Ampersand Health

HealthSuite (Clinician Counterpart to My Care Apps)

Ampersand Healthsuite is a collaborative self management platform. It comprises apps for patients with a variety of long term conditions; and a cloud based portal which allows clinicians to review their patients' data and intervene as necessary. It supports increased patient activation and a safe reduction in outpatient appointments.


  • Rule-based, semi-automated communication with patients
  • Maintenance of a personal, portable health record
  • Care plan management including appointment and medication reminders
  • Guidance and support from national charities and patient organisations
  • Real time reporting and analytics, per patient, department or hospital
  • Custom messaging to and from patients


  • Safely reduce outpatient appointments (by 47%)
  • Improve patient satisfaction (85% prefer our model to traditional models)
  • Reduce work up times (by 30%) and improve care quality
  • Reduce waiting times for patients that need to be seen


£12,000 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

6 8 7 0 9 9 8 2 8 1 7 2 7 4 2


Ampersand Health Nader Alaghband
Telephone: 02071127100

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Our uptime SLA for the HealthSuite platform is 99.9% which allows for 10m 4.8s of downtime per week or 43m 49.7s per month for maintenance updates and feature deployments to occur. Our deployments and upgrade windows are typically managed for a late Monday deployment window between 18:00 and 19:00 and averages a few minutes of downtime.
System requirements
No additional service requirements are necessary.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We respond to queries during business hours (8am-8pm Monday to Friday). We will normally respond within an hour.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
There is only a single core service level provided by the HealthSuite platform which is included in the service cost.
Support available to third parties

Onboarding and offboarding

Getting started
Onsite training is provided with all clinical stakeholders, particularly Clinical Nurse Specialists. This is emphasised in the first 3 months of the contract start and includes training on the clinical platform as well as how to ensure embeddedness, routinisation and patient adoption. Quarterly, refresher online training is provided following the initial 3 months. Recorded webinars are also available. Provision of Quick Start Guide and workflow diagrams are also provided, so Clinical Nurse Specialists and other users are clear when they should be responding to patient data submissions and how this is incorporated into their workflow.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Documentation is built into the product
  • Provides new feature overviews and overlays
End-of-contract data extraction
Clinical teams with active licenses are able to extract data in machine readable format using the export functionality built into the clinical portal. Data can also be extracted for a period after termination of the contract by contacting support.
End-of-contract process
In the event that a renewal is not agreed:

- Patients will be notified in advance that their hospital is de-linking from the platform, by email and push notification. They will be able to continue to use the app to manage their condition (for free), but will no longer be able to send data to, or receive communications from, their hospital. Should they choose to stop using the app, they will be able to download a copy of the information held in the app in machine readable format.

- Hospital admins will similarly be able to request information from the portal in machine readable format, subject to the terms of the Data Sharing Agreement remaining in force. The hospital account will be deactivated and data will be retained to ensure Ampersand can fulfil its statutory obligations and the hospital can easily re-activate the account should it so choose.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The clinical portal for HealthSuite is a responsive website that can be used on mobile devices. A mobile native solution is in progress.
Service interface
Customisation available
Description of customisation
Customisations to the service are limited to:
- Creation and management of patient cohorts registered with the clinical group
- Messaging features to individual patients or multiple patients through a cohort
- Additional PROMs are supported where necessary and can be configured with assistance from the HealthSuite support team


Independence of resources
The platform infrastructure for HealthSuite is elastic based on usage metrics and server performance which allows the platform to auto scale-out and scale-up based on demand.


Service usage metrics
Metrics types
Service metrics are included in the HealthSuite clinical portal and include:
- Patient activity over time
- Metrics on PROM and health trackers.

We can provide granular metrics relating to general app usage, subject to agreement.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Data export is only permitted by clinical staff with appropriate permissions to extract data provided within the HealthSuite clinical portal. All exports are audited and configurable at the time of export.
Data export formats
Data import formats
Other data import formats
Data imports to the clinical portal are not supported

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Our contractural SLA for operational up-time is 99.9% though we strive to achieve 99.99% uptime across all services.

This allows for weekly downtime of 10m 4.8s where necessary for service upgrades and updates that are live impacting. Where possible we aim to reduce our downtime through strategic updates where service impact is measured in seconds.
Approach to resilience
We rely on public cloud services to manage resiliency in our infrastructure and HealthSuite platform operations. At a high level we we employ the latest technologies to provide a scale out architecture that grows in near real-time to adapt to increases and decreases in platform utilisation.

More detailed information is available upon request.
Outage reporting
We report service outages through both email and the HealthSuite clinical portal.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
User rights access and management is controlled through the implementation of granular roles based access controls which are mapped to necessary functionality and flexible enough for users to be granted or restricted access based on the needs of the user and organisation.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • IEC 62304
  • CE Mark

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
CSA CCM version 3.0
Information security policies and processes
Our ISMS standard operating procedures are managed within our QMS as controlled documents. All operating procedures and policies are signed off at the executive level and training is managed and documented through our QMS.

The ISMS SOP and policy documents are reviewed and revised quarterly.

Operating procedure documents include the following:

- Software configuration management
- Server security and hardening standards
- Security incident management
- Implementing and managing audit trails
- Business continuity
- Server decommissioning
- Network creation and secure access
- Authorised access and controls to secured data assets

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Configuration and change management is managed through our agile processes as outlined within our SDLC. All requirements are captured as stories, including success criteria, using Jira and linked to all code and configuration changes which are tracked over time using source control management tools. Through our agile methodology risk assessments are made to changes relating to all data processed including security threat modelling and managed through the same agile process resulting in manual and automated tests that are processes, in whole, for every change made within the system. This process also applies to infrastructure changes and migrations.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We track Mirtre CVE threats for servers, services and components used in the development and operation of the HealthSuite platform. In addition to this we monitor and track changes and vulnerabilities in all open source components that we use and have automated alerting systems in place to notify us of critical vulnerabilities which are then managed through our agile process. Each vulnerability is triaged and tested with the highest priority and managed through to delivery and operational rollout.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
The HealthSuite platform is segmented by public and private network and all inbound and outbound connections are logged and monitored via our intrusion detection and prevention services. All network attempts to our private network are also monitored and logged including egress attempts to external networks, which are limited by restrictive firewall rules.

The HealthSuite platform infrastructure employs intrusion detection, denial of service mitigation and progressive ip banning which are all logged and reported in real time through our alerting systems.

Intrusion attempts are logged as incident reports and treated as high priority for immediate review and remediation.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Common incident management processes are included as part of our quality management system which relevant staff are trained on. Users may report incidents via email and phone and soon directly via the clinical portal. All incidents are tracked via our service delivery and incident management tools and are available to users as a pdf sent via email each month.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£12,000 a licence a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.