Hicom Technology Ltd

Community Module

A mobile application extension to our clinical patient management systems, the Community Module has been designed to improve the delivery of care away from the traditional hospital setting.


  • Data synchronisation with Diamond, Twinkle, CareHub, Koru, Enterprise and Insight
  • Platform independent
  • Remote access to up-to-date data
  • Graphical representation of linear data
  • Removes the need for manual notes and later transcription


  • Hospital visits are reduced
  • Facilitates community care for better, more efficient patient encounters
  • Utilising technology for joined-up community care


£400 per device

Service documents

G-Cloud 10


Hicom Technology Ltd

John Sanderson

01483 794945


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Diamond, Twinkle, CareHub, Koru, Enterprise and Insight
Cloud deployment model Private cloud
Service constraints Hicom will notify the Client of any planned service disruption or downtime, although we reserve the right to temporarily restrict access to the service outside of normal Service Hours without notice to undertake system upgrades or maintenance. Hicom also reserve the right to limit use of the service to within Service Hours in the event that a risk is identified by use of the service outside of the Service Hours.

Access to the system is provided via HSCN.
System requirements Provision of industry standard browsers for each PC/device

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Hicom guarantee to respond to all support calls within eight working hours from the time of receipt of the call. Response to critical problem will be within two working hours from the time of the call.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide:

- First-line support: Basic level user and technical support. Also used to gather information and analyze a problem

- Second-line support: In depth technical support used to troubleshoot and solve problems

- Third-line support: Expert support for complex issues. Also used to support first and second line support

All levels of support are provided through payment of the standard support and maintenance charge.

A technical Account Manager is provided.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a comprehensive package of user training. The standard package includes on site training, but online training can also be provided. This training involves all elements necessary for users to utilise the sytem. In addition, administrative training will also be provided and, optionally, report builder training can also be delivered. User manuals and, where relevant, technical documentation is also provided.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Data is extracted by Hicom on request in a format dependent on future needs.
End-of-contract process The following activities can take place at the end of the contract:

- Analysis and design: We would be keen to either provide the replacement system, or provide consultancy around the nature of the requirement. This would include comprehensive legacy analysis of the existing system to inform the requirements of the next (additional cost).
- Configuration and change management: Any change requests or defect reports will be passed to the developers of the subsequent system (additional cost).
- Data will be provided as IFF (included).
- Operations and support: The final release will still be supported until it is finally removed as long as this stage is still within contract(included).
- Transition consultancy: General consultancy is offered to enable the move to the replacement system. This may include consultancy around data migration and, specifically, around the data schema (additional cost)

Using the service

Using the service
Web browser interface No
Application to install Yes
Compatible operating systems Android
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No major difference. Some small difference in how screens are rendered.
Accessibility standards None or don’t know
Description of accessibility Although not compliant to WCAG 2.0 AAA, WCAG 2.0AA or WCAG 2.0A, we are aware of these standards and incorporate them wherever possible into the design of all of our software. This awareness of Web Content Accessibility Guidelines (WCAG) 2.0 ensures that content is accessible to a wider range of people with disabilities as well as making our web content more usable to users in general.
Accessibility testing Our experience of interface testing with users of assistive technology is limited. However, we are aware that WCAG 2.0 success criteria are written as testable statements and are seeking to integrate this into our testing procedures.
Customisation available Yes
Description of customisation Users have limited ability to customise the service. This includes menu items, data entry templates, document templates and, to a limited extent, the look and feel of the interface. This ability is limited to those users who have appropriate role based access controls.


Independence of resources This is achieved through the following:
- Appropriate hardware: Our data centre in Brookwod in Surrey is constantly monitored to ensure it has the capability to provide the service for our current and projected workload. If required, new hardware and other infrastructure is added to accommodate demand
- Efficient software design: Our systems are designed to ensure the most effective use of service resources are made
- Our SLA: Users of the system can rely on the service level outlined in our service level agreement to ensure appropriate system provision


Service usage metrics Yes
Metrics types The following service usage metrics can be provided on request:

- Core user actions: Are users consistently using predefined core user actions?
- Activity time: The number of times a user visits a service and the elapsed time they spend
- Visit frequency: How often does a user return to a service
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach FIPS assured encryption
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported either by using pre-formatted, customisable audit reports or by creating their own reports via MS SQL server report builder.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • JPEG
  • PNG

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Physical security.

