G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with Ortivus UK Ltd are still valid.
Ortivus UK Ltd

Ortivus MobiMed ePCR

Ortivus MobiMed provides paramedics with an electronic Patient Care Record, ePCR, using a structured workflow and support that enhances the clinical decision making process. The eCPR in combination with vital signs monitoring ensures that the patient gets the right care, at the right time, in the right place.

Features

  • Smart-card login
  • Summary Care Record (SCR) access
  • Monitoring with clinical background from cardiac critical care
  • Easy to configure/adapt to any clinical standard.
  • Integrate with CAD, Defibrillators, information systems at hospitals
  • Web browser
  • Dynamic reports for Hospital and General Practitioner output form.
  • Camera support - taking/incorporating images in the ePR and reports.
  • Vital signs are automatically transmitted monitoring to the ePR.

Benefits

  • Facilitates collaboration between paramedic and receiving hospital
  • Comprehensive set of fields, supporting adaptation to working practices

Pricing

£63.50 a licence a month

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@25d30bc1-9258-4982-98bd-39c1c74e8675.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

9 6 8 3 3 3 6 4 2 1 6 3 6 1 6

Contact

Ortivus UK Ltd <removed>
Telephone: <removed>
Email: <removed>@25d30bc1-9258-4982-98bd-39c1c74e8675.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
MobiMed VSM for performing high quality vital signs monitoring can be extended with MobiMed ePCR, or vice versa.
Cloud deployment model
Private cloud
Service constraints
Ortivus will schedule and plan any necessary maintenance or releases / upgrades with customers to ensure minimal service disruption.
System requirements
Microsoft Windows based

User support

Email or online ticketing support
Email or online ticketing
Support response times
Ortivus Support mailbox is monitored during normal business hours, 9am-5pm GMT/BST, Monday to Friday (excluding Bank Holidays) and all emails are responded to within 24hrs. Ortivus also provide an online service portal which is available 24x7 through which customers can raise Incidents and Service Requests.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
1st line call qualification and validation is typically performed by the Customer who would receives incoming calls from the end users and would attempt to resolve incidents in the first instance. Ortivus provide 2nd and 3rd line support for incidents raised that are unable to be resolved by 1st Line.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We can customise training for starting organisations - primarily onsite training, with provision of user guides and materials. The service also mirrors the live service with the provision of training server, so that organisations can arrange for user education in a 'safe' environment.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
At the end of contract customer data will be transferred in XML format. There is also an option of a continuous integration transfer during the contract period (e.g. to Customer Data Warehouse).
End-of-contract process
Data in XML format will be provided within one month after contract end. Ortivus can also supply the data according to specific schemas and formats as requested by the customer. That would incur an additional cost depending on the details of the request.

Using the service

Web browser interface
No
Application to install
Yes
Compatible operating systems
Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Clinical Workstations are the desktop, intended for Acute use, receiving ePCR, notifications, alerts etc. Mobile version is ePCR, primary method for completing ePCR, and alerting Acute.
Service interface
Yes
Description of service interface
Ortivus provides a browser based management tool - Admintool for the administration and management of service elements.
Support is also available using the Ortivus (ServiceNow based) service portal.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
None
API
Yes
What users can and can't do using the API
MobiMed includes a web service API that can be used to consume ePCR data. The API is available on the server side. Bandwidth and polling frequency restrictions apply and depend on the infrastructure chosen.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The MobiMed ePCR is completely customisable and can be tailored to the customer need and processes. Customisation can be managed solely by appointed users at the customer. This presupposes using the Ortivus SDK along with associated training. Ortivus also provide ePR configuration work at cost.

Scaling

Independence of resources
By making sure that the user demand is not exceeding system capabilities and by continuous monitoring of the service resource utilization. The service is designed to minimize the impact of any malicious user actions.

Analytics

Service usage metrics
Yes
Metrics types
Online service usage metrics are provided for the organisation operating the servers. Service reports can be provided for customers on a monthly basis.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
MobiMed ePCR comes with several options for data export: 1) XML WebService intended for system integration of ePR data. 2) Data Warehouse intended for business reporting and intelligence. 3) Integration framework intended for system integration with downstream systems. Specific integrations come at additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
Data import formats
Other
Other data import formats
  • XML
  • JSON
  • Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
The service is provided to 99.6% availability with Service Point penalties in place for any deviation. This is based on incident severity with any Service Points accrued on a sliding scale.
Approach to resilience
Available on request
Outage reporting
Service outages are communicated according to an agreed communications matrix which would include email alerts and telephone notifications depending on severity.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
Mobile access can also be restricted to specified sim-cards.
Access restrictions in management interfaces and support channels
Management interfaces only run locally within the data centre. Data Centre access is restricted to appointed personell using two factor authentication over VPN link.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Issued by Intertek Certification AB, accredited by UKAS management systems
ISO/IEC 27001 accreditation date
Initial certification date 12 December 2014 - Date of certification decision 30 August 2018
What the ISO/IEC 27001 doesn’t cover
No exclusions
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Ncidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities. In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Ortivus have implemented Change Management, Release and Deployment Management procedures. All Requests for Change(RFCs) go through an initial risk assessment with Quality and compliance officers and when risks, clinical safety and security verifications have been clarified, appropriate actions and requirements on the RFC are initialized. Customer approvals are handled through established governance structures involving all relevant stakeholders. The main interfaces being the Operational Board, the Project Board and the Steering Board depending on the RFC. All assets, documents, training and configuration changes are constantly updated within the Asset Management module within the service management tool following standard ITIL V3 procedures.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential threats and vulnerabilities are assessed to determine deviations from acceptable configurations. Risk assessment is carried out and recommendations or appropriate mitigation countermeasures are developed in accordance with stakeholder agreements. Evaluation of network vulnerability and the risks associated with external connections is done through risk assessment by security specialists. Patches are identified and applied in accordance with customer and authority agreements.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are identified through screening of servers, firewalls, routers and devices for system control and system administrations carried out on a weekly basis. This includes checking the content of the access logs and logs from intrusion detection. Audit logging is enabled to identify all successful and failed logins, and logouts. Logs are retained for a minimum of six months and in the event of an incident, logs can be made available to the appropriate authorities such as NHS Digital for investigation.
Incident management type
Supplier-defined controls
Incident management approach
Incidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities. In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly. Incidents may be escalated to other parties including NHS, NHS-Digital, and any other affected body and any corrective action identified during incident resolution will be added to the improvement plan. Security incidents will be reported and corrective actions tracked as part of the monthly performance reporting.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

Price
£63.50 a licence a month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A local test installation to be evaluated during a period of up to 6 months. Only MobiMed licenses are included, cost for hardware and 3rd party licenses not included.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@25d30bc1-9258-4982-98bd-39c1c74e8675.com. Tell them what format you need. It will help if you say what assistive technology you use.