SystemC Healthcare Limited

Medway, Careflow, Carecentric and CarePlus.

System C’s service includes: PAS/EPR; Departmental Solutions (ED, Maternity, Theatres, Kiosk); Business Intelligence & Reporting; Clinical Solutions (OC/RR, ePrescribing, Clinical Documentation, e-Observations, clinical communications, H@N); Shared Care Solutions, Patient Portals and apps for New Models of Care; Child Health; Adult & Children’s Social Care.


  • A blueprint for digital excellence
  • For individual trusts as well as whole health economies
  • Integrated PAS, departmentals (eg ED, theatres, maternity)
  • Integrated clinical modules on the desktop and mobile devices
  • Open and interoperable via HL7, FHIR and APIs
  • Integrated BI and data warehouse with real time dashboards
  • Electronic observation system, designed to improve patient safety and outcomes
  • Integrated communication platform enabling better communication, collaboration and safer care
  • Child Health across a single organisation or whole region
  • The strongest deployment track record in UK healthcare IT


  • Supports existing NHS processes
  • Supports the paperless agenda
  • Helps organisations transition to New Models of Care delivery
  • Supports and improve patient safety
  • Supports 'hospital on the move'- pushes data to clinicians
  • Pushes data to Shared Care Record
  • Provides real time management information to support service delivery
  • Allows patients to be involved in their care management
  • Interoperability supports the complete EPR
  • Provides comprehensive service delivery / support and maintenance


£0 per unit per year

Service documents


G-Cloud 11

Service ID

6 0 6 6 9 9 5 0 3 3 2 4 0 8 8


SystemC Healthcare Limited

Judi Holly

01622 691616

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Services are available to extend the functionality of existing services (so an existing user of Medway EPR might wish to implement and integrate the CareFlow solution for example). Education Management solution, for example).
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Depending on the components/modules of the solution selected, there may be limitations on the number of users, beds covered, population etc. Please see pricing for details and applicable service levels.
System requirements
  • Client PC 1xDual core 3.6Ghz, 2GB memory,4GB free Disk
  • Minimum Screen Resolution 1280x1024. 1920x1080 widescreen preferred.
  • Windows 7 or above, IE 6 or above, .NET v45
  • Microsoft Word/Excel 2007 or above.SQL2008 Client tools
  • DirectX V9 or above
  • Tablet devices capable of running the operating systems detailed above
  • Tablets with similar performance level and minimum screen resolution above
  • Device/IOS/Browser: ipod 5th Generation/iOS9.3.5: 6th Generation/iOS9.3.5: iphone/iOS 10.2.1
  • IPad 2, iPad Mini 1 &iPad Air1 onwards-iOS9.3.5,iOS10.2.1
  • Licencing will depend on the software purchased

User support

Email or online ticketing support
Email or online ticketing
Support response times
This depends on the Priority Level of the Service Incident. (P1 calls are resolved within 4 hours 24/7; lower priority calls are resolved during working hours)
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
System C provides support via the System C helpdesk (including the JIRA™ online call logging system). We offer a standard support service (with tailored SLAs depending on the component/module) for each product. This way we know that all customers receive a standardised support service. For priority 1, system down or clinical risk incidents we aim to resolve the incident within 4 hours. Priority 2 8 hours, P3 30 days and P4 next available software release. An incident can only be closed once resolution has been confirmed by the customer. Excluded from the time to resolve an incident is any time during which the issue is with the customer, a third party or when an agreed code fix is being provided. Each customer is allocated an account manager and a service delivery manager who have access to technical, cloud, or other support resource as required. On-site support is not usually needed but may be chargeable if required.
Support available to third parties

Onboarding and offboarding

Getting started
System C will work closely with the customer’s service teams and/ or third-party suppliers to implement the solution. Full project plans and PID documentation is provided. We provide on-site training (train the trainer) use documentation relevant to the solution being implemented including eLearning packages. Recommended workflows with associated Standard Operating Procedures (SOPs) are also provided as well as user documentation relevant to the service being implemented.
Complex components (e.g. Medway EPR) require a year or more to deploy using a team of implementation specialists which will include the following roles:
- Program/Project Manager/s
- Product specialists
- Data migration specialists
- Integration specialists
- Reporting/BI specialists
- Training specialists
- Change management specialists.
Other components require just a few weeks to implement, managed by a small team of clinical and technical specialists, working with the customer's team.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Depending on the component/module in question, System C offers the following services:
- For some solutions, all data held within the system, with the exception of letters and scanned images, is made available for the customer to extract via existing Business Intelligence tools
- for other solutions, a data extract is provided in agreed format
End-of-contract process
System C works with the customer to produce a high-level Exit Strategy document and Exit Plan which details the methodology for data / service transition from the system. This will be actioned at the end of the contract. These documents would be expected to include:
• The management structure to be employed at contract end.
• Detailed description of both the data and service Transfer/Termination processes
• Scope of the Services to be provided at contract end
• Any Charges payable for the provision of Termination Service System C's standard approach towards the extraction of data at the end of the contract is to ensure that the Trust has the tools and access to the data such that the Trust has the capability of extracting its own data without automatic recourse to System C. We will provide support to the Trust in performing any such extraction activities, and if required we will be happy to provide services to more actively assist the Trust in undertaking these tasks. This would be at additional cost and a quote for this would be provided by System C.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Some of the components/modules of our service are designed predominantly to work on mobile devices (eg Careflow Vitals, CareFlow clinical communications); in these cases there may be elements of the solution (e.g. a management console) which is browser or desktop based, however the majority of the end users will be accessing the solution via mobile devices.
Other components (such as Medway EPR) are designed primarily for use on the desktop, but may have certain features (e.g. results reporting) which are delivered via mobile devices.
Service interface
What users can and can't do using the API
System C is developing a number of APIs to allow clinical application development. These APIs will enable interaction with key functionality.
The APIs are hosted as part of the System C software solution. Primary configuration is done using the main application after which the APIs can be used to transact with the system.
By calling the APIs and providing the appropriate data and application codes the API will be able to perform the desired function i.e. performing a patient transfer between beds.
Individual APIs are designed to support the user performing a specific transactional change to the system. Not all transaction support via the front end are supported within the current API set.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The degree to which customers can customise the service depends upon which components/modules of the service they are implementing. Examples of items which can be configured include:
- screen layouts
- forms / proformas
- Free text fields
- Lookup tables and values, dropdown lists
- "my favourites" or tailored homepages
- reports and dashboards
- RBAC access rights
Some elements are designed to be configured by the end-user; others can only be amended by system supervisors with the appropriate access rights.


