Avegen Ltd


MyCare is a patient mobile application that can be tailored to any chronic disease or complex care pathway. MyCare empowers patients to manage their health and disease better. It motivates them to live healthier lives and to adhere to the care protocols defined by their doctors. It enables remote monitoring and consultations.


Features

  • Patient information resources, such as text, pictures and videos
  • Personalisation of care plans, e.g. exercise plans and digital rehab programmes
  • Quizzes and forms, e.g. to track knowledge and give feedback
  • Gamification, such as point systems and leaderboards for motivation
  • Appointment booking & management
  • Notifications, alerts & motivational tips
  • Vital, symptom & quality of life tracking
  • Wearable & point-of-care device integration
  • Remote patient monitoring & management
  • Remote consultations / telemedicine, e.g. chat & phone calls


Benefits

  • Improve patient self-management, engagement & activation
  • Improve patient adherence to the care protocol or recommendations
  • Reduce cost of service by increasing efficiency & reducing readmissions
  • Improve PROMs and increase patient satisfaction with care
  • Improve patient mental health and quality of life
  • Improve data collection through wearable & device integration
  • Reduce loss to follow-up
  • Increase capacity through remote monitoring and consultations
  • Improve efficiency through risk stratification of patients and timely actions


£7.50 to £25 a licence a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nayan@avegenhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

579087059187488


Avegen Ltd, Nayan Kalnad
Telephone: 07837810251
Email: nayan@avegenhealth.com

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Requires internet access and a smartphone.
System requirements
  • Internet connection
  • Smartphone access

User support

Email or online ticketing support
Email or online ticketing
Support response times
For critical and major issues:
UK business hours: 1 hour.
Out of hours: 3 hours.
Weekends: specific to each customer/contract.

Custom SLAs can be agreed with each buyer, to fit the needs of the service/team.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
License/subscription fee includes email-based support during UK business hours. In extraordinary circumstances, same-day, emergency onsite support is available.

Additional support is available at extra cost, using the SFIA framework pricing.

Each customer is assigned a customer services specialist.
Support available to third parties

Onboarding and offboarding

Getting started
Implementations start with requirements gathering for the customer's specific pathway and data needs. Our development team then configures the customer's account with their specific data fields, forms, alerts, reports, and users/permissions.

HCPs are provided with UAT/test system logins before go-live. Onsite training is provided before go-live to show HCPs how to install the app on patients' phones. We provide onsite support on the day of launch, plus one follow-up training/Q&A day within 2-3 weeks or as needed.

All HCPs receive a digital training manual. We also provide top-up online training via video calls. Online training videos/walkthroughs are also available.

Limited training is necessary, as the application is used by the patient rather than the HCP.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
When a contract ends, we agree on a final service date with the customer after which no additional data will be entered or changed in the system. Patients will be informed with a notification in their App, allowing them to extract their data.

Our team then prepares an extract of all data belonging to that customer's account. The data are extracted in multiple CSV files as needed, encrypted, and shared with the customer in a secure, encrypted manner.

Data can also be exported via JSON API and FHIR API.
End-of-contract process
Once the customer confirms that their data set is complete, we delete the data from our servers (subject to any other data retention requirements). Our standard SLA is to return all data and delete it from our servers within one month of the contract end date (subject to individual agreement and the size of the dataset).

Once the contract is over and data return/deletion is complete, we delete the customer's account and all user access.

The application will be removed from the Google Play Store / Apple App Store.

There are no additional costs.

Using the service

Web browser interface
Application to install
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Differences between the mobile and desktop service
MyCare is a mobile application only and is not designed for use in a web browser.
Service interface
What users can and can't do using the API
APIs can be used for system integration, such as updating patient information and appointment details in both directions (to and from an EMR or PAS).
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
MyCare can be configured to the needs of specific individual pathways. Content, images, pathways, care plans, data fields, quizzes and tracking scales can be configured to the specific disease or pathway requirements. The system can also be translated into most languages. App name, branding, colours and design can all be white-labelled.

Our web- and tablet-based care management platform, HealthMachine, can be integrated with MyCare. HealthMachine empowers clinical teams to provide personalised, evidence-based care at scale. It is a highly configurable system that can be adapted to the specific needs of different pathways. Pathway states, forms, data fields, PDFs, and reports can be configured to specific pathway requirements. The system can also be translated into most languages. Logo, landing page, and URL can be white-labelled.


Independence of resources
We leverage the cloud-based autoscaling capabilities of the AWS platform, such as highly available and scalable ElastiCache, RDS and ALB. Additionally, monitoring is in place to alert the ops team about unusual loads, so that manual intervention can happen as needed.

