G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with Aptvision Ltd are still valid.
Aptvision Ltd

Aptvision Patient Engagement and Radiology Information System (RIS)

APTVISION created a unified Healthcare Information System embracing latest technologies to enable quicker and more effective outcomes for Patients, Clinicians and Healthcare Providers. Putting patients at the heart of care we have ten stand-alone, inter-operable software solutions to manage the end-to-end patient pathway in various 'ologies including Radiology.

Features

  • Core RIS/HIS - On-premise or Private Cloud
  • Patient Self-Registration and Flow Management
  • Centralised Network Scheduling, Local, Regional and multiple organisations
  • Patient Portal, Secure, web based, with or without web booking
  • Patient Webbooking choose an appointment which suits them
  • Shared and Home Reporting providing convenience to the reporting clinician
  • eReferral, Clinician Portal, Booking, Results management, Significant Findings alerts
  • Patient 2-way Communication, 2-way SMS, email, econsent forms
  • MDT's enabling remote access for one or more clinician
  • Peer Review Anonymous peer review including configurable settings and configuration

Benefits

  • Improved patient experience reduces DNA’s Optimisation of resources, saves money.
  • Enabling scheduling across a region from one location workload balancing
  • The patient has complete choice and control over their procedure.
  • The patient can book their appointment when it suits them.
  • Reporting performed 24*7 by the most appropriate professional
  • Clinician can organise the next appointment within their consultation
  • Immediate results including significant findings ensuring fast patient care
  • Allows patient to easily manage, reschedule and this reduces DNA's
  • Remotely manage and arrange an MDT from the reporting console
  • Allows providers to monitor work and conduct internal scan audits.

Pricing

£51,000 to £85,000 a licence

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@aptvision.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

5 7 2 1 7 9 6 2 1 5 8 2 5 2 7

Contact

Aptvision Ltd Paul Wierzbicki
Telephone: +353 (76) 888 8055
Email: info@aptvision.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
No
System requirements
  • No software licenses required
  • RedHat licenses required if customer opts for RedHat VMs (optional)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard SLA is:
* Critical Priority - 30 min response time, 4 hour resolution time
* High Priority - 1 hour response time, 6 hour resolution time
* Medium Priority - 8 hour response time, 4 day resolution time
* Low Priority - 2 day response time, resolved on next release (typically less than 1 month)

Our standard SLA support hours are 9am - 7pm GMT Monday to Friday.

Different SLA options are available on request.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our standard SLA is:
* Critical Priority - 30 min response time, 4 hour resolution time
* High Priority - 1 hour response time, 6 hour resolution time * Medium Priority - 8 hour response time, 4 day resolution time
* Low Priority - 2 day response time, resolved on next release (typically less than 1 month)

Our standard SLA support hours are 9am - 7pm GMT Monday to Friday. Support tickets can be raised on our dedicated support portal, hosted by Atlassian Service Desk.

