Ortivus UK Ltd

Controlled Drug Management

Controlled Drug Management is a digital solution purpose-built for Ambulance Services to efficiently, securely and safely administer and monitor Controlled Drugs. It replaces paper registers with a contemporary solution that integrates to ePCRs and other systems and enables control and accurate auditability of CD transactions and improved CQC compliance

Features

• Enables Controlled Drug Management legislative and DCB0129 compliance
• SaaS solution available on any device with an internet connection
• Regulatory compliance via features like dual sign-off
• Blind or open stock-takes
• Instant audit of CD transactions
• Real-time reporting for all transaction types
• Secure digitally signed reports to prevent tampering
• Integrate with ePCR for efficiency and single-handling
• Configured to Ambulance Service's workflow
• Integration to Active Directory, other FHIR/HL7 capable systems

Benefits

• Reduced risk of diversion and abuse
• Meet legislative and CQC obligations for managing CDs
• Reduce risk of diversion and abuse
• Simple to use interface increases efficiency and compliance
• Audit by individual, station, area, region or whole service
• Pharmacy has complete, real-time visibility of all CD transactions
• Easily conduct batch recalls and expired drug destruction
• Instant desktop audit reduces travel and time for managers
• Remove paper registers from CD Management
• Supports executives with Responsibility and Accountability for CDs

£0.50 to £1.00 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at philip.swan@ortivus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

539209948466387

Contact

Philip Swan
07525277218
philip.swan@ortivus.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: EPCR solutions
• Cloud deployment model: Public cloud
• Service constraints: As a SaaS solution there are 4 planned releases each year with ad hoc unscheduled maintenance for urgent security patches etc.
• System requirements: Computer or smart-mobile device with internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Ortivus Support mailbox is monitored during normal business hours, 9am-5pm GMT/BST, Monday to Friday (excluding Bank Holidays) and all emails are responded to within 24hrs. Ortivus also provide an online service portal which is available 24x7 through which customers can raise Incidents and Service Requests.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1st line call qualification and validation is typically performed by the Customer who would receives incoming calls from the end users and would attempt to resolve incidents in the first instance. Ortivus provide 2nd and 3rd line support for incidents raised that are unable to be resolved by 1st Line.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online 'train-the-trainer' to SMEs supported by documentation and optional SCORM-compliant training package. Both training packages can be edited by the customer to reflect specific workflows or nomenclature. ; Full, fixed price project management to ensure project produces desired outcomes. Full configuration advice and assistance. 'Sandpit' environment for SMEs to experience the solution and familiarise themselves with configuration options.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats: SCORM
• End-of-contract data extraction: Data is provided to users continuously via API, but will also be provided using database export of transactional and logging information.
• End-of-contract process: Transacted and logging information extract is included as part of contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Software has been written to be responsive and form-fit to the particular device being used. No difference in functionality on desktop, laptop, tablet or smart-mobile device.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Integration occurs through API for the following possible information: * Transactions from a supported system * Users and org unit hierarchy * Roster information for users * Export of transactions for data warehousing.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Configuration to suit relevant legislation and business processes. Customisation occurs within the implementation project by the vendor.

Scaling

• Independence of resources: Customers have the option to deploy in the following configurations: * Shared infrastructure - Ortivus monitors the load to ensure that users aren't affected by other users of the system, keeping data and systems separate, sharing only computational load. * Dedicated infrastructure - Ortivus will deploy the system into a separated environment

Analytics

• Service usage metrics: Yes
• Metrics types: Application usage, as well as operational metrics provided through a combination of Azure services and logging database infrastructure.
• Reporting types: Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: HealthCare Software Pty Ltd

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported continuously via API, but can also use ETL transaction techniques supported through Microsoft Azure.
• Data export formats: Other
• Other data export formats:
  • API
  • Database extracts
• Data import formats: Other
• Other data import formats: API import

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Separated virtual networks for different customers, along with all data encrypted in transit.

Availability and resilience

• Guaranteed availability: Standard availability SLA is 99.5%. Service credits are not offered.
• Approach to resilience: Data hosted within Microsoft Azure using best practice for data resiliency and availability. Further information available on request.
• Outage reporting: Through our online service desk.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
• Access restrictions in management interfaces and support channels: Support channels are secured using accounts on the service desk platform (JIRA service desk). Management interfaces restricted via IP and also secured via privileged accounts that require activition for supplier to access.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Other
• Description of management access authentication: Privileged Identity Management through Microsoft Entra ID.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Issued by Intertek Certification AB, accredited by UKAS management systems
• ISO/IEC 27001 accreditation date: Initial certification date 12 December 2014
• What the ISO/IEC 27001 doesn’t cover: No exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: HIPAA

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Incidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities. In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We standardise the configuration of our CDM deployments and manage compliance through automated alerts and rules managed with our CSP. This is managed through Microsoft's Security Centre project, as well as using VMWare CloudHealth. Changes to infrastructure are managed through source control and standard documentation.; Ortivus is certified for ISO27001:2022 compliance and ISO20000 for Change Management.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability management is handled through Microsoft Defender for Cloud, monitoring PAAS components in Microsoft Azure. Patches to underlying services are managed by Microsoft. Azure environment is also managed by our CSP, who are ISO 27001 certified.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Along with our CSP, Macquarie Cloud Services, our Azure environment is monitored by tools provided by Microsoft and responded to initially by our CSP, and then by us. Incidents are typically responded to within minutes.
• Incident management type: Supplier-defined controls
• Incident management approach: Pre-defined processes for common events are part of our arrangement with our CSP, and Macquarie Cloud services are compliant with SSAE18 type 2 and ISO 27001. Users report incidents through our service desk or they are automated through Azure.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  By managing and tracking dangerous and addictive drugs the solution helps Ambulance Services fulfil their moral and legal obligation to protect paramedics from the temptation of drug diversion and abuse.

Pricing

• Price: £0.50 to £1.00 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at philip.swan@ortivus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.