For children and young people living with long-term respiratory conditions, Hacka Health provides support to manage everyday routines, empowering them to manage their condition, engaging them and helping them adhere to their treatment plans.
Results are tracked in real-time using web-based technologies enabling actionable insights and driving improved patient outcomes.
- Healthcare practitioner dashboard allows for real-time monitoring and communication
- Secure and confidential
- Application can integrate with Fitbit and Apple Watch
- Application can be adapted based on specific clinical requirements
- Application can be adapted based on specific patient requirements
- Patient can add in their own exercise records
- On-site training can be provided to clinical teams
- Patients are incentivised via badges and rewards, based on performance
- Parent/carer portal allows for parents/carers to monitor progress
- Continuous engagement and encouragement
- Monitoring and communication allows for care programme adaptation
- Reduce unnecessary visits
- Support self care and management
- Targeted conversations for better patient outcomes
- Improve efficiency in patient interactions
- Provide reach and scale to healthcare professional's expertise and oversight
- Empower patients to be in control of their own recovery
- Badges and rewards can increase patient compliance and engagement
- Eliminates traditional snapshot view of patient progress
- Passive activity recording on app via HealthKit/Google Fit
£20 to £150 per licence
- Education pricing available
- Free trial available
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||Access to the mobile application can only be offered to a patient by invitation from a healthcare professional.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Critical issues < 2 hours. Others < 5 hours. Support is available 9 to 5 Monday to Friday. Critical issue support is available 24/7/365.|
|User can manage status and priority of support tickets||No|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Healthcare professional email support is available Monday to Friday 9 to 5.
Critical Issues - Response and resolution < 3 hours
Other Issues - Response < 5 hours, resolution < 5 working days.
User manuals and FAQs are available to cover common support questions.
HCP training is available (see pricing document)
|Support available to third parties||No|
Onboarding and offboarding
Healthcare Practitioners - we provide training as well as train-the-trainer to enable all users to access the system
Patients - a get-started guide is provided
|Other documentation formats||PowerPoint files|
|End-of-contract data extraction||
We are a data processor, contracted to a healthcare provider. The healthcare provider decides which data to collect and the legal basis for collecting it. Patients are invited to use the service by the healthcare provider.
Data retention periods and end of service data management/transfer are covered in each contract. Options for data extraction include:
1. Continue to provide the Hosted service for use by the clinic only in a read-only format. Subject to a new agreement/contract covering this service with commercials and costs agreed at that time.
2. Continue to store data for archiving purposes instead of transferring it back to the customer. Subject to a new agreement/contract covering this service with commercials and costs agreed at that time.
3. Provide professional services to assist the customer in an orderly transition to any replacement system on an hourly charged basis at Innerstrength’s then current rates. Innerstrength will not be obliged to disclose any confidential information to the customer or replacement.
4. Return the customer data to the customer in an industry standard format requested by the customer; and/or destroy all copies of the customer data held by Innerstrength and provide the customer with written verification of such destruction.
The contract end service is defined in each respective contract and can include:
- Data return and retention periods
- Statistical analyses
- Extended contract to only include data storage
In the majority of circumstances data is returned and deleted.
Data is not returned to the patient by Innerstrength Health.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The web application is for Healthcare Practitioners. The smartphone application is for patients.|
|Accessibility standards||None or don’t know|
|Description of accessibility||The mobile app has been designed for mobile devices with capabilities for user accessibility. We work with app users during initial design phases of our application in order to constantly improve usability.|
|Accessibility testing||Currently we do not undertake testing specific to users of assistive technology.|
|What users can and can't do using the API||All of the functionality of our applications is exposed through our secure APIs. Additionally, we expose custom integration APIs to support specific customer requirements.|
|API documentation formats||Open API (also known as Swagger)|
|API sandbox or test environment||Yes|
|Description of customisation||
During the implementation phase, the customer can decide on:
These can be changed during the lifetime of the contract, by contacting the support team
|Independence of resources||Our platform is hosted on AWS and is configured to provision additional resources as the demand on existing resources increases. This guarantees that load on any part of the infrastructure is maintained within its operating tolerances.|
|Service usage metrics||Yes|
|Metrics types||Usage metrics can be made available to customers upon request (this usually forms part of the contractual agreement)|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||European Economic Area (EEA)|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||All personally identifying and protected health information is encrypted at rest. Access is via individual logins. Access control is strictly monitored. User access is based on the least-privileges concept.|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Users cannot export their data. The service allows users to manually enter and review their data via web application or smartphone application. Export of users' data can be requested from support directly by the nominated customer contact. We can then arrange for data to be exported and provided to the customer for delivery to the user.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||Any manual transfer of sensitive information that may be required is carried out using password-encrypted archives (zips etc.) sent via a secure transfer service provider (e.g. wire.com)|
|Data protection within supplier network||
|Other protection within supplier network||Data is stored in AWS and is encrypted at rest|
Availability and resilience
|Guaranteed availability||Subject to contract. Typically 99.5% is guaranteed under our SLA|
|Approach to resilience||Our platform is hosted on AWS and is deployed in a minimum of 2 availability zones at any time. The service runs in an "n+1" redundant configuration such that if any component should fail, the service will remain operational and self-heal by automatically replacing the impacted resource.|
|Outage reporting||We publish our status using a 3rd party availability monitor with global access checking.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||All access employs a role-based security model that assigns appropriate privileges to a user according to their role. Only specific users are granted access to administrative and/or support interfaces.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||GDPR; also working towards ISO/IEC 27001:2013 (ISO 27001)|
|Information security policies and processes||The Innerstrength Health Company Information Security Policy is followed by all staff members|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Innerstrength’s configuration management process for issue tracking, source code maintenance and documentation including changes relating to security patches and software components utilised in the product are detailed in our development process manual.
Our source code repository is linked directly to our issue management system. This guarantees each change to the codebase is recorded against a description containing the reasons for the change, code review process and any security considerations taken during implementation.
We have distinct development and production environments and continuous integration procedures in place. Build tools are used to track build numbers and issue numbers within each build.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
In order to ensure vulnerabilities are tracked and monitored across all systems, we maintain a vigilant approach that includes external penetration and security testing, security reviews during our weekly planning sessions, and our own internal security testing.
We also carry out code reviews so that code is critically viewed by other members of the team prior to commit.
We monitor security updates and advisories relating to our software components and deploy patches relating to these straight away.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
A full audit trail is kept of all application and user activity on Amazon AWS. All alarms and events are written to periodically rotated log files and persisted to secure S3 storage for retrospective analysis.
Automated alarms are used to notify us of any potential threats. Customers can also report any incidents directly to us.
Any notified threat is acted upon by the incident team and is remedied.
|Incident management type||Supplier-defined controls|
|Incident management approach||
An Incident Response Plan is detailed within the Innerstrength Health Information Security Policy. The Plan covers incidents of an electronic (e.g. an attacker accessing the network for unauthorised/malicious purposes, or a virus outbreak) or physical (e.g. loss/theft of a laptop or mobile device) nature. The Plan incorporates the following aspects:
- Incident Preparation (following guidelines and policies outlined in the Plan)
- Confidentiality of data
- Electronic Incident plan details
- Physical Incident plan details
- Notification of relevant parties, if applicable
- Managing risk
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£20 to £150 per licence|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We can provide a time-limited free version of our service in certain circumstances, for example for educational institutions and charities, where no development work is required.|