GPsurgerynet Limited

GPsurgery.net

GPsurgery.net helps transform the digital experience for your patients. We are a GP website platform that enables patients to help themselves or find the help they need. Our mantra is simple. Clear communication that empowers patients, connects practices and saves hours of admin time.

Features

• Centralised communication for PCN/ICS and NHS GP practices
• Compatible with all common total triage providers
• Links to all online patient service providers
• Secure online patient forms
• Easy to use website management dashboard
• WCAG 2.1 AA Accessibility compliance
• Broadcast urgent messages and news items to multiple websites
• Easily customise colour schemes and layout
• NHS symptom checkers, service finder and health lookup
• Publish public health messages quickly and easily

Benefits

• Share resources and connect across your PCN through central dashboard
• Score well using the NHS GP website benchmarking audit tool
• Collect and manage patient feedback
• Route patient information directly into your existing workflows
• Publish your social media channel content on your website
• View usage data across one or more websites
• Promote public health messages
• Signpost patients to the most appropriate way of getting help
• Clear communication that empowers patients to self care
• Mobile friendly, beautiful designs that enhance digital inclusion

£480 to £840 a unit a year

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@gpsurgery.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

449860857310640

Contact

Tim Green
01580 762900
info@gpsurgery.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: GPsurgery.net requires a current and up to date web browser.
• System requirements: Modern supported web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our support team work 08:30 - 17:30 Monday to Friday except for public holidays. Response time is approximately 90 minutes.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Technical support which we define as a situation where something is not working as designed is free of charge to all customers subscribed to our standard service.; ; Customer support where a customer requires help understanding and using a feature is also free of charge. Our team will provide links, videos and direct customers to appropriate tutorials in the support portal.; ; Content management support is editing where we carry out content updates that could be completed by the customer.; ; - Standard service includes unlimited support requests.; - Managed services includes unlimited support requests and all website content editing services (+ £30 per month)
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: All users benefit from free online training via Teams or Zoom. There is a support portal that includes detailed documentation and animated tutorials for all aspects of our service.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: All users can download any remaining data before the contract expires. Our off-boarding procedure includes checking and removing any data with the customers knowledge.
• End-of-contract process: If the customer does not wish to renew we will confirm the termination date and agree that the products and services supplied by GPsurgery.net will terminate on that date provided that at least 90 days notice is given before renewal. There are no additional costs at termination unless a customer asks us to manage a domain name redirection service for one year. This is not usually required. The costs is a one-off fee of £50 + VAT.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Easy to use content management system (CMS) to allow control over all website content.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Our interface is built on the WordPress CMS. We have an ongoing process of accessibility testing and improvement. The WordPress development team are constantly reviewing and improving the interface from an accessibility perspective.; ; We have a proactive attitude to accessibility and will always respond promptly to any accessibility issues reported by users.; ; Due to the nature of the WordPress platform and the constant development and improvement process this is an ongoing requirement with a goal to make the service as accessible as is reasonable possible to all users.
• API: No
• Customisation available: Yes
• Description of customisation: Colours, branding, content, page structure and hierarchy are all customisable by the full Admin users. Customisation is available to Admin users in the product dashboard. Use of the tools is covered in the Admin training programme. Some customisations are not recommended as they would conflict with NHS design guidelines.

Scaling

• Independence of resources: Server load balancing, ongoing server load monitoring and near-instant capacity upscaling. As a cloud service we use state of the art enterprise level hosting providers with a 24x7x365 support team. We can request more server resources immediately for unexpected peaks. Our servers are set up to run well below peak capacity that ensures enough headroom for all but exceptional usage spikes.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide visitor traffic data through an optional compliant cookie technology.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Downloadable CSV file directly from the Dashboard.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats: Json

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our hosting providers guarantee they will make the Services available 99.95% of the time, excluding any Excused Downtime.; ; In a given calendar month, they calculate “Service Availability” as follows:; Service Availability = (total minutes Services are available) x 100 divided by (total minutes in the month) – (Excused Downtime).; ; “Excused Downtime” means the length of time the Services are unavailable due to:; Scheduled Maintenance;; Emergency Maintenance;; Beta Services;; Force Majeure events; and; ; the actions or omissions of you, your Authorised Users, or any third-party acting on your behalf or at your direction, including any unauthorised use of the Services, breach of the Agreement or Acceptable Use Policy, or any use or configuration of the Services that exceeds our recommendations or advertised limits.
• Approach to resilience: Available on request
• Outage reporting: Email alerts if the outage is likely to exceed 15 minutes during working hours.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: 2-factor authentication is recommended and available to all users. This can be mandatory on demand.
• Access restrictions in management interfaces and support channels: 2-factor authentication and/or hardware key.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber essentials plus
• Information security policies and processes: One director is appointed IG lead for the organisation. We have developed a set of documents and standard operating procedures. We have a quarterly company meeting to review these policies and procedures to ensure that all staff are up to date and understand how to follow these policies.; Staff complete cyber security online training annually.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: As an SME we use an in house Kanban style process to suggest, review, log and then develop configuration changes. These are then subject to testing during the monthly development and update cycle.; ; Changes are then tested and signed off on a staging copy of the live service.; ; Once approved updates are deployed to the live environment and tested again.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Automated scanning for vulnerabilities in software; Monitoring NHS Cyber alert Feed; Technical director responsible for codebase reviews all vulnerabilities; Security patches are deployed within 24 to 72 hours depending on severity; Regular updates are deployed monthly; Members of the National Cyber Security Centre Early Warning Alerts service.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Our DNS provider is actively blocking known bad IPs and other hostile domains. We are also proactively protected to provide mitigation in the event of DDoS attacks.; There are automated services in place in our hosting environment to monitor and block common exploit techniques eg attempts to enumerate users.; Logs are reviewed regularly to look for suspicious activity.; We have comprehensive data breach procedures and all staff meet quarterly to review any changes, share near misses and refresh knowledge.; Our plans require immediate action as soon as an incident is identified.
• Incident management type: Undisclosed
• Incident management approach: We have incident management procedures documented and all staff have access to these procedures.; ; Incidents are reported by customers via email to our support team. Internal reports can be made by email, phone or Slack depending on urgency.; We have an incident log where any events and the actions taken are recorded.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity

  Fighting climate change

  Our hosting partners rely on Google Cloud and Amazon AWS.; ; Google Cloud achieved 100% annual renewable energy matching every year since 2017. They are now focused on achieving the "moonshot goal of 24/7 carbon-free energy (CFE) by 2030".; ; AWS claims significant progress on its path to power 100% of its operations with renewable energy by 2025.; ; The GPsurgerynet Limited office uses 100% renewables.

  Equal opportunity

  We pledge not to discriminate against any employee or job applicant because of race, colour, religion, national origin, sex, sexual orientation, physical or mental impairments, or age.

Pricing

• Price: £480 to £840 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@gpsurgery.net. Tell them what format you need. It will help if you say what assistive technology you use.