Additional SLA options are available on request. Standard SLA support is included in license fee (see pricing section).
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Aptvision has a well defined onboarding and training process. It starts with introductory system overview, which can be done remotely on on-site. this is followed by analysing master data and any data migration requirements. The training has multiple parts and is usually done on-site in a train-the-trainer format with remote follow up training available remotely. On-site training to individual user groups is also possible. Full system documentation is available in PDF with some aspects associated by videos. There are extensive training checklists to ensure all system elements are covered, explained and signed off by the trainee.
Aptvision can assist the customer with the entire setup and launch of the system (as an additional service) which includes master data import, data migration, user setup, workflow setup, testing, training and go live support.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
Videos
End-of-contract data extraction
There are multiple, standard ways of data extraction.
Users can access relevant information through the standard APIs to extract it, save or transfer to another system.
All documents uploaded to the system as well as reports are stored as files and may be access using file sharing protocols.
The information can also be manually exported to excel compatible formats in certain areas of the system.
Finally an extra, custom data extraction/dump service can be provided where all data is extracted by the support team in the exact form required by the user.
End-of-contract process
Aptvision has a defined process of contract termination. Following all required official notices the client is granted a period of time in which the system and all data is available to them for extraction. A custom data extraction service may be requested and provided at that stage too.
After the period elapses, the data is permanently removed using a set of procedures at which point it is no longer accessible to anyone. A data deletion certificate is provided to the client upon completion of the process.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Some elements of the solution are accessible on mobile devices through dedicated mobile apps or web browsers. These include: patient web booking, clinician e-referral and booking, self service registration, patient and clinician portals. They have been created using responsive technology and automatically adjust to the device size. There are also certain functionalities of the Core RIS that are available on mobile devices - filling in of documents and questionnaires, waiting lists or worklists.
Service interface
Yes
Description of service interface
The Aptvision RIS is accessed as a normal website via browser or via the Aptvision Desktop App. The latter also uses the standard web interface but improves the handling of external devices connected to the computer (eg. microphones, scanners, printers, etc.) that web browsers may not natively support.
Accessibility standards
None or don’t know
Description of accessibility
The Aptvision RIS is fully usable through a normal web browser. Some aspects of the system require that the Aptvision Desktop Application be used, such as voice recognition.
Accessibility testing
We have not performed any testing with users of assistive technology.
API
Yes
What users can and can't do using the API
The solution provides a REST based API with token based authentication. The API may be currently used to retrieve certain information from the system and have limited ability to update data.
The list of endpoints is constantly growing and my be provided on request.
The tokens may be generated by users in the single sign on service and then used to access endpoints.
The data retrieval or changes are made through HTTP calls to endpoints using TLS encrypting for transport.
The APIs are currently mainly used to retrieve patient event information for patients which can be used by third party systems, data extraction, BI systems and integrations.
There is also a limited functionality available allowing creation and updating of patient events primarily used for inbound integrations with third party systems.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users with specific administrator access levels can configure following aspects of the system via the Configuration screens available in the service:

add/edit/disable Users
grant/edit/revoke User Permissions
assign/remove users to/from Clinics and Workflows
add/edit Clinic(s) details
add/edit Scan Room details
add/edit/remove Scan Room availability
add/edit/remove Scan Room Blocked Slots
add/edit/remove Staff availability
add/edit/remove Resources availability
add/edit/remove Optimizations
add/edit/disable Insurers
add/edit/disable Referrers and Practices
add/edit/disable Procedures and Protocols
add/edit Reporting Templates
add/edit/remove Materials and Material Groups used during Procedures
add/edit/remove Procedure Safety Questions
add/edit/remove Procedure Patient Preparations
add Periods for the Peer Review module
set Targets for the Peer Review module
create Questions and Questionnaires for the Peer Review module
create and assign user Skills for the Peer Review module

Other more complex and specific aspects of the service, are usually configured with advice or by the support team. This is to avoid issues resulting from incorrect configuration. There is no technical obstacle for advanced administrators to gain access to additional configuration screens and being able to adjust more complex service parameters.

Scaling

Independence of resources
For the Aptvision Cloud RIS (deployed on cloud servers) we constantly monitor the infrastructure and scale up as required. We also monitor each customers use of resources. This ensures that the demand from other users do not affect all users.

If the client opts for an on-premise deployment then this is not a concern.

Analytics

Service usage metrics
Yes
Metrics types
There are extensive, out of the box usage metrics available through directly in the system as well as through a third party tool cloud based tool called datadog.
The local metrics relate mostly to the software and include real time page load times, numbers of active users, log in times, audit logs as well as all standard reports relating to patients and their events, integrations, numbers of outgoing emails/SMS, inbound and outbound HL7 with error rates, etc.
The datadog metrics concentrate mostly on infrastructure and include, CPU, memory, network, IO, processes, replication status and many other.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
We only use secure data centres where the operator provides highest level of physical security.

Data is not currently encrypted at rest in all cases but this can be provided on request and in such case an encrypted container will be created on top of the physical media.

In order to mitigate any risks and ensure an acceptable level of security of data at rest, we have taken additional steps such as ensuring multiple layers of firewalls and reducing users allowed access to systems.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export data individually in the context of the application (eg. reports for date range, events for date range).
Additionally, a "GDPR pack" functionality allows creating and downloading a package of all information and documents relating to a particular patient.
Data can also be exported in bulk as a custom, additional service on request and in such case any required format can be supplied.
The documents uploaded and stored in the system can be be accessed through an agreed file sharing method on request (additional service).
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • XLSX
  • PDF
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • JSON
  • HL7
  • XLSX

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We offer the following SLA as standard:

1 – Critical Priority
Completely stopping client’s business critical operation in any of the clinics, with no workaround on the client’s side to continue business critical operations or any major security issue and/or any function halt important for medical laws.
Response: 30 Minutes
Restoration: 4 Hours

2 – High Priority
System issue causing significant effect on the client’s business critical operation, with no workaround, but it is still possible to continue through the full workflow
Response: 60 Minutes
Restoration: 6 Hours

3 – Medium Priority
System issue causing medium effect on the client’s business critical operation, not blocking them from continuing operation and with medium level of inconvenient workaround on the client side.
Restoration: 4 Business Days

4 – Low Priority
System issue not causing direct effect on the client’s business critical operation like an element not working, with acceptable workaround on the client side but with a desire to be eventually corrected
Restoration: Next scheduled release date

Service credits range depending on the severity and duration, up to 10%
Approach to resilience
The platform is designed to be Highly Available (HA). This means that the key parts of the architecture have hot standbys which can transparently take over from it's counterpart in the event of a failure or planned maintenance.

Uptime is measured strictly and monitored constantly to ensure system availability for all of our clients.
Outage reporting
Client facing:
We have a documented process to provide email notifications to all affected customers immediately upon detection, as well as provide continuous feedback and updates during the incident. The exact methods and contacts used for this will be agreed upon onboarding.

Internal (to Aptvision):
Monitoring is extensively built into the platform and we receive automated alerts whenever part of the platform misbehaves, this is immediately investigated by our team and notifications sent to customers if needed.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
The solution may also use our own Oath2 compatible Identity federation single sing on service.
We can connect to AD/LDAP compatible services on premise and in the cloud to provide user account verification based on username and password provided at login.
Access restrictions in management interfaces and support channels
User permissions are fully configured for the platform, permissions can be given or revoked for certain "management" features of the platform for certain users. This can be done by the customer themselves if desired.

Access to our customer support portal requires an account which is provided to a limited number of users in the customers organization.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Certification in progress by ABIWAY
ISO/IEC 27001 accreditation date
To be finished by 31/12/2019
What the ISO/IEC 27001 doesn’t cover
Any aspects not covered during the certification process will be advised at a later stage.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
ISO 9001

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
We are currently in the process of obtaining certification for ISO/IEC 27001.
Information security policies and processes
Our SIRO (Senior Information Risk Owner) is board appointed and reports regularly back to the board. They are responsible for ensuring that our Security Policies are enforced. We have two types of security policies, the first is a staff-facing policy which details how staff should approach security in their daily work. The second is a company policy which details the SIROs responsibilities, which include:
- Ensuring that staff are informed about and follow the security policy
- Conducting regular security audits and penetration tests, tracking progress and reporting to the board

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All of our products are versioned, as such it's possible to track the exact version of any product in use at any given time.

Our development workflow follows a change process which tracks exactly when and why a change was made, and by who.

A typical change would pass through the following process:
- The change is requested by the customer or by our internal Product Owner, this gets approved internally and handed over to the technical team
- The technical team perform the change to the configuration or codebase of a product, this change is tracked and auditable
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
As per our policy, all of our servers are configured to automatically receive and apply security patches nightly. Other threats are assessed periodically during penetration testing and risk assessment exercises.

We subscribe to security mailing lists for individual 3rd party products that are in use within our platform.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Logs are monitored for potential compromises, however this process is not yet automated.

We have policies in place to determine how we react to a potential compromise, steps include notifying customers and the relevant authorities, immediately shutting down affected servers if there exists a threat of further breaches, launching an investigation into the breach and keeping stakeholders up to date, and finally mitigating the risk to prevent further breaches.
Incident management type
Supplier-defined controls
Incident management approach
We have automated monitoring and alerting that alerts us to most incidents and allows us to react as quickly as possible.

Incident reports are prepared for all major incidents and sent to all affected customers, usually within 2 days of the incident occurring.

Incidents can be reported by the customer through each customers dedicated support portal. Any incidents reported here are measured against response/resolution times under the SLA in force.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

Price
£51,000 to £85,000 a licence
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@aptvision.com. Tell them what format you need. It will help if you say what assistive technology you use.