Ampersand Health

HealthSuite (Clinician Counterpart to My Care Apps)

Ampersand Healthsuite is a collaborative self management platform. It comprises apps for patients with a variety of long term conditions; and a cloud based portal which allows clinicians to review their patients' data and intervene as necessary. It supports increased patient activation and a safe reduction in outpatient appointments.


  • Rule-based, semi-automated communication with patients
  • Maintenance of a personal, portable health record
  • Care plan management including appointment and medication reminders
  • Guidance and support from national charities and patient organisations
  • Real time reporting and analytics, per patient, department or hospital
  • Custom messaging to and from patients


  • Safely reduce outpatient appointments (by 47%)
  • Improve patient satisfaction (85% prefer our model to traditional models)
  • Reduce work up times (by 30%) and improve care quality
  • Reduce waiting times for patients that need to be seen


£12000 to £26500 per licence per year

Service documents

G-Cloud 11


Ampersand Health

Nader Alaghband


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Our uptime SLA for the HealthSuite platform is 99.9% which allows for 10m 4.8s of downtime per week or 43m 49.7s per month for maintenance updates and feature deployments to occur. Our deployments and upgrade windows are typically managed for a late Monday deployment window between 18:00 and 19:00 and averages a few minutes of downtime.
System requirements No additional service requirements are necessary.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We respond to queries during business hours (8am-8pm Monday to Friday). We will normally respond within an hour.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels There is only a single core service level provided by the HealthSuite platform which is included in the service cost.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Onsite training is provided with all clinical stakeholders, particularly Clinical Nurse Specialists. This is emphasised in the first 3 months of the contract start and includes training on the clinical platform as well as how to ensure embeddedness, routinisation and patient adoption. Quarterly, refresher online training is provided following the initial 3 months. Recorded webinars are also available. Provision of Quick Start Guide and workflow diagrams are also provided, so Clinical Nurse Specialists and other users are clear when they should be responding to patient data submissions and how this is incorporated into their workflow.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Documentation is built into the product
  • Provides new feature overviews and overlays
End-of-contract data extraction Clinical teams with active licenses are able to extract data in machine readable format using the export functionality built into the clinical portal. Data can also be extracted for a period after termination of the contract by contacting support.
End-of-contract process In the event that a renewal is not agreed:

- Patients will be notified in advance that their hospital is de-linking from the platform, by email and push notification. They will be able to continue to use the app to manage their condition (for free), but will no longer be able to send data to, or receive communications from, their hospital. Should they choose to stop using the app, they will be able to download a copy of the information held in the app in machine readable format.

- Hospital admins will similarly be able to request information from the portal in machine readable format, subject to the terms of the Data Sharing Agreement remaining in force. The hospital account will be deactivated and data will be retained to ensure Ampersand can fulfil its statutory obligations and the hospital can easily re-activate the account should it so choose.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The clinical portal for HealthSuite is a responsive website that can be used on mobile devices. A mobile native solution is in progress.
Customisation available Yes
Description of customisation Customisations to the service are limited to:
- Creation and management of patient cohorts registered with the clinical group
- Messaging features to individual patients or multiple patients through a cohort
- Additional PROMs are supported where necessary and can be configured with assistance from the HealthSuite support team


Independence of resources The platform infrastructure for HealthSuite is elastic based on usage metrics and server performance which allows the platform to auto scale-out and scale-up based on demand.


Service usage metrics Yes
Metrics types Service metrics are included in the HealthSuite clinical portal and include:
- Patient activity over time
- Metrics on PROM and health trackers.

We can provide granular metrics relating to general app usage, subject to agreement.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Data export is only permitted by clinical staff with appropriate permissions to extract data provided within the HealthSuite clinical portal. All exports are audited and configurable at the time of export.
Data export formats CSV
Data import formats Other
Other data import formats Data imports to the clinical portal are not supported

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Our contractural SLA for operational up-time is 99.9% though we strive to achieve 99.99% uptime across all services.

This allows for weekly downtime of 10m 4.8s where necessary for service upgrades and updates that are live impacting. Where possible we aim to reduce our downtime through strategic updates where service impact is measured in seconds.
Approach to resilience We rely on public cloud services to manage resiliency in our infrastructure and HealthSuite platform operations. At a high level we we employ the latest technologies to provide a scale out architecture that grows in near real-time to adapt to increases and decreases in platform utilisation.

More detailed information is available upon request.
Outage reporting We report service outages through both email and the HealthSuite clinical portal.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels User rights access and management is controlled through the implementation of granular roles based access controls which are mapped to necessary functionality and flexible enough for users to be granted or restricted access based on the needs of the user and organisation.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • IEC 62304
  • CE Mark

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards CSA CCM version 3.0
Information security policies and processes Our ISMS standard operating procedures are managed within our QMS as controlled documents. All operating procedures and policies are signed off at the executive level and training is managed and documented through our QMS.

The ISMS SOP and policy documents are reviewed and revised quarterly.

Operating procedure documents include the following:

- Software configuration management
- Server security and hardening standards
- Security incident management
- Implementing and managing audit trails
- Business continuity
- Server decomissioning
- Network creation and secure access
- Authorised access and controls to secured data assets

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Configuration and change management is managed through our agile processes as outlined within our SDLC. All requirements are captured as stories, including success criteria, using Jira and linked to all code and configuration changes which are tracked over time using source control management tools. Through our agile methodology risk assessments are made to changes relating to all data processed including security threat modelling and managed through the same agile process resulting in manual and automated tests that are processes, in whole, for every change made within the system. This process also applies to infrastructure changes and migrations.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We track Mirtre CVE threats for servers, services and components used in the development and operation of the HealthSuite platform. In addition to this we monitor and track changes and vulnerabilities in all open source components that we use and have automated alerting systems in place to notify us of critical vulnerabilities which are then managed through our agile process. Each vulnerability is triaged and tested with the highest priority and managed through to delivery and operational rollout.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach The HealthSuite platform is segmented by public and private network and all inbound and outbound connections are logged and monitored via our intrusion detection and prevention services. All network attempts to our private network are also monitored and logged including egress attempts to external networks, which are limited by restrictive firewall rules.

The HealthSuite platform infrastructure employs intrusion detection, denial of service mitigation and progressive ip banning which are all logged and reported in real time through our alerting systems.

Intrusion attempts are logged as incident reports and treated as high priority for immediate review and remediation.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Common incident management processes are included as part of our quality management system which relevant staff are trained on. Users may report incidents via email and phone and soon directly via the clinical portal. All incidents are tracked via our service delivery and incident management tools and are available to users as a pdf sent via email each month.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £12000 to £26500 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial App is available from the Appstore free of charge for patients. We can provide a 3 - 4 month pilot of the clinical platform for Trusts. This can be a live trial with live patients, when Information Governance DPIA is approved.
Link to free trial

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