Healthcare Gateway Ltd

MIG Shared Record Viewer (SRV)

MIG Shared Record Viewer is an independent web portal which provides healthcare professionals with instant access to the Medical Interoperability Gateway (MIG). It allows users to search for patients and view their medical records without an existing clinical system.

Features

  • compatible with all mobile devices
  • accessed via HSCN/N3 Network
  • internet browser based technology
  • fully auditable
  • designed to be fully adaptable to any screen size
  • smart card access not required

Benefits

  • can be accessed on any web browsing device
  • stand alone access, no dependency on existing clinical system
  • simple technology, quick and easy to deliver
  • can be used in any health or social care setting
  • tactical solution whilst systems or settings are accredited

Pricing

£3,500 a licence a year

Service documents

Framework

G-Cloud 12

Service ID

798289831167126

Contact

Healthcare Gateway Ltd Andrea French
Telephone: 08456012642
Email: andrea.french@healthcaregateway.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
MIG consuming portal, which allows the MIG shared record viewer to be embedded in an EMIS Web frame, a system provided by EMIS Health
Cloud deployment model
Hybrid cloud
Service constraints
• Healthcare Gateway have a monthly maintenance window for 1 hour per month on a Wednesday between the hours of 12:00 and 13:00.
System requirements
Health and Social Care Network or N3 access required

User support

Email or online ticketing support
Email or online ticketing
Support response times
Users can report an incident to our service desk via JIRA service desk, telephone or email. All incidents logged over the weekend receive an automated response; however, incidents are not actioned until the next working day. Email response time is within 30 minutes.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All incidents/service requests are recorded within the service desk system and allocated a priority depending on severity. When an incident is reported to the Healthcare Gateway Service desk, the team will create an incident log and assign a priority level which will dictate the target incident resolution time. The priority is derived from the assessment of the impact and urgency of the reported issue.

The priority levels and target resolution times are as follows:
level 1 - 4 hours
level 2 - 8 hours
level 3 - 16 hours
level 4 - 48 hours
level 5 - 144 hours

Healthcare Gateway use reasonable endeavours to resolve each incident in accordance with the relevant target resolution time as described. The counter will run within the support hours relevant to the priority of the incident. Incidents will be closed once resolved, or where a suitable work around has been provided.
Healthcare Gateway deliver a standard support contract as part of any contract agreed with customers. The support levels are included as part of the MIG service annual licence charge.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
HGL apply a tried and tested approach to the deployment of MIG services. Within this context all the project management activity is based upon a tailored plan to meet the individual project requirements, taking into account the varied system estate and resource allocation, which can determine the rate and complexity of the implementation.

HGL will appoint a project lead to progress the project implementation of the services ordered. The HGL Project lead will organise a project initiation call or meeting with the customer. The expected outcome from this meeting is to discuss and agree the following:
• Roles and Responsibilities
• Commercial Review
• Project dependencies including Supplier Accreditation and Information Governance
• Agree the Project Plan
• Discuss the HGL Implementation Process
• Support and Service arrangements
• Training Requirements

HGL will provide an Implementation Plan outlining the activities required by all stakeholders to enable a successful deployment; the HGL project manager will update this plan as the project progresses. The HGL project manager will ensure regular checkpoint calls are scheduled with all stakeholders to discuss progress, raise risks and/or issues and review progress in line with the implementation through the go-live of the service.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Microsoft Excel
  • Microsoft Word
End-of-contract data extraction
As the MIG is a bi-directional brokering service it does not hold or store any data. The Shared Record Viewer does however store users and audit information. At the end of the contract the customer has the option to extract the users and audit information stored in the Shared Record Viewer. This is done by way of a CSV export facility. All data can be exported via the auditing export functionality.
End-of-contract process
At the end of a contract the Shared Record Viewer service will be decommissioned. On receipt of confirmation from the customer for decommission of the Shared Record Viewer, there will be one Auditor (customer) set up whose responsibility it is to remove all the data from the Shared Record Viewer. The customer will receive an email notifying them they have 3 months from this date to remove all the data from the Shared Record Viewer. After 2 months have passed the customer will be notified they have 1 month remaining. The final email will be notification of decommissioning. There is no additional cost for this process.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
There is no difference between the mobile and desktop service
Service interface
No
API
No
Customisation available
No

Scaling

Independence of resources
Our solution executes in a virtualised environment which allows us to start up new instances on demand when the load becomes high. The service runs in a portal container which has been specifically designed for enterprise and allows clustering and distributed caching to deliver scalability and high performance.
Clustering of the application server nodes allows us to scale horizontally the portal application services across two or more application servers and, when combined with clustered database servers, provides a service that can be scaled to meet any demands placed on the service.

