Transforming Systems Limited

Transforming Systems: SHREWD Strategic

Strategic is a real time dashboard designed to provide whole system urgent care information to leaders of STPs and A&E delivery boards. An essential tool for STP digital roadmaps, data from all providers is combined in a simple view. Users see activity by day, week, month, showing trends and performance.

Features

  • Designed for leadership to plan and monitor urgent care performance
  • Sustainability Transformation Plan and A&E Delivery Board specific views
  • Monitors KPIs, target compliance, response times, DTOCs, OPEL and breaches
  • Monitor and graph trends and drill down into data
  • Economy wide matrix view of local health economy urgent care
  • Executive summary for chief officers to identify real time pressures
  • Download strategic dashboard into editable Microsoft Excel or CSV format
  • Views for ambulance, acute, community, mental health and social services
  • Customisable dashboard for daily, weekly, monthly or six week view
  • Search historical data for reports, trends, business intelligence or benchmarking

Benefits

  • Provide business intelligence to improve discharge processes and reduce delays
  • Define KPIs, reports, thresholds for patient flow across urgent care
  • Assist improved service review and commissioning for CCGs, LAEDBs, STPs
  • Supports A&E streaming at front door to improve patient flow
  • Promotes earlier diagnosis and treatment in primary and community care
  • Maximises efficiency and reduces costs by sharing across health community
  • Combines hospital trust and other providers data in real time
  • Provides overview and drill down into detail capability to commissioners
  • Speeds up communication by providing aggregated BRAG statuses in teleconferences
  • Commissioners alerted to missing provider data or thresholds exceeds

Pricing

£3699 per instance per month

Service documents

G-Cloud 9

837609997154866

Transforming Systems Limited

Colin Rees

07860139890

colin@transformingsystems.com

Service scope

Service scope
Software add-on or extension Yes
What software services is the service an extension to SHREWD Resilience
Cloud deployment model Private cloud
Service constraints The application requires N3 connectivity for health specific use and users should have nhs.net email addresses or NHS approved equivalents. The data used is publicly available and non-patient identifiable but data sharing agreements should be put in place between the organisations within the local health community. The data is best provided via a web service or API (other options such as csv / manual upload available) so a degree of integration knowledge is useful, however full support can be provided.
System requirements
  • Current compatible browser
  • Internet connection (2mbps minimum, 5mbps recommended )
  • Users must have nhs.net email address (or NHS approved equivalent)
  • Capability to extract data from sources (e.g. API, webservice)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times The Helpdesk (telephone and email) is available during Business Hours 08.30 to 17.00 Monday to Friday. Priority and timescale
1 (High) : Full system outage – no users at all can use the system. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Partial system outage – a significant number of users are affected. Response 10 mins. Resolve: 1 business day
3 (Low): Minor – a handful of users or a part of the system is not working to Specification. Response: 10 mins. Resolve 3 business days
4 (Query) : Minimal impact. Response; 3 business days. Resolve 20 business days
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Ongoing technical support and a dedicated account manager is included within the monthly fees for the provision of the application. This includes the standard SLAs as follows:

Telephone and email helpdesk 08.30 to 17.00 Monday to Friday.

Priority and timescale
1 (High) : Full system outage – no users at all can use the system. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Partial system outage – a significant number of users are affected. Response 10 mins. Resolve: 1 business day
3 (Low): Minor – a handful of users or a part of the system is not working to Specification. Response: 10 mins. Resolve 1 business day
4 (Query) : Minimal impact. Response; 3 business days. Resolve 20 business days.

Initial set up and additional training, integration and development services are available as per the rate card provided.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started "SHREWD Strategic customers receive a detailed Welcome pack containing:
• Strategic Dashboard on a page (system overview)
• Initial configuration questionnaire
• Initial communications template
• Whole systems configuration questionnaire
• Draft project plan
• Dashboard template
• Technical Specification document

The Strategic can be set up in parallel with Shrewd Resilience setup or as an add on if Shrewd Resilience is already operational.
Where being set up in parallel then an integrated Project Plan with Shrewd Resilience will be created. Customer requirements, including key roles for Resilience will also cover the Strategic Dashboard although additional customer support may be required to include those responsible for managing Strategy. These will be identified in the project planning stage. Shrewd Strategic Dashboard is dependent on the selected feeds being set up on Shrewd Resilience and estimated delivery is from 2 – 12 weeks dependent on customer readiness.
Where an add on to established Shrewd Resilience an implementation plan will be established and the delivery period will also be 2 to 12 weeks depending on customer readiness.
Service documentation Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats Microsoft Word.doc
End-of-contract data extraction All raw data is real-time and publicly available while retained by the source organisation(s). All data provided over the duration the contract could be provided as a CSV at contract end. Other formats available at additional cost.
End-of-contract process Source data feeds are switched off and accounts suspended.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 A
Accessibility testing None (data is presented in visual formats in order to simplify complex system wide events and does not therefore support some assistive technologies)
API Yes
What users can and can't do using the API SHREWD Web APIs is used by various NHS data providers to Push anonymous indicators data into SHREWD database, where indicators data contains three fields (IndicatorId, Current Values and Date Timestamp).
API documentation Yes
API documentation formats
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation A strategic template strategic data set and dashboards are provided within the application. The implementation coproduction approach allows dashboards to be custom designed for each user group.

