Promptly Health

Secure Data Environment (Federated Platform)

An on-premises federated data infrastructure product designed to harmonize Trust's databases according to the Observational Medical Outcomes Partnership data model (OMOP-CDM), providing access to a catalogue of analytics. The secure environment together with harmonization enables authorized users to conduct federated studies on Trust's health data, without compromising data privacy.

Features

  • OMOP Data Harmonization
  • Standard analytics catalog
  • Outcomes benchmarking
  • Federated data network (FDN)
  • Consent management and oversight platform for FDN
  • Cohort definitions
  • Studies and collaborations
  • Real-world evidence (RWE) generation & sharing

Benefits

  • Infrastructure Burden Removal
  • Secure and trustable by design
  • Management and oversight of deployment across different environments
  • Harmonization streamlines data to multi-centric studies
  • Access to an analytical environment with standardized insights and outcomes
  • Inclusion in a collaborative network enabling multi-centric federated studies

Pricing

£65,000 a licence

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michelle.waddell@promptlyhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

595880822295984

Contact

Promptly Health Michelle Waddell
Telephone: +447826726323
Email: michelle.waddell@promptlyhealth.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Database applications, Business Intelligence services
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
As far as we are concerned, no.
System requirements
  • Hard drives: Use SSD NVMe drives
  • CPU: Choose CPUs with a recent architecture (<5 years)
  • VCPU: 2 * RAM: 2 GiB
  • Disk: 50 GiB
  • Worker Nodes: * vCPU: 16 * RAM: 16 GiB

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is conducted through email. All incidents should be recorded in the Helpscout support tool which will include information on the affected assets, the classification based on urgency level, service impact, and on the priority for incident resolution. The role of the technical team is to analyze and solve any problem, incident, or request raised by the end user.

SLAs: First Reply Time – Critical failures <4h (BH*); Non-critical failures <8h (BH); Configurations and Service definition and features improvement/suggestions <24h (BH); Time to recovery – Critical failures <20h (BH); Non-critical failures <16h (BH);
BH = Business hours
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
No
Onsite support
Onsite support
Support levels
Onsite support is guaranteed and provided in the most critical phases of the Promptly SDE Activation: (1) Preparation for Go-Live: Setup of the solution to align and prepare the go-live;
(2) Go-Live: the platform is tested and ready to be used by the trust.
Maintenance and Ongoing support is also a critical milestone of our implementation process. This phase involves the follow-up of the project after the go-live. In addition to field follow-up (onsite support, to be agreed with the trust), monitoring, and remote support, the first data analysis sessions and improvement cycles will be held together.
The role of the technical team is to analyze and solve any problem, incident, or request raised by the end user.
Support available to third parties
No

Onboarding and offboarding

Getting started
Theoretical training via documentation of every step of the process.
Practical training where the end-users can get in touch and experiment with the application, having to complete a set of use cases that go over the most important components of the system.
Support via communication with both technical and clinical team members, namely in the analytical module.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
This is discussed with clients at contract start
End-of-contract process
Promptly Secure Data Environment (SDE) is implemented in the client premises so all the data is available inside the client infrastructure. If the contract is terminated, the harmonized database will remain in place. The infrastructure and software that performs the harmonization will be removed from the client's infrastructure.

PROMPTLY commits to designing and executing an exit management plan within the Business Continuity Plan when issued a formal termination under the agreement and commits to provide it at least four months prior to the end of the contract term agreed. The principle of the exit plan will be to facilitate an effective and smooth transition of the services from PROMPTLY to the Buyer, assuring the minimum disruption of the services and the efficient completion of all agreement obligations.

Non-PII data that is transferred to PROMPTLY as a part of service operation such as logging and monitoring will be removed according to industry standards and the Business Continuity Plan agreed with the client.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Yes
Compatible operating systems
Linux or Unix
Designed for use on mobile devices
No
Service interface
Yes
User support accessibility
WCAG 2.1 A
Description of service interface
Optionally, the analytical dashboard components can be deployed on-premise and accessed via browser. It will display the standard analytics catalog described above in insights similar to a business intelligence (BI) platform. However, the deployment is flexible and the client can opt to use its own BI tool.
Accessibility standards
WCAG 2.1 A
Accessibility testing
None
API
No
Customisation available
Yes
Description of customisation
Promptly SDE is customizable in terms of deployment and modularity.
Deployment: by following a BYOC approach, the service can be deployed in a private, public or hybrid cloud. The service was also designed to avoid any possible constraints in terms of setup and be accessible to any client, independently of their infrastructure.
Modularity: the harmonization module contains different connectors that allow it to perform the harmonization process in the DBMS of the client, taking advantage of the infrastructure already in place or by implementing an on-premise datalake in the preferred DBMS.
The analytical module can also take advantage of the client's infrastructure already in place by connecting to other BI platforms or, on the other hand, provide access to Promptly's analytical dashboard tool.

