Ultramed Ltd


Ultraprep is a cloud-based, integrated suite of programs used in the preparation of patients for procedures and operations. Patients create their personal Ultramed account online, complete their details and share their information securely with the healthcare provider. Ultraprep empowers patients, saves nursing time and reduces preoperative and pre-procedure assessment costs.


  • Cloud-based, on-line assessment process
  • Hosted outside of the NHS N3 firewall, reflecting AQP
  • Hosted on Microsoft servers, certified to hold PID
  • Detailed PDF Clinical Summary Report or can be EPR integrated
  • Regulatory compliance - ISB/SSCI0129, MHRA, CE mark
  • Centralised data entered in one program populates others
  • No complex IT integration, only a secure email address needed
  • Intuitive, sleek, patient user-friendly interfaces
  • Complete programs on a computer, tablet or smart phone
  • No upfront capital costs


  • Reduces referral to treatment time through one stop preop
  • Consistent assessment via robust branching clinical algorithms
  • Clinical decision support is through suggested investigations validated by nurses
  • ASA grades and ICD 10 codes identified, assisting income optimisation
  • Reduces preoperative and pre-procedure costs, as fewer face-to-face assessment appointments
  • Decreased cancellations on the day e.g. endoscopy, cardiac catheter labs
  • Opportunity for process redesign e.g. one-stop assessment clinics
  • Focus registered nursing time on clinical decision making
  • Supports move from paper to digital systems, reduces revenue costs
  • Patient convenience: fewer appointments, complete assessment in own time


£2.50 to £5.00 per instance

Service documents

G-Cloud 10


Ultramed Ltd

Dr Paul Upton

01872 248336


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Uploads of updated program versions are limited to times when patients are unlikely to be accessing the programs, this ensures data automatically cross populates between versions.
Patient education material would be customisable at full implementation
System requirements
  • Minimal impact on existing IT infrastructure
  • Reliable internet connection
  • Whole process is operating system independent, with pan-operating system compatibility
  • Supported web browsers include: IE9, IE10+, Edge, Firefox, Chrome, Safari

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within one business day, Monday to Friday and within normal business hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels Support for the Ultraprep programs, once implemented and live in an organisation, will be available during normal business hours. There are two days of onsite operational support built into the implementation phase of each contract. At any point of contact with buyers and potential buyers there is telephone and email support for enquiries. Support can also be offered in the form of live webinars. There are no additional costs for the support described.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Ultramed provide 2 days of onsite implementation support when a user begins to utilise the Ultraprep programs. Exemplar and recommended implementation action plans exist to assist users in the start-up phase of using the service. Access to the Ultramed demo site is available for users in the active phase of contract progression as is ongoing webinar training and support. User documentation exists in the form of a training manual, patient leaflets and posters. Users are encouraged to use the Ultramed website as a resource. The Ultramed headquarters team are available to assist users at any stage of implementation.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction The Ultraprep program exports Clinical Summary Reports which are delivered to the purchaser via a secure link. They are then incorporated into the EPR as part of the medical record. This represents a full data delivery, so no further data extracts are required after the end of the contract. Any audit reports for the period of the contract can be supplied as requested and invoiced.
End-of-contract process The cost of the contract includes: printing of patient cards, leaflets and posters; connection to the service via a secure email or integration with the EPR; implementation support and ongoing support during the term of the contract.
There are no additional costs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There is no difference in operability for users of the service, whether accessing using mobile or desktop
Accessibility standards WCAG 2.0 A
Accessibility testing No official testing undertaken, however a significant specialist ophthalmologist surgeon was interested in the options of different coloured backgrounds and texts for the programs.
What users can and can't do using the API The API for the input of data into the program is developed. The API for export of discrete data will be developed when the specification is received from another software provider who wishes to import Ultraprep data.
API documentation No
API sandbox or test environment No
Customisation available Yes
Description of customisation The whole program can be customised for individual customers by Ultramed, customers will not be able to modify/customise themselves.


Independence of resources The capacity of Microsoft Servers are able to scale to very large volumes to ensure users are not affected, even when demand is high.


