ERS Connect

Digital/ Hybrid Patient Communications and Engagement

Supporting the NHS Digital Agenda: Rollout of cloud-based, digital patient engagement/appointment-management throughout the referral-to-treatment/RtT pathway. Delivered via EPR Integration with patient portal, on-line engagement, Email/SMS/QRcodes/Hyperlinks and hybrid print/mail. GDPR/DPA compliant; Live/Real-time/Online delivery of outcomes (Slot-Utilisation/DNA Reduction) Improved patient outcomes/experience and accessibility standards. Escalation paths; reporting; BI/MI;


  • Real Time Digital and hybrid-mail. Appointment notification and reminders
  • Patient Communications (SMS/ Agent/ IVR/ IVM/ Email, On-line Patient-Portal)
  • RtT Patient Pathway Appointments, reminders, scheduling, pre-operative/ post-discharge
  • Improved Patient Experience, Patient Accessibility standards, PALS
  • Reduction in DNA, improved slot-utilisation, cost saving, income generation
  • Real Time reporting, results and outcome analysis
  • Intelligence and results lead delivery paths
  • Bi-directional engagement using multi-channel media and escalation paths


  • Reduce print and costs up to 70%. Digital-Agenda Paperless 2020
  • Cost effective routing of data, answer based response
  • Secure data management (Data handling)
  • Support patient accessibility standards - maps/instructions/leaflets/ audio/ language
  • Accountability and audit trace (Live outcome reporting and results)
  • Secure user based permissions and portal acess
  • Cloud based and agnostic of EPR systems -
  • Uses secure API and Interface (HL7, FHIR, N3)
  • E-Referral, Choose and Book, Partial Booking


£0.018 per unit

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 2 7 1 4 5 2 5 2 4 5 1 7 2 9


ERS Connect

Steve Warren


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to EPR/ PAS systems
Hybrid mail and hybrid print

Appointment reminders; Pre-Admission & Post-Discharge communication services; Friends and Family testing; Ad-Hoc Surveys.

Additional services are added to the platform, using same data upload methods to reduce unnecessary complexity via N3/HSCN/PSN.
Cloud deployment model Private cloud
Service constraints There are no constraints using our portal - it fully supports all web browsers (incl. IE7 and above). Maintenance windows are outside of core hours and the service runs in active:active mode.

There are no hardware requirements for the Customer and no software installations - all delivered via a secure cloud portal with full user permissions and role access rights.
System requirements
  • Internet Browser - all supported
  • User permissions based authorised personnel only
  • Cloud based - Agnostic to EPR/ PAS
  • API

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support queries are monitored Monday to Friday 8.00am to 8.00pm with a 24/7 363 functionality available if required.

Response times to support tickets raised are acknowledged within 1 hour, with resolutions confirmed and agreed within 24 hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels 24X7X363 Support is available. Support hours are Monday - Friday 8am-6pm (Core); 6pm-8am (On Call) Evenings and Weekends - On Call Support requests are captured by our Customer Services Team, your dedicated Account Manager, or directly into our IT Support Team. These come into our enterprise class ticketing portal and each given a unique reference number and an assigned, named technical engineer. We endeavour to respond to all Customer queries within 1 hour of receipt, however 4 hours is our standard response KPI.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There are two states to our customer on boarding. The first being our client, their user access is cloud based with a specific on-boarding process including the creation of the specification and SLA, go live timescales, data security credentials. We have a detailed integration support process and all customers are provided with an implementation plan. This also is supported by on-site roll out support, training and backed up by webinar training sessions for users, and regular on-site review meetings and system upgrade training sessions. We also support with train the trainer.
In addition, we support our clients in supporting their end users of the product. Our Client services team and dedicated security trained agents are on hand to support the seamless delivery of your solution.
Off boarding is available as per the exit strategy agreed as part of the SLA. Support with marketing, user engagement and migration to alternative services may also be available upon request.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • On-line userguides and prompts
  • Webex
End-of-contract data extraction We are Data processors and handlers, not data controllers. All data is annonymised upon completion. End of contract data is encrypted and identifiable only to the client. Data deletion is recommended at the end of a contract term due to the nature of the service not requiring long term availability. However, GDPR opt out information may be required or specific patient contact timeframes. Upon written request by an authorised client, we can provide any extract of data up to data deletion as agreed with the Client - typically between 90-180 days. All data received will be in an anonymised format to ensure that no Patient Identifiable Data is visible. A full version of our Business Management Policies and whitepapers are available upon request.
End-of-contract process Prior to the end of the contract we recommend our client engage in an exit strategy to agree timescales, extract changes and provide support for any new service that may follow. Up to date MI and BI will be provided, along with the return on investment and up to date performance metrics. The on-line portal is accessible to our clients with their information up to an agreed time frame. Any required data extracts and secure information within permitted guidelines will also be made available for the customer. Anatomised as per the service requirement and only delivered by secure means which must be made available by the client. Additional on-site support or engagement with non standard service users or requirement of non standard data as per the SLA will be available upon request on a chargeable basis.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Secure accessibility from un-known locations may prohibit mobile access for client interface, but end user accessibility is designed for mobiles (patients etc)
Service interface Yes
Description of service interface API
Accessibility standards None or don’t know
Description of accessibility Supports National Accessibility standards. Predominantly surrounding language, visual and audio support mechanisms
Accessibility testing All relevant industry testing
What users can and can't do using the API The API is used for data uploads; role based security; managing data transfer via N3/HSCN There are no requirements to make changes by users for delivery of the secure cloud service.
API documentation Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Our service can be customised to deliver templates with fixed/fluid merge fields including dates; names; addresses; specialty; location; time; appointment date.

