Transforming Systems Limited

SHREWD WaitLess

WaitLess is a simple, easy to use smartphone app for patients which shows them where they can access the fastest care for minor injury and illness, based on real-time location, traffic information and current waiting times from Minor Injury Units (MIU), Walk-in-Centres and Accident and Emergency (A&E).

Features

  • Geolocation of patients and urgent care providers
  • Live waiting times for A&E, MIU and WIC
  • Live number of patients waiting for A&E, MIU and WIC
  • Calculates travel time (drive, walk, public transport) against traffic conditions
  • Lists services and treatment types available for each facility
  • List opening times and contact details for each facility
  • Excludes facilities that are not open at time of arrival
  • Prioritises shortest combined waiting and travel time for patients
  • Pass through to smartphone mapping applications for directions
  • Can input location manually to override geolocation if different

Benefits

  • Reduce pressure on Accident & Emergency departments
  • Divert patients to more appropriate care with lower waiting times
  • Proven to reduce costs in delivering urgent care
  • Improves efficiency by making use of spare urgent care capacity
  • Move activity away from busy units as waiting times increase
  • Encourage patients to access care closer to home
  • WaitLess provides live routing information to navigate you to your destination
  • Shows patients which services are available in real time
  • Shows patients viable alternatives, comparing location and waiting times
  • Proven to reduce A&E attendances and increase MIU activity

Pricing

£2999 per instance per month

Framework

G-Cloud 11

Service ID

760509062495040

Contact

Transforming Systems Limited

Lisa Riley

0203 397 6626

info@transformingsystems.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
SHREWD Resilience
Cloud deployment model
Private cloud
Service constraints
For data feeds from source systems: Requires HSCN connectivity, data provided via web service (other options such as CSV / manual upload available). Provider agreement for data sharing (non PI), community & public health providers, care (public and private).

The Apple or Android smartphone app requires download from the App Store or Play Store respectively.
System requirements
  • Current compatible browser
  • Internet connection (2mbps minimum, 5mbps recommended)
  • Users must have nhs.net email address (or NHS approved equivalent)
  • Capability to extract data from sources (e.g. API, webservice)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Helpdesk (telephone and email): 08.30 to 17.00 Monday to Friday.

SLAs (these apply to the commissioning customer; patient end users are supported by best endeavour):
1 (High) : Full system outage – no users can use the system. Response: 10 mins. Resolve: 4 hours.
2 (Medium) : Partial system outage – significant number of users affected. Response: 10 mins. Resolve: 1 business day.
3 (Low): Minor – handful of users or part of the system is not working to specification. Response: 10 mins. Resolve: 3 business days.
4 (Query) : Minimal impact. Response: 3 business days. Resolve: 20 business days.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Ongoing technical support and a dedicated account manager are included within the monthly fees for the provision of the application (this applies to the commissioning customer; patient end users of the smartphone app are served by best endeavour). This includes the standard SLAs as follows:

Telephone and email helpdesk 08.30 to 17.00 Monday to Friday.

Priority and timescale
1 (High): Full system outage – no users at all can use the system. Response: 10 mins. Resolve: 4 hours.
2 (Medium): Partial system outage – a significant number of users are affected. Response: 10 mins. Resolve: 1 business day.
3 (Low): Minor – a handful of users or a part of the system is not working to specification. Response: 10 mins. Resolve: 1 business day.
4 (Query): Minimal impact. Response: 3 business days. Resolve: 20 business days.

Initial set up and additional training, integration and development services are available as per the rate card provided.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
A pre-sales questionnaire will inform a project plan to undertake the following:
- Identify resources and their details to be included on the WaitLess App (A&E, MIU, WIC, other).
- Technical work required for setting up feeds for waiting times and numbers attending with a minimum of 10 minute updates.
- Training for those that are required to manually update feeds.
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
All raw data is real-time and publicly available while retained by the source organisation(s). All data provided over the duration of the contract could be provided as a CSV at contract end. Other formats available at additional cost.
End-of-contract process
Source data feeds are switched off and accounts suspended.

Using the service

Web browser interface
No
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
WaitLess is primarily a smartphone app, and users do not access the back end; however, a web app version is deployable as a widget, which requires limited technical set-up.
Service interface
Yes
Description of service interface
WaitLess is primarily a smartphone app, and users do not access the back end; however, a web app version is deployable as a widget, which requires limited technical set-up.
Accessibility standards
WCAG 2.1 A
Accessibility testing
None (data is presented in visual formats in order to simplify complex system wide events and does not therefore support some assistive technologies)
API
Yes
What users can and can't do using the API
The SHREWD Web APIs are used by various NHS data providers to push anonymous indicator data into the SHREWD database, where indicator data contains three fields (IndicatorId, Current Values and Date Timestamp).
API documentation
Yes
API documentation formats
  • ODF
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The app will be configured for local requirements using a coproduction design process. Users can configure the information template for each centre displayed within the app to meet local needs.

