Clinic.co


Clinic.co provides clinicians with a telemedicine platform and MDT service without the need for Apps. Simply send a text/email to patients/colleagues that creates an instant consultation/MDT - no download required. Artificial Intelligence can analyse video for vital signs. AES 256 Encryption & GDPR compliant. Multiple video storage options. www.clinic.co

Features

  • Remote access telemedicine platform with no App/ Downloads required
  • Text/ Email enabled video and audio streaming
  • Online Multi-disciplinary Team meetings
  • Vital Sign (Pulse / Respiratory rate) monitoring through video
  • Multiple video storage options (none, Cloud, Local through API)
  • AES 256 Encryption, GDPR Compliance, ICO Registered
  • Appointment Scheduling system
  • Image/ Notes uploading system
  • Billing / Payment system
  • Multiple Branding options

Benefits

  • Flexible delivery - enabling patients to access care from home
  • Continuity of care (by same clinician independent of location)
  • Multi-disciplinary meetings ensuring best practice
  • Faster care and complete clinician/ service control
  • Improved clinic efficiency and increased income through tariff
  • Objective remote reading of Vital Signs - e.g. heart rate
  • Documented consultations if video is stored (optional)
  • Supporting Long term Conditions, assisted living and home healthcare
  • Improved access to clinicians (doctors, nurses and therapists)
  • AES 256 Encryption, GDPR compliant and ICO Registered

Pricing

£0 to £20 per person per month

Service documents

G-Cloud 11

522569802753908

Clinic.co

Mark Wilson

02032878128

info@clinic.co

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Clinic.co (www.clinic.co) can be used as a web-based standalone system or integrated into existing patient systems via API. The platform can be integrated with 3rd party applications such as Adastra and multiple CAD systems. Video feed can be stored in cloud or locally in patient record.
Cloud deployment model Private cloud
Service constraints No - the system is hardware neutral and works on any network. No third party software is used and we have managed continuous uptime with no interruption for maintenance.
System requirements
  • Requires HTTP / internet access
  • Requires user email address (clinician) to register
  • Requires patient email/telephone number

User support

Email or online ticketing support Email or online ticketing
Support response times Email support is provided 24/7. Response times for non-urgent requests are within minutes to 24 hours (next working day at weekends). Urgent requests (those affecting system use) are dealt with by the Technical team within a maximum of two hours of the request being logged.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Support is included as part of service, including technical account management and access to our tech team 24/7. Specifically: System Uptime - System uptime will be maintained at 95% (excluding planned outages) 24 Hour Support Service - 95% of responses to requests provided within 3 hours from the time the email was logged. Rectification of Faults. Severity 1 - High impact, ie Loss of functionality - 90% of Faults are rectified within 24 hours, from the time of the email being logged. Severity 2 - Medium impact, ie Incorrect settings or changes not working. 90% of Faults are rectified to the satisfaction of client within 2 days, from the time of the email being logged. Severity 3 - Low impact, ie Fault is an inconvenience. 100% of Faults are rectified to the satisfaction of client within 7 days, from the time of the email being logged. Planned Outages. 100% of outages for technical maintenance/system updates/upgrades are planned and agreed with client - 14 days notice will be provided. Upgrades to software modifications, updates or new releases. 100% of upgrades will be provided on release whilst maintaining functionality. Where this is not possible, permission from client will be sought.
Support available to third parties Yes

Onboarding and offboarding

Getting started We can establish a complimentary trial for individuals / organisations to ensure the service addresses their needs.

The system is highly intuitive, but we can provide online training or onsite training if required. We have manuals, video tutorials and documentation (e.g. regarding governance) to support new users.

We have standard APIs (with documentation) and can create bespoke APIs with full technical support, both remote and on site.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data retention and disposal is agreed with client before service commencement. Typically this includes an agreement for Clinic.co to provide any data held to the buyer and then destroy additional records. As standard, no video data is stored on the caller's mobile phone, or on the clinic.co server. However, we have options to store video if clients want this (AES 256 encrypted, GDPR compliant). In such cases, all video data is held and accessible via the Dashboard at all times (where requested by client). Buyer is able to extract data directly from the Dashboard. Very limited data is stored regarding consultants and it is all AES 256 Encrypted and GDPR compliant.

