Storm ID

Lenus Digital Health and Social Care Platform

The Lenus Digital Health Platform supports an eco-system of digital health and social care services through standard FHIR Data APIs, identity, access and consent management services. It offers clinical systems a single point of integration for data gathered from patient facing digital health services. It offers a full developer toolkit.


  • Supports new care pathways that leverage patient facing digital services
  • Share data from wearables, sensors and apps to dashboards/EHR
  • Connect new and existing patient facing services via APIs
  • Apple Healthkit and Google Fit integration
  • GDPR compliant consent model
  • Enforce data interoperability using FHIR HL7
  • Custom service interfaces for clinicians
  • Remote monitoring and messaging
  • Machine assisted diagnosis and alerts


  • Support new care pathways that are preventative and continuous
  • Combine patient-monitoring with machine-assisted decision support for early intervention
  • Deliver operational efficiencies by reducing need for face-to-face contact
  • Empower patients with access to their own health data
  • Support self-management of long term conditions
  • Move the burden of care from acute setting into community
  • Enforce interoperability and security standards for patient-facing services
  • Offer single point of integration for all patient generated data
  • Open Platform with developer portal. No vendor lock-in
  • Privacy by design with GDPR compliant consent model


£250 to £20000 per instance per month

Service documents


G-Cloud 11

Service ID

6 2 2 1 3 5 7 8 3 7 7 9 4 5 9


Storm ID

Craig Turpie

0131 561 1250

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
No service constraints.
System requirements
All system requirements are supported

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours.

Response times at weekends, public and bank holidays are negotiated separately.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours.

P1 - Urgent: Complete loss of an entire service for all users or severe degradation resulting in inability to function;
P2 - High: Service functioning improperly resulting in some loss of service/system failure removing service from a number of users;
P3 - Medium: Service functioning at less than optimal performance/system problem impacting but not removing service, resolve minor bugs/site errors;
P4 - Low: Change requests.

Support services are tailored to each client and charges reflect the level of service required to support the service. Standard hourly rate is £105. A discounted rate of £95 can be had for bank of hours bought in advance.

Storm ID provide a Technical Account Manager backed up by a WebOps Team. Support can be accessed via an online ticketing system, email or phone. Enhanced support (outside office hours and at peak service use) is available optionally. Monitoring systems and alerts will be implemented with regular reports provided on service performance and support used.
Support available to third parties

Onboarding and offboarding

Getting started
To support customers using the Lenus Digital Health and Social Care Platform we offer a tailored training programme which can be delivered onsite, online or at Storm ID.

Training documentation is provided and tailored to reflect the customers unique set-up with initial telephone support made available to those who attended training.
Service documentation
Documentation formats
End-of-contract data extraction
Providers will retain the data of the user after termination of the contract. for a period of 30 days. During this period users will still be able to access the service and retrieve the data.
End-of-contract process
Included within the price of the contact will be the decommissioning of all services and the supply of the application source code.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The service management and administration user interfaces are optimised for desktop and tablet devices.

For citizen access the service is accessible on all devices and there are no differences.
Service interface
Description of service interface
A secure service interface is provided for healthcare professionals to administer the Lenus Digital Health and Social Care Platform.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Manual and automated interface accessibility testing has been undertaken but not specifically for users of assistive technologies.
What users can and can't do using the API
The Data APIs allow authorised clients to read and write physiology body measurements, vital signs, test results, nutrition and many other standard units of measurement as well as a range of resources based on the HL7 FHIRv3 standard.

Lenus protects user data with SSL while in transit and Microsoft SQL Server Transparent Data Encryption at rest. Access to these resources is locked-down by Azure Key Vault. Client applications are added to the system by a human. Only approved partners clients can access the Lenus platform.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Almost any element of the Lenus Digital Health and Social Care Platform can be customised to meet specific customer needs. Customisation is available to support the need to scale, to support specific security standards, monitoring and reporting or to provide extended help desk cover.

The Storm ID Account Manager can action any customisations to the service that is required.


Independence of resources
Virtualisation is used to ensure applications and users sharing the same infrastructure are kept apart.


Service usage metrics
Metrics types
Using tools such as web analytics and other data sources Storm ID’s Performance team monitors and measures service performance to recommend where improvements to the service can be made.

These recommendations are reviewed with our clients to determine options for continued improvement.
Reporting types
Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Data is exported from the application on request via the Storm ID Service Account Manager.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Storm guarantee that our hosted Lenus service will be available 99.95% of the time. We guarantee at least 99.99% of the time customers will have connectivity between Microsoft Azure SQL Database and the Internet gateway.

We acknowledge that if the service levels fall below the quality we commit to then penalties will be incurred to compensate clients and drive service improvement.

Financial penalties and service credits and their calculation will be agreed as part of the call-off agreement with the specific customer together with the terms and conditions and KPIs for the service.
Approach to resilience
Available on request.
Outage reporting
Email alerts.

Identity and authentication

User authentication needed
User authentication
Limited access network (for example PSN)
Access restrictions in management interfaces and support channels
Available on request
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Storm are working towards ISO/IEC 27001:2013 (ISO 27001) which is the international standard that describes best practice for an information security management system (ISMS).
Information security policies and processes
It is the policy of Storm ID to ensure that Information will be protected from a loss of:
Confidentiality: so that information is accessible only to authorised individuals.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: that authorised users have access to relevant information when required.

The Operations Director and their team review and make recommendations on the security policy, policy standards, directives, procedures, incident management and security awareness education.

Regulatory, legislative and contractual requirements are incorporated into the Information Security Policy, processes and procedures.
The requirements of the Information Security Policy, processes, and procedures are be incorporated into the Storm’s operational procedures and contractual arrangements.

Storm ID is working towards implementing the ISO27000 standards, the International Standards for Information Security.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change management processes are employed to evaluate, control and minimise risks and costs, and to maintain the standards and quality criteria planned during project delivery

Extensive documentation of the service is maintained to ensure knowledge sharing and continuity of service into Production.

Storm ID employs a self-documenting approach to writing code and supplements this, where appropriate, with technical and user guides.

We do this in order to ensure that skills and knowledge are transferred to Storm ID’s operations and support staff to enable them to efficiently deliver ongoing support and maintenance services, in accordance with agreed SLAs.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management is handled by the Microsoft, who host the Lenus service. Internal vulnerability management is handled by our WSUS management and security bulletin subscriptions, which notify us of new threats. Where necessary, manual patches are deployed.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use 3rd party 'always-on' site monitoring services to detect any potential issues with service. We use site/server logging features, enabled in the Azure service portal, to subsequently search for any malicious activity on the site. We respond within 1hr to urgent issues .
Incident management type
Supplier-defined controls
Incident management approach
Storm ID has a pre-defined process for managing common incident events. All suspected security events are reported to the Operations Director by email, telephone or in person. The Operations Director will log the incident and notify the service owner and Storm ID Support Team. The Operations Director will provide incident reports in line with incident communication strategy.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£250 to £20000 per instance per month
Discount for educational organisations
Free trial available
Description of free trial
A free developer version is available for evaluation. It includes:

Secure data store
Compatibility with HealthKit and Google Fit data models
Data APIs
Consent APIs
OpenId Connect and OAuth 2 standards
Developer documentation
1 client app
100,000 API calls per month
Throughput up to 2 requests/sec
Link to free trial

Service documents

Return to top ↑