Cimar Ltd

CIMAR Cloud Diagnostic Image Management and Vendor Neutral Archive (VNA)

A Single Source of Medical Imaging Data with CIMAR's cloud VNA. Images can be archived, transferred, viewed, and connected. Non-DICOM imaging can be stored side-by-side with DICOM providing a holistic view. CIMAR provides elastic storage - no need to purchase space in advance or be concerned about high-watermark budgeting.

Features

• VNA - Centrally accessible and searchable vendor agnostic storage
• Disaster Recovery - long-term storage for business continuity assurance
• PHI Normalisation - Standardise patient identifiers across all data
• Remote Access/diagnostic viewer – Log-in from any connected device
• Legacy archive data migration - Vendor neutral long term storage
• 3rd Party Integrations - Integrate with EMR, RIS, Portals
• Image Ingestion - Improve normalising incoming exams processes
• Image Sharing – Secure real-time image sharing to anyone, anywhere
• Image Routing - Gateway technology used to auto-route imaging
• Automation - workflows automate activities around PHI normalisation sharing, etc

Benefits

• Reduce On-Premise data storage and IT costs
• Low-cost Vendor Neutral Archive
• Low-cost disaster recovery
• Borderless image sharing and transfer to anyone, anywhere
• Elastic, Scalable Storage
• Serve multiple clinical specialities
• Image Enable Patient portals and Electronic Medical Records
• CD Elimination [Patient Portal]
• Cloud based deployment for AI vendors plus support
• Professional services and consultancy support

£0.75 to £5.00 a transaction

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at d.wait@cimar.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

287559417455254

Contact

Mr Dennis Wait
07771824829
d.wait@cimar.co.uk

Service scope

• Service constraints: Minimal scheduled downtime for software updates and planned maintenance; scheduled during early morning hours to minimise disruption during core working hours.
• System requirements:
  • OptiPlex 7060 Micro Core i7-8700T 6Core 12Thread 16GBRAM 256GBM.2SSD
  • Internet Connection: Wifi, Broadband or 4G, 5G
  • Internet-connected device - PC, MAC, Laptop, Tablet, Phone (IOS, Android)
  • User devices maintained with anti-virus and local security policies
  • Internet Browser supporting HTML5 (see supported list)
  • Cloud automated connectivity (optional): CIMAR Gateway (DICOM or HL7 Broker)
  • Gateway Host VM(Windows) / Appliance (Windows or MacOS)
  • No VPN or custom config required
  • (Minimum bandwidth requirements dependant on workflow. Contact for advice)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support queries are vetted and triaged. Urgent requests will be answered within 2 hours during office hours [08:00-18:00] with on-call support out of hours.; Weekends are supported through on-call.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support: Levels 1-3 are provided as per our standard contract. All accounts are assigned a primary application specialist (technical account manager) who will monitor and support the account. Cloud support engineers oversee all accounts where required. ; Enterprise support for high volume organisations is agreed on a per contract basis.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: CIMAR provides an extensive library of on-line user support material (self-guided), and provide 'train-the-trainer' knowledge transfer as required. Additional training services can be provided upon request, including online web-event tutorials by arrangement.; ; CIMAR also assists in providing custom support material for our clients that can be accessed by all users via our client's intranet, or log in to CIMAR's service.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted or migrated at any time from CIMAR via CIMAR's Gateway - directly to any DICOM node or suitable receiving system.; Large volumes are best migrated by arrangement with CIMAR, where a cost for such migration will be quoted, dependent on volumes, and our clients' requirement complexity. e.g. to physical drive/NAS/SAN, or if we are required to transcode data to specific syntaxes for import into other systems. Numerous variables can apply, and CIMAR is always committed to making the migration as painless as possible for our clients.
• End-of-contract process: Since CIMAR is entirely Vendor Neutral, we are able to export/migrate data we host - in formats our clients require - that match other DICOM 3.0 compliant systems.; Depending on the workflow CIMAR has been used for, we agree with our clients what data migration needs should be accommodated.; In some workflow scenarios, CIMAR holds only copy images, and their retention may not be required. In other workflows, we are the core archive - in which case all images will most likely require migration to another system.; Users continue to use CIMAR as normal throughout the termination period, whilst planning and execution of the transitional process between systems of their choice occurs.