Users are able to extract data through the dashboard or by sending a direct request to the Clinic.co Administration team.
End-of-contract process There are no additional costs at the end of the service. At the termination date, clinic.co revokes access to the system, shares a record of any data stored and destroys any existing data. As the system operates in a stand alone capacity, further action is not required and other client systems will not be affected.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Clinic.co platform automatically adjusts to optimise for the device it is being used on. The same information and features are available on mobile and desktop services.

Desktop, tablet and mobile devices can be used to initiate a video consultation / MDT. This can be by sending a link to a mobile phone (as a text message) or to a mobile phone, tablet or desktop as an email.

No App / download is required on either the clinician or the patient side.
API Yes
What users can and can't do using the API Streaming API - to send link for streaming - open up user's camera and start streaming via text or email, receive heart rate data, invalidate link, delete stream and metadata using ID, fetch metadata of all recorded streams in date/time range, download stream using its name.

API to enable local storage of video (where client has selected option to record video) - allows client to pull data from Clinic.co platform and store locally.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The system is customisable and can be tailored to suit the needs of the client. For example, the system can be branded / co branded if required.

Additionally within the dashboard, organisations can create administrators of different levels, switch on video storage and vital sign monitoring options and customise text messages.

Additional specific or bespoke requirements can also be addressed. Please contact us to discuss.

Scaling

Independence of resources Clinic.co is built on the idea of modularity (micro-services) and scalability. We run all our services in HA mode and, since we have a modular architecture, we can horizontally scale the module/micro-service which is under heavy load. The video streaming architecture component is based on: 1) a highly available coordinator service which is horizontally scalable; 2) a scalable media handling service which is stateless and horizontally scalable. A microservice-based architecture is extremely easy to scale and the system auto-scales with clusters, which means it is able to dynamically adjust the number of our servers based on user demand and usage.

Analytics

Service usage metrics Yes
Metrics types Information below can be provided:
- No of clinician uses.
- Time/Date of each use.
- Duration of each use.
- The specific video can be provided where the client has elected for consultations to be stored and not just streamed.

Additional information such as AI measured pulse rate can also be stored.
Reporting types Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach Physical access control is in place for the datacenter complying with SSAE 16 and ISAE 3402. We use AWS which is also a G-cloud compliant data centre. When the data is at rest, we use AES-256 bit encryption. Our data storage system always has a replication factor greater than 1 and we have automated back-up generation in place.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach This depends on data stored. If users require data regarding consultations stored, it can subsequently be downloaded from the dashboard. If video data is stored, this can be downloaded (client side, not patient side) directly from the dashboard. This can be automated into 3rd party systems (e.g. CAD), patient record systems or simply onto a local server.
Data export formats
  • CSV
  • Other
Other data export formats
  • HTML
  • XML
  • JSON
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • XML
  • HTML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks DTLS and SRTP for video transmission
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network DTLS and SRTP for video transmission

Availability and resilience

Guaranteed availability System Uptime guaranteed at 99.5% (excluding planned outages). Refund of 3% of the monthly license fee if not met. 24 Hour Tech Support Service. 100% of response to requests provided within 1 hour from the time the call was logged. Refund of 1% of the monthly license fee if not met. Rectification of Severity 1 Faults - High impact. 100% of Faults are rectified to the satisfaction of the buyer within 24 hours, from the time of the call being logged. Refund of 3% of the monthly license fee if not met. Rectification of Severity 2 Faults - 100% of Faults are rectified to the satisfaction of buyer within 2 days, from the time of the call being logged. Refund of 3% of the monthly license fee if not met. Rectification of Severity 3 Faults - 100% of Faults are rectified to the satisfaction of the client within 7 days, from the time of the call being logged. Refund of 3% of the monthly license fee if not met. Upgrades to software modifications, updates or new releases - 28 days notice will be provided - Refund of 3% of the monthly license fee if not met.
Approach to resilience All Clinic.co features are coded in house. There are no third party utilities (e.g. video is done through native WebRTC not through Skype or a commercial third party). This means we can guarantee uptime as we are not reliant on another party. This accounts for why we have not had even a second of downtime in 4 years. The Clinic.co platform is built using micro-service architecture which is the bleeding edge industry standard (rather than being one monolith which cannot be changed, load balanced, scaled, improved or continuously deployed).
Outage reporting Supplier will report any outages to Buyer via email alerts.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access to data is tightly controlled by user roles and password restricted to a closed group of authorised employees. Access and use are closely monitored and systems are in place to ensure access is only provided to those with a bona fide interest. We also train employees on acceptable use and have security protocols in place to which all employees adhere.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards We use AWS which is also a G-cloud compliant data centre.