Independence of resources
Services are based on flexible and scalable server designs layered onto virtualisation technologies. Allows horizontal scaling and vertical scaling to be implemented as required. All services are built from multiple servers so appropriate levels of scaling can be applied to specific areas to ensure application performance is maintained. The majority services delivered are from logically separate servers per customer ensuring no impact between competing needs of different customers. Where applications are multi tenanted, multiple design features prevent the impact of one user population upon another and we monitor all services proactively to anticipate and prevent problems before they occur.


Service usage metrics
Metrics types
The service metrics used will depend upon the component/module purchased. Typically, however they will include: -
- System / service availability (uptime)
- System / service incident response & resolution times
- System / service performance
- RPO / RTO timings for disaster recovery
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
We will prepare the data for take-off, and if required provide additional conversion services, as an Additional Service. As standard exported data from the System is made available in the strucutres already defined within the Business intelligence solution. We will provide support to the customer in performing any such extraction activities, and if required we will be happy to provide services to more actively assist with undertaking these tasks. This would be at additional cost and a quote based on scope of service for this would be provided by System C.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Please see the Terms and Conditions document for the Service Level Availability criteria and Service Credit information should the guaranteed availabilty levels not be met.
Approach to resilience
Available on Request
Outage reporting
All outages are recorded as part of the incident management process and should a problem be detected then the service desk will inform the customer as required.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Access and security features implement login and password policies via integration with Active Directory. RBAC capabilities further restrict logged-in users' access to data and functionality. Remote access via the internet would be expected to be facilitated via a Customer’s managed VPN. The security architecture of the system would not therefore be any different than on the Customer's local network. the software will require all users to be configured and for the user names to match the Customer’s AD accounts that control security.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Lloyd's Register Quality Assurance Ltd
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All areas of the business are covered
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
System C adopts a proactive approach to Quality and Security Management consistent with the broad principles of ISO/IEC27001 series, ISO9001 ITIL and industry leading practices. System C proactively identifies the industry and customer related legal and/or regulatory security requirements and incorporates these into the Integrated Management System Information Security Management System. Compliance is monitored by external and internal audits, security monitoring and process reviews. All personnel, whether employees, contractors, consultants or visitors, are required to comply with the Quality and Security guidelines, procedures and mechanisms and to confirm compliance annually to ensure that the Security guidelines, procedures and mechanisms are observed in the performance of the company's activities
System C has an Information Governance and Compliance Manager who reports to the company at Board level

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Configuration and Change Management processes are managed in line with ISO27001, using the JIRA IT Service Management tool. The configuration and Change Management area of JIRA is visible to our customers, allowing them to see raised Requests for Change (RFCs) and track their progress. As part of the approvals process, a Risk Assessment is performed to reduce the likelihood of a potential security impact.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
System C subscribes to multiple vendor, supplier and government (NHS Digital CareCERT) security advisory emails and all advisories are assessed for risk and applicability to our technology and services and remedial action as required is scheduled accordingly based on this assessment. Routine patches are typically applied quarterly with any deemed higher risk applied out of normal cycles as required based on the risk assessment
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
System C proactively monitors server and firewall activities for any unusual or unexpected activities that may indicate a potential attempt to breach the service. Should any such attempt be identified then appropriate remedial action will be taken in line with the assessment of the risk, typically this will include blocking source IP addresses as well as reporting to UK authorities
Incident management type
Supplier-defined controls
Incident management approach
Users report incidents using the ITIL3 aligned ITSM, JIRA. The Service Desk has full online capabilities for raising, recording and monitoring issues including real time SLA management.
We have pre-defined processes in cases such as Clinical Safety or System Down situations which trigger internal business alerts to ensure the correct teams are on hand from the start.
Users can view the progress of any issue online with real time updates and create filters and dashboards of information recorded in the system and export data when required. Reports can also be provided to the customer on a monthly basis.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)


£0 per unit per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