Concentric

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: We perform near-zero downtime deployments, and therefore you should not expect scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible. There are no service constraints beyond those outlined in the system requirements.
System requirements: Modern web browser (e.g. Edge, Chrome, Safari, or Firefox)

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response from Concentric support team within one working day.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: We aim for 99.9% uptime, which equals less than 8 hours and 45 minutes of downtime per year. We perform near-zero downtime deployments, and therefore you should not expect to hear from us regarding scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible.

Any downtime is documented in real-time at https://concentric.statuspage.io/. Deploying organisations should ensure that any individuals or group mailboxes that require automated email alerting regarding Concentric issues are subscribed to updates via that page.

Where there is an issue with the Concentric application or an integration issue that is within our control, the following issue resolution time targets (working hours) are used: P1 (System is down) = 2. P2 (Critical path blocked) = 8. P3 (Major functionality issue) = 48. P4 (Minor functionality issue or feature request) = Backlog item for internal prioritisation.

Organisations can contact us at support@concentric.health to inform us of an issue. Priority will be assigned by the Concentric team and communicated to the individual reporting the problem.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Having introduced Concentric into several organisations, we have experience supporting a safe, efficient and effective implementation of Concentric as the default consent method. This includes a comprehensive delivery playbook with project management and clinical engagement session resources, technical and integration documentation, testing scripts, clinician and admin user guides, and impact measurement tools and strategies.

A train-the-trainer model is used for clinician onboarding, alongside user guides, videos, and process flows for each user. Train-the-trainer sessions are delivered by the Concentric team and are supplemented by 6-monthly update sessions to trainers due to the continuous improvement of the product.

An onboarding guide is shared with each clinical user at account setup and can be hosted by Concentric or locally. These are made bespoke for each deployment, including any local considerations, such as the integrations in place, support details, test patient details, relevant policies, and business continuity processes.

In addition to training materials, project management teams and clinicians have access to the Concentric support team to aid with onboarding queries and ongoing support.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: The buyer is the data controller and therefore has the right to access to all data at contract end. Data is transferred securely to the buyer as both consent episode metadata and the associated consent form PDFs.

Following data extraction, a process of data deletion occurs. At a high level, the approach taken is that all data is stored encrypted at rest and that on deletion encryption keys are first deleted ensuring that data is unreadable (cryptographic erasure), with the physical data later deleted and over time expired from backup systems. Additionally at end of life drives are securely sanitised.
End-of-contract process: There is no additional fee for a standard data extract. Where required, other extracts are chargeable at commercial rates.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: All functionality is available across mobile and desktop with responsive web design.
Service interface: No
User support accessibility: WCAG 2.1 AA or EN 301 549
API: Yes
What users can and can't do using the API: As part of all G Cloud 13 deployments, Concentric Health will support the buyer to put in place the following integrations: patient demographic query, document ingestion, active directory login / single sign-on, and launch in the patient context from EHR.

Integration documentation and support are provided by Concentric Health.
API documentation: Yes
API documentation formats: HTML

PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Buyers can customise the service in the following areas: white-labelling, integration metadata passed, content and patient information links customisation, additional consent modules, and reporting dashboard queries.

White-labelling: The organisation name and branding are used across key areas of the application and email/SMS notifications.

Integration metadata: The organisation can state which patient identifier(s) they wish to use and show in the UI, and can state what metadata to pass with the document integration so that key information (e.g treatment name) can be shown at a glance.

Content and patient information link customisation: Where local updates are required to the Concentric ontology these can be requested and are done in collaboration with the Concentric team with target delivery timeframes based on size and priority.

Reporting dashboard queries: If there are queries that would be useful to present within the admin dashboard area these can be requested.

Scaling

Independence of resources: Monitoring data is collected for early warning of increased demand and the system is designed to scale horizontally. The system operates with significant headroom and demand for this service is inherently predictable.

Analytics

Service usage metrics: Yes
Metrics types: The Concentric Admin application, protected by 2-factor authentication allows access to reporting dashboards and exporting of metrics data. These demonstrate the volume of use (active clinicians and consent episodes), use of remote consent, use of on-the-day consent, rate of sharing information digitally with patients, common treatments consented, and patient feedback received. All elements can be explored for specific periods and by specialty. An integration status dashboard is also available, demonstrating current system status, recent or ongoing incidents, and uptime %.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Consent form PDF's can be downloaded by users from within the application. Raw data for all reporting dashboards can be exported by admin users. Individual episode audit trail can be requested by admin users.
Data export formats: CSV

Other
Other data export formats: XLSX

JSON
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: We aim for 99.9% uptime, which equals less than 8 hours and 45 minutes of downtime per year.

