Ortivus UK Ltd

MobiMed Smart ePCR

MobiMed Smart provides paramedics with an electronic Patient Care Record, ePCR, using a structured workflow and support that enhances the clinical decision making process. The eCPR in combination with vital signs monitoring ensures that the patient gets the right care, at the right time, in the right place.


  • Smart-card login
  • Summary Care Record (SCR)
  • Personal Demographics Service (PDS)
  • Monitoring with clinical background from cardiac critical care
  • Easy to configure/adapt to any clinical standard.
  • Integrate with CAD, Defibrillators, information systems at hospitals
  • Web browser
  • Dynamic reports for Hospital and General Practitioner output form.
  • Camera support - taking/incorporating images in the ePR and reports.
  • Vital signs are automatically transmitted monitoring to the ePR.


  • Facilitates collaboration between paramedic and receiving hospital
  • Comprehensive set of fields, supporting adaptation to working practices


£50 per licence per month

  • Free trial available

Service documents

G-Cloud 10


Ortivus UK Ltd

Philip Swan



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to MobiMed Smart VSM for performing high quality vital signs monitoring can be extended with MobiMed Smart ePCR, or vice versa.
Cloud deployment model Private cloud
Service constraints Ortivus will schedule and plan any necessary maintenance or releases / upgrades with customers to ensure minimal service disruption.
System requirements Windows based

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Ortivus Support mailbox is monitored during normal business hours, 9am-5pm GMT/BST, Monday to Friday (excluding Bank Holidays) and all emails are responded to within 24hrs. Ortivus also provide an online service portal which is available 24x7 through which customers can raise Incidents and Service Requests.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels 1st line call qualification and validation is typically performed by the Customer who would receives incoming calls from the end users and would attempt to resolve incidents in the first instance. Ortivus provide 2nd and 3rd line support for incidents raised that are unable to be resolved by 1st Line.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We can customise training for starting organisations - primarily onsite training, with provision of user guides and materials. The service also mirrors the live service with the provision of training server, so that organisations can arrange for user education in a 'safe' environment.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At the end of contract customer data will be transferred in XML format. There is also an option of a continuous integration transfer during the contract period.
End-of-contract process Data in XML format will be provided within one month after contract end. Ortivus can also supply the data according to specific schemas and formats as requested by the customer. That would incur an additional cost depending on the details of the request.

Using the service

Using the service
Web browser interface No
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Clinical Workstations are the desktop, intended for Acute use, receiving ePCR, notifications, alerts etc.
Mobile version is ePCR, primary method for completing ePCR, and alerting Acute.
Accessibility standards None or don’t know
Description of accessibility EPCR client software installed on Windows tablet, allows for fully customised data entry of patient assessment/treatment information.
Accessibility testing None
What users can and can't do using the API MobiMed Smart includes a web service API that can be used to consume ePCR data. The API is available on the server side. Bandwidth and polling frequency restrictions apply and depend on the infrastructure chosen.
API documentation Yes
API documentation formats PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation The MobiMed Smart ePCR is completely customisable and can be tailored to the customer need and processes.

Customisation can be managed solely by appointed users at the customer. This presupposes using the Ortivus SDK along with associated training. Ortivus also provide ePR configuration work at cost.


Independence of resources By making sure that the user demand is not exceeding system capabilities and by continuous monitoring of the service resource utilization. The service is designed to minimize the impact of any malicious user actions.


Service usage metrics Yes
Metrics types Online service usage metrics are provided for the organisation operating the servers. Service reports can be provided for customers on a monthly basis.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach MobiMed Smart comes with several options for data export:

1) XML WebService intended for system integration of ePR data.
2) Data Warehouse intended for business reporting and intelligence.
3) Integration framework intended for system integration with downstream systems. Specific integrations come at additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
Data import formats Other
Other data import formats None

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability The service is provided to 99.6% availability with Service Point penalties in place for any deviation. This is based on incident severity with any Service Points accrued on a sliding scale.
Approach to resilience Available on request
Outage reporting Service outages are communicated according to an agreed communications matrix which would include email alerts and telephone notifications depending on severity.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication Mobile access can also be restricted to specified sim-cards.
Access restrictions in management interfaces and support channels Management interfaces only run locally within the data centre. Data Centre access is restricted to appointed personell using two factor authentication over VPN link.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Intertek Certification AB
ISO/IEC 27001 accreditation date 12 December 2014
What the ISO/IEC 27001 doesn’t cover No exclusions
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Standard security policies and processes are in place and are reviewed as part of regular ISO auditing.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Ortivus have implemented Change Management, Release and Deployment Management procedures. All Requests for Change(RFCs) go through an initial risk assessment with Quality and compliance officers and when risks, clinical safety and security verifications have been clarified, appropriate actions and requirements on the RFC are initialized.

Customer approvals are handled through established governance structures involving all relevant stakeholders. The main interfaces being the Operational Board, the Project Board and the Steering Board depending on the RFC.

All assets, documents, training and configuration changes are constantly updated within the Asset Management module within the service management tool following standard ITIL V3 procedures.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Potential threats and vulnerabilities are assessed to determine deviations from acceptable configurations. Risk assessment is carried out and recommendations or appropriate mitigation countermeasures are developed in accordance with stakeholder agreements. Evaluation of network vulnerability and the risks associated with external connections is done through risk assessment by security specialists.

Patches are identified and applied in accordance with customer and authority agreements.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are identified through screening of servers, firewalls, routers and devices for system control and system administrations carried out on a weekly basis. This includes checking the content of the access logs and logs from intrusion detection.

Audit logging is enabled to identify all successful and failed logins, and logouts. Logs are retained for a minimum of six months and in the event of an incident, logs can be made available to the appropriate authorities such as HSCIC for investigation.
Incident management type Supplier-defined controls
Incident management approach Incidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities.

In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly.

Incidents may be escalated to other parties including NHS, HSCIC, and any other affected body and any corrective action identified during incident resolution will be added to the improvement plan.

Security incidents will be reported and corrective actions tracked as part of the monthly performance reporting.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £50 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A local test installation to be evaluated during a period of up to 6 months. Only MobiMed licenses are included, cost for hardware and 3rd party licenses not included.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