HealthMachine
HealthMachine is a web- and tablet-based care management platform. HealthMachine empowers clinical teams to provide personalised, evidence-based care at scale. It's a highly configurable system that can be adapted to the specific needs of different pathways. It helps coordinate care, reduce unwanted variation, and release capacity.
Features
- Digital Pathway & Care Protocol management
- Workflow management & capacity planning tools
- Personalised care plans & digital PROMs
- Appointment/session booking, cancellation, management
- Real-time pathway metrics and analytics
- Configurable to any pathway
- Online & mobile patient portal
- eCRF & clinical trial data collection
- Risk stratification & clinical alerts
- Remote patient management, monitoring & consultation
Benefits
- Reduce unwanted variation in care
- Reduce waiting times & wait lists
- Automate admin & increase capacity
- Tailor care plans to individual patient need
- Reduce costs of service by increasing efficiency & reducing readmissions
- Improve adherence to evidence-based pathways
- Increase patient self-management, engagement & activation
- Decrease trial costs with scalable data collection
- Improve PROMs, increase patient satisfaction with care
- Enable remote monitoring, management and consultations
Pricing
£250 to £450 a licence a month
- Education pricing available
- Free trial available
Framework
G-Cloud 12
Service ID
621145445743786
Contact
Avegen Ltd
Nayan Kalnad
Telephone: 07837810251
Email: nayan@avegenhealth.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- Requires internet access and modern, up-to-date browser.
- System requirements
-
- Internet connection
- Modern, up-to-date browser
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
For critical and major issues:
UK business hours: 1 hour.
Out of hours: 3 hours.
Weekends: specific to each customer/contract.
Custom SLAs can be agreed with each buyer, to fit the needs of the service/team.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
License/subscription fee includes email-based support during UK business hours. In extraordinary circumstances, same-day, emergency onsite support is available.
Additional support is available at extra cost, using the SFIA framework pricing.
Each customer is assigned a customer services specialist.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Implementations start with requirements gathering for the customer's specific pathway and data needs. Then, our development team configure the customer's account with their specific data fields, forms, alerts, reports, and users/permissions.
Users are provided UAT/test system logins before go-live. Onsite training is provided before go-live. We provide onsite support on the day of launch plus one follow-up training/Q&A day within 2-3 weeks or as needed.
All users receive a digital training manual. We also provide top-up online training via video calls. Online training videos/walkthroughs are also available.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
-
When a contract ends, we agree on a final service date with the customer after which no additional data will be entered or changed in the system. Our team then prepares an extract of all data belonging to that customer's account. The data are extracted in multiple CSV files as needed, encrypted, and shared with the customer in a secure, encrypted manner.
Data can also be exported via JSON API and FHIR API.
- End-of-contract process
-
Once the customer confirms that their data set is complete, we delete the data from our servers (subject to any other data retention requirements). Our standard SLA is to return all data and delete from our servers within one month of contract end date (subject to individual agreement and depends on size of the dataset).
Once the contract is over and data return/deletion is complete, we delete the customer's account and all user access. There are no additional costs.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Microsoft Edge
- Firefox
- Chrome
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
HealthMachine has an optional tablet app for clinical teams that is optimised for tablet UX and touch-screen data entry. It also enables offline working for remote and community teams. Not all web features are available on tablet. To use the tablet app, users must also have the web interface.
We also offer a patient mobile phone app, called MyCare. This is an add-on and is configurable to each customer organisation's needs.
- Service interface
- No
- API
- Yes
- What users can and can't do using the API
- APIs can be used for system integration, such as updating patient information and appointment details in both directions (to and from an EMR or PAS).
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
HealthMachine can be configured to the needs of specific individual pathways. Pathway states, forms, data fields, PDFs, and reports can be configured to specific pathway requirements. The system can also be translated into most languages. Logo, landing page, and URL can be white-labelled.
Our standalone mobile patient application, called MyCare, can be integrated with HealthMachine. It allows for better self-management by the patient. This application can also be white-labelled, meaning providers can add their own brand name, logo and colours.
Scaling
- Independence of resources
-
We leverage the cloud-based autoscaling capabilities of the AWS platform, such as highly available and scalable ElastiCache, RDS and ALB. Additionally, monitoring is in place to alert the ops team about unusual loads, so that manual intervention can happen as needed.
We also have network-layer throttling mechanisms in place to protect users from malicious, unusually high loads (e.g., DDoS attacks).
Analytics
- Service usage metrics
- Yes
- Metrics types
-
HealthMachine is designed to make customers' pathway data accessible and usable.
