Lincus is a highly configurable integrated digital electronic and personal health record management and communications platform. It is a CE marked Class 1 medical device and achieved 100% on the DSPToolkit.
- Modular and interoperable service that can integrate with existing systems
- Observation and clinical notes frameworks including health equalities frameworks
- Text, video, email and alert logged communications services
- Multiple user types and highly configurable user interfaces
- Multilanguage capabilities to allow rapid language conversion
- Person/patient reported outcomes tools - evidence driven and published
- IoT device connectivity connecting up to 300 different devices
- Data aggregation, analytics, visualisation and reporting
- Person held digital care record used for multiple health populations
- Personalised educational and supportive digital content provision
- Improved care delivery efficiency through cross service information sharing
- Increased insight. Earlier and improved diagnoses, especially in vulnerable populations.
- Behavioural change of service users and providers. NICE published.
- Improved communication across services minimising double data entry
- Video and text logged communications between users and providers
- Audit including human resource data for CQC and other reviews
- Connect with multiple devices and services through industry standard APIs
- Single sign-on functionality across multiple systems (OAuth2)
- Deploy expertly reviewed educational content to service users and staff
- Real time report generation with aggregation, analytics and report engine
£0.50 per person per month
- Education pricing available
+44 7540 164 555
|Software add-on or extension||No|
|Cloud deployment model||Hybrid cloud|
|Service constraints||For optimum performance we require that organisations have up-to-date browsers that are wholly supported by the manufacturer, though we can offer functionality for older versions if required.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
For our base service:
Within 8 hours (during business hours) for issues classified as high priority
Within 48 hours for issues classified as medium priority
Within 5 working days for issues classified as low priority
For high priority service (available for extra cost) we can respond within 60 minutes 24/7
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Yes, at an extra cost|
|Web chat support availability||24 hours, 7 days a week|
|Web chat support accessibility standard||WCAG 2.1 AA or EN 301 549|
|Web chat accessibility testing||None|
|Onsite support||Yes, at extra cost|
Online training and support materials are provided as standard.
A technical account manager with both technical and service integration experience is provided as standard. The technical account manager has direct support from our development team and senior management.
We provide onsite configuration, training and support workshops ranging from £500 for half day workshops to £2500/day for dual specialist practitioner workshops.
|Support available to third parties||Yes|
Onboarding and offboarding
Online training materials are provided as standard including user guides, help documentation, user walkthroughs, video guides and frequently asked questions which are regularly updated and can be easily accessed by users.
Workshops can be tailored to the needs of the organisation and scheduled as required. Engagement, training and follow-up workshops held on site include:
• One-day training
• Train the trainer
• Half-day workshops
• Dual specialist practitioner workshops
• Specialist configuration
• Workshop support
• User surgeries
Users are given access to a training environment on a demonstration site to enable ongoing training and testing of new developments within the organisation.
Ongoing support is provided through phone or email with coverage and response times detailed in the SLA. Remote assistance can be provided dependent on the priority of the support requested.
|End-of-contract data extraction||Our default is to provide the data in .csv format for each data field by formal request though we are happy to work with customers to provide the format best suited to their organisation. Data is delivered in a secure manner agreed by both parties.|
Depending on our role as either data controllers or data processors the costs differ.
As a data controller we provide the Lincus Personal Health Record (PHR) and hub for end users for life at no charge so there are no additional charges at the end of the contract.
If we are the data processor we then charge an additional reasonable fee to extract and deliver the data that depends on the complexity of the contract delivery and number of users.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
There are two differences:
1.) The mobile device has the option of downloading the Lincus iOS and Android apps to allow for online and offline working. Our Lincus app is highly ranked on the NHS endorsed ORCHA health and social care review platform.
2.) The mobile browser service utilises a responsive user interface so the content is optimised for the screen size of the mobile device.
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||We have completed testing with individuals with multiple and complex needs, visual impairment, hearing impairment and cognitive disabilities. We have tested screen reader technologies. We have tested integration of Amazon Alexa as an assistive adjunct to the platform.|
|What users can and can't do using the API||
Users can register; upload survey data, events, measurements, activity, nutrition and profile data. They can download survey configuration and personal data (same as upload). They can automatically sync data from wearables and other IoT enabled devices. Linked advocates with suitable permissions (social care, healthcare and mentors) can download and upload data for their assigned users. Password can be changed. It is possible to connect other services via OAuth and API calls. Users can join organisations.
For this to occur the organisation needs to be set up and assigned a token and access permissions from our team. There are separate access requirements for our test and production environments.
They can sign in and sign out (OAuth2), and pull or push data in standard formats. We utilise JSON RESTful API services.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
The service can be configured/customised at an organisation and personal level. Every user has the ability to customise the service. End users, for example, have nine different user interfaces they can use.
These have been codeveloped with multiple different populations including people: with learning disabilities; at risk of homelessness; with long term conditions; who are pregnant; who are executives, administrators and athletes.
The system has personalised functions that respond to an individual's personal digital profile, including the delivery of recommended content which has been expertly reviewed and digitally labelled. This includes content delivery for patients, those who are pregnant, clinicians and carers. There is provision for a content administrator function in the platform so organisation-specific reviewed content can be delivered preferentially to staff or service users within that organisation.
