GHX UK Ltd

GHX Exchange Services

GHX Exchange Services is a Peppol-certified automated order management solution designed for the swift transmission of electronic business documents in the healthcare supply chain – including purchase orders, purchase order acknowledgements, advance ship notices and invoices.

Features

• Access your electronic business transactions via a single, user-friendly interface
• Real-time dashboard for reliable information on your electronic business documents
• Track the full order cycle from start to finish
• Receive email notifications on order status, error messages and more
• Over 350 suppliers across Europe are already connected through GHX
• The largest healthcare trading platform in the world
• Simple and seamless integration to your ERP system

Benefits

• Digitises the entire order cycle for more efficient processes
• Orders sent and invoices received automatically in the correct formats
• Greater visibility of your electronic business documents
• Increased standardisation and automation
• Reduces data entry errors and administrative costs
• Increases transparency with the same data your integrated suppliers see
• More connected supply chain data and better performance insights
• Supports GS1 standards and Peppol-compliant transactions

£4,995 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at james.minards@ghxeurope.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

363772078971312

Contact

James Minards
0345 620 2222
james.minards@ghxeurope.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Maintenance and updates do not usually require the service to be made unavailable. Where this is required any; downtime will be scheduled between 18:00-20:00 to minimise impact to customers.
• System requirements:
  • Access to the internet
  • Defined versions of web browsers

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Priority 1 - Target 1 hour. Priority 2 - Target 2 hours. Priority 3 - Target 4 hours. Priority 4 - Target next working day.; Out of hours support can be provided on request. Additional fees apply.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: GHX provides a single comprehensive level of support. When an incident is reported to the UK support team,; priority is established based upon the business impact to the customer, using the Salesforce.com CRM system.; OLA's are in place for escalations beyond the support team to technical teams. Support and an account manager is; provided as part of the annual subscription fee.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: GHX provides onsite or remote online training as agreed with the customer.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Users can extract their data at the end of their contract via request to the support team.
• End-of-contract process: At the end of the contract, GHX will support the customer with extraction of their data. In addition, GHX works; closely with the customer on an Exit Plan to enable continuity of service with a smooth and secure transition of; service to them or a replacement service provider.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Provider Exchange Services provides an intuitive user interface supporting full management of the customer's data; and applicable business processes.
• Accessibility standards: None or don’t know
• Description of accessibility: Provider Exchange Services is designed to be highly flexible with easy-to-use functions that are accessible for all; users.
• Accessibility testing: So far, GHX has had no customer requests to support assistive technology, but will look to support this where; needed.
• API: No
• Customisation available: No