We perform near-zero downtime deployments, and therefore you should not expect to hear from us regarding scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible.

Any downtime is documented and monitored in real-time on our status page.
Approach to resilience: Automatic failover is configured to handle all server failures, which is designed to cause less than 5 minutes of unavailability. The system is designed to not need any scheduled maintenance. Near-zero downtime deployments of new application code are done. Concentric is designed to be resilient to a single data center failure within a region.

Data recovery processes are in place, in the unlikely event of total system failure:
- Database backups can be used in the case of total system failure. This scenario is not anticipated and would be a manual operation taken as a last resort.
- Configuration management system is used to configure all cloud services and hosts, allowing rapid total replacement of cloud infrastructure in the case of total failure.

Database backups are taken daily and stored for 30 days.
Outage reporting: A public statuspage is maintained to report any incidents. Email alerts can be subscribed to for any incident updates posted to the statuspage.

Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. Tenants are provided with a company operational and technical contact for use in an emergency, with emergency support available 24/7/365.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: Concentric infrastructure: Security critical services are only accessible to a subset of the engineering team, at the CTO's discretion. Access is protected by cryptographic controls.

Tenant administration interface: Role-based administration access with 2-factor authentication.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: Yes
Any other security certifications: NHS Digital - Data Security and Protection Toolkit

NHS Digital Technology Assessment Criteria (DTAC)

NHS Digital DCB0129 clinical safety standard

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials Plus
NHS Digital Data Security and Protection Toolkit
Information security policies and processes: The Chief Technical Officer and Data Protection Officer have overall responsibility for information security at Concentric Health.

Concentric is compliant and undertakes annual recertification with NHS Digital's Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus. In addition, independent penetration testing is done annually. Covering both clinical safety and elements of information security, Concentric Health also maintains compliance with NHS Digital DCB0129 clinical safety standards.

Policies and documentation include all those required as part of the Information Security Management System for ISO27001 certification.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Software releases are done every two weeks, and release notes are made available to buyers at each release. Before each release, both manual and automated end-to-end quality assurance testing is undertaken. Before a release is deployed, the Chief Technical Officer and Clinical Safety Officer must approve the release. Clinical safety and security impacts are considered as part of any release to ensure ongoing compliance with NHS Digital DSPT, NHS Digital DCB0129, and Cyber Essentials Plus standards.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Concentric is hosted on Linux VMs which receive automatic patch updates.

Application code runs within containers which depend upon a small number of official base images. As part of our regular release process, containers are continually rebuilt using updated base images.

Automatic pull requests are created and reviewed for all application code dependency updates. Security updates are sent to designated individuals. Our policy is to deploy security-related updates within 2 weeks, or sooner if deemed necessary by our Chief Technical Officer.

Security vulnerabilities may be responsibly disclosed to security@concentric.health.

Independent penetration testing is done annually to assess for potential threats.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Log data is collected centrally and monitored for signs of unusual activity.

Application logging is carefully designed to log unusual activity at warn level or above. The rate of such logs is monitored to provide an early warning signal.

Internally services are designed along zero-trust principles. This prevents a single compromised component from allowing access to other information.

Internal authentication is by way of signed authentication tokens. The private keys underlying these tokens can be replaced in case of a suspected breach which will invalidate all existing tokens and cause all users to become immediately logged out.
Incident management type: Supplier-defined controls
Incident management approach: Concentric Health is committed to managing and reporting incidents in a transparent and robust way.

Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. System status is reported in real-time and notification of any status updates is sent to all subscribers with incident details.

Tenants are provided with a company operational and technical contact for use in an emergency, with emergency support available 24/7. Root cause analysis investigations are undertaken in response to failure.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

As an organisation, we are committed to supporting net-zero efforts both in our activities as a company and through the impact of the products we develop.

