Graphnet Health Limited

CareCentric

CareCentric Health Integration Exchange Platform provides: real-time, secure, unified shared care records via Clinical & Patient Portal; system integration/interoperability; CareConnect FHIR standards support; data capture forms for assessments, care plans, End of Life including workflow; mobile solutions; Personal Health Records, Population Health, Analytics and innovative solutions for managing Long Term Conditions.

Features

  • Real-time shared record solutions, used by 120,000+ care professionals
  • Engaging and intuitive to use, with local configuration options
  • Browser and mobile access, including support for offline working
  • Seamless and secure navigation from local systems
  • Pre-configured data feeds available from leading care systems
  • Secure access, robust consent models and comprehensive audit trails
  • Simple creation of rule-based forms, including assessments and plans
  • Innovative use of wearable technologies/Apps/monitoring devices
  • Patient Portal enabling citizen engagement in their care

Benefits

  • Safer, more targeted, coordinated and timely care across settings
  • Reductions in A&E attendances, unscheduled admissions and Length of Stay
  • Cost savings for unwarranted activities, e.g., appointments, admissions and tests
  • Improved communication and access to information for care professionals
  • Reduced clinical risk e.g. through more efficient medicines reconciliation
  • ‘Do once and share’: A reduction in duplication of effort
  • A reduction in the need for, and use of, paper
  • Improved management of complex and life-limiting conditions
  • Enablement of patient participation and engagement in their care

Pricing

£210,000 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at salesandbids@graphnethealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

344818768435006

Contact

Graphnet Health Limited Lisa Haslam
Telephone: 03330771988
Email: salesandbids@graphnethealth.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
The service is based upon a very 'open' software stack and deployment model. Specifically, though:
- Browser access must be based on the approved list below
- Mobile device access must be based on supported mobile operating systems (iOS, Android as primary platforms)
- Mobile device management is not included, just the clinical applications
- The local deployment model "may" be constrained by local IG and security policies regarding presentation of secure information via N3 or public networks.
System requirements
  • Web: Microsoft Edge; Google Chrome; Firefox
  • Access to the web server via http/https
  • Mobile: Apple iPad 3 and above, iOS 9.0
  • Android: 7.x (Nougat) and above

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is available on commencement of live service and we offer a variety of support packages. Each support package includes full details of call priority rankings and the corresponding response times agreed with the customer.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Options to suit customer's need. Typically 9 - 5.30pm, 24/7 or other daily times possible subject to agreed SLA and commercials. Costings depend on the number of product and user licences required. Support engineers are supplied as part of the Service Desk provision as specified under the Service Level T&Cs for each customer.
Support available to third parties
No

Onboarding and offboarding

Getting started
Our training methodologies have continually evolved over our 25 years of experience, supporting care providers in their implementation of our range of products. Our preferred approach is to provide Train the Trainer training, so customers can then go on to deliver specialist training for end users (including clinicians and other care professionals, as well as for specialist users, such as system administrators) and to support the customer team in preparation and early delivery of end user training.

These local trainers act as super users within the local organisations. Trainers from all participating organisations will be provided with comprehensive training materials which will facilitate the customer’s provision of first-line support. CareCentric Portal End User training - For end-users the bulk of the training requirement concerns patient consent, confidentiality, and a description of the data available for which patient groups.

We will provide a Training environment which mirrors the live use CareCentric portal; it has a number of test patients which provide examples of patients and data for training purposes. The nature of our solution footprint is such that building functional environments for the purposes of training etc. can be achieved relatively quickly and using virtualised resources to control cost and improve flexibility.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Graphnet would expect to have included in the Contract with the customer a schedule setting out the parties’ obligation on “Exit”. This would include details of our obligations to transfer Authority Data in an agreed format.
End-of-contract process
Graphnet would expect to have included in the Contract a schedule setting out the parties’ obligation on “Exit”. The schedule would typically include its obligations:
• to transfer Authority Data in an agreed format;
• the return, removal of any Authority provided software;
• the provision of other reasonable termination assistance at the Authority’s request at the Supplier’s standard rates (e.g. to assist with data migration to the replacement contractor’s system).

