EMIS Ltd

EMIS Health - Apex

Apex is a business intelligence platform designed to support Primary Care Organisations with real-time analytics, empowering NHS customers to make critical business and healthcare decisions. Apex provides a clear understanding of patient and workforce utilisation, supporting improved productivity and efficiency. Allowing evidence based system-level decision making to meet patient demand.

Features

• Real-Time Data Analytics for Primary Care
• Primary Care Management Reporting Tool and Analytics
• Patient Level Service Utilisation Trends
• Digital Clinician Appraisal and Workforce Development Tool
• Automated Submissions and National Reporting Templates (DES/LES)
• Cross Organisational Rota and Resource Management
• COVID-19 Tracking with Patient Level Exposure and High Risk Groups
• Cloud-based Platform Accessible on all Web Browsers
• Fully Interoperable with EMIS Web and TPP SystmOne
• System-Level Data Analytics for PCNs, CCGs, ICSs, ICPs, STPs

Benefits

• Improving Efficiency
• Improving Patient Access
• Improving Productivity
• Managing Demand & Capacity
• Effective Workload and Workforce Management
• Standardising Reporting
• Addressing Key Access Issues
• Redesigning Services
• Automating Submissions

£0.20 a user

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

329157395302856

Contact

Bid Team
0113 380 3000
bids@emishealth.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Apex is used by Primary Care Organisations to provide data analytics and services in relation to data predominantly held within their practice Electronic Patient Record System.; Apex is fully interoperable with the EMIS Web and TPP SystmOne Electronic Patient Record Systems. Other EPRs are not supported at this time.
• System requirements: Internet Access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support tickets raised via email within standard support hours (Monday to Friday 9am-5pm) - Target First Response time is 30mins.; ; Tickets raised outside of support hours, including weekends, will be responded to on the next working day.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: N/A
• Onsite support: Yes, at extra cost
• Support levels: Support levels will be provided as per the selected Service Management Model.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Apex is typically deployed to new customers following a three-stage process incorporating:; i. Remote installation and configuration with the GP clinical system; ii. Remote commissioning session to customise Apex to the local way of working; iii. Final commissioning session for broader engagement of workforce and alignment to local strategic objectives.; ; During the remote installation process the EMIS Apex team will work with users to install necessary software on a nominated local PC to ensure data flows from the GP clinical systems to Apex.; ; During the remote commissioning session the EMIS Apex team will guide users to configure Apex to their unique way of working, aligning dashboards and reports to the operational model of the Primary Care Organisation.; ; During the final commissioning session the EMIS Apex team will engage a wider audience of the Primary Care Organisation workforce, including clinicians, to highlight the benefits of Apex as well as embed the tool into organisational aims and objectives as well as ensuring this is aligned to the strategic and operational direction of local Primary Care Networks (PCN), Clinical Commissioning Groups (CCG), Integrated Care Systems (ICS)/Partnerships (ICP) and Sustainability & Transformation Partnerships (STP).
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • PowerPoint
  • CSV
  • Excel
• End-of-contract data extraction: Typically data extract from Apex is not required by customers who cease to utilise Apex. This is because the underlying clinical, appointment and organisational data within Apex is obtained from integration with the Primary Care Organisation's Electronic Patient Record System (EMIS Web or SystmOne).; ; However, a final data extract service is available upon request to customers, providing any Apex acquired data in a CSV extract format.; ; In the event that an exiting customer requests a final data extract the EMIS Apex team would work with the customer to confirm secure arrangements for the transit of such data in compliance with applicable security standards, including ISO27001.
• End-of-contract process: We seek to ensure that at all stages of the contract life-cycle that Apex customers receive the best service possible, this includes upon contract termination.; ; At the end of a contract a decommissioning process is carried out with the exiting customer, which includes:; i. Confirmation of service termination date with registered Apex users;; ii. Disable access to Apex platform to registered users upon service termination date;; iii. Decommission interoperability data flow with Electronic Patient Record system;; iv. If requested by the customer, a final data extract can be provided; and; v. Deletion of customer data held within Apex, within time frames communicated to the customer and compliant with applicable Information Governance legislation.; ; The exiting customer is kept informed of progress throughout the decommissioning process and may still raise support tickets with the Apex service desk until all decommissioning services have been concluded.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems: Windows
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The Service Portal is accessed via the application directly through to the Apex support service.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: N/A
• API: No
• Customisation available: Yes
• Description of customisation: Customers can determine level of access to the data at both a local and enterprise level based on local hierarchies and organisational structures.

Scaling

• Independence of resources: The Apex platform is hosted within an Azure architecture.; ; The platform is highly scalable in order to allow burst capacity where required by user demand. The Apex team continuously monitor platform usage in order to decide whether architectural changes to infrastructure requirements are needed to support user demand.; ; All organisational databases are segregated in order to ensure that there is no cross-customer usage impact at a database level.