Also, users can elect (user permissions in place) on:
Colour - Mono/Black&White
Envelope: C5/D4
Postage: First-Class; Second-Class (default); Special
Inserts: Select as required *unlimited options
Templates: Use existing or create on the fly templates (with governance approval chain)
Ad-Hoc: Surveys by type; postcards

Customisation is roles/permission based and is agreed as part of scoping with a client.

Customisation is simple and completed on the Chronos portal, once a user has successfully authenticated onto the secure cloud portal.

As part of the Customisation, we can also include a unique hyperlink/security options onto a letter for secure access onto an end user portal - this will allow an end user to view online, view maps; supporting information; questionnaires (FFT/Ad-Hoc etc.) and the option to listen/translate and print their documentation as required or send to their mobile device of choice.

Additionally, we capture feedback, for example, in the NHS & Public Sector to ACCEPT:CANCEL:RE-ARRANGE an appointment digitally - with a comprehensive, real-time reporting suite both online and as a subscription report available to authorised users. Please ask for more information or Demo.


Independence of resources The ERS Connect Chronos portal sits on ultra-resilient infrastructure from world-class leading providers - It is a 24x7x365 managed service and is fully scalable to burst should demand require it. We monitor our services with threshold alarms in the event of usage being reached, to ensure we can spin up to meet demand with no limitations. For more information, you are welcome to review our Business Management System overviews upon request.


Service usage metrics Yes
Metrics types Metrics types

The ERS Connect service can provide both a portal dashboard view of key usage metrics including communication type; if the patient has downloaded documents (& requisite documents); opted to translate; postage day/time/cost; review of escalation methods; reductions in print/postage costs (upto 70%), full audit history.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach All backup data is encrypted. Physical access control to all SQL databases. Physical role and access levels and authorisation for access to the data. Layered access controls in place based on role; permissions and responsibilities. Sensitive fields, ie.passwords are hashed, to non-readable format in the database (no plain text storage). Full joiner and leaver process in place as part of our Business Management System and ISO certifications.
For more information or to view our fully audited Business Management System, please request more information or site visit.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data can be uploaded onto the Chronos service, irrespective of which service(s) are being used - all use the same methodology for client ease: 1) HL7 integation - either 1-way or bi-directional, via an upload script (given to you by our IT team); 2) Manual upload - either by uploading a .vbs file into the web application, or; 3) Manual upload - directly onto the portal itself. Full training is provided
Data export formats
  • CSV
  • Other
Other data export formats
  • .XLS
  • Via HL7 Bi- and Omni- directional
  • .VBS (VB Script)
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • .VBS
  • .XLS

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks Behind a dedicated firewall in a secure leading manufacturer Tier 3 Data Centre with active:active load balancing and redundancy. Authorised users only with Connect permissions have access utilising roles based authentication.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network Data is protected behind leading firewalls along with anti-virus and malware protection. Role based security access and physical access security. VPN access for remote access. All servers are privately addressed. Data backups are stored behind secure location and are encrypted within leading T3 Data Centres running as Active:Active. SQL Cluster, with active:passive configuration for 99.99% uptime. More information is available upon request and detailed within our Business Management System under an NDA

Availability and resilience

Availability and resilience
Guaranteed availability ERS Connect offers a 99.99% uptime. There are no refunds for any service not meeting levels of availability - this is due to our service being ultra resilient and we have UK data centres, on separate networks in the event of any not being unavailable.
Approach to resilience We operate using the leading Data Centre providers, running in active:active sync across 3 DC's. These are fully managed on a 24x7x365 basis with SLA's in place. Supplier audits and reviews ensure these are met.

