third-party. Weekly code reviews take place together with Quality Assurance inspections and user acceptability testing (UAT), carried out by a combination of internal and external reviewers, before any new or revised features are deployed. No code is deployed without a regression test. Urgent security patches are automated and deployed daily. Non-urgent updates are deployed monthly.
- Protective monitoring type
- Undisclosed
- Protective monitoring approach
- The operating system and user access is monitored on a daily basis as part of SH:24's daily metrics overseen by our DevOps team. Any unusual activity or failure to meet metrics triggers an alarm and subsequent investigation compliant with ICO guidance. We promptly assess the risk to people's rights and freedoms and if appropriate report the breach to the ICO within 72 hours as per GDPR.
- Incident management type
- Undisclosed
- Incident management approach
- Our Data Breach Policy is updated yearly and sets out how we identify, investigate, manage and report information incidents. SH:24 follows NHS Digital and ICO guidelines to assess whether an incident is reportable on the Data Security and Protection Reporting Tool. If notifiable, the breach reported separately to the ICO. All incidents and near misses are entered onto our incident management system and our information security and data protection officer ensures key members of staff and any individuals/organisations affected are notified.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- Health and Social Care Network (HSCN)
Pricing
- Price
- £21.11 to £79.32 a person
- Discount for educational organisations
- No
- Free trial available
- No