A flexible, computer-aided dispatch, compliance, booking and governance tool which co-ordinates the flow of people and resources around a health and social care setting. Designed to support the efficient flow of patients and service users to, from and between settings (e.g. NEPTS) whilst ensuring compliance and efficient use of resources.
- CAD: Simple effective journey route planning for NEPTS
- Governance Staff and vehicle: ensuring compliance and safety for PTS
- APT: auto planning of journeys to resources, increased resource efficiencies
- Marketplace Shifts: auto gather quotes from providers for shift cover
- Marketplace Journeys: auto gather quotes from providers for journey cover
- Contract Management: report in real-time KPI compliance
- Reporting: live reporting of service levels and resource allocations
- Live Vehicle Monitoring: monitor resources in real-time
- Guided Care: Support service-user decision making in accessing services
- Quality and Governance module driving compliance across all contracts
- Cloud based, accessible on online devices, no server costs
- Self-management patient app – book, manage and control own transport
- Live mapping to track drivers, patients and all resources
- Marketplace module - dynamic purchasing system for additional resource
- Dynamic eligibility creating the ground-breaking Single Patient Transport Record
- Open two-way API for interoperability and integration
- Live auto-planning for more efficient management of resources
- Fully audited with user defined access rights driving visibility
- Efficiency though real-time reporting and live communications between driver/patient/HCP
£100 per user per year
0333 2027 365
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Our team will respond to questions within the following support level response timeframes:
Critical: within 60 minutes e.g. website portal is inaccessible, returning 500 error or 404 error.
Serious: within 90 minutes e.g. website portal is accessible, but unable to perform vital function such as assign staff member to journey.
Moderate: within 2 hours e.g. website portal is accessible, but unable to perform functions which are not vital to service delivery such as access staff record details.
Minor: within 4 hours e.g. website portal is accessible, but unable to perform functions which are not vital to service delivery.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.0 AAA|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
We provide a single all-inclusive Level of Support. The cost depends on customer size and usage as determined by the Pricing Document. Help desk facility available between 09:00 to 17:00 Monday to Friday with a 24/7 Out-of-Hours emergency line. Our team provide the following support:
• Assist Users with configuration of the platform
• Assist Users with any issues related to proper use of the platform
• Determine and fix errors in the platform
Our team will respond to requests made through the help desk in accordance with the following support levels:
Critical: within 60 minutes e.g. where the website portal is inaccessible, returning 500 error or 404 error.
Serious: within 90 minutes e.g. where the website portal is accessible, but unable to perform vital function such as assign staff member to journey.
Moderate: within 2 hours e.g. where the website portal is accessible, but unable to perform functions which are not vital to service delivery such as access staff record details.
Minor: within 4 hours e.g. where the website portal is accessible, but unable to perform functions which are not vital to service delivery.
We provide a technical account engineer and cloud support engineer as part of our service.
|Support available to third parties||No|
Onboarding and offboarding
We have comprehensive and user-friendly onboarding and offboarding processes.
We carry our clear and positive engagement with key stakeholders including users to ensure we gather the correct customer requirements.
During the mobilisation stage, we work with our customers to develop a detailed project plan which includes user training and support.
Train the Trainer sessions are agreed and scheduled for local experts/super users who will be admin users locally.
We also provide general system training to non-admin user groups via on-site training or by webex style remote training sessions.
Training guides and reference documents are also provided to support users to start using the service quickly and effectively.
Our post go-live support includes scheduling an agreed set of reviews to ensure that the users are using the service and all training needs are being met.
|End-of-contract data extraction||As part of the termination process, an offer will be made to provide a data extract to the customer. If accepted a CSV data extraction will be compiled, strongly encrypted and securely delivered to the customer.|
As part of the termination process, an offer will be made to provide a data extract to the customer. If accepted a CSV data extraction will be compiled, strongly encrypted and securely delivered to the customer.
The customer will be offered the option of 365 Response securely hosting the encrypted termination data extraction for a specified period.
At the date of termination all customer data will be fully and irreversibly deleted from the platform and no further live use of the platform will be possible by the customer.
A termination agreement will be signed by both parties which will determine the terms, duration and nature of any retention by 365 Response of a termination data extraction. There is an additional cost for data extraction which is determined as per the Pricing Document.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None.|
|Accessibility standards||None or don’t know|
|Description of accessibility||Publicly available service through web domain Https://portal.healthcab.co.uk|
To ensure that users could use our service and service interface effectively, we carried out wide-ranging engagement and interface testing with patients using our App.
Prior to starting development on our Patient App, we spoke with users of assistive technology to understand what features they would like to see on the app and how they would feel using it to manage their transport requirements. The age range of patients we engaged with was mixed with a higher proportion of elderly users. The feedback provided was positive, with patients saying that they found the App easy to download and use.
Further engagement was carried out during the development stage, where we engaged with the Kidney Patient Association at the renal unit in St James University Hospital in Leeds and patients dialysing at the unit to test our App.
|What users can and can't do using the API||
Our API is RESTful, it is encrypted with an SSL TLS 1.2 SHA256 with RSA and secured using token based authentication, which the user (requester) can request using a valid username and API key within a GET request. The token will remain valid for 180 minutes after which a new token will need to be requested.