We are involved in a specific project to support the NHS to reach net-zero by 2040 (with an ambition to reach an 80% reduction by 2028 to 2032). The project explores the feasibility of introducing carbon data to support patient-clinician shared decision making conversations. It is one of 10 NHS/SBRI backed net-zero projects for 2022.

The core Concentric product reduces the carbon impact of healthcare, both by remote consent functionality reducing the number of in-person outpatient appointments required and the removal of paper use in the consent process.

Where possible, we use carbon neutral providers in our supply chain, such as Google, for our cloud hosting. Google is carbon neutral today, but aiming higher: their goal is to run on carbon-free energy, 24/7, at all their data centres by 2030.
Covid-19 recovery: Covid-19 recovery

Digital-first elective care pathways are crucial for healthcare organisations recovering from the COVID-19 pandemic, particularly concerning the surgical backlog. Concentric and other digital consent / econsent applications are vital in enabling digital-first elective care pathways, particularly with remote consent. The NHS features Concentric as a tool to support COVID-19 recovery.

We have been responsive to the needs of our partner organisations during the pandemic and secured Welsh Government and Innovate UK grant funding to deliver projects to support the initial response to and recovery from the pandemic.

In response to the pandemic, employees have mainly worked remotely and flexibly.
Tackling economic inequality: Tackling economic inequality

Concentric Health is a health technology startup / SME (small/medium-sized enterprise) based in Wales. Founded and based in Wales, the Company has created job opportunities in Wales and has led to international inward investment.

Since 2019, Concentric Health has been hiring team members in the high-growth digital health sector. Our recruitment practices and employment conditions aim to follow the Good Work Plan’s foundational principles of quality work: fair pay, participation and progression, voice and autonomy. We support workforce development by training existing employees and medical and technical student placements with Cardiff University.

We aim to support other SME’s across the UK and, by doing so, increase supply chain resilience and capacity. Examples include our use of co-working spaces such as Tramshed Tech and Desg in Cardiff and our Cyber security partner Sapphire.

We are willing to commit 1% of any Concentric Health contract revenue to support local communities supported by the contracting healthcare organisation. Support decisions will be made collaboratively with the healthcare organisation.
Equal opportunity: Equal opportunity

Concentric Health is committed to encouraging equality, diversity and inclusion among our workforce, and eliminating unlawful discrimination. The aim is for our workforce to be truly representative of all sections of society and our customers, and for each employee to feel respected and able to give their best. The organisation - in providing goods and/or services and/or facilities - is also committed against unlawful discrimination of customers or the public.

We publicly commit to:

- Encourage equality, diversity and inclusion in the workplace as they are good practice and make business sense
- Create a working environment free of bullying, harassment, victimisation and unlawful discrimination, promoting dignity and respect for all, and where individual differences and the contributions of all staff are recognised and valued.
- Take seriously complaints of bullying, harassment, victimisation and unlawful discrimination by fellow employees, customers, suppliers, visitors, the public and any others in the course of the organisation’s work activities.
- Make opportunities for training, development and progress available to all staff, who will be helped and encouraged to develop their full potential, so their talents and resources can be fully utilised to maximise the efficiency of the organisation.
- Make decisions concerning staff being based on merit (apart from in any necessary and limited exemptions and exceptions allowed under the Equality Act).
- Review employment practices and procedures when necessary to ensure fairness, and also update them and the policy to take account of changes in the law.
- Monitor the make-up of the workforce regarding information such as age, sex, ethnic background, sexual orientation, religion or belief, and disability in encouraging equality, diversity and inclusion, and in meeting the aims and commitments set out in the equality, diversity and inclusion policy.
Wellbeing: Wellbeing

We are committed to supporting mental health in the workplace, implementing the six standards of the ‘Mental Health at Work commitment’:

- Prioritise mental health in the workplace by developing and delivering a systematic programme of activity
- Proactively ensure work design and organisational culture drive positive mental health outcomes
- Promote an open culture around mental health
- Increase organisational confidence and capability
- Provide mental health tools and support
- Increase transparency and accountability through internal and external reporting

In 2022 we commit to providing paid-for volunteering time for all staff, to support community-led initiatives or good causes of significance to the individual.

Pricing

Price: £0.50 to £2.25 a transaction
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: A free trial is offered to any NHS Trust or Health Board for up to 6 months. Where demographic integrations can be completed using modern standards, demographic integration is included at no cost.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Concentric

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents