Patients Know Best

Integrated Digital Care Record with patient consent

Patients Know Best is a clinical portal designed for borderless sharing of information. The NHS HSCN-hosted cloud-based system delivers a consolidated record from all sources across primary, secondary, mental and social care, including public, private and third sectors. Uniquely, data sharing is under patient consent with granular privacy labels.

Features

  • Access to data about the patient from all other PKB customers
  • Full health and social care record data fields
  • Patient control of sharing information, with emergency access functionality
  • Bi-directional REST API for every data point including consent
  • HL7 standard API for receiving data from integration engines
  • Encryption in storage with unique private key for each record
  • Cloud-based, available on any internet enabled device
  • Shared care planning across all providers
  • Integration with GP, hospital, mental health and community IT systems
  • Single sign on from selected partners

Benefits

  • No server requirements as fully hosted secure cloud solution
  • Share data across any connected organisation, true borderless solution
  • Comply with patients' wishes for data sharing
  • Enforce granular privacy: general, sexual, mental and social care data
  • Integrate with EPRs across primary, secondary and specialist care
  • Document explicit permission for secondary use of data
  • Go paperless across organisations
  • Fully coded datasets
  • Supports mobile working - device agnostic
  • Integrate all data about the patient across health and social care

Pricing

£0.75 to £1.23 per person per year

  • Education pricing available

Service documents

Framework: G-Cloud 10

Service ID: 537984119475111

Supplier: Patients Know Best

Contact: Mohammad Al-Ubaydli

Telephone: +44 1223 790708

Email: sales@patientsknowbest.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Internet access with a browser equivalent to IE10 or later
System requirements Internet browser equivalent to IE10 or later

User support

Email or online ticketing support Email or online ticketing
Support response times Requests are assigned a resolution priority with target times from 4 hours to 3 days; customers receive an acknowledgement within 1 hour
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels All support is included in the fixed Software-as-a-Service licence fee.

Support has a defined Service Level Agreement as described at http://help.patientsknowbest.com/SLA.html

Support includes project management, technical assistance, integration and end-user support. A Freshdesk-based service desk provides a single point of access and tickets every service query. Each ticket is assigned one of four priority levels, depending on the nature of the query, and each level has guaranteed response times.

Each organisation is assigned a technical account manager where necessary, overseen by the PKB Solutions Architect.
Support available to third parties Yes

Onboarding and offboarding

Getting started A dedicated project manager (Success Team member) will be assigned to the Customer immediately and they will act as the single point of contact throughout the contract.

At the beginning of the project the Success Team will create a Project Initiation Document (PID) that covers the technical, configuration, integration, and on-boarding tasks to complete, including Information Governance and technical due diligence (Privacy Impact Assessment). The Success Team member will assign milestones to every task and these can be tracked via the project management software, 'Teamwork'. The customer can interact and add to the project from within Teamwork.

Training is ongoing and includes face-to-face workshops, an e-learning platform, video resources and an online help manual, as well as full technical assistance via Freshdesk.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction PKB records are maintained for patients after the end of any contract and for a maximum of 8 years after the last known activity of the patient. All data remains in the ownership of the patient.

Organisation-level data can be extracted, with patient consent, via REST APIs so that clinical data can be transitioned onto another platform.

In order to migrate all patient data, an organisation will need a list of all NHS numbers to migrate. Given this list, the following API could be called programmatically to determine the PKB Id associated with each patient:

https://sandbox.patientsknowbest.com/api/index.html#!/Users/getNationalNumberByPatientId

From this point, systematic calls to all PKB REST APIs can be made, passing in the PKB Id as a parameter, to pull back patient data. PKB REST API calls are tightly coupled to PKB data structures in the back end and would allow an organisation to effectively migrate patient clinical data to a new platform.

The customer can use these APIs and consents to migrate the data to systems other than PKB.
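The migration procedure above (a list of NHS numbers, a lookup of each patient's PKB Id, then per-patient REST calls), written out as an added Python example that is not PKB's own code. The route templates, the JSON field names (`pkbId`, `sharedWith`) and the sample records are hypothetical stand-ins for the Swagger-documented endpoints; the OAuth 2.0 bearer token, the lookup step and the per-resource pulls follow the listing. It validates each NHS number with the standard modulus-11 check before making any call, and skips patients who have not shared their record with the migrating organisation, keeping the export inside the consent the listing describes.

```python
# Added example (not Patients Know Best's own code): a migration driver that
# follows the end-of-contract procedure in the listing. The route templates,
# the JSON shapes and the sample records are hypothetical; only the bearer
# token, the NHS-number-to-PKB-id lookup and the per-resource GETs reflect
# the listing. NHS numbers are validated with the standard modulus-11 check.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Hypothetical route templates (the listing only links the Swagger index).
LOOKUP_PATH = "/api/users/by-nhs-number/{nhs}"
CONSENT_PATH = "/api/patients/{pkb_id}/consent"
RESOURCE_PATH = "/api/patients/{pkb_id}/{resource}"
# A subset of the resource types named in the listing's API summary.
RESOURCE_TYPES = ["allergies", "appointments", "diagnoses", "medications", "tests"]

# A GET helper: path -> decoded JSON, or None when the resource does not exist.
Fetch = Callable[[str], Optional[Any]]


def nhs_number_is_valid(value: str) -> bool:
    """Standard NHS number check: 10 digits, modulus-11 check digit."""
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid check digit exists for this prefix
        return False
    return check == int(digits[9])


@dataclass
class MigrationReport:
    exported: Dict[str, Dict[str, Any]] = field(default_factory=dict)
    invalid: List[str] = field(default_factory=list)
    not_found: List[str] = field(default_factory=list)
    no_consent: List[str] = field(default_factory=list)


def migrate(fetch: Fetch, nhs_numbers: List[str], org_id: str) -> MigrationReport:
    """Resolve each NHS number to a PKB id, confirm the patient has shared the
    record with org_id, then pull every resource type for that patient."""
    report = MigrationReport()
    for raw in nhs_numbers:
        nhs = raw.replace(" ", "")
        if not nhs_number_is_valid(nhs):
            report.invalid.append(nhs)
            continue
        user = fetch(LOOKUP_PATH.format(nhs=nhs))
        if user is None:
            report.not_found.append(nhs)
            continue
        pkb_id = user["pkbId"]
        consent = fetch(CONSENT_PATH.format(pkb_id=pkb_id)) or {}
        if org_id not in consent.get("sharedWith", []):
            report.no_consent.append(nhs)  # respect the patient's sharing choice
            continue
        report.exported[nhs] = {
            resource: fetch(RESOURCE_PATH.format(pkb_id=pkb_id, resource=resource)) or []
            for resource in RESOURCE_TYPES
        }
    return report


def make_http_fetch(base_url: str, bearer_token: str) -> Fetch:
    """Real client: OAuth 2.0 bearer token over HTTPS; a 404 maps to None."""
    def fetch(path: str) -> Optional[Any]:
        req = urllib.request.Request(
            base_url + path,
            headers={"Authorization": "Bearer " + bearer_token, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


# Constructed sample records keyed by path, standing in for the sandbox.
SAMPLE_RECORDS: Dict[str, Any] = {
    "/api/users/by-nhs-number/9434765919": {"pkbId": "pkb-001"},
    "/api/patients/pkb-001/consent": {"sharedWith": ["ORG-A", "ORG-B"]},
    "/api/patients/pkb-001/allergies": [{"substance": "penicillin"}],
    "/api/patients/pkb-001/medications": [{"name": "metformin"}],
    "/api/users/by-nhs-number/1234567881": {"pkbId": "pkb-002"},
    "/api/patients/pkb-002/consent": {"sharedWith": ["ORG-B"]},
}


def make_fake_fetch(records: Dict[str, Any]) -> Fetch:
    """Offline stand-in for make_http_fetch, replaying the constructed records."""
    return lambda path: records.get(path)


if __name__ == "__main__":
    result = migrate(make_fake_fetch(SAMPLE_RECORDS),
                     ["943 476 5919", "1234567881", "1234567890", "4010232137"], "ORG-A")
    print(json.dumps(result.__dict__, indent=2))
```

The `Fetch` callable is the only seam: `make_http_fetch` is the real HTTPS client, `make_fake_fetch` replays the constructed records so the block runs offline. Reporting the `not_found` and `no_consent` lists, rather than silently dropping those patients, is what lets the receiving organisation reconcile its register against what was actually exported.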
End-of-contract process PKB is committed to providing a long-term complete record that customers and patients can rely on. PKB will maintain the record for the patient for at least 8 years (and longer if the patient is linked to any other PKB customers).

PKB will produce a detailed Termination Plan for the cessation of services at the start of any new contract. All data is available throughout the life of the contract via the REST API, so no data migration is needed. At the point of cessation the integration will be switched off and no further data from the clinical systems will come into the PKB patient record. The professional login will be ‘deactivated’, meaning professionals will no longer be able to access specific patient records. However, to maintain the full medico-legal record of interactions, professionals will still be able to log in in the same way as before and will still be able to access their own ‘discussions’. This is the medico-legal record of their interactions with the patients and will not be deleted. Professionals will also retain access to any survey and care plan exports that they may have requested up to this point.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service User interfaces are identical - the website is designed to scale dynamically across all size screens, and accessible with both mouse and touch screen devices
Accessibility standards None or don’t know
Description of accessibility PKB has been fully tested to meet accessibility guidelines. For example, the large-tile interface is designed for touchscreen devices and for people who may have arthritis or other joint problems; the colour and contrast have been tested for colour-blindness and visual impairments; and, as an internet-based platform, it is compatible with screen readers and dictation, making it accessible for people with auditory and visual difficulties.

No part of PKB is more than three clicks away from the home screen, with most sections being only two. Furthermore, PKB is used by all age groups, with varying levels of computer literacy.
Accessibility testing Usability: Patients Know Best (PKB) has been designed with an easy and intuitive interface and familiar navigation methods, for example a 'tile' design that is familiar to both Windows and Apple users. No part of PKB is more than three clicks away from the home screen, with most sections being only two. The system undergoes extensive and continuous user feedback and testing and is incrementally upgraded on a fortnightly basis to improve the user experience. Furthermore, PKB is used by all age groups with varying levels of computer literacy, and is uniformly accepted and used.

Accessibility: The user interface is already translated into 19 languages and can be switched from one language to another in real time. As a web-based solution it is fully compliant with all accessibility standards for screen resolution (changing the contrast, size and type of screen) and screen readers. PKB is also available on any internet-enabled device.
API Yes
What users can and can't do using the API PKB publishes an Open REST API at http://dev.patientsknowbest.com/home/rest-api. The REST API allows two-way push and pull of data from the PKB repository, enabling integration with third-party apps and solutions.

Users can make calls against the REST API via GET, PUT and POST operations. PKB also publishes a Single Sign On API allowing direct login to the PKB environment from third-party solutions. There is a sandbox environment that is accessible to all.

Every data point in PKB is available via a real-time two-way REST API with OAuth 2.0. Data is extractable from PKB via the REST API for data warehousing and reporting. Here follows a summary of the data available to pull, push or update via Swagger:
(full summary can be found at: https://sandbox.patientsknowbest.com/api/index.html)

Allergies
Appointments
Consent
Diagnoses
Encounters / Messages (virtual)
Care Plans / End of Life
Episode of Care
Immunization
Journals
Measurements
Medications
Observations
Pregnancies
Procedures
Related Person
Symptoms
Tests
Users
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The PKB patient portal can be configured for different user groups in the following ways:

1. User interface: Each professional team/organisation can use its own logos, change the welcome message and colour scheme, and have specific headers and footers, which might link to specific resources or external support, as with the National Rheumatoid Arthritis patient portal powered by PKB.
2. Content: PKB has an information library that allows condition- or service-specific information and resources to be held, allowing it to be tailored to the precise needs of the individual.
3. Self-management: The individual user can connect more than 100 different apps and devices to track their well-being, meaning that PKB can be the hub of their individual digital ecosystem.
4. Care planning: PKB can hold as many care plan templates as necessary, with each template (built in HTML) configurable with condition-specific actions.
5. User settings/preferences: both professionals and patients are able to set a number of preferences in their dashboard.

Scaling

Independence of resources PKB is delivered as Software-as-a-Service (SaaS) and, being virtually hosted, memory and storage can be adjusted as needed on the fly. PKB typically operates at around 5% memory utilisation, allowing throughput to safely increase 10-20x without service interruption and accommodating spikes in usage and seamless on-boarding of new clients.

Analytics

Service usage metrics Yes
Metrics types Team-aggregated usage data including login activity (all user types), file and data activity (messages sent, HL7 sent, files uploaded, symptoms tracked etc.), and users created (created, registered, ID verified, email set). This data is also aggregated to organisation level, so that it can be viewed and understood at multiple levels.

Data is curated into a selection of graphs to present it in a downloadable, intuitive and easy-to-digest format.

These graphs are delivered via an interactive and visually pleasing online dashboard service, updated weekly.

Guides on the metrics and dashboards are available publicly at http://help.patientsknowbest.com/Statistics.html
Reporting types Regular reports

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Every data point in PKB is available via a real-time 2-way REST API with OAuth 2.0. Data is extractable from PKB via REST API for data warehousing and reporting. Here follows a summary of data available:
(a full summary can be found here: https://sandbox.patientsknowbest.com/api/index.html)

Allergies
Appointments
Consent
Diagnoses
Encounters / Messages (virtual)
Care Plans / End of Life
Episode of Care
Immunization
Journals
Library
Measurements
Medications
Observations
Pregnancies
Procedures
Related Person
Symptoms
Tests
Users
Data export formats
  • CSV
  • Other
Other data export formats JSON format via GET command via API
Data import formats
  • CSV
  • Other
Other data import formats
  • HL7
  • JSON-formatted PUT and POST commands via API

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks PKB protects data in transit in two ways:

1. Secure server holding the data: this is hosted to ISO 27001 standards inside the NHS HSCN network, behind the NHS firewall. This protects against malicious hacking attempts and provides uptime, disaster recovery and business continuity guarantees.

2. Transport through TLS 1.2: RSA 2048-bit keys (SHA256withRSA) with Extended Validation and HSTS enforcement. We do not support unencrypted HTTP requests, and internal communication between the web application, EJBs, LDAP and database is additionally all over TLS. We reject SSL 2.0 and 3.0 connection requests but allow TLS 1.0, TLS 1.1 and TLS 1.2.
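An added verification script (Python, not PKB's code) for the transport claims in point 2: it pins a handshake to each TLS version in turn to see which ones a server really negotiates, reads the Strict-Transport-Security header, and flags what the listing says is still accepted (TLS 1.0 and 1.1, both deprecated by RFC 8996). Host and port are supplied by the caller, and the constructed result in the usage note mirrors the posture stated in the text; `assess` and `parse_hsts` are pure functions so the classification can be checked without a network.

```python
# Added example (not Patients Know Best's code): probe which TLS protocol
# versions a host will negotiate and whether it sends an HSTS header, then
# flag the legacy versions. The host and port come from the caller; nothing
# here is tied to PKB's systems. Run: python tls_probe.py HOST [PORT]
import http.client
import socket
import ssl
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")  # deprecated by RFC 8996


def probe_version(host: str, port: int, version: ssl.TLSVersion) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client could not attempt it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Modern OpenSSL forbids TLS 1.0/1.1 at its default security level;
        # relax it so a refusal reflects the server rather than this client.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as err:
        if err.reason == "NO_PROTOCOLS_AVAILABLE":
            return None  # client build cannot speak this version at all
        return False
    except OSError:
        return None


def fetch_hsts(host: str, port: int = 443) -> Optional[str]:
    """Return the Strict-Transport-Security header from a HEAD of /, if any."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def parse_hsts(value: Optional[str]) -> Optional[dict]:
    """Parse an HSTS header into its directives; None when the header is absent."""
    if not value:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


@dataclass
class Assessment:
    legacy_accepted: List[str] = field(default_factory=list)
    untestable: List[str] = field(default_factory=list)
    tls12_or_better: bool = False
    hsts_ok: bool = False


def assess(results: Dict[str, Optional[bool]], hsts: Optional[str],
           min_max_age: int = 31536000) -> Assessment:
    """Classify probe results: legacy versions still accepted, versions the
    client could not test, and whether HSTS is present with a year-long max-age."""
    out = Assessment()
    for name, accepted in results.items():
        if accepted is None:
            out.untestable.append(name)
        elif accepted and name in LEGACY:
            out.legacy_accepted.append(name)
    out.tls12_or_better = bool(results.get("TLSv1.2") or results.get("TLSv1.3"))
    parsed = parse_hsts(hsts)
    out.hsts_ok = parsed is not None and (parsed["max_age"] or 0) >= min_max_age
    return out


def scan(host: str, port: int = 443) -> Assessment:
    results = {name: probe_version(host, port, v) for name, v in VERSIONS.items()}
    return assess(results, fetch_hsts(host, port))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py HOST [PORT]")
    print(scan(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

On the posture described in the text (TLS 1.0, 1.1 and 1.2 accepted, HSTS set), `assess` reports `legacy_accepted == ["TLSv1", "TLSv1.1"]` with `tls12_or_better` and `hsts_ok` both true; the remediation is to stop offering the two legacy versions, which the probe confirms by returning False for them on a re-run.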
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network 1. Medical record data storage layer: encrypts medical data using DESede (Triple DES), with a unique public and private key pair for each patient. Only the patient, and the people the patient chooses, have a copy of the private key.

2. Secure server holding the data: this is hosted to ISO 27001 standard inside the NHS HSCN network.

3. Transport through TLS 1.2: RSA 2048-bit keys (SHA256withRSA) with Extended Validation and HSTS enforcement. We do not support unencrypted HTTP requests, and internal communication between the web application, EJBs, LDAP and database is all over TLS as well.

Availability and resilience

Guaranteed availability PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com. Customers can see uptime and response levels and subscribe to receive automatic notifications of upgrades and disruptions.

Service credits for failure to meet the agreed SLA are associated with the response and resolution times detailed below. Service credits are cumulative over each month and offset against any future payments, typically the next quarter's charges.

Service credits are allocated by incident priority according to the following schedule and can be tracked on a continuous basis at www.pkbstatus.com:

  • Three (3) Service Credits allocated for each Incident that breaches Resolution Time.
  • One (1) additional Service Credit allocated for each subsequent whole hour until the Incident is resolved, up to twelve (12) hours.
  • Two (2) Service Credits allocated for each Incident that breaches
  • One (1) additional Service Credit allocated for each subsequent whole hour until the Incident is resolved, up to eighteen (18) hours.
  • Two (2) Service Credits for each month that the Availability is less than 99.5%.
  • One (1) Service Credit for each month the average load time for a page exceeds 5 seconds for more than 5% of the time.

Full SLA can be found at: http://bus.patientsknowbest.com/project-management/service-level-agreements
Approach to resilience PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com

The PKB infrastructure is hosted by Carelink in the UK. Carelink is one of a shortlist of hosting providers to be certified to the stringent ISO 27001 standard. All facilities are tier 4 data centres (Telehouse, Docklands and Equinix, Heathrow).
Beyond the information contained within our public DR statement (http://help.patientsknowbest.com/DR.html), it is difficult to define resilience in a generalised sense. One of the key tenets in designing any high-availability system is to assume that its components, hardware and service dependencies will fail. Accordingly, every dependency within the context of PKB service availability and delivery is considered, with measures in place to minimise single points of failure across PKB’s service infrastructure.

It is for this reason that we utilise Tier 4 data centres, ensuring core service delivery functionality is maintained; be that power, transit or core networking components. Regarding PKB’s own systems (databases, servers, firewalls) the same rule applies, wherever possible a failover solution is in place.
Outage reporting PKB commits to 99.5% uptime, which includes scheduled downtime, and can be monitored at www.pkbstatus.com. Users can automatically be informed of any changes to service levels by subscribing to www.pkbstatus.com. This provides details of outages, uptime, response rate of solution (transaction times) and maintenance schedules and overview of upgrades/changes.

Additionally, reports to organisations can be provided at a requested frequency, but typically PKB provides a weekly report detailing the service and any disruption to the service levels.
PKB can also provide more detailed reports specific to the organisation and can customise a weekly SLA fulfilment report as needed.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Privileged access to PKB’s production environment is highly restricted: only designated and suitably experienced Senior Production Support Engineers have direct access to it. Circumvention of security measures is minimised through the use of 2-factor authentication and certificate-based VPN access. For support engineers with access to the database, decrypting clinical data is only possible with the requisite per-user keys. Administrative system passwords have a minimum of 10 characters drawn from 4 complexity classes (special, uppercase, lowercase, number). Passwords are cycled every 30 days (forced change) for all administrators. Administrative accounts are blocked after 3 failed password attempts.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Both Patients Know Best and data-host Piksel
ISO/IEC 27001 accreditation date 11/2017
What the ISO/IEC 27001 doesn’t cover All services (hosting) under Piksel control at their locations are within the scope of the ISMS and governed by the requirements of ISO27001
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • IGT Level 3
  • CyberEssentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Information security policies and processes are drawn primarily from those defined within ISO27001:2013 and from the NHS Digital IGT; accordingly, we have implemented an Information Security Management System. To support this, comprehensive information security policies serve as overarching guidelines for the use, management and implementation of information security throughout the PKB eco-system.
Internal controls provide a system of checks and balances intended to identify irregularities, prevent waste, fraud and abuse, and assist in resolving discrepancies that are accidentally introduced in the operations of the business. When consistently applied throughout PKB, these policies and procedures ensure that information technology resources are protected from a range of threats, maintaining business continuity and maximising the return on business investments.
PKB’s Information Security Management Plan and Policies reflect a commitment to stewardship of sensitive personal information, clinical information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of PKB constituents, safeguarding vital business information and fulfilling legal obligations. The plan is reviewed and updated at least twice a year or when the environment changes.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All changes to our database, application, architecture and environment are authorized, reviewed and fully logged. We use a combination of JIRA and internal development Wiki to document bug fixes, releases, upgrades, maintenance and other elements that might impact our production environment. Additionally, database schema management is via Liquibase.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Server security patching is conducted monthly, or as required when a patch is released by a manufacturer. Information about threats is gathered from various sources, including developer bulletins, security mailing lists and other internet sources. PKB maintains an InfoSec/OpSec team that monitors new threats. Scanning is both externally commissioned and internally conducted; for internal vulnerability scanning we use Tenable Labs / Nessus. Additionally, internal information security and information asset audits are regularly conducted; threats are evaluated, registered, graded and assigned for mitigation.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach PKB maintains an InfoSec/OpSec team that monitors new threats. Scanning is both externally commissioned and internally conducted; for internal vulnerability scanning we use Tenable Labs / Nessus. Additionally, internal information security and information asset audits are regularly conducted; threats are evaluated, registered, graded and assigned for mitigation, and the speed of mitigation, resolution or patching depends on the likelihood and severity of the threat or compromise. Actual compromises are prioritised for immediate resolution. Identification may take place via a number of pathways: malware scanning, internal security audit, internal vulnerability scanning, external vulnerability scanning or reporting.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach PKB’s IG Incident Response Plan (IRP) establishes full incident management alignment to the guidelines established and published by NHS Digital, specifically ‘Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation’. PKB’s IG Lead will assess the severity of all incidents based on the sensitivity and scale of the incident, using NHS Digital’s IG Scoring Matrix to establish an accurate grade of the incident.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks Yes
Connected networks New NHS Network (N3)

Pricing

Price £0.75 to £1.23 per person per year
Discount for educational organisations Yes
Free trial available No

Documents

Pricing document View uploaded document
Terms and conditions document View uploaded document