WELLMIND HEALTH LIMITED

Pathway through Pain

Pathway through Pain is the only clinically proven digital therapeutic that delivers all the elements of an intensive Pain Management Programme (PMP). This accessible web-based program is NHS commissioned and delivers significant and often life-changing results for individuals seeking to better self-manage chronic musculoskeletal pain.

Features

• Quick and easy enrolment
• Health outcome reports
• Engagement reports
• Qualitative feedback
• Professional support
• Proven & Lasting Benefits
• Flexible & Accessible
• Guided & Supported

Benefits

• Highly impactful
• Cost-effective
• Ongoing professional support
• Secure Management Portal
• Simple to setup & maintain
• Clinical-grade digital therapeutic
• Reach housebound patients
• Reduce treatment waiting lists

£5,000 to £112,500 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contact@wellmindhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

189540488498169

Contact

Richard Latham
+44 (0)1273 325136
contact@wellmindhealth.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: To use this service the participant must have an internet connection and device (smartphone, tablet, laptop) to access the course.
• System requirements: Internet Browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 business days
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Tested by Pipedrive Ltd with additional internal testing by Wellmind Health development team
• Onsite support: No
• Support levels: We have phone, email and webchat support, all of which are free of charge. ; ; Each client has a dedicated account manager that can assist with any queries. ; ; There is a onsite cloud support engineer.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The set-up process is straightforward, requiring minimal input, with a 3 to 4-week standard implementation.; ; Week 1: Introductions to Client Service Manager for a set-up consultancy call; ; Week 2: Set up of Management Portal, walkthrough via video conference, and production of self-enrolment course page, if required. ; ; Week 3: Supporting launch with tailored promotional resources
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users can download their data when contract ends as a csv file from the Web Management Portal.
• End-of-contract process: Included in price of contract:; • Course licenses (Lifetime access for users enrolled); • Annual License to enroll onto course; • Facilitator Support; • User Support; • Setup Fee; ; No additional costs

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No differences between mobile and desktop service.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service interface can be found online. There are two service interfaces:; 1) Course web interface where participants access the course and it's library of resources.; 2) Web Management Portal interface where referrers can access participant engagement and health outcome data
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: External assessment for WCAG 2.1 AA by ORCHA. ; Independent User Feedback
• API: Yes
• What users can and can't do using the API: API enables:; - Service users to be enrolled on a course; - Health outcomes and engagement data to be retrieved; - Private API connection with IAPTus where participants can be enrolled through a consultation; - Secure access to custom set of API functionality.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Buyers can customize the following:; • Welcome email text; • Data permissions; • Logo on enrollment page; • Setup of management portal by centers; ; Users can go about customizing these parts of the service in their setup period. A dedicated client services manager will help buyer setup these customizable features.

Scaling

• Independence of resources: The course is online and made up of pre-recorded videos allowing us to take a large influx of users on the course, while still having spare server capacity. We have an large space capacity of participants we can take on in our service, due to the online and asynchronous nature of our course.; ; As we take on new clients we are able to plan demand accordingly on server capacity and customer service requirements.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide Engagement reports:; • User course engagement usage; • Helpfulness ratings; • Enrollment metrics; • Star ratings; ; We measure the following metrics before and after the course:; • Anxiety (GAD7); • Depression (PHQ9); • Disability (ODI); • Health (EQVAS)
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export, delete and edit their data via the course interface.; ; Buyers can export data via the web management portal.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service levels are maintained to the highest standard for both course providers and participants. All helplines and response times are from 9am to 5pm (UK) standard business days.; ; --Course Providers--; ; Technical Support: ; Responsive and continuous technical help ; Helpline: 9 to 5 pm (UK) Response within 24 hours; ; Operational Support:; Initial onboarding, portal setup, advisory and ; day-to-day service, Annual Review and Recommendations report; Helpline: 9 to 5 pm (UK), Response within 24 hours; ; Management Portal:; Participant enrolment, course engagement and outcome reporting; On-demand; ; Support for Clinicians and Facilitators:; Individual participant assistance, monthly emailed participant reports; Helpline: 9 to 5 pm (UK) Response within 12 hours; ; Complaints: ; Escalated to Client Services management ; Response within 24 hours; ; --Course Participants--; ; Technical Support:; Responsive and continuous technical help ; Helpline: 9 to 5 pm (UK) Response within 24 hours; ; Course Support:; Day-to-day support for all course queries (Non-clinical); Non-Clinical Helpline: 9 to 5 pm ; Response within 24 hours ; ; Clinical Support:; Advice is not offered or given to course participants. Clinical assistance needs are; referred to the enrolling clinician or facilitator; Action/Response within 12 hours; ; Course Resources and Tools:; Course login ; On-demand and lifetime access; ; Complaints ; Escalated to Client Services management ; Response within 24 hours
• Approach to resilience: Available on request
• Outage reporting: Email alerts, API and public dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Secure password policies with multifactor authentication.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: SecureTrust / Trustwave
• PCI DSS accreditation date: 2021/09/01
• What the PCI DSS doesn’t cover: SecureTrust / Trustwave covers all PCI DSS requirements.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Digital Technology Assessment Criteria (DTAC)
  • Data Protection Impact Assessments (DPIA)
  • NHS Data Security & Protection Toolkit
  • AWS cloud security compliance

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: DTAC - Digital Technology Assessment Criteria ; Cyber Essentials; NHS Toolkit; AWS Cloud Compliance
• Information security policies and processes: Internal policies and procedures ensure all staff are aware of restrictions and regulations pertaining to acceptable use of IT and secure control of sensitive data. This includes - but not limited to - remote access, password management, BYOD, removable media, encryption/key management, backups and general awareness of data breach & cyber-security threat. Regular training and review processes in place and overseen by CTO and CEO.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: JIRA software for collaboration, planning and tracking of product development. Updates released roughly monthly and may include performance improvements, bug fixes, security patches, new features, and other changes in response to changes in user needs. Updates with major functionality changes are released as beta versions which are then tested with members of our existing user base. Development approach closely follows OWASP methodology. All code and config is tracked by GIT and peer-reviewed. Server-side config management utilises AWS tools that track and audit all changes to infrastructure and component configuration.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Third-party vulnerability scanning and review of findings takes place monthly. Penetration testing is done annually or as required due to major config/code updates. These activities as well as our team's keen interest in secure software development enable us to be aware of potential threats and vulnerabilities. Patching schedule is within 30 days of release however highly dependant upon the area of concern.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Active monitoring with automated exception reporting is in place wherever possible. As well, AWS Cloudwatch Alarms are configured to alert administrators immediately of any metric anomalies or threshold violations. Log datasets are analysed at least each quarter to further detect anomalies using tools such as Splunk, Cloudwatch Logs Insights and Cloudwatch Metrics Explorer. Response times vary depending upon the severity of the potential compromise however most incidents are resolved within hours where possible.
• Incident management type: Supplier-defined controls
• Incident management approach: Users report incidents through our customer support channels (phone, email or live chat). Response procedure to common events is adequately covered by internal process and guidance documentation. Complex events will involve JIRA service desk ticketing system which is integrated with our SDLC such that incident investigation right through to a potential patch release is all auditable and reported upon with use of the system's in-built toolset.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Equal opportunity:

  Equal opportunity

  Wellmind Health pledges to provide equal opportunities in the work environment and makes sure no one is discriminated by their gender, age, race, religion, sexual orientation, or disability.
• Wellbeing:

  Wellbeing

  As an organisation that helps other organisations improve staff mental health, Wellmind Health is dedicated to also promoting good mental health internally. Wellmind Healths wellbeing programme includes free services provided to all staff.

Pricing

• Price: £5,000 to £112,500 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We provide a demo account to evaluate the course content.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contact@wellmindhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.