Stratus

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: None
System requirements: LINUX Server (no software licence required)

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response to tickets is instant either via the online web ticketing system or call to the helpdesk. The fix time is covered in the Support Services. Response times are only available on a weekend and where a customer procures 24x7x365 services
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: EHI Provides support on a 9-5 or 24x7x365 basis. All service failures are logged with the EHI helpdesk and a severity level attached to each. EHI has agreed service levels in order to fix service failures within agreed targets (4 hours for a Severity 1; 12 hours for a severity 2; 5 working days for a severity 3 and next software release for severity 4). EHI uses on online logging tool for a full audit trail of the logging and resolution of service failures, which the customer is able to access.
EHI may refer a service failure back to a customer for further information, in order to be able to resolve the issue (this time is deducted from the fix time).
EHI will ensure that the software is available 99.9% of the time and typically measures this using synthetic scripts logging into the software on a workstation housed within the customer environment.
EHI provides reporting against service levels and monitoring of the system.
All upgrades are done during normal business hours unless otherwise agreed with the customer
Support available to third parties: No

Onboarding and offboarding

Getting started: The system is generally supported via a Train the Trainer system where the Trust training team are fully skilled to provide training for Trust staff. User documentation and e-learning resources are available.
Service documentation: No
End-of-contract data extraction: We will work with the individual Trusts and the new service provider to ensure that data is extracted in a meaningful format.
End-of-contract process: During, and towards the end of a contact term, EHI is able to provide an exit plan with customers to ensure an efficient transition of the services either back in house or to an alternative third party supplier. This will clearly set out the management structure in place, the activities in the final months of the contract and what the requirements are by the customer of the supplier in order to provide information in relation to the services.

The exit plan will identify assets to be transferred and any data migration requirements, how this is managed and any ongoing requirement for the suppliers software at the end of the contract term in order to support the transition of services. The exit plan will set out the suppliers chargeable services and how these are agreed between the parties including timing.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Screen layout is automatically scaled dependent on device screen resolution.
Service interface: No
User support accessibility: None or don’t know
API: Yes
What users can and can't do using the API: All service set up is carried out by the supplier. The API provides a full suite of functionality for application level changes and user interactivity.
API documentation: No
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Administrators of the system can customise the user interface by means of access level control for individual users. This is managed via a built in administration tool.

Scaling

Independence of resources: We provide a fully scaleable service that distributes load evenly along the different application components preventing user experience bottle necks.

Analytics

Service usage metrics: Yes
Metrics types: The following metrics are provided via reports:
System access, files access, unique users
The Trust will also receive a regular service dashboard report detailing support incidents.
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest: Encryption of all physical media
Data sanitisation process: No
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Standard reports can be scheduled to run at regular intervals or on demand outputting to a folder specified by the Trust.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)
Data protection within supplier network: TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: EHI manages availability by an agreed uptime % of 99.9%, measured by running synthetic scripts on a reference workstation housed in the customers environment.

EHI is liable for service credits where the availability service level is not achieved, which increased on a sliding scale to recognise that as the system down time increases then the EHI liability becomes more significant and EHI lose 1 % of the Support Charge as follows:

Availability Service Credit
99.9% 0%
99 – 99.89 2.5%
98 – 98.89 5%
97 – 97.89 7.5%
96 – 96.89 10%
95 – 95.89 12.5%
94 – 94.89 15%
93 – 93.89 17.5%
Less than 93% 20%

The availability calculation will exclude permitted downtime (up to two hours per month) and shall be deemed available when the software is available on the reference workstation.
Approach to resilience: The application architecture supports multiple deployment options to support various levels of availability and redundancy depending on customer needs and risk assessment.
Outage reporting: Customers would be contacted directly to notify/report any service outages via agreed contact methods.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Role based access to separate administration application restricts supervisor level functions.
Access to support is via agreed Trust support contacts.
Access restriction testing frequency: At least every 6 months
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI
ISO/IEC 27001 accreditation date: 21/04/2018
What the ISO/IEC 27001 doesn’t cover: All accreditation's have been met.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: EHI has policies and processes in place to ensure that the organisation complies on an ongoing basis with the requirements of ISO27001. We have an audit schedule which ensures that all aspects of the security management system are audited on a frequent basis with a clear process for dealing with deficiencies identified through audits and managed to resolution (corrective actions plans).

All staff are trained in the security management system and also our security requirements for NHS Toolkit requirements.

All security policies are reviewed at least on an annual basis and the scope, context and the objectives of the system are reviewed regularly by the senior management team.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: EHI maintains a configuration management database that defines software components deployed at each installation including; Application Software Versions, Modules, Operating System, Database versions, software services, integration components & configuration. This data is used to manage risk as part of the change management process to identify relational and dependent component parts during the change advisory board (CAB).

During the CAB such elements reviewed are Security, Business Change, Capacity, Availability risks and relation to other changes that maybe taking place.

All changes to deployed systems are reviewed as part of the change management process. Request for changes (RFC) are reviewed at CAB.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Security advisories are put out by the underlying products that we use which we assess internally against current deployments. Any identified vulnerabilities have hot fixes and updates issued at the earliest opportunity.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Potential compromises are identified by our open source monitoring software as well as in house firewall rules. Clients will be notified of any compromises and these will be rectified at the earliest opportunity.
Incident management type: Supplier-defined controls
Incident management approach: EHI has a mature ITIL aligned process that includes Incident, Problem, Event, Change, Configuration, Release and Capacity Management. Incidents are registered on the service desk system directly or by phone or email and are managed by the Incident Manager to ensure compliance with Service Levels.

Incident reports are either provided via the Service Desk Tool or emailed to the user with resolution details and root cause information etc.

Where a major incident occurs a major incident report is provided that identifies the resolution details and any forward actions that need to be implemented to prevent re-occurrences.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: Yes
Connected networks: NHS Network (N3)

Fighting climate change: Fighting climate change

In collaboration with our parent company, Citadel Group we are fully committed to the objective of being ‘carbon neutral’ in all our operations by 2022.

As a healthcare software supplier, Wellbeing Software has a relatively small carbon footprint as we do not manufacture any tangible goods. To identify our primary sources of carbon emissions we undertake annual greenhouse gas audits (completed by an independent auditor) which help us to identify the main sources of carbon emissions within our operations and this informs our mitigation plans. Our audits have revealed that our emissions are predominately generated due to our use of electricity to power our offices and data centres (around 41%). The second largest source of carbon emissions resulted from business travel (around 34%). No other activity accounted for more than 10% of our total CO2 emissions. In 2019/20 Citadel Group’s emissions had an estimated total output of 1,850.3 tonnes. As a result, we have used carbon offsetting with financial donations made towards reforestation projects in Uganda, Borneo and Cambodia and aligned with the UN Sustainable Development Goals. As a result of these measures Citadel Group’s operations are already classed as Carbon Neutral.
During FY21-22 we anticipate that our CO2 emissions will increase as Covid19 restrictions are lifted and more usual working patterns return. Our Board has fully committed to increase our investment in sustainable projects should our next audit show an increase in our CO2 emissions.
All our offices already use low energy lighting with smart zone technology – these automatically turn lights off when areas are not occupied. We already employ a ‘no printing’ mantra – encouraging all employees to read documents on screen and avoid printing. All of our offices have recycling facilities to separate waste streams at source.

Full Policy available on request.

Pricing

Price: £8,000 to £12,000 an instance a month
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Stratus

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents