Optum Health Solutions (UK) Ltd


Mede/Analytics is a cloud-based business intelligence and commissioning platform that scales to provide insight across an entire health economy, taking data from multiple care settings and linking it at the individual level. The platform's tools allow analysis of population health to understand demographics, morbidity, resource utilisation, outcomes, quality and cost.


  • Hosted analytics service scalable for managing entire health economies
  • Easy to use and self configure graphical and tabular interface
  • Drill down to patient/event level detail quickly and easily
  • Additional modules – patient stratification, segmentation, urgent care, population health
  • IG framework including pseudonymisation at source with re-identification capability
  • Visualise data using geomapping tools
  • Outcomes and costs for groups of patients and capitated budgets
  • Contract modelling and monitoring functions with information validation
  • Includes national, regional and local peer comparator capabilities
  • Initial training and client engagement services are included


  • Understand your local health economy with one system
  • Create intervention groups with re-identification to support direct care
  • Understand the outcomes and costs of care to understand value
  • Adopt and manage different commissioning models for different groups
  • Identify overlaps, opportunities for improvement, and exemplars for best practice
  • Comparison by provider, GP / referrer, age, and demographic
  • Workflow capabilities to facilitate dialogue between commissioner and providers
  • See the impact of service developments in near real time
  • Provides risk modelling for financial predictions
  • Supports performance management for whole care systems


£0.30 to £1.15 per person per year

Service documents


G-Cloud 11

Service ID

548276869136175


Optum Health Solutions (UK) Ltd

Bhavini Parekh



Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements None - all on a Private Cloud

User support

Email or online ticketing support Email or online ticketing
Support response times Normally within 1 hour during operational hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels On-site support and training at extra cost based on SFIA Rate Card.
Support available to third parties Yes

Onboarding and offboarding

Getting started Links to training videos, documentation and Help FAQs.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction If individual users have been granted the correct Information Governance permission they can export data directly to their local machine or via Secure File Transfer Protocols (SFTP)
End-of-contract process Data is transferred to the client and/or securely destroyed. Data destruction certificates are provided.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Service will automatically adjust for best
Service interface Yes
Description of service interface Web browser
Accessibility standards None or don’t know
Description of accessibility N/A
Accessibility testing N/A
Customisation available Yes
Description of customisation Users can customise the colour palette and create and share Dashboards. Users can create Custom Metrics, Dimensions and Cohorts.


Independence of resources We monitor our service performance down to individual server level. Our flexible design allows us to add additional servers to accommodate increased user load and where necessary segregate clients from each other. We own and maintain our own virtual server environment, where we can quickly move virtualised servers onto appropriate hosts, to address performance issues.


Service usage metrics Yes
Metrics types Service metrics include reporting on user accesses per month, last login, last deactivation date, browser used and report or dashboard accessed
Reporting types
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold MedeAnalytics

Staff security

Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Can be done at client's request conforming to FIPS 140-2.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach If individual users have been granted the correct Information Governance permission they can export data directly to their local machine or via Secure File Transfer Protocols (SFTP).
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats PDF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.9%
Approach to resilience Failover and disk redundancy measures are in place.
Outage reporting Monitoring systems are in place to provide proactive and real-time alerts.

Identity and authentication

User authentication needed Yes
User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Role based.
Access restriction testing frequency Never
Management access authentication
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Less than 1 month

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 11/08/2018
What the ISO/IEC 27001 doesn’t cover No non-conformities.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • SOC1 and SOC2

Security governance

Named board-level person responsible for service security No
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards SOC 1 / SOC 2, HITRUST.
Information security policies and processes HIPAA Security Rule, 45 CFR 164.308(a)(2); UK Data Protection Act Schedule 1, Part 1, Principle 7; IG Toolkit Requirements 9‐114, 9‐115; ISO 27001:2013, 5.1, A5.1.1; A6.1.1.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change procedure aligned to ISO 27002. Configuration management is supplier defined.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach SOC 1
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach HIPAA compliant
Incident management type Supplier-defined controls
Incident management approach This is covered by our Incident Management Procedure MA‐S‐P‐029, available upon request.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks Yes
Connected networks NHS Network (N3)


Price £0.30 to £1.15 per person per year
Discount for educational organisations No
Free trial available No