In addition, if necessary, a “read only licence” for historic data is possible.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
In each case, the presentation of information has been optimised for the type of device in use. The web version of CareCentric is designed to scale to any desired resolution dynamically using the inbuilt capabilities of modern web browsers. The App versions are designed to suit the particular form factors of the devices being used.
Service interface
Yes
User support accessibility
WCAG 2.1 A
Description of service interface
CareCentric has a clean, modern and intuitive user interface, designed in collaboration with a wide range of our users. The system uses native operating systems, with screens designed for each device to achieve the best user experience. Secure access to information is rapid, with meaningful landing page views, pre-configured to meet the requirements of specific groups of users. Consistent screen layouts and unambiguous, familiar navigation tools simplify use and engage users. Landing page summary tiles display key information, with further details a click away.
Accessibility standards
WCAG 2.1 A
Accessibility testing
The solution has been designed taking into account the W3C Web Content Accessibility Guidelines and also to meet NHS CUI guidelines and general user experience (UX) standards such as material design and iOS human interface guidelines for mobile products. We undergo testing during the design process to support colour blindness, high contrast settings and use of iconography as well as colour in key areas of the application. Additionally, we are prepared to work with customers that have specific needs on a case by case basis. Our Agile design and development approach is collaborative so we continue to develop an accessible, meaningful and intuitive system. In particular:
• Information tiles can be configured to present data in a variety of formats, font sizes etc.
• Tiles have a simple and clear layout, with a consistent, easy to read text spacing, and colour contrast.
• CareCentric uses a standard CUI interface, users can interact with both keyboard and mouse, navigation is consistent throughout.
• Headings and labels describing content, simple and unambiguous.
• Our Personal Health Record has simplified views with information presented in a way consistent with non-clinical users.
• Icons are intuitive, graphics are used where possible to simplify content meaning.
API
Yes
What users can and can't do using the API
Third parties can embed CareCentric in their software in user and/or patient context sync. Conversely, CareCentric can launch third party software in user and/or patient context. Third parties can surface data in CareCentric using the Highway data adapter layer. Third parties can interact with CareCentric using a RESTful OpenAPI. The current API supports retrieval of patient lists, user authentication, patient consent, recording audit log entries, patient alerts, and patient record retrieval. Potential integrators with our API can access the API documentation free of charge and also access the API free of charge. Our API access falls within the identified usage model: due to the nature of the data being accessed, there would need to be identified access by the consuming system, i.e. identified usage of the API.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Multiple system information contributed to the CareCentric shared care record is presented in accessible, intuitive and clinically meaningful views. Data is displayed in tile views grouped into, for example, Medications, Problems, Diagnoses and Procedures, Test Results, Current Problems, Recent consultations, Admissions, Summaries of any specialist care, e.g., Cancer, Mental Health and Social Care, and so on. Documents, which could include care plans made and discharge summaries issued are also available to view. This is not customisable by individual users.

Scaling

Independence of resources
Availability / Capacity is a key consideration in our comprehensive approach which covers the hardware platform, software design and associated processes which cover Support and Maintenance, Business Continuity and Disaster Recovery. For a cloud hosted solution we will provide a solution that has been sized appropriately for current and agreed future expansion requirements, with redundancy built in.

Analytics

Service usage metrics
Yes
Metrics types
The metrics provided relate to:
- Number of user logins over time
- Number of repeat user accesses or users using the system more than once
- Number of patient records accessed.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The CareCentric platform provides a secure, flexible user interface to export any data within the system in CSV format. These extracts can be ad-hoc or scheduled. Bespoke extracts can also be set up using Microsoft Azure functionality into any supported system. This service is further enhanced with the population health management module.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
White Listing is applied between the service and the customer site.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service Level Agreements, including compensation arrangements, are flexible to meet our customer's individual requirements, budgets and priorities. Full details would be agreed as part of contract negotiations. It is normal for us to contract to a service that puts a meaningful element of the monthly service charge at risk if, for example, the agreed availability is delivered.
Approach to resilience
Our hosted Azure service is a robust, secure and highly available hosting service. Microsoft Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, such as UK G-Cloud. British Standards Institute verify Azure’s adherence to the strict security controls these standards mandate. Full details regarding our service, including resilience, availability, security, business continuity and disaster recovery, will be made available on request.
Outage reporting
All outages are recorded as part of the incident management process and should a problem be detected then the service desk will inform the customer as required.

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
All CareCentric applications provide an in-built Role Based Access Control (RBAC) model, which manages which functions a user has access to and which views of data they are able to see. The system includes 25 pre-configured roles, which align with the National Registration Authority Smart Card access roles and are grouped into 5 granular levels of system functionality. CareCentric has a well-established concept of Patient Groups, which supports the ability to control which users, roles and groups of users have access to which groups of patients. System Administrators can also further refine permissions, as required.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI ISO/IEC 27001:2013 - IS 614375
ISO/IEC 27001 accreditation date
15/07/2021
What the ISO/IEC 27001 doesn’t cover
Our 27001 covers the full business operation without exclusions. Graphnet holds Certification number IS 614375 and operates Information Management Systems which comply with the requirements of ISO/IEC 27001:13 for:
• All automated information systems under the direct control of Graphnet Health Ltd.
• All employees and agents of Graphnet Health Ltd.
• All employees and agents of other organisations who directly or indirectly make use of or support the use of information systems under the direct control of Graphnet Health Ltd.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • IG toolkit (NHS Digital ODS code 8GX89).
  • ISO9001:2008, (FS614373);
  • Data Protection Act 1998 (DPA)
  • Level 3 compliance with NHS IGSoC

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
We comply with NHS standards and best practice guidelines. Standards/accreditations include;
• ISO27001:2013
• ISO9001:2015
• Data Security and Protection Toolkit
• Cyber Essentials Plus

Graphnet's ICO Registration is Z1045461.
Other SCCIs/ISNs applicable to shared care record solutions, including DCB 0129 and DSCN14-2009.
Information security policies and processes
We have a range of policies to ensure we adhere to IG and Information Security arrangements. These include:
- Access Control
- Information Governance
- Project and Security Coding
- Clean Screen and Clear Desk
- PID
- Secure Software
- Solution Development Procedure
- Data Transfer (Encryption)
- Secure Disposal
- Acceptable Use
- Network Control.

We have other specific guidance and policies available to provide assurance with our Data Processor and internal responsibilities.

We have an IG Steering Group which our IG Director, Information Security Manager, ISO Compliance Manager, SIRO and Caldicott Guardian all sit on. Through these key roles we ensure policies are reviewed and amended in light of any issues arising, audit reviews and process changes etc.

Policies are available to all staff via our employee hub system which requires staff to read all required policies.

We incorporate the Crown Commercial Service’s Generic Standard GDPR clauses in all our contracts where we process personal data; we process in compliance with Article 32. Where services use the “cloud” this processing adheres to the fourteen National Cyber Security Centre cloud service security principles as applicable to UK OFFICIAL and the cloud host complies with ISO27018.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Graphnet follow a standard ITIL deployment methodology and use AGILE Design and Development practices for the iterative delivery of software releases which may include major or minor features / functions and any patches. We use JIRA case management system to log, track and manage change requests. All Releases and changes are version controlled through our Change Management process.

All patches are tested internally prior to deployment and are monitored for success. Customers are provided with Release Notes and are advised to carry out formal acceptance testing where any bugs may be identified prior to deploying to the LIVE environment.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use a combination of internal vulnerability scanners, system monitoring and industry sources to monitor for possible threats, applying patches within 14 days of their release. Additionally, we use NHS CARE-cert, US-Cert and industry publications to assess threats weekly and respond accordingly. Out Of Band patch releases are investigated and installed immediately if appropriate.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The application is monitored using Microsoft’s Sentinel, Defender for Cloud and Azure policies, with alerts raised for anomalies found, including suspicious or potentially malicious activity. Audit logs are retained for all Azure, web application and SQL server activities for 90 days. The application keeps its logs indefinitely.

These audit alerts generate an email to the operational support team and are investigated by them.

Proactive monitoring is in place for environmental triggers such as low disk space, high CPU usage.

The anti-malware software will monitor for any malicious software or activities.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are formally managed through Graphnet's Support Desk, using an ITIL focused call logging application to record, track and manage issues through all stages of the incident lifecycle. The Service Desk is also briefed on the service responses agreed through the customer contracts and use the incident logging application to monitor incidents’ service level response times.

Problems are identified through incident reviews and managed through diagnosis, resolution and planned changes. These reviews of issues attempt to identify trends/recurrent issues; when identified, these undergo a root cause analysis and recommendations are made for changes to the product based on the analysis.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

Fighting climate change

Tackling climate change is of great consequence to Graphnet. We encourage customers to adopt an ecologically sound approach when implementing our solutions and conducted remote deployments throughout the pandemic. Where possible, automating our implementation processes removes the environmental and economic impact of paper-based activities during implementation.

Our solutions are designed to help customers become paper-free or paper-lite. This enables customers to minimise the need for medical records libraries, thus reducing their need to store and dispose of paper-based records; and in doing so our solution suite is helping create a greener NHS that will reach net zero carbon by 2050.

To further the efforts against climate change, our solutions are mobile and can be remotely accessed. In practice this allows healthcare professionals to access vital patient related data whenever they need it. Such mobile capability is crucial in the post-pandemic environment, and minimises carbon footprints by reducing the need to travel.