Analytics

• Service usage metrics: Yes
• Metrics types: Through an API, Real-time dashboards, Regular reports, Reports on request.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Through Apex there are a number of functions which can be taken offline in various formats.; Firstly, all Apex Dashboards and Reports are configured to effectively format in the Microsoft Print to PDF function.; Users may also export their data from Apex via a range of activities, including;; - Exporting data behind graphs directly to CSV format; - Creating custom reports to export to Excel; - Creating custom dashboard style reports to export to PDF; - Exporting a GP Appraisal report to PDF
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: As a cloud based solution availability of the Apex application to our users is of paramount importance.; ; Accordingly, Apex customers receive a contractual SLA that the service will remain available to users 99.95% of the time during a Service Period.; ; A Service Period is defined as a calendar month.; ; Service Management reports are provided monthly to customers confirming performance against all SLAs, including Service Availability.; ; All SLAs are provided on a reasonable endeavours basis. The Supplier shall use their reasonable endeavors to achieve the specified SLAs. Financial refunds are not offered for failure to achieve specified SLAs.; ; This SLA is exclusive of up to 120 minutes of Planned Downtime, communicated to customers in advance, per Service Period. Planned Downtime shall be performed between the hours of 20:30 - 06:30.
• Approach to resilience: Apex is hosted within Azure data centre solutions in the UK.; ; Full information on the Microsoft Azure data centre resilience offering is available to all users upon request.
• Outage reporting: Apex service outages will be reported to customers via email alerts and via monthly Service Management reporting to Primary Care Commissioning bodies in accordance with the Apex Service Management process.; ; Such reports shall detail the date, time and duration of the service outage.; ; Customers are kept regularly informed of progress on any outage incidents via regular email notifications. Additionally, any customer reported outages, resulting in a service ticket, can be tracked by the customer via the Apex support desk ticket portal.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Individuals are granted access by a system administrator at each healthcare organisation and can only see data visible to that organisation and with role-based permissions configured for them. Role-based access permissions range from system administrator profiles through to individual user access for individual clinicians to view only personal workload. Only users with an administrator option selected are able to make any customisation within Apex and only users with the option to view other user details can view data surrounding colleagues in the healthcare organisation.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: Initial certification 14/09/16; Latest Issue 21/09/21
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • IG Toolkit
  • Data Security and Protection Toolkit (NHS Digital)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Apex service is subject to EMIS security policies and processes. These policies and processes have been designed to ISO:27001 compliance levels and are governed by the companies Regulatory Compliance Board, chaired by the company's Managing Director, Development Director and Operations Director.; ; These policies cover all elements of the ISO:27001 standard, including data security, information governance, asset management, supplier management, acceptable use, data quality, secure development, physical media handling, change management, business continuity and continual improvement.; ; All policies and procedures are flowed down to employees, contractors and suppliers of the organisation, as appropriate, and are enforced via both contractual and operational obligations and monitoring processes.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All service components, along with their configurations and dependencies are documented in the Apex Inventory of Information Hardware/Software Assets.; ; All significant, non-routine changes to service components are subject to change control.; ; Change requests are assessed by the Information Security Manager to identify potential risks in-line with the risk management framework.; ; All changes require a testing plan with clear acceptance criteria.; ; Once a change is implemented the Change Manager authorises its transfer to the operational environment, ensuring that business processes are not disturbed and that business continuity plans are updated.; ; Software updates are version controlled and system documentation is updated.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: An automated vulnerability assessment system is used to strengthen the security posture of service components, providing advanced threat protection across the infrastructure.; ; Continuous assessments are performed across the infrastructure to determine whether existing or new resources are configured according to security best practices, providing a clear understanding of the security status of each resource. Workloads are also assessed to provide threat prevention recommendations and security alerts.; ; A Secure Score is associated with each recommendation which informs the prioritisation of mitigation or remediation actions.; ; Vulnerability fixes or configuration changes are applied in-line with the relevant priority based SLA's
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The Security Centre provided by the hosted environment generates alerts when a threat is detected to the network or a service resource. Security Centre prioritises and lists alerts, along with the information needed to investigate the problem. Recommendations are provided for how to remediate an attack. Related alerts are automatically collated into security incidents. Incidents provide a single view of an attack, giving a clear understanding of what actions the attacker took, severity, status, and the affected resource.; ; Actions to mitigate the threat and prevent future attacks are taken based on the recommendations based on severity.
• Incident management type: Supplier-defined controls
• Incident management approach: All Service Incidents are reported via the Apex Support Team and tracked within the online Apex support platform.; Service Incidents receive a priority rating, assigned by the Apex Support Team, dependent upon their severity. The severity rating at P1 - P4, with P1 being the highest level of severity. Pre-defined processes exist for common events to ensure speed of service delivery and continuous service improvement.; Users report Incidents to the Apex Support Team via either dedicated telephone or email submission routes.; Incident Reports are provided via Service Management reports on a monthly basis, or otherwise upon request from a customer.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  EMIS employees are educated annually on environmental matters with an emphasis ; on personal responsibility regarding energy consumption and waste management.; This is supported by relevant policies, such as EMIS’s Group Environmental Policy ; Statement and company benefits, e.g. during 2021 the Group launched a salary ; sacrifice scheme for employees to lease electric cars and for individuals to fund tree ; planting with Ecologi, who provide a route for organisations and individuals to fund ; climate action projects. ; ; Through Ecologi, EMIS planted 25 saplings for each new employee who joined the ; business during the previous twelve months, resulting in approx. 7,300 new saplings ; planted in countries badly affected by deforestation.

Pricing

• Price: £0.20 a user
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.