E-Health Innovations Ltd


VIPER is a fully featured, browser based electronic document management application providing seamless integration with existing systems. Documents collated from multiple external sources are accessed via an intuitive user interface. New electronic forms can also be designed and deployed by the customer to enable new content creation.


  • Digital medical records from scanned documents or eForms
  • Browser based access from any authenticated device on the network
  • VNA & XDS integration to provide clinician access
  • Windows AD/LDAP integration
  • HL7 compliance and integration
  • Device agnostic, designed for tablet use
  • Patient timeline view incorporating HL7 clinic data
  • Integrated form builder and release management process
  • Automatic OCR function enabling document keyword search
  • Intelligent document indexing via user defined templating


  • Access to clinical records from anywhere in the trust
  • Provides a single view of multiple document sources
  • Generate new content via user-defined, standardised forms
  • Create virtual folders for sharing and MDT support
  • Enjoy rapid access to the complete patient docuement history
  • Go digital straight away with EDM & eForms
  • Run faster and more reactive clinics
  • Easily remove paper blockers in the system
  • Centralise and bring to life patient documents
  • Massively reduce paper storage costs


£8000 to £12000 per instance per month

Service documents

G-Cloud 10


E-Health Innovations Ltd

Kate Smith

01623 489 838


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements LINUX Server (no software licence required)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times EHI offer differing levels of support ranging from 9-5 Monday to Friday to 24 x 7 x 365 depending on the customers requirements, therefore response times may be different over the weekend as determined by the customer.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels EHI Provides support on a 9-5 or 24x7x365 basis. All service failures are logged with the EHI helpdesk and a severity level attached to each. EHI has agreed service levels in order to fix service failures within agreed targets (4 hours for a Severity 1; 12 hours for a severity 2; 5 working days for a severity 3 and next software release for severity 4). HSS uses on online logging tool for a full audit trail of the logging and resolution of service failures, which the customer is able to access.
EHI may refer a service failure back to a customer for further information, in order to be able to resolve the issue (this time is deducted from the fix time).
EHI will ensure that the software is available 99.9% of the time and typically measures this using synthetic scripts logging into the software on a workstation housed within the customer environment.
EHI provides reporting against service levels and monitoring of the system.
All upgrades are done during normal business hours unless otherwise agreed with the customer
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started The system is generally supported via a Train the Trainer system where the Trust training team are fully skilled to provide training for Trust staff. User documentation and e-learning resources are available.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We will work with the individual Trusts and the new service provider to ensure that data is extracted in a meaningful format.
End-of-contract process During, and towards the end of a contact term, EHI is able to provide an exit plan with customers to ensure an efficient transition of the services either back in house or to an alternative third party supplier. This will clearly set out the management structure in place, the activities in the final months of the contract and what the requirements are by the customer of the supplier in order to provide information in relation to the services.

The exit plan will identify assets to be transferred and any data migration requirements, how this is managed and any ongoing requirement for the suppliers software at the end of the contract term in order to support the transition of services. The exit plan will set out the suppliers chargeable services and how these are agreed between the parties including timing

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Screen layout is automatically scaled dependent on device screen resolution.
Accessibility standards WCAG 2.0 A
Accessibility testing WCAG 2.0 standards are complied with and have been tested in house.
What users can and can't do using the API All service set up is carried out by the supplier. The API provides a full suite of functionality for application level changes and user interactivity.
API documentation No
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Administrators of the system can customise the user interface by means of access level control for individual users. This is managed via a built in administration tool.


Independence of resources We provide a fully scaleable service that distributes load evenly along the different application components preventing user experience bottle necks.


Service usage metrics Yes
Metrics types The following metrics are provided via reports:
System access, files access, unique users
The Trust will also receive a regular service dashboard report detailing support incidents.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Standard reports can be scheduled to run at regular intervals or on demand outputting to a folder specified by the Trust.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability EHI manages availability by an agreed uptime % of 99.9%, measured by running synthetic scripts on a reference workstation housed in the customers environment.

EHI is liable for service credits where the availability service level is not achieved, which increased on a sliding scale to recognise that as the system down time increases then the EHI liability becomes more significant and EHI lose 1 % of the Support Charge as follows:

Availability Service Credit
99.9% 0%
99 – 99.89 2.5%
98 – 98.89 5%
97 – 97.89 7.5%
96 – 96.89 10%
95 – 95.89 12.5%
94 – 94.89 15%
93 – 93.89 17.5%
Less than 93% 20%

The availability calculation will exclude permitted downtime (up to two hours per month) and shall be deemed available when the software is available on the reference workstation
Approach to resilience The application architecture supports multiple deployment options to support various levels of availability and redundancy depending on customer needs and risk assessment.
Outage reporting Customers would be contacted directly to notify/report any service outages via agreed contact methods.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Role based access to separate administration application restricts supervisor level functions.
Access to support is via agreed Trust support contacts
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes EHI has policies and processes in place to ensure that the organisation complies on an ongoing basis with the requirements of ISO27001. We have an audit schedule which ensures that all aspects of the security management system are audited on a frequent basis with a clear process for dealing with deficiencies identified through audits and managed to resolution (corrective actions plans).

All staff are trained in the security management system and also our security requirements for NHS Toolkit requirements.

All security policies are reviewed at least on an annual basis and the scope, context and the objectives of the system are reviewed regularly by the senior management team.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach EHI maintains a configuration management database that defines software components deployed at each installation including; Application Software Versions, Modules, Operating System, Database versions, software services, integration components & configuration. This data is used to manage risk as part of the change management process to identify relational and dependent component parts during the change advisory board (CAB).

During the CAB such elements reviewed are Security, Business Change, Capacity, Availability risks and relation to other changes that maybe taking place.

All changes to deployed systems are reviewed as part of the change management process. Request for changes (RFC) are reviewed at CAB
Vulnerability management type Supplier-defined controls
Vulnerability management approach Security advisories are put out by the underlying products that we use which we assess internally against current deployments. Any identified vulnerabilities have hot fixes and updates issued at the earliest opportunity.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are identified by our open source monitoring software as well as in house firewall rules. Clients will be notified of any compromises and these will be rectified at the earliest opportunity.
Incident management type Supplier-defined controls
Incident management approach EHI has a mature ITIL aligned process that includes Incident, Problem, Event, Change, Configuration, Release and Capacity Management. Incidents are registered on the service desk system directly or by phone or email and are managed by the Incident Manager to ensure compliance with Service Levels.

Incident reports are either provided via the Service Desk Tool or emailed to the user with resolution details and root cause information etc.

Where a major incident occurs a major incident report is provided that identifies the resolution details and any forward actions that need to be implemented to prevent re-occurrences.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £8000 to £12000 per instance per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