GOV.UK
Cyber Media Solutions Ltd.
Theseus: Healthy Weight Caseload Management
Theseus: Healthy Weight is a secure weight management case management system to support teams delivering behavioural change interventions, obesity prevention, nutritional advice and dietetic services. Theseus: Healthy Weight delivers triage assessments, appointment management and weigh-in recording and has integrated assessment tools include BMI, diabetes and heart disease risk calculators (Q-Risk).
Features
- Supports weight management group work and 1:1 interventions
- Supports healthy weight interventions for family groups
- Enables assessment of interacting unhealthy lifestyle behaviours
- Integrated assessment tools for heart disease and stroke (Q-Risk)
- Identifies obesity and calculates Body Mass Index (BMI)
- Easily deployable online healthy weight case management system
- Comprehensive caseload features for weight management interventions
- Supports unlimited weight management caseworkers
- Can be integrated with public self-referral and professional referral forms
- Secure and resilient hosting in ISO 27001-accredited datacentre
Benefits
- Record and review weight loss assessments, goals and timescales
- Print letters and vouchers for weight management providers
- Notification features flag caseload follow-ups due
- Supports onward referrals to activity and exercise providers
- Deployable smart rules to assist selection of referral pathways
- Powerful weight management reporting features and data dashboards
- Scalable healthy weight case management; integrates with wider wellbeing initiatives
- Increases productivity with intuitive workflows for weight management caseloads
- Proven Theseus platform is ISO 9001-accredited; used by 350+ organisations
- Integrated, granular consent features for GPPR-compliant caseload management
Pricing
£8000 per instance
Service documents
Framework
G-Cloud 10
Service ID
847617118728990
Contact
Service scope
| Software add-on or extension | No |
| Cloud deployment model | Private cloud |
| Service constraints | No. |
| System requirements |
|
User support
| Email or online ticketing support | Email or online ticketing |
| Support response times |
Critical priority issue (system unavailable): 2 hours High priority issue (partially unusable, significantly affecting operation): 4 hours Medium priority issue (aspect causing difficulty): 1 day Low priority issue (a general question): 2 days Request for enhancement: 14 days Support issues are adressed during normal working days. Telephone escalation is not available at weekends. |
| User can manage status and priority of support tickets | Yes |
| Online ticketing support accessibility | None or don’t know |
| Phone support | Yes |
| Phone support availability | 9 to 5 (UK time), Monday to Friday |
| Web chat support | No |
| Onsite support | Yes, at extra cost |
| Support levels |
We operate a universal support offer for all clients identified in our SLA: Critical priority issue (system unavailable): 2 hours High priority issue (partially unusable, significantly affecting operation): 4 hours Medium priority issue (aspect causing difficulty): 1 day Low priority issue (a general question): 2 days Request for enhancement: 14 days Support is provided at a standard cost as identified in our rates card. We have a dedicated product support team that provide professional account management and support to clients. |
| Support available to third parties | Yes |
Onboarding and offboarding
| Getting started | We provide high quality onsite and online training, accompanied with documentation. |
| Service documentation | Yes |
| Documentation formats |
|
| End-of-contract data extraction | Our product features powerful reporting functionality for data extracts. We will also support the user with data migration and extraction at contract end. |
| End-of-contract process | We will provide a complete CSV extract of service data and arrange for secure transfer to the user via an agreed secure method. |
Using the service
| Web browser interface | Yes |
| Supported browsers |
|
| Application to install | No |
| Designed for use on mobile devices | Yes |
| Differences between the mobile and desktop service | Mobile service is orientated around ease of use and responsiveness in the field. Superuser features are available on a desktop or laptop machine. |
| Accessibility standards | WCAG 2.0 AA or EN 301 549 |
| Accessibility testing |
All public facing interfaces are thoroughly browser, device and accessibility tested in line with WCAG 2.0 AA standards. As part of the testing process, testers use screen reading software to check for compliancy as well as contrast checkers. |
| API | Yes |
| What users can and can't do using the API | APIs are available to link Theseus Case Management with other systems for example to check whether a client exists in another system to prevent duplication of support activities. Further APIs can be developed on request. |