Scaling

Scaling
Independence of resources Our primary servers are on a managed cloud provision. We have application and server monitoring in place to monitor the resource usages to automatic alerts in place to provision new resources when there is a need for more resources.

Analytics

Analytics
Service usage metrics Yes
Metrics types Users/Agencies/Indicators usage/breakdown/performance metrics, Indicator update frequency/breakdown/total metrics, Features usage metrics.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Via the application menu, a user can select various export options including format (as below) and which specific indicator they wish included in the export. Bespoke exports may be available at additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • .xls
  • SQL
Data import formats
  • CSV
  • Other
Other data import formats .xls

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks The primary datastore is replicated across networks using SSL. File based data transfers are password locked and encryption done using private/public key encryption algorithm.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network The primary datastore is replicated using SSL. File based data transfers are password locked and encryption done using private/public key encryption algorithm on top of TLS.

Availability and resilience

Availability and resilience
Guaranteed availability Planned maintenance is undertaken outside business hours. As the service is charged on a 'pay as you use' basis, any unplanned outages would be refunded at a pro-rata percentage for unavailability in business hours.
Approach to resilience Non-Disclosure Agreements are in place with all of hosting provider suppliers. A risk assessment is undertaken for each supplier, with any required actions (which can include the supplier being subject to a security audit by the hosting provider) are conducted and managed by the Director for Supplier Management in conjunction with the Security Manager. All suppliers are audited as part of ISO 27001 third party audit policies, which are in turn assessed by qualified and impartial third party ISO 27001 compliance assessors. Due diligence is performed on any security impacting third parties prior to selection and appropriate security requirements are built into contractual agreement where necessary. All strategic suppliers are assessed for their Business Continuity provision. Once reviewed the results of the assessment are analysed to assess the supply chain risk with regard to business continuity. Those suppliers considered to be inadequately prepared to deal with a BC scenario affecting their own organisation, which could therefore impact on the hosting provider to continue normal service operations, will be subject to further auditing, via a more detailed questionnaire or onsite at their premises. Third party suppliers are audited at least annually, with a shorter (quarterly) audit cycle for critical suppliers.
Outage reporting When service has a disruption or outage, we notify the users through emails.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Access to accounts that are created by internal admins is limited. Created accounts use two factor authentication to be able to access the interface.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Complies with NHS Information Governance Toolkit IGTK2 (3 in progress) i.e. ISO/IEC 27000 series of standards and The Data Protection Act 1998. Policies and processes followed or used include: Email Policy, Information Asset Register, Information Asset Access Control Policy, IG Steering Group Roles and Responsibilities, Terms of Reference for Information Governance Steering Group, Physical Security Checklist, IG Awareness and Basic Training for new staff, Annual IG Refresher Training for all staff, Network Security Policy, Information Security Policy, Compliance Audit Checklist, Remote Access Policy, Mobile Computing & Teleworking Policy, Assignment of Mobile Computing Form, Portable Devices Standard Operating Procedure, Risk Assessment Impact, Incident Management Procedure, Business Continuity Management Policy, IT Disaster Recovery Plan and Business Impact Analysis Report amongst others. All documents pertaining to Information Governance are available and accessible to all members of staff on the company intranet. The reporting structure entails that all staff report any and all incidents to the IG Lead, who works closely with the appointed SIRO, IAO and Caldicott Guardian. Spot checks are carried out quarterly, IG refresher training courses are undertaken annually with an IG assessment carried out at the end of the year to ensure staff remain IG aware.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Processes are in place to ensure that all changes to the system are authorised and tested prior to being employed. These are compliant with the relevant aspects of NHS Information Governance Toolkit IGTK2. To track components of services over time, version control is enforced and access control records are kept and monitored. All change requests are documented and assessed. All staff are trained on operational procedures maintained on the company intranet, including: Access Control and Password Management Procedures, Change Control Process, Privacy Impact Assessment & IG Checklist, Project and Change Management Control Plan, Network Security Policy and Information Security Policy.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Risk assessments to identify and mitigate issues are carried out as part of a process that is compliant with the relevant aspects of NHS Information Governance Toolkit IGTK2 i.e. Information Security Assurance, Incident Management and Investigation.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Measures are put in place to detect any attacks or unauthorised activity as part of a process compliant with the relevant aspects of the NHS Information Governance Toolkit IGTK2 i.e. Information Security Assurance, Incident Management and Investigation. Potential threats to our services are assessed through employing a 'listener', upon the detection of a threat the relevant IP address is immediately isolated and blocked, whilst a potential threat to our software products is monitored and curtailed immediately with patches deployed automatically to the affected areas.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Procedures are in place to ensure incidents are dealt with immediately to recover a secure and available service. The guidelines apply to all staff and include:All incidents must be reported to a line manager and/or IG lead immediately. An information incident report is then completed detailing; name of the individual reporting the incident, date of the incident, where the incident occurred, details of the incident and any initial actions taken, including who the incident has been reported to and the date the report is created. The line manager or IG lead investigate the incident and employ the necessary measures

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)

Pricing

Pricing
Price £3699 per instance per month
Discount for educational organisations No
Free trial available No

Documents

Documents
Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