Graphnet Health Limited

CareCentric Population Health

CareCentric Population Health is an analytics data platform designed to support integrated health economies with their population health programmes. The solution integrates with the CareCentric Shared Care Record and surfaces near real time analytics. Data can be incorporated and cross linked from any other available source as required by customers.


  • Scalable Microsoft Azure based population health analytics platform.
  • Secure IG compliant using tried and trusted framework supporting SSO.
  • Three segregated data marts available; identifiable, pseudonymised, and research.
  • Near real-time data feeds (up to 15 mins).
  • Links GP, acute, SUS, mental health, community patient level data.
  • Additionally links social care, out of hours, 111, 999 data.
  • Allows local data flows to be crosslinked into patient records.
  • Risk stratification (ACG System) and population segmentation.
  • Users include: GPs, PCNs, CCGs, ICSs, LHCRs, public health, community.
  • Includes additional wider determinant data to understand health inequalities.


  • Analyse the health and care of a community or population.
  • Advanced case finding capabilities using linked datasets.
  • Monitors impact of care intervention programmes.
  • Identify and understand data quality issues.
  • Identify and support care delivery best practice using casemix approaches.
  • Area wide operational patient flow management.
  • Understand the drivers and risks which lead to outcomes.
  • Identify trends in activity, diseases and patient behaviour.
  • Supports pro-active care through identification and monitoring of patient cohorts.
  • Ability to design, build and publish custom analytics.


£150,000 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

986880170978751


Graphnet Health Limited Sarah Pendlebury
Telephone: 07720 340599

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Cloud deployment model
Public cloud
Service constraints
Dissented patients, and all their corresponding information, are excluded from data marts where legally required. Sensitive codes defined by NHS England are excluded. The local deployment model may be constrained by local IG and security policies regarding presentation of secure information. Mobile device management is not included - just the clinical applications.
System requirements
  • Supported web browsers: IE11, Edge, Chrome, Firefox, Safari.
  • Supported mobile devices: Apple iOS 11.0+, Android 5.0+
  • Customer must support IG and data sharing activities.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is available on commencement of live service and we offer a variety of support packages. Each support package includes full details of call priority rankings and the corresponding response times agreed with the customer.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Options to suit customer's need. Typically 9 - 5.30pm, 24/7 or other daily times possible subject to agreed SLA and commercials. Costings depend on the number of product and user licences required. Support engineers are supplied as part of the Service Desk provision as specified under the Service Level T&Cs for each customer.
Support available to third parties

Onboarding and offboarding

Getting started
Our training methodologies have continually evolved over our 25 years of experience, supporting care providers in their implementation of our range of products.

Our preferred approach is to provide Train the Trainer training, so customers can then go on to deliver specialist training for end users (including clinicians and other care professionals, as well as for specialist users, such as system administrators) and to support the customer team in preparation and early delivery of end user training. These local trainers act as super users within the local organisations. Trainers from all participating organisations will be provided with comprehensive training materials which will facilitate the customer’s provision of first-line support.

CareCentric Portal End User training - For end-users the bulk of the training requirement concerns patient consent, confidentiality, and a description of the data available for which patient groups.

We will provide a Training environment which mirrors the live use CareCentric portal; it has numbers of test patients which provide examples of patients and data for training purposes. The nature of our solution footprint is such that building functional environments for the purposes of training etc. can be achieved relatively quickly and using virtualised resources to control cost and improve flexibility.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Graphnet would expect to have included in the Contract with the customer a schedule setting out the parties’ obligation on “Exit”. This would include details of our obligations to transfer Authority Data in an agreed format.
End-of-contract process
Graphnet would expect to have included in the Contract a schedule setting out the parties’ obligation on “Exit”. The schedule would typically include its obligations:
• to transfer Authority Data in an agreed format;
• the return, removal of any Authority provided software;
• the provision of other reasonable termination assistance at the Authority’s request at the Supplier’s standard rates (e.g. to assist with data migration to the replacement contractor’s system).
In addition, if necessary, a “read only licence” for historic data is possible.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
All information is available on each delivery channel. In each case the presentation of information has been optimised for the type of device.
Service interface
Description of service interface
The platform allows users to access the reports using two methods. Within the CareCentric shared care record, reports are embedded into the interface ensuring that users do not have to transition to another system to access population health information. This method can also take advantage of single sign-on (SSO). Alternatively users can log into Microsoft's Power BI front end to directly access the analytics and available apps in an industry standard interface.
Accessibility standards
WCAG 2.1 A
Accessibility testing
The solution has been designed taking into account the W3C Web Content Accessibility Guidelines. We undergo testing during the design process to support colour blindness, high contrast settings and use of iconography as well as colour in key areas of the application. Additionally, we are prepared to work with customers that have specific needs on a case by case basis. Our Agile design and development approach is collaborative so we continue to develop an accessible, meaningful and intuitive system.
Customisation available
Description of customisation
Customer's information analysts can securely access the underlying data structures directly using any tool that supports Microsoft Azure SQL server. This gives them the power to create any custom analytics utilising the wealth of data on the platform. This approach gives users ultimate control. All analytics created in Power BI can also be published using the supplied platform.