The API allows access to journey information, enabling the requester to GET and/or POST journey details and timestamps. The requester will not be able to Get any patient identifiable data, DELETE journey data or ACCESS the API without an authenticated token.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Users with authority to customise (as determined by their security settings) can fully configure our service by setting up their own values in the system fields. Users can create tailored lists of options to allow for entry of bespoke user-specific terminology, enabling the application to be customised to their business sector.
For example, users can customise the values provided in drop-down menus with the contracts they have, the services they provide, the bases they operate from etc. Within certain areas of the system, the user can setup user defined fields which allow the label, data type and validation of the new field to be configured. Users can also set up customised logos and welcome messages.
|Independence of resources||The application runs on the Microsoft Azure platform which provide analytical information. We continuously monitor the performance analytics of the system for customers and if due to increased load the performance metrics deteriorate we are able to provision additional system capacity on demand to restore performance.|
|Service usage metrics||Yes|
|Metrics types||The system is hosted on the Microsoft Azure Platform, due to this we have taken advantage of the module "Application Insights”, this allow access to live information such as resource utilization, page loading times and response times, number of successful request and bad request. The system also records the number of live and active users which is available to view on the system by other administrators.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||In normal use, users can export data through inbuilt export tools such as MDS export templates. Data extracts can also be supplied by 365 Response as an additional service where the user does not wish to or is unable to complete a complex bespoke export.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
We guarantee the following level of availability:
Monthly uptime guarantee 99.95%
Monthly Uptime % = (Maximum Available Minutes-Downtime) / Maximum Available Minutes
Scheduled maintenance excluded. If service availability falls below the guaranteed level, customers are recompensed via service credits.
|Approach to resilience||Our service is designed with a high level of resilience and includes the Microsoft Azure platform which uses primary hosting in UK South (London) and continuously carries out geo-replication to UK West (Cardiff). In the event of UK South failure, hosting will restart without interruption in UK West. Sessions are stored within the database to ensure continuity in the event of failover. Comprehensive details of the data centre resilience can be found on the Microsoft Azure website.|
Service outages are reported via Microsoft Azure notification to our Development Team.
Key customer contacts are notified of outages within 60 minutes via email.
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Inbuilt user security allows customisation of access to all areas. This can be used to restrict access in management interfaces and support channels, to read only, full control or no access to each screen.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||NQA|
|ISO/IEC 27001 accreditation date||30/01/2017|
|What the ISO/IEC 27001 doesn’t cover||All areas of our service are covered by ISO/IEC 27001 certification.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our information security policies and processes are as follows::
• Information Governance and Framework Policy
• Acceptable Use Policy
• Access Control Policy
• Confidentiality and Data Protection Policy
• Disaster Recovery and Business Continuity Plan
• Information Security Policy
• Information Sharing Policy
• Information Quality and Record Management Policy
• Safeguarding Policy
• Subject Access Requests Policy
Polices are ratified at Board Level and cascaded to all staff by means of access to a shared policy folder. All new employees are notified of the process at induction. All policies are reveiwed annually.
As part of our ISO27001 accreditation, regular audits are carried out on each department; this enables us to ensure that policies are being adhered to correctly.
All staff are notified of any changes to policies and are informed by the Information Governance Lead when they are updated. All staff are responsible for accessing policies and ensuring they remain aware of them.
Our reporting structure is in line with Information Governance requirements. The Accountable Officer has overall responsibility and is supported by our Caldicott Guardian, Senior Information Risk Officer and Information Governance Lead.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Our configuration and change management process provides guidance for new system/service or change to an exisiting system/service:
• Privacy Impact Assessment completed (PIA).
• Meeting arranged with IG Lead to review responses and discuss sufficient concerns to justify the completion of PIA.
• IG Lead assesses completed PIA with consideration for potential security impact and legal compliance.
• If PIA identifies further IG issues, an action plan is developed on risk mitigation.
• Action plan is given to IG Lead for discussion with the Senior Information Risk Owner.
• All service components are tracked through version control during their lifetime.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Our vulnerability management process conforms to the ISO 27001 standard.
We enter technical and operational vulnerabilities onto our corporate risk register.
Risks and vulnerabilities are judged by likelihood and impact then given a risk rating. Any high-level risks are logged and discussed by the Senior Management Team who decide if we should treat, transfer, tolerate or terminate that risk.
365 Response patches Anti-Malware and software vulnerabilities systems when a computer is in use at least every 4 hours. We also report on the effectiveness of these systems monthly.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
365 Response use protective controls selected from ISO27001. The Statement of Applicability which lists controls is available.
We engage 3rd party suppliers to monitor our cloud based and internal systems.
Potential compromises are logged under our event and incident management process. All staff have responsibility to identify operational or technology related risks; we implement anti malware and virus technology, firewalls and technical vulnerability scanning. We respond to incidents and events immediately to understand, classify, act upon the threat if necessary. We have a security meeting to discuss recent events, incidents and operation problems affecting any of our information security systems.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Our Incident Management process ensures all incidents are managed and investigated correctly; and lessons learnt shared:
• Incidents can be reported internally, via email or telephone.
• On incident receipt, details are recorded onto an incident report form which is stored securely.
• The Compliance Team assigns an Incident Lead Officer.
• All remedial actions are completed to mitigate risk of recurrence and prevent further harm to service users/staff.
• External agencies are notified and the incident is graded.
• Incident management stages include investigation, analysis and reporting, follow-up, monitoring of actions, feedback. Reports are generated in Word format template.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£100 per user per year|
|Discount for educational organisations||No|
|Free trial available||No|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|