ORCHA Health Ltd

ORCHA Digital Health Innovation (& Compliance) Portal ("DHIP")

ORCHA is the world’s leading digital health quality management and distribution platform, featuring the infrastructure needed to deliver digital health safely in healthcare services at scale. The ORCHA compliance portal provides access to assessment data, digital care pathways, product portfolios, and benefit cases, supporting transformation and digital teams.

Features

  • Access to all ORCHA assessed digital products
  • Detailed breakdown of assessment results from the ORCHA Baseline Review
  • DTAC ORCHA Certified Products listed
  • Thousands of patient facing digital health solutions listed
  • Specialised 'professional support' solutions section
  • Utility and Administrative product section
  • Rapid 'Assessment on Demand' service
  • Rich search and filter options to narrow down use cases
  • Rapid market scanning to understand the art of the possible

Benefits

  • Fast-track the commissioning of digital health in your organisation
  • Access to 'on-demand' assessment of digital tools/treatments you need
  • Evaluate/validate the digital health solutions you currently use
  • Identify potential new digital health solutions for your organisation
  • Save money and time by using our single source platform
  • Cut down costs in introducing new technologies
  • All your digital solutions in one place with accessible documentation
  • Manage risk in deploying digital health solutions

Pricing

£10,000 a user

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tim.andrews@orchahealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

623942761378657

Contact

ORCHA Health Ltd Tim Andrews
Telephone: 07798931630
Email: tim.andrews@orchahealth.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
None
System requirements
  • Chrome v51
  • Firefox v54
  • Microsoft Edge v14
  • Safari v10
  • Opera v38

User support

Email or online ticketing support
Email or online ticketing
Support response times
Online support management solution for end users and an online/telephone support solution for ORCHA ProAccount users, client assessors and client administrators. Operates between 0800 and 1800 (UK) on business days. We will respond to: Priority 1 tickets within six hours of receipt by Us; Priority 2 tickets within twelve hours of receipt by Us; and Priority 3 tickets within 24 hours of receipt by Us.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
We will endeavour to ensure that the platform will be provided with a 99.7% availability rate (excluding scheduled maintenance slots which will be restricted to off peak times between the hours of 1800 and 0800 UK time). We provide an online support management solution for end users. The support function operates between the hours of 0800 and 1800 UK time on Business Days. The support function will look after all user and system related queries and bugs. The relevant platform elements will be available during the Contract term. It will be decommissioned within 4 weeks of the end of the Contract unless a further Contract has been agreed within 30 days of the contract end date. We will save all platform data for a period of three (3) months from the end of the Contract. This can be provided to You in CSV format upon request.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide a comprehensive implementation support service, as set out in the service summary documentation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
We provide users with CSV extracts of their data for up to three months following the end of their contract term.
End-of-contract process
Customer data extract in CSV format

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The ORCHA platform is accessed via the browser and is designed to work across multiple screen types including mobile, tablet and desktop.
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
Setting up the service:
  • Account creation and API key: Users must register for an account to receive a unique API key. This key is essential for authenticating requests to access digital health apps.
  • Authentication: Users should include their API key in request headers to authenticate and gain read-only access to the API.
Making changes through the API:
  • Read-only limitations: Currently, our API does not support making changes to data. It is strictly for viewing or retrieving information.
Limitations of the API:
  • Access restrictions: Our API provides read-only access, meaning it cannot be used for creating, deleting, or updating data.
  • Data scope: The API is limited to retrieving information available from the connected digital health apps.
  • API usage limits: Users may also face limitations on the number of requests they can make within a certain time frame, commonly known as rate limiting.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The ORCHA platform is highly configurable with many elements that customers can tailor to their own requirements as detailed in the Service description document.

Scaling

Independence of resources
To ensure consistent service regardless of user demand, we employ several strategies on Microsoft Azure:
  • Auto-Scaling: Automatically adjusts resources to handle increased traffic, maintaining stable performance.
  • Load Balancing: Distributes user requests across servers to optimize response times.
  • Geo-Replication: Our services are replicated across multiple regions, enhancing reliability and reducing latency by routing users to the nearest data center.
These measures ensure that our services remain resilient and performant, providing a seamless and consistent user experience even during peak demand.