Independence of resources
Availability is a key consideration in our comprehensive approach which covers the hardware platform, software design and associated processes which cover Support and Maintenance, Business Continuity and Disaster Recovery.

For a cloud hosted solution we will provide a solution that has been sized appropriately for current and agreed future expansion requirements, with redundancy built in.


Service usage metrics
Metrics types
The metrics provided relate to:
- Number of user logins over time
- Reports accessed
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The population health platform provides a secure flexible user interface to export any data within the system in a csv format. These extracts can be ad-hoc or scheduled. Bespoke extracts can also be setup using Microsoft Azure functionality into any supported system.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service Level Agreements, including compensation arrangements, are flexible to meet our customer's individual requirements, budgets and priorities. Full details would be agreed as part of contract negotiations. It is normal for us to contract to a service that puts a meaningful element of the monthly service charge at risk if, for example, the agreed availability is delivered.
Approach to resilience
Our hosted Azure service is a robust, secure and highly available hosting service. Microsoft Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, such as UK G-Cloud. British Standards Institute verify Azure’s adherence to the strict security controls these standards mandate. Full details regarding our service, including resilience, availability, security, business continuity and disaster recovery, will be made available on request.
Outage reporting
All outages are recorded as part of the incident management process and should a problem be detected then the service desk will inform the customer as required.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
All CareCentric applications provide an in-built Role Based Access Control (RBAC) model, which manages which functions a user has access to and which views of data they are able to see. The platform also has a well-established concept of Patient Groups, which supports the ability to control which users, roles and groups of users have access to which groups of patients. System Administrators can also further refine permissions, as required.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
BSI / 27001:2013 - IS 614375
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our 27001 covers the full business operation without exclusions.
Graphnet holds Certification number IS 614375 and operates Information Management Systems which comply with the requirements of ISO/IEC 27001:13 for:
All automated information systems under the direct control of Graphnet Health Ltd.
All employees and agents of Graphnet Health Ltd
All employees and agents of other organisations who directly or indirectly make use of or support the use of information systems under the direct control of Graphnet Health Ltd.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • IG toolkit (NHS Digital ODS code 8GX89).
  • ISO9001:2008, (FS614373);
  • Data Protection Act 1998 (DPA)
  • Level 3 compliance with NHS IGSoC

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a range of policies to ensure we adhere to IG and Information Security arrangements. These include:
-Access Control
-Information Governance
-Project and Security Coding
-Clean Screen and Clear Desk
-Secure Software
-Solution Development Procedure
-Data Transfer (Encryption)
-Secure Disposal
-Acceptable Use
-Network Control.
We have other specific guidance and policies available to provide assurance with our Data Processor and internal responsibilities.

We have an IG Steering Group which our IG Manager, Information Security Manager, ISO Compliance Manager, SIRO and Caldicott Guardian all sit on. Through these key roles we ensure policies are reviewed and amended in light of any issues arising, audit reviews and process changes etc.

Policies are available to all staff via our employee hub system which requires staff to read all required policies.

We incorporate the Crown Commercial Service’s Generic Standard GDPR clauses in all our contracts where we process personal data; we process in compliance with Article 32. Where services use the “cloud” this processing adheres to the fourteen National Cyber Security Centre cloud service security principles as applicable to UK OFFICIAL and the cloud host complies with ISO27018, a standard which Graphnet are also working towards achieving compliance with in 2020.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Graphnet follow a standard ITIL deployment methodology and use AGILE Design and Development practices for the iterative delivery of software releases which may include major or minor features / functions and any patches. We use the JIRA case management system to log, track and manage change requests.

All Releases and changes are version controlled through our Change Management process. All patches are tested internally prior to deployment and are monitored for success. Customers are provided with Release Notes and are advised to carry out formal acceptance testing where any bugs may be identified prior to deploying to the LIVE environment.
Vulnerability management type
Vulnerability management approach
The overall architecture of our solution is based on Microsoft Azure services. Security and integrity of Graphnet applications is tested at every major Release through formal penetration testing, carried out by an accredited independent Information Security practitioner to exacting criteria set by CREST and CHECK.
Our AGILE development approach enables rapid bug resolution and deployment of software updates.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The overall architecture of our solution is based on Microsoft Azure services. Security and integrity of Graphnet applications is tested at every major Release through formal penetration testing, carried out by an accredited independent Information Security practitioner to exacting criteria set by CREST and CHECK.
Our AGILE development approach enables rapid bug resolution and deployment of software updates.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are formally managed through Graphnet's Support Desk, using an ITIL focused call logging application to record, track and manage issues through all stages of the incident lifecycle. The Service Desk is also briefed on the service responses agreed through the customer contracts and use the incident logging application to monitor incidents’ service level response times.

Problems are identified through incident reviews and managed through diagnosis, resolution and planned changes. These reviews of issues attempt to identify trends/recurrent issues; when identified, these undergo a root cause analysis and recommendations are made for changes to the product based on the analysis.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)


£150,000 a unit a year
Discount for educational organisations
Free trial available