| API documentation | No |
| API sandbox or test environment | No |
| Customisation available | Yes |
| Description of customisation | Users can setup and manage the accounts of other users within their organisation and for third parties (subject to authorisation associated with the account). Theseus features flexible forms and other customisable functions to tailor the workflow in line with organisational and local requirements. |
Scaling
| Independence of resources | We own and operate our infrastructure in an industry leading UK datacentre. Our infrastructure features robust hardware redundancy provision and an appropriate level of server hardware is provided that exceeds demand requirements and with built in contingency. Compute resources are actively monitored, allocated and controlled to ensure service is maintained. |
Analytics
| Service usage metrics | Yes |
| Metrics types | A comprehensive range of service usage metrics can be provided by the product, for example, total number of service users, follow-ups completed, follow-ups outstanding, etc. |
| Reporting types |
|
Resellers
| Supplier type | Not a reseller |
Staff security
| Staff security clearance | Other security clearance |
| Government security clearance | Up to Baseline Personnel Security Standard (BPSS) |
Asset protection
| Knowledge of data storage and processing locations | Yes |
| Data storage and processing locations | United Kingdom |
| User control over data storage and processing locations | No |
| Datacentre security standards | Supplier-defined controls |
| Penetration testing frequency | At least once a year |
| Penetration testing approach | ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider |
| Protecting data at rest |
|
| Data sanitisation process | Yes |
| Data sanitisation type | Deleted data can’t be directly accessed |
| Equipment disposal approach | Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001 |
Data importing and exporting
| Data export approach | Data may be extracted from Theseus in CSV format from: Standard and bespoke reports, standard and bespoke dashboards, form extracts and system data extracts. Data may be exported as a CSV export of all form data submitted. |
| Data export formats |
|
| Other data export formats | |
| Data import formats | CSV |
Data-in-transit protection
| Data protection between buyer and supplier networks | TLS (version 1.2 or above) |
| Data protection within supplier network |
|
Availability and resilience
| Guaranteed availability |
The in service availability of our hosting has been, and is planned to be, better than 99.95% We operate a transparent SLA. In all cases the times indicated are targets and we will make best endeavours to meet or exceed these targets. |
| Approach to resilience |
We own and operate our own product infrastructure in an industry leading datacentre with ISO 27001 accreditation. The datacentre is located in a former Bank of England bullion vault in central Manchester with highly resilient architecture to provide exceptional reliability and system uptime. Cyber Media uses highly resilient Dell hardware for all physical servers connected using Cisco architecture with multiple redundant connections connected to the backbone network. The network is also multi-homed, has no single point of failure and utilises multiple 10Gbps DWDM MPLS ring networks which enter the facility diversely and separately, connecting to two separate POPs in London and Southampton to maximise performance. |
| Outage reporting | System maintenance and upgrades are performed outside of business hours. Customers are informed of any planned service outage in advance via email. In the event of unplanned outage, customers will receive a report on the cause of the outage and its remediation. |
Identity and authentication
| User authentication needed | Yes |
| User authentication |
|
| Other user authentication | IP restricted and time-sensitive access is also offered to all our clients. |
| Access restrictions in management interfaces and support channels |
The product features secure account management features that enables configuration of user permissions throughout the system to restrict access to management interfaces (and data) by role. In line with our Information Security Management System, all support channel users must be pre-registered by authorised contacts in order to raise support tickets. |
| Access restriction testing frequency | At least once a year |
| Management access authentication |
|
Audit information for users
| Access to user activity audit information | Users contact the support team to get audit information |
| How long user audit data is stored for | User-defined |
| Access to supplier activity audit information | Users contact the support team to get audit information |