Scaling

• Independence of resources: To maintain high levels of service availability and provide services that scale to meet growing supply chain; demands, GHX leverages an Information Technology Service Management (ITSM) framework committed to; continual service improvement. Guided by the Information Technology Infrastructure Library (ITIL), GHX integrates; people, process and technology to manage its vital supply chain services. This comprehensive and coordinated; approach to service management enables GHX to continue to meet the evolving 24/7/365 demands of the; healthcare supply chain.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export their data through the user interface.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: GHX understands the critical nature of the services provided to the healthcare supply chain community. For more; than 10 years, healthcare providers, suppliers, distributors and group purchasing organisations have been relying on; GHX to provide enterprise-grade services. Year after year, GHX customers consistently rate GHX service availability; as one of the top reasons they choose to partner with GHX. GHX provides over 99.9% annual uptime of core; Exchange services; processing approximately one million supply chain transactions per day for its healthcare; trading partners, including over 4,100 medical providers and 400 medical suppliers.
• Approach to resilience: Available on request.
• Outage reporting: GHX proactively monitors the availability of the services we provide. 24/7/365 automated monitoring and alerting.; Tier 1, 2, and 3 Customer Care and Application Support centres. Network Operations Centre (NOC) for incident; management and customer assurance. Prioritised incident management with response, resolution and; communication targets based upon impact and urgency.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access is provisioned to GHX users on a "need to know" basis. GHX maintains on and off-boarding procedures that; are test 2x per year during SOC1 and SOC2 audits.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: GHX aligns with the PCI DSS requirements for a security program.
• Information security policies and processes: GHX maintains information security policies that are updated at least annually. Policies that have been translated (in; Dutch, French and German) include: (1) IT Management Policy; (2) Information Security Management Policy; (3); User ID and Password Guidelines; (4) Data Classification and Handling Guidelines; and (5) Reporting Security and; Privacy Incidents Procedures. To protect the data in its care, GHX looks to the ISO/IEC 27000 series of standards; as the framework for the Company’s information security management system. GHX also looks to best-practice; security controls in protecting data in its care, including those published by the National Institute of Standards &; Technology (NIST). The GHX security program is managed by its Global Security Operations Director, under the; direction of the GHX Vice President, Global Operations and Infrastructure. GHX also maintains a compliance; department, managed by the Director of Compliance, under the direction of GHX Vice President, General Counsel.; The compliance department is responsible for monitoring compliance with policy documents and engages an; independent 3rd party to audit compliance annually (SOC1 and SOC2 audits). The SOC1 and SOC2 audits focus on; activities in North America but also include global audit of certain strategic controls.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Change Requests are received and reviewed by the change management team for completeness, accuracy and; operational readiness, including but not limited to: (1) targeted implementation date; (2) business and security risks;; (3) priority; (4) business justification; and (5) any other change-related information. Changes are categorised by: (1); Informational; (2) Patch; (3) Standard; (4) Minor; (5) Major; and (6) Initial Production Release. GHX performs asset; inventories to track service components through their lifetime. Change process is used to track changes to assets,; including the install and decommissions of assets. Changes are reviewed by the security team for potential security; impacts.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: GHX performs quarterly vulnerability scanning to identify vulnerabilities in the infrastructure and applications. GHX; performs quarterly penetration testing to assess if the vulnerabilities can be exploited. If exploits are discovered,; then GHX will apply applicable patches, remove Internet access to affected systems, or make other changes as; necessary to remediate the exploits. Patches are applied to systems on a quarterly basis. GHX’s Global Security; Operations Director attends security conferences and subscribes to news feeds to get information about potential; threats.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: GHX monitors the systems and investigates alerts from the monitoring tools. GHX investigates security alerts from; system logs, office productivity applications, intrusion detection and prevention systems, and tickets submitted by; end users to identify potential compromises. GHX follows its incident response procedures to evaluate the incident.; Infrastructure and application engineers will be engaged for the technical analysis on incidents and take appropriate action to resolve the incident. GHX Global Security Operations Director oversees the incident investigation, and the; GHX Director of Compliance oversees the investigation for breaches of data and requirements for reporting.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: GHX has a defined GHX Security and Privacy Incident Response Plan for responding to incidents. Customers report; incidents to GHX customer success team, and the customer success team keeps the customer informed of; progress. GHX employees use internal ticket procedure to report incidents.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  GHX is committed to meeting the NHS target of Net Zero. As a company, we have reduced office space and are striving to ensure that all systems and processes have the minimum environmental impact.

  Covid-19 recovery

  GHX has invested in technology and processes to minimise the impact of COVID-19 and future pandemics. People and systems are resourced and deployed remotely, and suitable redundancy and scalability are planned for each area.

  Tackling economic inequality

  GHX continually reviews its employment policy and guidelines to ensure fair and equitable remuneration. GHX pays above the minimum wage and ensures recruitment and rewards align with market needs.

  Equal opportunity

  GHX has equal opportunity requirements and policies embedded in our HR policies. Regular reviews are held to ensure remuneration and opportunities are suitably balanced.

  Wellbeing

  GHX prioritises the wellbeing of its staff and, where applicable, its customers. As a company, we provide various free, easily accessible wellbeing services to all staff and their families. In addition, regular people leader reviews and surveys identify areas of concern, and we address them as a priority.

Pricing

• Price: £4,995 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at james.minards@ghxeurope.com. Tell them what format you need. It will help if you say what assistive technology you use.