IMMJ Systems

MediViewer Cloud

MediViewer Cloud is an Electronic Document Management solution built specifically for healthcare providers and designed around the needs of healthcare professionals. This end-to-end solution optimises every aspect of the digitisation of paper clinical content and then by providing fast, intuitive and secure access to electronic patient records from any device.


  • Fully mobile, touchscreen enabled ready to use on any device
  • User configurable rules to recognise un-barcoded documents utilising OCR
  • Documentation within an episodic context, featuring complete attendance history
  • Representation of document taxonomies to enable intelligent selection
  • Scanning and intelligent metadata indexing process (archive and day forward)
  • Intelligent metadata tagging provides a cost-efficient alternative to manual identification
  • A browser-based interface making it accessible from anywhere at anytime
  • Supports multiple file types including text, audio, video and image
  • Includes role-based access control and supports content lifecycle management
  • Automated document classification in realtime through unique Smartindexing technology


  • MediViewer's unique architecture and implementation approach enables rapid deployment
  • Intuitive user interface ensure a high rate of user adoption
  • Simple, fast access to all archived medical records
  • Support for efficient and effective integrated care
  • Designed to integrate ensuring seamless interoperability with other systems
  • Access from any device over low bandwith promote remote connectivity
  • Built-in OCR allows re-classification of already scanned documents effciently
  • Consistent user interface across mobile, laptop and desktop simplifies training
  • Full auditability and end-to-end control drives BS10008 compliance
  • Accepts scanned and electronic documents to complete the paperless experience


£134000 per licence per year

Service documents

G-Cloud 10


IMMJ Systems


0203 053 8599

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to MediViewer EDM (Electronic Document Management) can be implemented as a standalone solution or typically as a module of the EPR (Electronic Patient Record) or the PAS (Patient Administration System). MediViewer EDM is integrated to the EPR/PAS via an HL7 data feed and User Interface Integration with single sign on.
Cloud deployment model Public cloud
Service constraints MediViewer Cloud can be deployed to any NHS approved cloud platform whether that be hosted by a third party provider or sit within a private cloud environment hosted by the Trust. MediViewer Cloud comes with a fully managed service with no known constraints.

IMMJ's partner, UKCloud, provides the hosting service for the MediViewer Cloud Public Cloud offering.
System requirements
  • Supported browsers: Microsoft Internet Explorer 11+
  • Supported browsers: Safari 9+
  • Supported browsers: FireFox
  • Supported browsers: Chrome
  • Supported browsers: Microsoft Edge

User support

User support
Email or online ticketing support Email or online ticketing
Support response times The service level agreements will differ from customer to customer. Our typical response times depend on the severity of the support request as triaged by 1st line support. Due to the critical nature of MediViewer, 24/7 support is available on request based on the support agreement in place.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels SLA
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The intuitive design of the MediViewer™ application negates the need for extensive end user training. However, it is recognised that training will be required relating to changes to existing hospital processes. If training can be arranged by staff groups then we recommend one hour per session to cover specific MediViewer functionality and process changes.
We recommend the following methods of training carried out on-site:

• Classroom based sessions
• Ward/Department based training (where staff cannot be released)
• 1:1 training for Consultants

The ongoing training requirement once fully live should be handed over to BAU training team. IMMJ systems will provide a training resource to deliver ‘Train the Trainer’ training to enable the hospital resource(s) to provide training to all appropriate hospital staff. Depending on the chosen IMMJ consultancy model, the IMMJ implementation team will either train Consultants within the early adopter specialty or all Consultants for the duration of the deployment.

Additional IMMJ will provide:
• Training environment;
• Comprehensive On-line Help;
• Role specific process guides;
• Best Practices Guides - one-page quick glance documents that take users through specific functions, such as "changing user password", or "printing a form", etc.
• E-learning modules.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction IMMJ Systems do not charge for data repatriation and there is no cost for data transit over the internet or download from N3 if the application is being provided as part of a hosted solution. At the point of service termination, the Client is required to have the capability, resources and skills to extract and securely remove their own data set. Data can be extracted either from within the Virtual Machine, for example copying data over virtual networks or the entire VM can be exported as a VMDK or OVF.
As part of this operation the Trust would work with IMMJ Systems to spec up the required encrypted data store, which we would be more than happy to support.
Once IMMJ Systems has been formally notified that a service has been terminated, any residual customer data or configurations which remain will be securely and permanently erased. Any data or materials which cannot be deleted or exported will be returned to the customer.
End-of-contract process We will return all your data and materials which cannot be deleted or exported by you, and securely destroy all copies of your data on your written instruction. We will not penalise you for terminating your contract with us unless specifically stated in the Service Definition. We will also return all of your confidential information, unless there is a legal requirement that we keep it.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Both services are identical. This was a major consideration during the design phase to ensure that MediViewer had a single user interface with full functionality whether accessed via a tablet, laptop or desktop. This greatly simplifies the user training as there is only a single user interface to be trained on.
Accessibility standards WCAG 2.0 A
Accessibility testing Perform both manual and automated testing with Google ADT and other toolkits
What users can and can't do using the API IMMJ Systems have experience of establishing a live feed from the Hospital EPR that can include the following information:
• Patient demographics
• Patient Alerts
• Patient merges (will also trigger movement of scanned documents)
• Inpatient stays and movements
• A & E attendances
• Outpatient appointments
• Reference types, such as specialties, wards and clinics

In order for MediViewer to be updated it can receive and process HL7 messages (or similar) from the Hospital interface engine and interface with API endpoints within MediViewer to update the internal MediViewer reference tables. We have experience of working with HL7 v 2.3, 2.4 and 2.5; the translation layer in our HL7 interface is scriptable allowing ready customisation to site specific requirements. MediViewer will process the following ADT messages from the EPR; A01, A02, A03, A04, A05, A08, A11, A12, A13, A28, A31, A38, A40.
API documentation Yes
API documentation formats Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation MediViewer is highly customisable and provides many functions to the System Administrator that gives overall control of the application to the user.