More information is available upon request that includes our SLA's with world-leading providers; along with our architecture/network diagrams on a request basis.
Outage reporting Outage's are classified as follows:
ERS Connect generated outage - this is only in exceptional circumstances (as yet never used), whereby notice would be given to all Clients 5 days ahead with timely reminders at intervals.
Non ERS Connect outages are communicated using either Email and/or SMS messages to all Clients notifying them of an outage and regular updates. Users can also see any notifications on our website and in the example of WannaCry, we mobilised our Agent Teams to call all Clients to advise them of WannaCry and that our service was not compromised.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication Customers have options for inclusion of Staff and/or Patient/End User 2-factor authentication, offered via a unique pin code (Patient Portal Access), along with a further option for additional authentication around a last know digit sequence
Access restrictions in management interfaces and support channels All access follows our fully auditable ISO accredited BMS process. Users are restricted by permissions as follows: Internal ERS Connect staff members are limited based on role/function permissions. General Client users are restricted by role/function with a cut down service Administrators/Managers have more functionality and access to services on the Chronos portal. Additionally ERS Connect has a hierarchical department structure which is used for permissions access for sensitive and non-sensitive information and data.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI Group
ISO/IEC 27001 accreditation date 02/11/2017
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO9001
  • ISO14001
  • C&CCC Standard 55: Cheque Printer Accreditation Scheme
  • UK Finance Standard 72: PINS Printer Accreditation Scheme
  • FSC (Foest Stewardship Council)
  • PEFC (Programme for the Endorsement of Forest Certification)
  • Connecting for Health 100% Level 3 approval Information Governance Toolkit

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ERS Connect is certified against ISO9001/ISO14001/ISO27001:2015; IG Toolkit 14.2 Level 3 Partner (100%). We have a dedicated Compliance team headed up at senior management level as part of the company leadership team. All ERS Connect employees undertake security and governance training and must pass, IG Toolkit certification along with internal security measures. A full 'Security Policy and Processes' is available for review (upon request) and sits within our Business Management System. This is reviewed at least twice per annum, or sooner as required and forms part of our Senior Leadership Team annual meeting.

Additionally, our partner for secure delivery of letters, meets many of the same standards, along with others including:

•C&CCC Standard 55: Cheque Printer Accreditation Scheme
•UK Finance Standard 72: PINS Printer Accreditation Scheme
•BS ISO IEC 27001:2013 Information Security Management Systems
•BS ISO 9001-2015 Quality Management System
•Connecting for Health - 100% approval Information Governance Toolkit.

All information processing and mailings are undertaken under the guidance of these standards

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All documented within our BMS under ISO standards Service request, work item generated (unique detail); code checked-in against code item; code reviewed; tested; merged into code base; released. Testing is broken down into Unit; Integration and System testing. Documented system testing compiled - for end to end processes alongside test plans for completedness. A full Change Management and Configuration process and supporting guides are available upon request
Vulnerability management type Undisclosed
Vulnerability management approach This is sensitive information and therefore only the highest level information is provided here - more detail can be provided on request. We test daily for vulnerabilities and further deeper monthly testing and tests run against all releases of new software. Any changes to our vulnerability scans is addressed in line with our BMS ISO and Security processes - available upon request. Against all public IP's and applications. Automated and manual patching. Technical team across alerts from leading manufacturers and orgainisations such as Microsoft, Rackspace, NHS Digital etc.
Protective monitoring type Undisclosed
Protective monitoring approach This information is not for public domain, however it can be supplied upon request. Identification of potential compromises are managed via leading manufacturers and organisations. These are managed within a risk register available on our BMS. Any virus, open port, vulnerability will be handled immediately as a P1 instance Bulletins and communications are given to customers should a breach be identified with our actions. During WannaCry we patched immediately and kept the NHS working - this is a case reference we are happy to Share with you
Incident management type Undisclosed
Incident management approach Pre-defined processes in-place; within BMS
Breaches notified immediately at the point breach; Raised on the approved system by any team member. This auto escalates to the Director of Compliance & Manager.
Management review the breach - mobilisation as set out in our BMS,
Manager signs off incident at point of completion
Director of Compliance presents in monthly senior leadership team, review of incidents/ear misses. full report.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)
  • Other
Other public sector networks
  • HL7
  • Other options considered and available where required


Price £0.018 per unit
Discount for educational organisations No
Free trial available Yes
Description of free trial MAP ACROSS

Service documents

Return to top ↑