Using the service

• Web browser interface: Yes
• Using the web interface: Viewing medical imaging studies, sharing studies, downloading workflow management, security, roles and permissions and full administration of the platform is accessed via the zero-footprint CIMAR user interface.; ; CIMAR's services are all accessible via 3rd party applications via API, including Electronic Health Records, Radiology Information Systems and any other applicable applications.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: CIMAR's UI is accessed via the zero-footprint, browser-based user interface. The interface is 'white labelled' using client logos, terminology, colours, language, workflows, and vanity URL.; ; Accessibility is subject to normal requirements for use of a web interface, keyboard and mouse as well as navigation skills and requirements. VR (voice recognition) functionality is available within the platform, this is for reporting functions and not for navigating the platform.
• Web interface accessibility testing: Testing is performed within the constraints of the intended use of the software with UAT across the user base.
• API: Yes
• What users can and can't do using the API: CIMAR provides a complete RESTful API, featuring all functionality as embeddable components. This ranges from a raft of image harvesting, manipulation, transcoding, and viewing functionality, to web diagnostic reporting, voice recognition (VR) support, and RESTful cloud archiving and recall.; ; All API integration is via JSON and web-hooks. Integration can be done via synchronised encrypted hyperlink exchange or as native JSON calls between platforms. CIMAR supports AD and SSO via Ping identity services.; ; Embedded imaging functionality can be achieved in as little as a few hours, or complete integration at a granular level typically takes a few weeks development.; ; CIMAR can also be embedded using simple hyperlinks to CIMAR hosted image harvesting and dynamic viewing services - including a complete, customisable Second Opinion Portal. All User Interface presentation can be customised and honed to match applications into which CIMAR is embedded.
• API automation tools: OpenStack
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: CIMAR's service interface can be extensively customised.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Our host platform is hosted with AWS and is built on a dynamically expandable architecture where load balancing manages system performance and on-demand resource availability. All of our data is stored using S3 and RDS. Storage is elastically expandable, as is application and database layer infrastructure running as a virtual environment. Both the client facing architecture and the storage is set up to provide High Availability through redundancy and intelligent load balancing.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Disk
  • HTTP request and response status
  • Network
  • Number of active instances
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Intelerad Medical Systems

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Compute services (all web and application services)
  • Data base storage (PHR / PHI and user data)
  • Object storage (images and reports)
• Backup controls: CIMAR platform is cloud based and set up to handle all backups automatically per industry best practices and for disaster recovery.; In line with GDPR, users can request for specific data to be deleted.; Users can request bespoke backup services on request.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service Level (System Level Uptime) is determined as a percentage of time in a month that the system is available and functioning properly as defined below. Additionally, any downtime caused by the Subscriber environment as recurring maintenance windows, scheduled downtime, and emergency updates are excluded from the system level uptime percentage calculation. Not considered downtime for any component of the CIMAR application. (i.e. Subscriber internet connection is down, a power outage at a Subscriber site, etc.); ; System Component/Function Service Level (System Uptime): Application Suite and Gateway 99.8%; ; Regular maintenance windows are agreed upon as needed with our clients.
• Approach to resilience: In summary, CIMAR's cloud is replicated across multiple data centres and meets the AWS best practice for cloud architecture and high availability. We leverage AWS S3 storage across multiple availability zones and physical data centres to ensure that all backups and primary data meet the 99.99999999999% AWS standard of resilience (the eleven 9s of durability).; ; Further information: CIMAR utilises the AWS infrastructure that is built around multiple data centres replicated between Availability Zones i.e. physical data centres across physically isolated Availability Zones that are connected with low latency, high throughput, and highly redundant networking. These Availability Zones offer an effective way to design and operate applications and databases. They are more highly available, fault-tolerant, and scalable than traditional single data centre infrastructures or traditional multi-datacenter infrastructures. Availability Zones are connected to each other with fast, private fibre-optic networking, enabling the ability to architect applications that automatically failover between Availability Zones without interruption.; ; Additional ways we've enhanced resiliency is through "principle of least privilege", versioning and delete protection.
• Outage reporting: A public dashboard (status page) and email alerts.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Customers have the option to raise a support request via HelpScout (online support and ticketing management tool), telephone or email. CIMAR authenticates the enquirers' identity by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. Application administrative access is only available to those users, that our clients permit. this is only application-level admin, and no deeper system access is possible. Such access is used to configure the client's own account settings, which are entirely separate from all system and infrastructural configuration settings.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through: Dedicated device over multiple services or networks

