Open Medical Ltd

Pathpoint™+, Workflow Pathway System

Developed by practising surgical clinicians, the N3 accessed Pathpoint™ platform mimics the dynamics of clinical patient care. Highly versatile interoperable, collaboration solution offering flexible patient tracking, planning, and reviewing.. Modifiable for multiple, distributed teams following customisable workflowsAutomatic clinical-coding of treatment pathways using SNOMED-CT NLP referencing technology delivers superior analytics.


  • Patient tracking and case management
  • Case and resources planning and administration
  • Clinical case and service metrics reviewing
  • Multiple clinical teams support
  • Unlimited customisable pathway types
  • Clinical collaboration and coordination
  • FHIR interoperability
  • Digital consent capture
  • Automatic clinical summaries
  • SNOMED CT coding


  • Modern user interface designed by clinicians
  • Minimisation of administration time
  • Reduction of adverse incidents and complaints
  • Fast digital recording of clinical workflows
  • Automatic notifications and reporting
  • Highly granular data analytics and modelling
  • Maximisation of clinical efficiency and reduction of clinician burn-out
  • SNOMED CT end-user coding using Natural Language Processing
  • Effective clinical governance and internal communication


£75000 per user per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Open Medical Ltd

Charlotte Massey


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Requires N3/HSCN access
System requirements IE 11+ or Chrome/Firefox/Safari browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times 7 day service (response times)
6am - 10pm: 1 hour
11pm - 5am: 15 minutes
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 A
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Licence subscription includes:

Business-as-usual - single point-of-contact client support; managing delivery and resolution of service queries.

Extra-ordinary - 24 x 7 x 365 same-day on-site support to resolve high severity live system application related incidents.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Installation: The on-boarding program is designed to ensure minimal disruption to departmental working practices.
Week 1: a small team of trainers deployed to each department to provide full on-site, on-the-job training.
Week 2-4: weekly one day training resource. On-going: Training sessions coincide with the induction day of new clinical staff throughout the duration of the contract. Training assets: wall posters, eLearning video demonstrations, manuals, client support phone/email.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Contract termination does not result in service discontinuation. System remains live in read-only state. Exported SQL files and a binary archives are generated and provided automatically. Data extraction via JSON:API or FHIR API directly from the system is also available.
End-of-contract process OpenMedical licenses are SaaS products. Where recommissioning is not optioned at the end of subscription period, there are no additional costs. The service remains available with a full read-only functionality and can be resumed at any time.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No difference
Accessibility standards WCAG 2.0 A
Accessibility testing As with all OpenMedical products, the system undergoes the following, repeated simulations: - Dyslexia: Flipping the letters randomly within words. - Field loss: Application of a CSS filter that simulates peripheral as well as central field loss while still allowing you to click / navigate through everything. - Colorblindness: Application of this uses CSS / SVG filters to dynamically apply the following condition simulations: protanopia, protanomaly, deuteranopia, deuteranomaly, tritanopia, tritanomaly, achromatopsia, and achromatomaly.
What users can and can't do using the API ETrauma is a decoupled service that can be fully operated via APIs. JSON:API and FHIR APIs are available out of the box allowing all CRUD operations via basic or cookie authentication. Any authorised user of the service can make any changes allowed by their access role with no limitations.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Pathpoint™ is OpenMedical's out-of-the-box data-storage system. Pathway and interfaces supplied with this is completely modified to clinical team specifications.
Patient and clinical pathway entities are fully customisable and can be added, changed or removed (including specific data fields). The refinements process is managed by OpenMedical's engineering team, in association with clinical team leaders.


Independence of resources The system's load balancing process automatically provisions additional VMs and containers. Upscalling system resources in response to request loads. Furthermore OpenMedical employs a number of processor reduction techniques, including multiple cache-like layers for querying and outputs with forced tag and context cache expiration.


Service usage metrics Yes
Metrics types Our systems are designed to track, plan and review patient care. Embedding coded-fields into the data-storage architecture allows OpenMedical to manipulate and present service metrics at a range of granularity levels.
Clinical: diagnosis/procedure specific data, temporal, demographic.
Health management: KPIs, referral source, time-of-day, year-on-year, service capacity/level boundaries.
Auditing: User data access tracking.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Authenticated users can export their data via the JSON:API / FHR API /directly via the user interface as an CSV file.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Our standard Service Level Agreement guarantees 99.9% server up-time. Any unscheduled service outage for more than 1 hour after reporting is refunded at its full subscription price for the outage duration.
Approach to resilience Available on request.
Outage reporting The service reports any outages via a public API, by email alerts to all clinical team leads and nominated secondary addresses.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Client determines access requirements to match their specific organisational needs. Role-based and team-based access system manages system's restrictive access controls, constraining user functionality assignment; including writing, editing and viewing. Team-based permissions are dependent on data-originating teams. Role-based access restricts system-wide processes and data such as management, user-auditing and interface channels.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • N3 Assurance
  • IG Toolkit

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards N3 Assurance and NHS Digital IGT
Information security policies and processes The following policies are used to capture and monitor security: - Data Protection Policy - Information Risk Policy - Information Security Policy - Network & Mobile Security Policy - Pseudonymisation Policy - Recruitment and Contracting Policy - Secure Data Transfer Procedure - eTrauma System Level Security - eTrauma Data Flow Mapping A dedicated team with the responsibility to monitor the above is contactable at All security policies are reviewed every 6 months internally and verified every year independently.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change management policies ensure all the changes are assessed, approved, implemented and reviewed in a controlled manner. All changes will be recorded in the service management tool following an explicit process: - Recording of all changes - Classification- - Risk assessment for their risk - Impact and business benefit - Approval and authorisation - Coordination for implementation of changes - Post implementation review - Post implementation feedback
Vulnerability management type Undisclosed
Vulnerability management approach The vulnerability management process follows a mandatory workflow: - Preparation - Vulnerability scan - Remediation actions definition - Remediation actions implementation - Vulnerability scanning
Protective monitoring type Supplier-defined controls
Protective monitoring approach Compromise scanning: Three-way data surveillance, including database and binary data tracks identification alteration. Daily reconciliation of all IP access logs outside the N3 network. Compromise response: suspected authentication/access or integrity immediately escalated to engineering and infrastructure team for assessment and action. Confirmed compromises: reported as per the Information Risk Policy to SIRO, senior management, ICO, NHS Digital and the client organisation Information Security and IG teams.
Incident management type Supplier-defined controls
Incident management approach Recorded incident reporting and pre-existing incident response processes are in-place. All incidents and adverse events are reported and recorded according to Information Risk Register Policy and cross-referenced to the Disaster Recovery and Business Continuity Plans. IG SIRIs will be managed in accordance with the Incident Management Procedure. All incidents are reported to SIRO, senior management, ICO, NHS Digital and the client organisation immediately.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £75000 per user per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Universal four-month trial period. Full access to system. Includes evidence based service improvement evaluation.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