CATCH - Common Approach to Children's Health
CATCH is a health information service which supports CCGs or LAs to easily customise and publish hyper-local health information. Designed for parents of young children, content is delivered through personalised notifications when it is most relevant, maximising the opportunity for engagement and behaviour change, reducing inappropriate service usage.
- Hyper-local customisation of content
- Integration of existing local services
- Notification through mobile app
- Analytics dashboard
- Content Management Dashboard
- Social Media Marketing
- Health promoters available to attend briefing sessions
- Information Governance compliant, no personally identifiable data
- Monitoring and updating of content
- Content available offline
- Reduce inappropriate service use
- Increase confidence to deliver care at home
- Personalised content delivery to reduce 'information overload' for parents
- Customise regional content to align with current campaigns
- Reduced workload for teams, support provided by CATCH content managers
- Review anonymised analytics by postcode or LSOA
- Increased reach of local services by linking to relevant content
- A unified information source delivered across services
£10000 to £40000 per licence per year
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Email responses within 24 hours on weekdays. Only Level 1 High Priority support available at weekends.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
Telephone and email helpdesk 09.00 to 17.00 Monday to Friday.
Technical Support Priorities and Timescales
1 (High) : Full system outage – no users at all can use the system. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Partial system outage – a significant number of users are affected. Response 10 mins. Resolve: 1 business day
3 (Low) : Minor – a handful of users or a part of the system is not working to Specification. Response: 1 hour. Resolve 5 business day
4 (Query) : Minimal impact. Response; 3 business days. Resolve 20 business days
All content requires approval by the client, the following assumes that approval has been given...
1 (High) : Incorrect Clinical Information. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Incorrect non-Clinical Information. Response 10 mins. Resolve: 1 business day
3 (Low) : Additional Information. Response: 1 hour. Resolve 5 business day
Health promoters are available to attend briefing sessions (for example GP practice forums, health visitor briefings or PLT events) and a limited number of public engagement events.
|Support available to third parties||Yes|
Onboarding and offboarding
For users of the CATCH app, no training or documentation is required. The app was designed to be intuitive with all the information required to use the app available as part of it's design.
Onsite training is available for buyers using the management portal.
|End-of-contract data extraction||
No user data is stored as part of the service, all content is available in the public domain.
Analytical data is shared with buyers regularly in open format (PDF) and can be exported at any time.
|End-of-contract process||Users of the app will be notified that their area is no longer being supported and asked to select their nearest supported region.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The mobile app is designed for parents, the desktop service is the management dashboard that focuses on customising content and viewing analytical data.|
|What users can and can't do using the API||There is a private API for communication between the content delivery network and the mobile app. We do have plans to make this API available to clients and client selected 3rd parties.|
|API sandbox or test environment||No|
|Description of customisation||All information delivered via the Content Delivery Network to the app can be customised by clients. This includes removal of any of the default health articles; adding any locally required health articles; adding and linking national and local support groups to health articles;|
|Independence of resources||The information streams are delivered via AWS's Cloud Front Content Delivery Network (CDN). Amazon CloudFront content delivery network is optimised for low latency and high data transfer speeds. A CloudFront "miss" is passed back to an auto-scalable server-less architecture.|
|Service usage metrics||Yes|
Analytics is built in to many features of the app and can be accessed through the management dashboard.
Metrics are visible as a data table, visualisation or heat map for each geographic region.
Metrics can be viewed as a whole (e.g. top 10 articles), or per article (e.g. Number of views per post-code for this content).
User Surveys are delivered through the app, responses are checked to ensure there is no risk to confidentiality and are shared with buyers to provide additional usage data.
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||European Economic Area (EEA)|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||Physical access control, complying with SSAE-16 / ISAE 3402|
|Data sanitisation process||No|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Health Information articles are stored in a SQL database and Analytics is stored in a noSQL database. Both datasets can be exported to CSV format.|
|Data export formats||CSV|
|Data import formats||Other|
|Other data import formats||
|Data protection between buyer and supplier networks||Other|
|Other protection between networks||TLS (Version 1.2 or above) and availability controlling access by IP subnet|
|Data protection within supplier network||IPsec or TLS VPN gateway|
Availability and resilience
Service Availability : 99.99% during work days, 99.9% for nights/weekends.
Unplanned Outages : Refunded at a pro-rata percentage
|Approach to resilience||
Our platform is highly resilient with 2 cacheing layers and a server-less architecture.
Firstly, Health Information is cached within the app so that if the mobile device is offline or our cloud services go down the app users can still access the information.
Secondly, the app receives Health Information updates via a Content Delivery Network that caches data from our server-less architecture. So if the server-less architecture fails then the CDN will still have a region's latest information to deliver to the mobile app.
Thirdly, the server-less architecture is very resilient in itself, as it uses an on-demand hardware resource allocation. A server is only allocated to a task as and when a data request is made.
|Outage reporting||EMail alerts have been set up to notify of any unexpected behaviour.|
Identity and authentication
|User authentication needed||No|
|Access restrictions in management interfaces and support channels||Access to the content management dashboard is via username and password with the ability to limit access by network IP range|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users receive audit information on a regular basis|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||NHS Information Governance Toolkit Version 14.1 (2017-2018)|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||NHS England Information Governance Data Protection Registration Number - ZA276533|
|Information security policies and processes||Adhere to the NHS Information Governance Toolkit Version 14.1 (2017-2018). Moving to the Data Security and Protection Toolkit after 31st March 2019 when it replaces the above IG Toolkit.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
All tasks are tracked through a Jira project management system, before being thoroughly assessed for Information Governance compliance. Once the task is completed, its progress is tracked through a cloud-based version control system.
An IG template table, according to section 14.1 - 210 (Implementation of new processes and information assets) is used for monitoring changes.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Risk assessments to identify and mitigate issues are carried out as part of a process that is compliant with the relevant aspects of NHS Information Governance Toolk
An annual review is be conducted of all active accounts to ascertain whether access controls are being governed appropriately and access will be restricted if necessary to prevent vulnerabilities in data security (IG Section 14.1 - 305, Access Control Functionality).
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Our Content Delivery Network accepts only well-formed connections to prevent many common DDoS attacks, like SYN floods and UDP reflection attacks. It can also automatically close connections that are unusually slow, which can indicate a potential DDoS attack.
Automatic "Watchers" are assigned to all delivery systems that notify upon specific trigger values being exceeded. Any threats to our service are identified and resolved within 1 business hour.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||As specified in the Information Governance documentation, section 14.1 - 320 (Incident management and reporting), all incidents and near-misses which arise must be reported. This is done via the Incident Report Form sent to the IG lead, followed by a management meeting, from which appropriate action is taken. All staff have received training on how to find, fill out and submit the Form. Incidents must subsequently be submitted through the Incident Reporting Tool by the IG lead.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£10000 to £40000 per licence per year|
|Discount for educational organisations||No|
|Free trial available||No|