We fully meet ISO/IEC 27001 compliance and are in the process of attaining accreditation. A Letter of Commitment from our Accreditors is available upon request.

We are GDPR compliant and ICO registered
Information security policies and processes We have information security policies in place to ensure confidentiality (data and information assets are confined to people authorised to access them and not disclosed to others), integrity (keeping the data intact, complete and accurate, and IT systems operational) and availability (system is at disposal of authorised users when needed). Our security policies adhere to the Security Forum's Standard of Good Practice, the International Standards Organisation's Security Management series and the Information Systems Audit and Control Association's Control Objectives for Information Technology. Specifically, we adhere to additional sub-policies, including: Authority & Access Control Policy to ensure staff are permitted hierarchical access according to their role. All access is monitored and staff adhere to Acceptable Use and Data Handling Policy. We also have a Change Management Policy, Incident Response Policy, Remote Access Policy, Email/Communication Policy, Disaster Recovery Policy and Business Continuity Plan. We also have processes to ensure technology standards, procedures and guidelines for staff and workflow processes.

We are GDPR compliant and ICO registered

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach There are no third party utilities or components used (e.g. video is done through native WebRTC not through Skype or a commercial third party). All code is done in standard programming languages of Objective-C for iOS, Java for Android, C# for Windows phones and HTML. No contractors are used - all tech is developed in house. This means we can manage change effectively through our in-house processes and the security impact is mitigated. This accounts for no downtime in the last five years.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach All of the communications on our platform are done using TLS 1.3 or 1.2. We also have an integrated database with Amazon/Google and are able to deprecate crackable ciphers. We don't use Windows products at all due to their known vulnerabilities; all the services are Linux based and developer environments are Unix based. We also have measures in place for various hack prevention such as cross site scripting, DoS, DDoS and brute force attack. Unauthorised kernel modules are continuously scanned and checked against Amazon's AWS definitions.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We employ a repeatable and periodic process for scanning, identifying and remediating newly discovered security vulnerabilities on servers, workstations, network equipment, and applications. We use Linux and Unix based kernels and all actions are monitored based on the user's logon and roles. Policy and procedures have been developed in line with relevant legal and regulatory requirements and also adhere to NHS industry standards. Our Tech team commit to responding to all critical incidents 24/7, with all issues resolved within 24 hours of being identified.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach A summary of the incident management approach is below:
- Incident logging - Incident logged through phone and email.
- Incident categorisation - based on the area of IT or business.
- Incident prioritisation - priority of incident determined as a function of its impact and urgency using a priority matrix, determining the time within which the incident should be resolved.
- Incident routing and assignment.
- SLA management and escalation.
- Incident resolution.
- Incident closure.
- Post-incident review - all incidents are reviewed and evaluated by Technical Team.
- Reporting - All processes are logged and Buyers are able to request incident reports documenting steps.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks NHS Network (N3)

Pricing

Price £0 to £20 per person per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We provide a free use basic video service to individual clinicians who have an NHS email address/CQC approved clinical practice. Recording consultations is chargeable.

We can also offer a free trial of advanced features to organisations on a case by case basis.
Link to free trial https://clinic.co

Service documents

  • Pricing document (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)