Analytics

Service usage metrics
Yes
Metrics types
We provide a comprehensive set of Performance Dashboards and reporting as detailed in the services summary document.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Via a CSV extract upon request; Power BI Monthly Data Service
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
To protect data within our network, we implement robust measures:

Encryption: All sensitive data is encrypted at rest to ensure confidentiality.
Access Controls: Strict access controls are enforced, allowing only authorised personnel access based on the least privilege principle.
Network Segmentation: Critical data and systems are isolated using network segmentation.
Regular Audits: We conduct security audits and compliance reviews to identify and mitigate vulnerabilities.
Intrusion Detection Systems: Advanced systems monitor for suspicious activities.
Data Backup: Regular, encrypted backups and disaster recovery plans ensure data integrity and availability.
Employee Training: Staff undergo regular security training to maintain high awareness and competence.

Availability and resilience

Guaranteed availability
We will endeavour to ensure that the Platform will be provided with a 99.7% availability rate (excluding scheduled maintenance slots which will be restricted to off peak times between the hours of 1800 and 0800 UK time).
Approach to resilience
Available on Request
Outage reporting
To report service outages, our setup in Azure Monitor, along with integrations into Microsoft Teams and custom dashboards, ensures efficient and prompt notifications:

Azure Monitor Alerts: We use Azure Monitor to set up automated alerts for operational issues or outages, which are triggered based on specific metrics and conditions. This allows for immediate detection and notification of any service disruptions.

Teams Alerts: Alerts are also configured to automatically notify our teams through Microsoft Teams. This integration ensures that notifications are quickly communicated within our collaborative platforms, enabling our team to respond swiftly and effectively to incidents.

Dashboards: Custom dashboards within Azure provide real-time visual monitoring of our systems. These dashboards are essential for ongoing oversight and immediate recognition of potential issues or outages, helping our team to react promptly.

This combination of Azure Monitor alerts, Teams notifications, and detailed dashboards ensures that we can quickly detect, communicate, and address any service outages, maintaining optimal service levels and minimising any potential disruptions to our users.

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
All access is user-specific, e.g. non-free to access. Services are restricted to user accounts that require user names and passwords.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Intertek Certification Limited
ISO/IEC 27001 accreditation date
01/05/2024
What the ISO/IEC 27001 doesn’t cover
Letter of intent provided, pending formal certification in June 2024. All company activities are covered within the certification.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our Information Security policies and processes are aligned to those outlined within the ISO 27001 standard.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We adopt a security by design methodology. All updates to core systems are rigorously tested through each stage of the testing cycle. This includes:
  • Unit Testing
  • Integration Testing
  • Regression Testing
  • User Acceptance Testing
These elements are integral to the overall development process, which follows an Agile methodology managed with a strict change control model underpinning it.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We undertake regular vulnerability and penetration testing. We regularly review our overall system security in preparation for these tests and we maintain a log of open source and third party software. We rely upon and monitor these elements for patches and updates on a regular basis.
Protective monitoring type
Undisclosed
Protective monitoring approach
We have an e-ticketing system and a prioritisation process within this that enables us to rapidly identify issues as they arise. We will respond to P1 incidents within 6 hours of notification and resolve these within 48 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident management approach is via our e-ticketing system or telephony support model. Incidents can be raised directly by end user via these channels or via our dedicated Account and Delivery management function. We maintain regular updates regarding live incidents and our Account and Delivery management team maintain regular contact with impacted users and monitor these issues on a monthly basis as part of the general client reporting and review processes.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery

Fighting climate change

Our solution prioritises access to and visibility of digital health products that will have a demonstrable impact on traditional service delivery and their environmental impact, through enabling:
  • Remote monitoring including multidisciplinary team working
  • Telecare and telehealth solutions
  • Effective demand management and capacity planning

Covid-19 recovery

Digital healthcare has been identified as a key enabler to healthcare systems' Covid-19 recovery plans, including at a national level within the current NHS Operating Plan and 'Delivery Plan for Tackling the Covid-19 backlog of Elective Care'. Assessment of digital health products against NHS DTAC standards at scale and at pace will be crucial to achieving these strategic aims and objectives.

Pricing

Price
£10,000 a user
Discount for educational organisations
Yes
Free trial available
No