Our Mobile Health

Assessment of Digital Health Apps & Wearables (Cloud-based)

We provide an assessment service using the latest NHS health apps and wearables standards for digital health services. Our cloud-based solution includes a self-assessment and expert review. The owner of an app or wearable receives confidential feedback and guidance from our many expert assessors to improve their product.


  • Assessment to NHS Digital standards
  • Automated workflow and reminders
  • Information gathering uses conditional branching, ensuring only relevant questions are asked
  • Online consultancy to assist app/wearable owners being assessed
  • Hugely experienced team always on call
  • Always up-to-date with current/upcoming regulation, standards & best practice
  • Independent expert reviewers


  • Assessment to the highest standards
  • Ensure compliance with all relevant laws, regulations & standards
  • Expertise on tap to assist with successful assessment
  • Only ever get relevant information requests
  • Preserves anonymity of reviewers whilst enabling follow-up questions & responses
  • Works completely independently of the location of any participant
  • Efficient automated process


£3200 per unit per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

632744468093262


Our Mobile Health

Julie Bretland

07799 133 598


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
Internet Connectivity

User support

Email or online ticketing support
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our standard support is 2 working days response time within the following times, included in the service cost.
Normal Working Week: Monday to Friday, excluding Bank Holidays and between Christmas and New Year.
Normal Working Day: 09.00-17.00 - 7.5 hours excluding Bank Holidays and between Christmas and New Year.
Office hours 09.00-17.00 Monday-Friday excluding Bank Holidays and between Christmas and New Year.
Alternative levels of support including onsite support can be organised by special arrangement.
Support available to third parties

Onboarding and offboarding

Getting started
We provide user documentation online as well as training over the phone or by video call. Onsite training and workshops can be provided by arrangement.

The onboarding process is straightforward; the participants are each sent a welcome email when their accounts are created. On clicking the hyperlink within the email, each user must first set their password. Once logged in, the user is presented with a set of structured questions behind which there is branched logic and an automatic scoring system.

As the assessment is progressed, the user is provided with guidance throughout the process.
Service documentation
Documentation formats
End-of-contract data extraction
On request, an OMH administrator with the necessary security permissions is able to extract the relevant data into a CSV file.
End-of-contract process
There are no additional costs at the end of a contract.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There is no difference as the solution is completely web-based.
Service interface
Customisation available
Description of customisation
The buyer may choose to limit or expand the scope of an assessment for a mobile application.


Independence of resources
Automated monitoring offers 24x7 immediate notification and escalation to our operational teams providing around-the-clock network, application, and server support. A link from our website provides any user with the current status of the platform.


Service usage metrics
Metrics types
The user is able to review progress through the dashboards and it is possible to generate custom reports on request.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
On request to our administrators by phone or email.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Our assessment solution is based on a proven third party platform that offers an uptime SLO of 99.9%.
Approach to resilience
Our solution is a customised set of forms and questionnaires using a proven third party platform. This is a tried and tested architecture with resilience designed into their system architecture and they maintain an SLO that exceeds 99.9% availability.
Outage reporting
Automated monitoring offers 24x7 immediate notification and escalation to our operational teams providing around-the-clock network, application, and server support. A link from our website provides real-time status of the platform. Email alerts are automatically sent to OMH's support team.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
Unique API token for each user to automate login process.
Access restrictions in management interfaces and support channels
Management interfaces and support channels are restricted through the user permissions granted to each user role. By default, users do not have management or administrator access.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We are in the process of working towards ISO/IEC 27001
Information security policies and processes
OMH has an Information Security Policy. The CTO and CEO discuss security standards and requirements at the monthly meeting and ad hoc as necessary to cater for changes.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The development team uses an agile development methodology. The development team employs secure coding techniques and best practices that are described by The Open Web Application Security Project (OWASP). Developers are formally trained in secure web application development practices at least annually. We also use a peer-review model to ensure code complies with stated objectives.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our third-party supplier is responsible for monitoring and managing any vulnerabilities. Any changes are managed and released through their change control process and are documented in their releases.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The platform that delivers our solution is actively monitored in real time, ensuring that potential compromises are responded to at the earliest opportunity.
Incident management type
Supplier-defined controls
Incident management approach
Incidents can be reported by email or phone to our support team where they will be logged and prioritised (P1-P3) accordingly. Updates and incident resolution will be fed back by email.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£3200 per unit per year
Discount for educational organisations
Free trial available
Description of free trial
A trial may be made available on request