Clinical/Pathway: patient volumes; patient journey mapping; activity volume; clinical outcomes; time series outcome analysis; PROMs
Operational: team capacity/utilisation; efficiency gains/savings; progress towards KPIs.
Usage: audit trail data; user sessions; user activities (calls made, appointments booked).
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
-
An individual user (clinician or nurse) can export some data into Excel or CSV formats. An organisation (e.g., a clinical department) can request an extraction of patient-level data via support ticket. Authorised access to the REST API can also be provided for customers to export data programmatically.
Individual patients cannot access the system; however, we are able to support individual subject access rights requests via support tickets that come from clinical users.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- Excel (xlsx)
- Data import formats
-
- CSV
- Other
- Other data import formats
-
- JSON/REST API
- FHIR API
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
- All servers behind the firewall are in a virtual private cloud (VPC).
Availability and resilience
- Guaranteed availability
-
Standard service level agreement stipulates 99.9% availability.
For any unplanned outage of more than one hour during customer working hours, we will credit the pro-rated value on the next invoice.
- Approach to resilience
-
We have BCP and DR SOPs in place, which are reviewed annually; drills are practised quarterly. All data are backed up securely offsite on a periodic basis.
More details available on request.
- Outage reporting
-
All users receive email alerts with outage details, resolution ETAs, and updates until service is back up and running.
There is an API which can be made available to customers upon request.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Support and firefighter access is provided strictly on request. Support personnel do not have open-ended access. All support access is designed to fully mask any personally identifiable information (PII). Only system-internal IDs are exposed to the support interface for troubleshooting.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- DNV
- ISO/IEC 27001 accreditation date
- 07/07/20
- What the ISO/IEC 27001 doesn’t cover
- Marketing & Sales processes.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
-
- NHS Data Security and Protection Toolkit (DSPT)
- ISO 27001
- ISO 9001
- ISO 13485 in Process
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
-
ISO 13485 certification is currently in-process.
NHS DSPT completed with a score of 100% (March 2019).
- Information security policies and processes
-
We follow processes that align to GxP and ISO 27001 standards. We have clearly defined and documented SOPs and policies for:
- data protection,
- breach/incident management,
- record retention,
- access control,
- systems & operational security,
- recruitment, contracting & supplier policies,
- cryptography policy,
- change management controls,
- data transfer policy.
All employees are trained on information security policies and quizzed. All policies and SOPs are reviewed and updated at least once per year.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
We follow a documented change control & configuration management process. Every change is classified and assessed for impact on safety, security, system impact, testability & maintenance, scalability, customer impact, and business impact/cost-benefit. Changes must be approved before being added to a sprint.
All baseline and customer-specific configurations are documented in the configuration library.
Every change goes through a rigorous QA process, which is fully documented. Changes are only released once all QA criteria are met. QA pass criteria, results, screenshots, and release notes are stored internally. Customers are notified of any customer-visible changes to their configuration via release notes email.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
We follow processes that align to ISO 27001.
User access rights: all users are granted permissions only for the systems they require; access is restricted by default and granted if needed.
Security patching: patches are deployed based on criticality, with critical/high deployed as soon as possible once validated. All patches are tracked and logged.
Malware/virus scans: all systems have anti-malware/virus software which is regularly updated and scans on a schedule.
Systems/networks are monitored for unusual activity. Any remediating actions are assessed and carried out as per SOPs.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Compromise prevention: server access is restricted using security groups, which are reviewed every 90 days. Only necessary ports are opened, and only for the IP addresses the application requires. Server OS configuration audits are carried out by a third party.
Compromise identification: all access and changes are logged; audit log is reviewed for suspicious activity.
Potential compromises are flagged and escalated immediately for further investigation. If appropriate, suspected user accounts are suspended immediately. Any confirmed compromises are reported to IG and ICO teams as per SOPs.
We aim to respond to incidents within 4 hours of detection.
- Incident management type
- Supplier-defined controls
- Incident management approach
- We follow an incident management SOP that aligns to the NHS DSPT guidelines and ISO 27001. We have pre-defined SOPs for events such as internal PII exposure, suspected compromised accounts, and disaster recovery. Users report incidents via email or phone, which are then escalated to senior management, DPO, ICO, and client organisation. Incident reports are provided digitally as per agreement with customer.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £250 to £450 a licence a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- 3-month free trial available. Includes standard-setup system access. Some features may be restricted/unavailable during free trial. No custom reports, custom configurations, or integrations in free trial period.
- Link to free trial
- https://www.healthmachine.io/