We have customisable alerts that can be configured with up to three variables by users, carers/clinicians or administrators, along with resolution criteria at an individual, group or organisation level.
The full extent of customisation is beyond the scope of this question or media. We typically run full day workshops which determine how an organisation would best want the solution configured or further developed for their needs including partner solution integration.
|Independence of resources||
We utilise multiple cloud scaling technologies including elastic and responsive storage and analytics. As we deploy through AWS (or other cloud services as required including UKCloud) there is very little, if any, chance this service will be overwhelmed by demand.
From a service response perspective we have automated online training and support.
Our physical team have multiple roles in the organisation and all have service support training. We utilise <2% of staff time on direct service support, leaving plenty of flexibility for upscaling. We have partners who can provide additional support if we meet capacity of direct physical support.
|Service usage metrics||Yes|
All digital engagement depending on configuration including login, survey use, event recording, advocate login and access.
All provided at individual and grouped levels.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can export their data via pdf as default. If they wish to extract their data in raw form we provide .csv files on request. Export can also occur if the service commissioned has connectivity through our APIs as part of the service package.|
|Data export formats||
|Other data export formats|
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
This is included in our SLA: we guarantee 99.5% uptime and never a break in service of longer than 30 minutes, with notice in writing before this occurs.
A refund system for not meeting guaranteed levels of availability can be included within our SLA on request.
|Approach to resilience||Available on request|
|Outage reporting||Email alerts as standard with other options such as an API or dashboard configurable on request|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
We have multiple ways of authentication depending on the user type and the access needed. Our standard authentication is username and password paired with browser recognition. If the browser is not recognised then verification is required through email linkage. We have developed an OAuth2 authentication service as part of the NHS Diabetes Digital Coach Testbed.
Public keys and dedicated links are used for higher level developer access though we can configure and customise access solutions for any customer.
We are working with the NHS Digital citizen identity team to integrate their combined video, identity and additional documentation verification methods.
|Access restrictions in management interfaces and support channels||
We utilise public key authentication, including by TLS client certificate, along with username and password.
Once a user is authenticated, we check that they are logged in on every page. We perform strict backend permission checks, on a per-action basis, for every database request or entry. Users are logged out automatically after 15 minutes of inactivity.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
NHS DSP Toolkit
|Information security policies and processes||
Policies and processes developed in line with NHS Digital Information Governance Toolkit including:
• Information Governance Policy
• Confidentiality Policy
• Service Level Agreement
• Privacy Impact Assessment
• Change Control
• Network Security Policy
• Network Controls
• Information Handling Procedures
• Access Management Policy
• Mobile Computing and Home Working Policies
• System Security Policy
• Incident Reporting Policy
• Business Continuity Plan
Staff complete basic information governance training as part of their induction and ongoing self-directed study. Staff are required to report back on an annual basis with a synopsis of formal and self-directed information governance training.
We have quarterly information security meetings, and between meetings staff are required to report any protocol breach or any other breach to the Information Governance committee, made up of:
Tom Dawson, IG lead
Adie Blanchard, Caldicott Guardian
Laura Gilbert, IT security lead
Chris Milner, Senior Information Responsible Officer
We complete regular internal audits and formal wash-ups after any protocol or real data breach.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The service can be configured by organisations; the configuration is often determined through engagement and configuration workshops.
Change management is controlled and requires completion of Change Control and Privacy Impact Assessment documentation as required for all minor and major system changes. All changes must be authorised and follow a four stage system and component release protocol which includes information and clinical governance review. The release implementation is overseen by our release manager.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Employees complete horizon scanning for potential threats, which are shared. We employ an independent contractor who specialises in threat discovery and system administration patching; patches are scheduled and deployed after hours as soon as possible, ideally the same day, as potential vulnerabilities are discovered.
We employ AppCheck penetration testing services completing penetration testing on all platforms (test, staging, development and production) at least every six months.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Employees complete formal testing on a daily basis for potential compromises. We employ an independent contractor who specialises in protective monitoring and system administration patching; patches are scheduled and deployed after hours as soon as possible, ideally the same day, as potential compromises are discovered.
We respond to incidents according to our incident policy, which involves contacting all stakeholders impacted, including the data owner and the Information Commissioner's Office (ICO). All compromises are logged and uploaded to the NHS Digital Information Governance Toolkit.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Incident management and reporting policies in line with NHS Digital Information Governance Toolkit requirements. All incidents (actual or suspected) that may breach security, confidentiality of personal information or clinician/information governance must be reported to the Incident Manager, who logs, investigates and documents the incident and provides feedback and actions required. Incidents identified as level 2 SIRI (serious incident requiring investigation) are reported to the Information Commissioner's Office (ICO) and other boards such as the Department of Health. All incidents below level 2 SIRI are logged and investigated in house.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||Health and Social Care Network (HSCN)|
|Price||£0.50 per person per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We offer demonstration accounts. We are unable to offer free live accounts due to the requirements to have legal contracts in place between ourselves and the buyer.|
|Link to free trial||https://demo.lincus.rescontechnologies.com|