We also have network-layer throttling mechanisms in place to protect users from malicious, unusually high loads (e.g. DDoS attacks).


Service usage metrics
Metrics types
MyCare is designed to make patient monitoring & management possible

Clinical/Pathway: patient volumes; patient journey mapping; activity volume; clinical outcomes; vital / symptom / Quality of Life tracking; time series outcome analysis; PROMs

Operational: efficiency gains/savings; progress towards KPIs.

Usage: audit trail data; user sessions; user activities (calls made, appointments booked).
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
A patient can export some data in PDF format, if that is part of the requested functionality. An organisation (e.g. a clinical department) can request an extraction of anonymised, aggregate-level data via support ticket, if the patient has agreed that their data may be shared with and accessed by the HCP.

Under the GDPR, a patient can request all of their stored data by contacting support.

Authorised access to the REST API can also be provided for customers to export data programmatically.
Data export formats
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
  • PDF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
All servers behind the firewall are in a virtual private cloud (VPC).

Availability and resilience

Guaranteed availability
Standard service level agreement stipulates 99.9% availability.

For any unplanned outage of more than one hour during customer working hours, we will credit the pro-rated value on the next invoice.
Approach to resilience
We have BCP and DR SOPs in place, which are reviewed annually; drills are practised quarterly. All data is backed up securely offsite on a periodic basis.

More details available on request.
Outage reporting
All users receive email alerts with outage details, resolution ETAs, and updates until service is back up and running.

There is an API which can be made available to customers upon request.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Support and firefighter access is provided strictly on request. Support personnel do not have open-ended access. All support access is designed to fully mask any personally identifiable information (PII). Only system-internal IDs are exposed to the support interface for troubleshooting.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Marketing and sales processes and collateral are not covered by our certification.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • NHS Data Security and Protection Toolkit (DSPT)
  • ISO 27001
  • ISO 9001
  • ISO 13485 in process

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO 13485 certification is currently in-process.

NHS DSPT completed with score of 100% (March 2019).
Information security policies and processes
We follow processes that align to GxP and ISO 27001 standards. We have clearly defined and documented SOPs and policies for:
  • data protection
  • breach/incident management
  • record retention
  • access control
  • systems & operational security
  • recruitment, contracting & supplier policies
  • cryptography policy
  • change management controls
  • data transfer policy

All employees are trained on information security policies and quizzed. All policies and SOPs are reviewed and updated at least once per year.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We follow a documented change control & configuration management process. Every change is classified and assessed for its impact on safety, security, the system, testability & maintenance, scalability, the customer, and business cost/benefit. Changes must be approved before being added to a sprint.

All baseline and customer-specific configurations are documented in the configuration library.

Every change goes through a rigorous QA process, which is fully documented. Changes are only released once all QA criteria are met. QA pass criteria, results, screenshots, and release notes are stored internally. Customers are notified of any customer-visible changes to their configuration via release notes email.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow processes that align to ISO 27001.

User access rights: all users are granted permissions only for the systems they require; access is restricted by default and granted if needed.

Security patching: patches are deployed based on criticality, with critical/high deployed as soon as possible once validated. All patches are tracked and logged.

Malware/virus scans: all systems have anti-malware/virus software which is regularly updated and scans on a schedule.

Systems/networks are monitored for unusual activity. Any remediating actions are assessed and carried out as per SOPs.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Compromise prevention: server access is restricted using security groups, which are reviewed every 90 days. Only the ports required by the application are opened, and only for the IP addresses that need them. Server OS configuration audits are carried out by a third party.

Compromise identification: all access and changes are logged; audit log is reviewed for suspicious activity.

Potential compromises are flagged and escalated immediately for further investigation. If appropriate, suspected user accounts are suspended immediately. Any confirmed compromises are reported to IG and ICO teams as per SOPs.

We aim to respond to incidents within 4 hours of detection.
Incident management type
Supplier-defined controls
Incident management approach
We follow an incident management SOP that aligns to the NHS DSPT guidelines and ISO 27001. We have pre-defined SOPs for events such as internal PII exposure, suspected compromised accounts, and disaster recovery. Users report incidents via email or phone, which are then escalated to senior management, DPO, ICO, and client organisation. Incident reports are provided digitally as per agreement with customer.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


Pricing

£7.50 to £25 a licence a month
Discount for educational organisations
Free trial available
Description of free trial
A 3-month free trial is available for HealthMachine, not for MyCare, as the mobile application always needs customisation.

For HealthMachine, it includes standard-setup system access. Some features may be restricted/unavailable during free trial. No custom reports, custom configurations, or integrations in free trial period.