Any user with the correct role can carry out customisations.

The User Interface is customisable to allow the user to decide on their default view of the patient records.

All other customisations take place via the Administration and Advanced Administration Modules.

At project start the EDMS Customisation specialist will work with the Trust to define the security model and create the initial model within MediViewer based on agreed profiles.

Smart indexing identification rules for specific types of document that will form the core of any taxonomy come standard. The joint project team will carry out investigative work in the early stages of the project to setup the additional Hospital specific business rules for recognition with the smart indexing function.

HL7 and ADT feds are also customisation and the schema-less design of MediViewer allows any number of fields to be rendered within the interface.

IMMJ will take responsibility for customising MediViewer working with the joint project team. Thereafter Systems Administrator will be trained to ensure that skills are retained in-house without requiring any specific development skills.


Independence of resources In order to guarantee that users are not affected by the demands from other users, we map dedicated GPU resources to a customers account. On the core platform, we use resource reservations and shares such as internet bandwidth shaping. In addition, the capacity planning team ensure that usage in terms of all resources are constantly monitored and increased accordingly relating to user demand.


Service usage metrics Yes
Metrics types An Admin user is able to add additional metrics from with the Admin Module that allow for surfacing almost any measurable metric from MediViewer.

These are standard.

User Groups
Metadata classification
User Activity
Imported documents
Record Growth
Image Count
Volume of records
Transactions per record
Transaction per patient
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach Customers are encouraged to protect their own data using encryption technologies where only they have the decryption key. In this way, our customers are assured that their data can never be accessed by a third party.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Export patient information: an authorised user can select part or all of a patient’s record for the creation of an encrypted PDF. Typically, this will be in response to a request for patient documents for tertiary care or in response to a Subject Access Request.
Audit Log: MediViewer provides the ability to either display or export to CSV the results of an interactive query which can report against user, date and transaction type.
Data export formats
  • CSV
  • Other
Other data export formats Encrypted PDF/A
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • PDF/A
  • TIFF
  • JPEG
  • Microsoft Word
  • MP4
  • MP3
  • Most unstructured file formats from clinical systems

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Other
Other protection between networks "We offer the choice of connecting:
• Via the internet using additional encryption such as TLS 1.2
• IPSec VPN tunnels
• Via private networks such as leased lines or MPLS
• Via public sector networks such as PSN, N3, Janet
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network We use dedicated CAS-T circuits between each of our sites to ensure the protection of customer data in-flight. We additionally encrypt this data within our Elevated OFFICIAL platform. All data flows are also subject to our protective monitoring service.

Availability and resilience

Availability and resilience
Guaranteed availability 99.90%
Approach to resilience Our service is deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware). Customers should note that GPU's present a single point of failure for a single VM instance, and that customers are encouraged to ensure their solution spans multiple sites, regions or zones to ensure service continuity should a failure occur.
Outage reporting All outages will be reported via the Service Status page and the notifications service within the UKCloud Portal.  Outages are identified as Planned maintenance, Emergency maintenance, and platform issues.  In addition, the designated Technical Account Manager will proactively contact customers as appropriate.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels The level of access that a user has, and the activities they can perform within MediViewer are governed by the following access control mechanisms:

1. Access control to function by authorised user role;
2. Access control to specific document sets.

Access rights are restricted according to the role of a user. Although the creation of AD (Active Directory) roles are performed by AD administrators, MediViewer implements an ABAC (Attribute based access control) system that assigns authorization tickets (to access specific functionality) to users based on their attributes (such as AD group membership).
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 8th May 2012
What the ISO/IEC 27001 doesn’t cover Nothing.

All above certifications covered by our partner UKCloud.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 28th October 2016
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover Nothing.

All above certifications covered by our partner UKCloud.
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO27018
  • Cyber Essentials
  • Cyber Essentials Plus
  • PSN
  • ISO20000
  • ISO27017
  • (Cloud Infrastructure Service Providers in Europe) Code of Conduct Certification
  • All above certifications covered by our partner UKCloud.

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards CSA STAR, ISO27001, ISO27017, ISO27018 and ISO20000
Information security policies and processes UKCloud has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001, ISO27017 and ISO27018 by LRQA, a UKAS accredited audit body. The Company is governed by an integrated suite of information security policies. Under the top level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach UKCloud has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach UKCloud has a documented vulnerability management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 and ISO27001 standards. Where technically possible, real-time updates and status reports are identified and sourced from credible vendor sources, which cover a significant proportion of UKCloud’s asset population. For other systems and software, assigned personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require our attention.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Following best practice from the National Cyber Security Centre, UKCloud protects both its Assured and Elevated platforms with 24x7 enhanced protective monitoring services, vulnerability scanning and assessment.  Our approach to protective monitoring at minimum meets the Protective Monitoring Controls (PMC 1-12) outlined in NCSC document GPG13 (Protective Monitoring for HMG ICT Systems).  It includes checks against systems events (SIEM) and network traffic analysis, including time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and status of backups.  Any alerts generated are logged and investigated 24x7.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach UKCloud has a documented incident management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 and ISO27001 standards. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by UKCloud personnel, and incidents identified and reported to UKCloud by its customers and partners. All incidents are promptly reported into a central ticketing system, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £134000 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Proof of Concept
Jointly identify the best specialty or clinic for the trial.
Provide all relevant project documentation.
Classification schema design, back and day forward scanning.
Limited HL7/ADT integration with the Trust PAS for the period of the project.
A benefits report with evidence based clinical, operational and financial benefits.
Link to free trial


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