Availability and resilience

Availability and resilience
Guaranteed availability Hicom will endeavour to make the service available without disruption during Service Hours; however allowances should be made within this period for essential service downtime to enable critical software upgrades and system maintenance to be carried out.

Hicom guarantee system availability for 99.5% of the time during the Service Hours, however guarantees cannot be provided on the HSCN network connectivity that exceed those provided by Redcentric (the provider).

The 99.5% service availability objective equates to 10.4 hours of downtime during Service Hours within the contract year. Subject to the conditions set out in the full SLA, in the event that the service is not available for more than 20 hours within the Service Hours in any one contract year then the current contract period will be extended by 10 days without charge. For each additional 10 hours of downtime within the Service Hours in the same contract year, the current contract period will be extended by a further five days.
Approach to resilience This information is available on request.
Outage reporting All outages are reported via email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels All access to the system, including management interfaces, is provided by Role Based Access Control dependent on successful entering of a username and password. As the system is hosted within the HSCN network this adds a higher level of security. Where possible access control lists are used to restrict access by IP address.

Access to online support is similarly managed by Role Based Access Control, whilst those accessing telephone support may be asked to prove their identity if required. Where possible access control lists are used to restrict access by IP address.
Access restriction testing frequency At least once a year
Management access authentication
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 16/06/2015
What the ISO/IEC 27001 doesn’t cover We believe this covers all of our activities.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 27001 accredited and, as such, our information security policies and processes are guided by this. This, therefore dictates the following:
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance; with internal requirements, such as policies, and with external requirements, such as laws
Hicom is also registered with the Information Commissioner Office and adhere to the Data Protection Act 1998. We have and continue to take steps to ensure we remain compliant with the General Data Protection Regulations (GDPR). Hicom also hold certification for our Information Security Management System (ISMS) under ISO27001 and manage our confidential data policy and responsibility through our ISMS. Hicom are also registered under the Data Security and Protection Toolkit for NHS digital and measure and publish our performance against the National Guardian’s ten data security standards.
ISO 27001 compliance is managed by our Office and HR Manager Elaine Smart who reports directly into our Board.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes related to the product specification (configuration) are either captured by the Project Manager if the system is still being implemented, or by our support department or the clinical account manager if the system has already been implemented. These are then tasked as Requests for Change and prioritised for implementation

Changes in the project processes or baseline (time, money etc.) are dealt with via the Project Manager and, if necessary the relevant Hicom Product Manager. If a change is identified, all affected project parameters will be assessed, analyzed for impact and acted upon.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our vulnerability management process can be seen as follows:
- The information team review threats on a case by case basis
- Once alerted they review technical guidance regarding threats and other sources to identify a plan of action
- Depending on the patch we look to deploy all patches within seven days of release and critical and security patches within 48 hours
- Information about threats are gained from suppliers, industry sources, and industry publications
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our protective monitoring process can be seen as follows:
- The information team review potential compromises on a case by case basis
- Once alerted they review technical guidance regarding potential compromises and other sources to identify a plan of action
- Depending on the patch we look to deploy all patches within seven days of release and critical and security patches within 48 hours
Incident management type Supplier-defined controls
Incident management approach Our approach to incident management is informed by ITIL. As such it is made up of the following components:
- Incident detection and recording
- Classification and initial support
- Investigation and diagnosis
- Resolution and recovery
- Incident closure
- Ownership, monitoring, tracking and communication
Users report incidents through the support service defined in our standard SLA and incident reports are provided via the relevant Product Specialists.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £400 per device
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document
Return to top ↑