Scaling

Independence of resources
The service provides automatic scaling to accommodate demand

Analytics

Service usage metrics
Yes
Metrics types
The control plane associated with the on-premise deployment will provide metrics related to the infrastructure such as:
- Resource usage
- Service stability
- Harmonization process monitoring at every step
- Data quality monitoring
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data does not leave the premises of the data partner.
Data export formats
Other
Other data export formats
Not-Applicable
Data import formats
Other
Other data import formats
Not-applicable

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Due to the SDE on-premise deployment, availability is also dependent on the client's infrastructure which is defined in detail during contract.
For Promptly managed services, availability is 99.8%.
Allowable downtime is less than 1hr 27 minutes in any given month with no roll over.
Approach to resilience
Our solution is architected with high availability architecture practices with redundant services across multiple availability zones. Nevertheless, Promptly has a comprehensive disaster recovery (DR) plan in place to ensure that all its systems can continue operating in the event of a major outage or other disruptive event. This is included in our ISO27001 certification. Promptly deploys all services across multiple Availability Zones for fault tolerance and low latency.
Outage reporting
Through a public dashboard

Identity and authentication

User authentication needed
Yes
User authentication
  • Username or password
  • Other
Other user authentication
On Promptly SaaS products, we enforce a limit of 10 failed login attempts before temporarily blocking the account to prevent brute force attacks. We empower our clients to integrate their own Identity Provider (IDP) for authentication, thereby enhancing system security. In cases where clients do not provide an IDP, we offer a username and password login system, ensuring password strength in compliance with the NIST 800-63b standard.
Access restrictions in management interfaces and support channels
Promptly adheres to the "principle of the least privilege," ensuring users access only necessary resources for their roles, minimizing unauthorized access and data breaches. Ungranted permissions are prohibited. RBAC (Role-Based Access Control) is the primary method for assigning and maintaining access, with rights allocated primarily to groups for role-specific access. Individual accounts may receive additional permissions with authorized approval. All privileged access to production systems requires Multi-Factor Authentication (MFA).
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Proks Certification - https://proks.co/en
ISO/IEC 27001 accreditation date
15/09/2023
What the ISO/IEC 27001 doesn’t cover
We have a group of 19 policies that covers all the ISO 27001 topics:
- Information Security Policy
- Risk Assessment and Management
- Access Control
- Physical Security
- Information Security Awareness and Training
- Incident Management and Response
- Business Continuity and Disaster Recovery
- Compliance
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • ISO27001
  • CE+
  • DTAC

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
CE+
Information security policies and processes
We have a group of 19 policies that covers all the ISO 27001 topics:
- Information Security Policy
- Risk Assessment and Management
- Access Control
- Physical Security
- Information Security Awareness and Training
- Incident Management and Response
- Business Continuity and Disaster Recovery
- Compliance
We have a web application that allows us to manage all the policies and all the employees who need to agree to them. We have a Governance council responsible for keeping track of security needs and providing guidance and information when needed. We hold formal meetings, which we call management reviews, to understand improvement needs and mitigation actions. We give security training every year to our employees as standard.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
The Change Management process ensures all changes are managed methodically—recorded, evaluated, authorized, implemented, and reviewed. The Customer Success Manager oversees this, mitigating project risks. Changes arise from client requests or during phases like system design and testing, needing improvement or error correction. Changes are categorized as:

1. Standard Changes: Low-risk, common, pre-authorized.
2. Normal Changes: High-priority, requiring thorough evaluation and approval.
3. Emergency Changes: Immediate actions for unexpected threats.

The process concludes with a formal sign-off at the contract's end.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
The vulnerability management process consists of access review, risk assessment, vulnerability testing and penetration testing. Findings from these assessments are prioritised and addressed. Change, patch and asset management processes help in identifying and mitigating the vulnerabilities and the associated risks. We follow the ISO 27001 standard and best practices.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Promptly employs the AWS-recommended services to monitor, identify and block attacks. AWS WAF on AWS ALB and AWS CloudFront is used to control and absorb traffic and deflect unwanted requests.
Amazon GuardDuty, a managed service that continuously monitors for malicious or unauthorised behavior, is also enabled. It monitors for activity such as unusual API calls or potentially unauthorised deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our management policy: https://proefgroup.sharepoint.com/:b:/r/sites/promptlyhealth/Documentos%20Partilhados/Promptly%20Compliance/ISO%2027001/Policies%20pdf/POL-17%20Incident%20Management.pdf?csf=1&web=1&e=uGzQXi

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity

Fighting climate change

Improvement in digital processes ensures the progressive dematerialization of healthcare services. The usage of efficient and automated processes ensures less resource waste.

Covid-19 recovery

Standard analytical models are crucial for responding to emerging diseases, like COVID-19. Our services enable clients to be more prepared for seamless collaboration and generating valuable insights.

Tackling economic inequality

Increasing interoperability between healthcare providers enables the democratization of access to better and more affordable care. Promoting collaboration while preventing siloing and isolation empowers patients and clinical teams with better research tools.

Equal opportunity

At-scale real-world evidence can be useful for reducing bias in clinical studies, increasing equity in treatment efficacy.

Pricing

Price
£65,000 a licence
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Upon request and customized accordingly