| How long supplier audit data is stored for | User-defined |
| How long system logs are stored for | User-defined |
Standards and certifications
| ISO/IEC 27001 certification | No |
| ISO 28000:2007 certification | No |
| CSA STAR certification | No |
| PCI certification | No |
| Other security certifications | Yes |
| Any other security certifications | Department of Health and Social Care IGSoC supplier reference 8HP72 |
Security governance
| Named board-level person responsible for service security | Yes |
| Security governance certified | No |
| Security governance approach |
We have a comprehensive approach to security governance which we manage through an Information Security Management System developed in line with ISO 27001 and Government Cyber Essentials best practice. Our Information Security Management System is annually assessed via the Department of Health and Social Care's Information Governance Toolkit (Supplier reference 8HP72). Our overall score was 95% for 2017-18. We are actively working towards Government Cyber Essentials Plus and formal ISO 27001 accreditation. |
| Information security policies and processes |
We operate an Information Security Management System developed in line with ISO 27001 best practice. Our Information Security Policy (CM 0003 - Information Security Policy) is supplemented with detailed security policies and procedures that all staff receive training on, including: • 0004 - Policy on Transfer and Receipt of Personal or Sensitive Information • 0019 - Policy on Visitors to Cyber Media • 0030 - Policy on the Use and Disclosure of Personal and Sensitive Information • 0035 - Change Management and Control Policy • 0038 - Internal ISMS Audit Policy • 0041 - Access Control Policy • 0043 - Network Access Policy • 0044 - Password Policy • 0045 - Acceptable Use Policy • 0051 - Network Security Policy • 0052 - Remote Access Policy • 0053 - Mobile Computing Security Policy • 0054 - Remote Working Policy • 0057 - Policy on Written Contracts and Information Governance Responsibilities • 0065 - Information Security Incident Management Policy |
Operational security
| Configuration and change management standard | Supplier-defined controls |
| Configuration and change management approach |
We maintain detailed change logs for all our components and services. Significant change must be assessed through compilation of a testing plan with clear acceptance criteria and security impact assessment via a Change Request Form. The individual responsible for testing must be identified and briefed regarding the testing they will need to undertake. The asset owner obtains approval for the change, taking into account any technical considerations, the costs of the exercise, the potential benefits and security impact. Once the change request is approved by the Team Manager, approval is recorded and logged (RECF0101). |
| Vulnerability management type | Supplier-defined controls |
| Vulnerability management approach | Our infrastructure is scanned once per month using Nessus. All new software is risk assessed in line with our software management policy. Security patches are applied within 14 days of the update being made available by a vendor. To identify potential threats the NVD and CVE databases are regularly reviewed. Public facing applications are subject to third party pen tests. Our Cisco firewalls employ next generation firewall services to mitigate against vulnerabilities. |
| Protective monitoring type | Supplier-defined controls |
| Protective monitoring approach | We have a multilayer approach. At the network edge the firewall contains Cisco Next Generation Firewall services (IDS/IPS). This will alert to potential indicators of compromise. We also deploy system end point protection from Symantec offering a second layer of IDS/IPS. |
| Incident management type | Supplier-defined controls |
| Incident management approach |
We have an information security incident management policy (0065) that defines our response. All staff will be made aware through their contract of employment, training and by their team manager of what is considered to be an incident. Information Security weaknesses, events and incidents will be reported immediately by staff to the ISM as soon they are seen or experienced. The ISM will also be responsible for closing out the incident. This includes reports to external authorities. |
Secure development
| Approach to secure software development best practice | Conforms to a recognised standard, but self-assessed |
Public sector networks
| Connection to public sector networks | Yes |
| Connected networks |
|
Pricing
| Price | £8000 per instance |
| Discount for educational organisations | No |
| Free trial available | No |
Documents
| Pricing document | View uploaded document |
| Skills Framework for the Information Age rate card | View uploaded document |
| Terms and conditions document | View uploaded document |