Scaling

Independence of resources
Our primary servers are on a managed cloud provision. We have application and server monitoring in place to monitor resource usage, with automatic alerts in place to provision new resources when more are needed.

Analytics

Service usage metrics
Yes
Metrics types
Users/Agencies/Indicators usage/breakdown/performance metrics, Indicator update frequency/breakdown/total metrics, Features usage metrics.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Via the application menu, a user can select various export options including format (as below) and which specific indicator they wish included in the export. Bespoke exports may be available at additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • .xls
  • SQL
Data import formats
  • CSV
  • Other
Other data import formats
.xls

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
The primary datastore is replicated across networks using SSL. File-based data transfers are password locked and encrypted using a private/public key encryption algorithm.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
The primary datastore is replicated using SSL. File-based data transfers are password locked and encrypted using a private/public key encryption algorithm on top of TLS.

Availability and resilience

Guaranteed availability
Planned maintenance is undertaken outside business hours. As the service is charged on a 'pay as you use' basis, any unplanned outages would be refunded at a pro-rata percentage for unavailability in business hours.
Approach to resilience
Non-Disclosure Agreements are in place with all of the hosting provider's suppliers. A risk assessment is undertaken for each supplier, and any required actions (which can include the supplier being subject to a security audit by the hosting provider) are conducted and managed by the Director for Supplier Management in conjunction with the Security Manager. All suppliers are audited as part of ISO 27001 third party audit policies, which are in turn assessed by qualified and impartial third party ISO 27001 compliance assessors. Due diligence is performed on any security impacting third parties prior to selection, and appropriate security requirements are built into contractual agreements where necessary. All strategic suppliers are assessed for their Business Continuity provision. Once reviewed, the results of the assessment are analysed to assess the supply chain risk with regard to business continuity. Those suppliers considered to be inadequately prepared to deal with a BC scenario affecting their own organisation, which could therefore impact the hosting provider's ability to continue normal service operations, will be subject to further auditing, via a more detailed questionnaire or onsite at their premises. Third party suppliers are audited at least annually, with a shorter (quarterly) audit cycle for critical suppliers.
Outage reporting
When the service has a disruption or outage, we notify users by email.

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Access to accounts that are created by internal admins is limited. Created accounts use two-factor authentication to access the interface.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Complies with NHS Data Security and Protection Toolkit (DSPT). Policies and processes followed or used include: Email Policy, Information Asset Register, Information Asset Access Control Policy, IG Steering Group Roles and Responsibilities, Terms of Reference for Information Governance Steering Group, Physical Security Checklist, IG Awareness and Basic Training for new staff, Annual IG Refresher Training for all staff, Network Security Policy, Information Security Policy, Compliance Audit Checklist, Remote Access Policy, Mobile Computing & Teleworking Policy, Assignment of Mobile Computing Form, Portable Devices Standard Operating Procedure, Risk Assessment Impact, Incident Management Procedure, Business Continuity Management Policy, IT Disaster Recovery Plan and Business Impact Analysis Report among others. All documents pertaining to Information Governance are available and accessible to all members of staff on the company intranet. The reporting structure entails that all staff report any and all incidents to the IG Lead, who works closely with the appointed SIRO, IAO and Caldicott Guardian. Spot checks are carried out quarterly, and IG refresher training courses are undertaken annually, with an IG assessment carried out at the end of the year to ensure staff remain IG aware.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Processes are in place to ensure that all changes to the system are authorised and tested prior to being employed. These are compliant with the relevant aspects of NHS Data Security and Protection Toolkit. To track components of services over time, version control is enforced and access control records are kept and monitored. All change requests are documented and assessed. All staff are trained on operational procedures maintained on the company intranet, including: Access Control and Password Management Procedures, Change Control Process, Privacy Impact Assessment & IG Checklist, Project and Change Management Control Plan, Network Security Policy and Information Security Policy.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Risk assessments to identify and mitigate issues are carried out as part of a process that is compliant with the relevant aspects of NHS Data Security and Protection Toolkit i.e. Information Security Assurance, Incident Management and Investigation.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Measures are put in place to detect any attacks or unauthorised activity as part of a process compliant with the relevant aspects of the NHS Data Security and Protection Toolkit i.e. Information Security Assurance, Incident Management and Investigation. Potential threats to our services are assessed by employing a 'listener'; upon the detection of a threat, the relevant IP address is immediately isolated and blocked, whilst a potential threat to our software products is monitored and curtailed immediately, with patches deployed automatically to the affected areas.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Procedures are in place to ensure incidents are dealt with immediately to recover a secure and available service. The guidelines apply to all staff and include: All incidents must be reported to a line manager and/or IG lead immediately. An information incident report is then completed detailing: name of the individual reporting the incident, date of the incident, where the incident occurred, details of the incident and any initial actions taken, including who the incident has been reported to and the date the report is created. The line manager or IG lead investigate the incident and employ the necessary measures

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
Health and Social Care Network (HSCN)

Pricing

Price
£2999 per instance per month
Discount for educational organisations
No
Free trial available
No