Service usage metrics Yes
Metrics types Monthly usage, other audits available on request
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data arrives with the buyer as either a PDF or is integrated into existing systems such as an EPR. The data is then internally managed by the buyer.
Data export formats
  • CSV
  • Other
Other data export formats
  • HTML5
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • HTML
  • PDF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The supplier will use commercially reasonable endeavours to make the Services available 24 hours a day, seven days a week except for: planned maintenance and unscheduled maintenance performed outside Normal Business Hours, advance notice of which will only be given where reasonably practicable. Ultraprep is a cloud-based product and utilises Microsoft Azure SQL Cloud Servers. Microsoft Azure does not have scheduled downtimes and services are available 99.99% of the time. If an incident occurs which cannot be handled using normal procedures, a major incident will be declared and the Business Continuity Policy will be used to provide a framework for a response to the incident. An incident report will also be filed once the immediate situation is brought under control. There are currently no refund arrangements in place. Loss of service availability will be assessed on a case by case basis depending on the cause, extent and impact of the loss of availability. A root cause analysis will be performed, and practical steps to prevent further future service disruption will be put in place as part of policy.
Approach to resilience SQL database automatically creates database backups and uses Azure read-access geo-redundant storage. SQL database uses SQL server technology to create full, differential and transaction log backups for point-in-time restore to the same server that hosts the database. All backups are fully encrypted and are held for 35days.
At any one-time Microsoft Azure Cloud Servers have at least three database replicas running, one primary replica and two (or more) secondary replicas; these replicas reside in the same datacentre and the full and differential database backups are also replicated to a paired data centre (also residing in the UK) for protection against data centre outage.
Azure SQL Databases provide built in business continuity and scalability features; automatic backups, point-in-time restores and active geo-replication.
If the hardware fails on the primary replica the secondary replica takes over and a point in time restore can be performed. In case of a physical loss of a replica, a new replica is automatically created.
The Microsoft Azure Trust Centre provides significant technical, security and infrastructural information on their website.
Outage reporting The initial response to the outage will be determined by the cause. Where a Microsoft Azure Cloud Server failure occurs, Microsoft will inform Ultramed of the failure via an Outage Report. Ultramed will then use the Outage Reporting Standard Operating Procedure. Where the service outage is caused by an Ultramed process, Ultramed will directly use the Outage Reporting Standard Operating Procedure.
This Outage Reporting standard operating procedure will detail the basic steps to inform our clients, and their patients of the service downtime with an estimation of the time they can expect resumption of normal service. The Outage Reporting Standard Operating Procedure will also document Ultramed’s initial response to the Outage with a view to rapid resolution. This process will be used alongside the business continuity and incident reporting processes.

Identity and authentication

Identity and authentication
User authentication needed No
Access restrictions in management interfaces and support channels Access decisions for management interfaces and support channels are made by the Ultramed Directors and are actioned by the 3rd party software development partner at the request of the Ultramed Directors.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 As
ISO/IEC 27001 accreditation date 05/09/2017
What the ISO/IEC 27001 doesn’t cover The certification is for our 3rd party software house for development of the programme and software, the certification does not cover Ultramed internal procedures and policies.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • NHS IG toolkit level 2 compliance confirmed by NHS digital
  • SCCI0129

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Ultramed's security is managed within the Microsoft Azure relationship. Ultramed is compliant with ISB/SSCI0129 and the NHS IG Toolkit to Level 2. The 3rd party software partners are ISO/IEC 27001 certified. Ultramed has a security reporting process led by the Clinical Safety Officer.
Information security policies and processes Ultramed is compliant with the NHS Information Governance Toolkit and the Ultraprep programs are compliant with ISB/SSCI0129. In achieving compliance Ultramed have created documentation and policies consisting of various digital files: Clinical Risk Management Plan, Clinical Safety Reports, Clinical Safety Cases, Competencies of Personnel, Hazard Logs, Compliance Assessments and Safety Incident Management Logs. The compliance file for ISB/SSCI0129 provides an evidence base of compliance with this regulatory standard. The security policies and processes include but are not exclusive to, compliance with the General Data Protection Regulations 2016, a Cloud Network Security Policy, an Internal Network Security Policy.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Ultramed review all feedback and suggestions. Any proposed changes are undertaken using “Change Implementation” documentation, including risk assessment. Controls on who can action changes are determined by the Directors. Any changes to the clinical algorithm must be signed off by all stakeholders prior to live implementation. Changes are tested by Ultramed staff and Clinical Leads on the Ultraprep development site. Wider user testing on the trial site occurs before full integration. Final approval is by the Clinical Safety Officer. Versions and respective changes to the live products are tracked. There is a SOP for Clinical Algorithm sign-off, updates and access.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Microsoft Azure Cloud Server management, security and patch deployment is undertaken by Microsoft. More information can be found on the Microsoft Azure Trust Centre website. The Clinical Safety Officer is responsible for assessing vulnerability. This is assessed as part of the ongoing development process for Ultraprep, including the supporting governance structures such as IGT and ISB/SSCI0129. The clinical safety officer subscribes to several IT news-providers offering daily security updates and security news.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Governed by Microsoft Azure security processes and monitoring of program use activity by Ultramed's 3rd party software development partner. Incidents would be escalated to the Ultramed Directors and Clinical Safety Officer as a matter of urgency in accordance with the IG policy and incident reporting protocols.
Incident management type Supplier-defined controls
Incident management approach Ultramed is committed to reporting and managing incidents in a logical, honest and robust way covered by an Incident, Reporting and Management Policy. There is a readily available incident log which all staff are expected to use. It is recommended that incidents are reported by email for audit purposes, although initial alert by telephone to a Director or the Clinical Safety Officer is also an option. In business terms risk management and incidents are reported to monthly operational business meetings. In real time all parties involved are informed about the incident, the investigation and the outcomes and are supported appropriately.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2.50 to £5.00 per instance
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