Analytics

Service usage metrics
Yes
Metrics types
Healthcare Gateway provide service metrics by way of a monthly report to customers on request. This demonstrates the total number of transactions for the reported period by organisation. This also includes a breakdown of those successful and failed transactions along with raw data for the period.
Enhanced reporting is available at an additional charge. Bespoke analytical reports are available from the service desk on request subject to availability.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
All data can be exported from the Shared Record Viewer using auditing functionality. Filter options are available:
Time - to select any, last hour, today and yesterday.
Date - to select a date range.
Users - to select a single user or multiple users.
Actions - to select the specific actions that you wish to view.
Detail - to filter the actions by a detail combined with the Action filter applied above.
Filter - the value that applies to the detail filter.
There is an option to bulk export all information.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We do not guarantee any level of availability; we use reasonable endeavours to provide at least 99% availability in respect of the relevant service during its standard support hours.
Service availability shall be represented as a percentage, calculated as follows:
actual minutes in month – planned downtime minutes = total service minutes
(total service minutes – unplanned downtime minutes) / total service minutes * 100 = Availability

Service availability is measured at the end of each calendar month.
For the avoidance of doubt, issues and downtime caused by the acts or omissions of the customer or any third party caused outages or disruptions will be taken into account by HGL on an appropriate basis when determining the availability measure achieved.
Users are not refunded in the event of HGL not meeting SLAs.
Approach to resilience
Our service currently runs within an enterprise virtualised environment and utilises separate virtual machines to provide service isolation should any issue occur during the running of the application instances. The database that the service relies on is also isolated so that it is dedicated to the running services.

We use a portal application container that has been specifically designed for an enterprise environment and each portal can be sandboxed allowing for the separation of services. This provides security should any portal break down during its run time and this will not affect any other running portals or the portal application container.

The portal application containers can be clustered to provide resilience should one container fail and, likewise, any database services that the portal relies on can also be clustered to provide resilience against database failure.
Outage reporting
All outages and/or scheduled maintenance are reported to stakeholders using the Atlassian Status Page Software. This software is the method used for all Services provided by Healthcare Gateway; by default, all updates are also set to update the Service Delivery Twitter feed.
Stakeholders sign up for this reporting service using the webpage and from there can choose how they receive the alerts (email, text or RSS feed) specifically for them and how often.
The page is updated manually by the Service Delivery team at each stage of an outage (issue, monitoring, resolved), then a root cause analysis is provided if appropriate. The API of this software is also linked to our Social Media account on Twitter should the stakeholder prefer this method of communication.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Restricted access to management interfaces is provided by a firewall IP white list. Once the firewall has established a user's IP as valid, a user must also have valid username/password credentials to access any of the web portals developed for various elements of our infrastructure.
Further to this, we limit the ability to provide maintenance to a limited number of technical staff whose access has been approved by heads of departments and elevated by a change process to a platforms team for review. The maintenance staff access is restricted by controlling access to file system folders, e.g. configuration files.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Less than 1 month

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI Group
ISO/IEC 27001 accreditation date
09/03/2020
What the ISO/IEC 27001 doesn’t cover
A 14.2.7 Outsourced Development
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Crest accredited cyber essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Crest accredited cyber essentials 0027705268311508
Information security policies and processes
Healthcare Gateway follow ISO 27001 methodology and are independently certified to the ISO/IEC 27001:2013 standard.
Healthcare Gateway are committed to establishing, implementing, operating, monitoring, reviewing and maintaining an Information Security Management System.
Healthcare Gateway have an overarching information security policy with clear aims and objectives set throughout the business with robust processes in place, which are as follows:
• Information security risk assessment process that assesses the business harm likely to result from a security failure and the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and controls currently implemented;
• Defined security controlled perimeters and access controlled offices to prevent unauthorised access, damage and interference to business premises and information;
• Data classification and exchange guidelines, including compliance with regulations;
• Development and maintenance of an appropriate business continuity plan to counteract interruptions to business activities and protect critical business processes;
• Information security awareness guidance for all company employees;
• Incident management and escalation procedures for reporting and investigating security incidents; and
• A senior management team that supports the continuous review and improvement of the company's Information Security Management System.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
This is controlled by our Development policy (HGLPD9) where all releases and development work are risk assessed. This process is controlled and managed by the Development team, Product Owner and Clinical Safety Officer. Services are managed during the lifecycle by monitoring their usage; this task is performed by our Product team.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow our secure development policy which outlines a development process that covers secure development coding guidelines. Each development work item is validated by a definition of done which includes having an assessment by an external clinical safety officer. The clinical safety officer is responsible for classifying each work item according to criteria defined by our Safety Hazard Log and, if a vulnerability is identified, then the emergency release process is followed. This is assessed by a change advisory board and the system will be patched at a time and date specified by the change advisory board (within 24 hours).
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We perform regular PEN tests by external contractors that assess the accessibility of our application programming interfaces (API) against current security standards which are covered by Cyber Essentials, PCI Security Council Standards, CHECK, Crest, and TigerScheme accreditations. Our PEN tests are scheduled every year or upon any major API changes and any issues are categorised from low to critical. Any issues that are identified as high or critical are addressed immediately. All other issues are assessed and prioritised by the seriousness of their nature and if any clinical safety is involved and then scheduled into our normal development life cycle.
Incident management type
Supplier-defined controls
Incident management approach
Healthcare Gateway have a predefined process in place for all incidents. Users will report this incident via a set template giving a description and severity of the incident; this is then handled by the information security officer who will report back to the user when the incident has been logged and resolved. During handling the information security officer will resolve the incident via the correct department and put in service improvement if required to prevent re-occurrence.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

Price
£3,500 a licence a year
Discount for educational organisations
No
Free trial available
No