Patients can play their part too. DOC@HOME provides a trusted and highly effective remote patient monitoring solution that allows patients to be monitored and supported within their home. This reduces or even removes the need for patients to regularly visit the hospital for monitoring, and removes the environmental impact of having to travel to and from the hospital.

Our analytics solutions provide information on environmental cost from the Sustainable Healthcare Commission which can be included in any planning or Population Health analysis to demonstrate the climate costs of healthcare.
Covid-19 recovery

Graphnet is committed to supporting our customers in delivering patient care during the outbreak of Coronavirus (COVID-19). As an organisation we have been continuously monitoring the developing situation surrounding COVID-19 and have also worked extremely closely with our customers to identify and expedite relevant changes that would be beneficial.

Key to the work undertaken was to ensure rapid deployment could be safely and successfully achieved. Examples include:
• New summary COVID-19 tile added at the application entry point so users are immediately aware of any known or suspected Covid infection.
• CareCentric offers Virtual Ward Assessment and patient Care@Home solutions which comprise of citizen focused web and/or app content which enables individuals with suspected or proven COVID-19 infection to be remotely managed at home by Virtual Ward Care Teams.
• Alerts for Shielded Patients based on the NHS Digital supplied lists.
• Suite of Covid-19 dashboards and reports.
COVID-19 recovery – Our solutions directly support this theme via multiple analytics use cases including the following examples:
• NHS elective recovery programme via use cases with a focus on patient tracking lists and using wider datasets for whole community impact of waiters including AI for assistance with prioritisation.
• Mental health explorer for ICS to analyse their population's needs. This is complemented by Severe mental health physical health check targeting of most in need populations.
Tackling economic inequality

Our health solutions are targeting health inequalities generally via multiple use cases. An example is:
• Core 20 +5 directly supporting this NHS approach to health inequalities via a series of subject specific use cases including an overarching summary dashboard.
Equal opportunity

Our solutions support diverse workforces and help encourage more disabled people into work. CareCentric has been designed taking account of the W3C Web Content Accessibility Guidelines (WCAG) v2.0 in order to support a wide range of users. Our systems and user interfaces are also designed in collaboration with our customers and users. Features include:
• Our data tiles have a simple and clear layout, with a consistent and easy to read text spacing, and colour contrast.
• Users can interact with our solutions using a variety of methods, dependent on the capabilities of the device and browser / OS in use, e.g. touchscreen, magnification, voice recognition, screen reading and so on.

Graphnet has a duty of care to all employees and, as such, will make reasonable adjustments to facilitate the employment of a disabled person. This may include:

• Making adjustments to Graphnet premises, where possible;
• Re-allocating some or all of a disabled employee’s duties;
• Transferring a disabled employee to a role better suited to their disability;
• Relocating a disabled employee to a more suitable office;
• Giving a disabled employee time off work for medical treatment or rehabilitation;
• Providing training or mentoring for a disabled employee;
• Supplying or modifying equipment, instruction and training manuals for disabled employees; or
• Any other adjustments that the Company considers reasonable and necessary provided such adjustments.

Employees with a disability may request a home-based role for many reasons, and the pandemic has shown that some roles can be home-based. And because the majority of our solutions are mobile, such requests can be granted.
Wellbeing

The Graphnet solution uses vast amounts of data, covering wide ranging services stored within the product set. The recent Combined Intelligence for Population Health Action (CIPHA) programme which was initially devised to support the fight against the COVID pandemic, uses the multitude of data sources to devise specific use cases. These are based upon the service needs of a population. For example, the growth of COVID meant the need for public health catchments to devise plans such as the identification of specific areas of growth so that testing and vaccinations could be prioritised. A large volume of use cases has been created in nearly two years which continue to grow to allow intervention across communities for the 17 million citizens within the Programme. Due to lockdowns in particular, the pandemic started to impact citizens’ mental health. The issue increased over the duration of the lockdowns in particular. People were isolated with little or no contact and the enablement of support around them was greatly impacted. As a result, the need to monitor and support mental health services grew with use cases being developed to identify those most at risk who need monitoring and direct intervention. Depressions and suicides are unfortunate symptoms of the pandemic and there is a growing need for supporting these services. The CIPHA Programme uses the data from sources such as GPs, mental health and social care to blend the data and identify those who need prioritisation so the clinicians support workers can manage their patients to the best effect with the best outcomes.

Pricing

Price
£210,000 a unit a year
Discount for educational organisations
No
Free trial available
No