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: Original 05/04/2019 and Current 05/04/2023
• What the ISO/IEC 27001 doesn’t cover: Any functionality outside the scope of: THE PROVISION OF CLOUD-BASED MEDICAL DATA, SHARING AND STORAGE SERVICES
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO9001
  • FDA 21CFRPart11
  • The Health Insurance Portability and Accountability Act (“HIPAA”)
  • Digital Technology Assessment Criteria (NHS DTAC)
  • NHS DSP Toolkit [Exceeded]

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We adhere to a formal, monitored and reported information and system security program. This is comprised of our own policy library as is reflected in our ISO 9001 accreditation and GDPR policy documentation. Policy documents include; hazard analysis, information security program, 3rd party integration policy, breach policy, incidence response policy, system access policy, disaster recovery and business continuity policy, privacy policy, encryption policies and additional systems specific monitoring and reporting policies. Our policies provide the structure for periodic and continued monitoring and reporting. Exceptions are reported upstream through management, with ultimate responsibility sitting with the CTO and CEO.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: CIMAR uses the Github System for configuration management of source code. All application change development is managed on a siloed principle, before deployment to a complete UAT environment with full roll-back capability. A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP test principles. Deployment to LIVE is only done once a new release version has been resilience tested, performance validated, security and stress tested.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: CIMAR has a documented vulnerability management policy and process with Intelerad, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3. Where technically possible, real-time updates and status reports are identified and sourced from credible sources. For other systems and software, assigned Intelerad personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require technical attention or preventative action.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In accordance with best practice from the National Cyber Security Centre, and Cyber Essentials, CIMAR thoroughly protects its applications and systems at the hypervisor level and below. Our approach to protective monitoring includes realtime checks on malicious threats, Portscan attacks, evidence of unauthorised access to privileged accounts and anomalous occurrences that are not related to specific applications on the host, suspicious activities at a boundary, network connections and the status of backups, amongst others. All alerts are immediately notified to us for prompt investigation.
• Incident management type: Supplier-defined controls
• Incident management approach: Incident Management is managed through our own/Ambra policies which conform to the requirements of 21CFRPart11 and as detailed in our ISO9001 procedures. Our Incident and security monitoring policies define the chronological processes and remedial activities in the event of a detected threat that requires action above our systems automated threshold of control. Such action is reported through a predefined command/responsibility structure, and all such reports are recorded.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: TBC
• How shared infrastructure is kept separate: N/A

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: 451 Research show that AWS’s infrastructure is 5 times more energy-efficient than the median surveyed. More than two-thirds of this advantage is attributable to the combination of a more energy-efficient server population and much higher server utilization.

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  CIMAR utilises AWS cloud infrastructure and is helping the healthcare industry to migrate to more sustainable cloud solutions. AWS infrastructure is up to 5 times more energy efficient than typical European data centres.; In order to continue our progress to achieving Net Zero, we have adopted the following carbon reduction targets:; - CIMAR’s cloud is being migrated in stages (resulting in its entirety) to AWS London (a carbon neutral data centre – see here for; details).; We continue to implement further measures such as:; • Continued effort to resource electricity only from renewable energy providers.; • Reducing travel to a minimum, with Cloud-First and Web First approaches to software we use and meetings we conduct with suppliers and clients.

Pricing

• Price: £0.75 to £5.00 a transaction
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Access to the trial (demo) account to test and assess functionality. ; Time-limited access to a trial account. ; Ability to upload unlimited own studies for the trial period, all studies will be anonymised on upload.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at d.wait@cimar.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.