PRIMUM DIGITAL LTD

CrossCover - Clinical Pathway Development and Operations Platform

CrossCover enables clinical teams to design, build, test, deploy, operate and monitor clinical decision support pathways at scale. Designed by clinicians to operationalise best practice to maximise clinical and cost effectiveness of clinical pathways. Interoperable with primary and secondary care Electronic Patient Records and NHS Digital national APIs.

Features

• Clinical Pathway Development and Operations Content Management System
• Referral Management System
• FHIR interoperability with Primary Care and Secondary Care EPRs
• SNOMED CT coding
• UKCA marked Medical Device with ISO13485, DCB0129 and DCB0160 compliance
• Electronic Patient Record compliant with NHSx DTAC
• Completely customisable clinical pathways through the web application interface
• Customisable Digital PROMs and PREMs
• Realtime Budget and Carbon Impact Analysis
• Realtime advanced Data Analytics Audit and Research features

Benefits

• Operationalise best practice to maximise clinical effectiveness of healthcare staff
• Standardise clinical pathways across Primary and Secondary Care
• Gain efficiency savings by optimising resource provision across clinical pathways
• Deliver a Net Zero NHS by reducing unnecessary patient journeys
• Reduce Health inequalities by standardising care
• Maximise cost effectiveness of service delivery
• Efficiency cost savings
• Gain operational intelligence from realtime patient pathway data
• Deploy patient facing clinical pathways with Shared Decision Aids
• Enable collaboration at scale across an Integrated Care System

£900.00 to £38,800.00 a unit a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@primumdigital.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

627684903901954

Contact

Nathan Moore
07960051761
sales@primumdigital.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: CrossCover works as a standalone progressive web application accessed via the web browser. It can also be opened from within Primary and Secondary Care electronic patient records (EPRs).
• Cloud deployment model: Public cloud
• Service constraints: To access all connected NHS Digital APIs requires a HSCN connection at present. This may change as more of the NHS Digital APIs become accessible over the internet securely.
• System requirements:
  • Internet Access on a PC, Mac, iOS or android device
  • Google Chrome, Microsoft Edge, Mozilla Firefox, Safari web browser
  • HSCN connection to access NHS Digital eRS API

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Issue Service Desk Response times:; Critical- within 15 mins; High- within 15 mins; Medium- within 2 hours; Low- within 4 hours.; ; We provide support for all services between 9am and 5pm Monday to Friday (excluding Bank Holidays).; We do not routinely provide support for Medium and Low priority issues after 5pm or before 9am weekdays or anytime on weekends.; For incidents classified as High or Critical an on-call engineer is available 24/7 via the on-call phone and service desk. ; If the on-call engineer is not able to accept the call, a backup answering service is provided and actively monitored.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We don't offer tiered support levels. All customers have access to our service desk and a 24/7 on call engineer.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Implementation starts with scoping out the customer requirements. We meet the IT team and ensure we have set up all the necessary API connections. As an internet first solution, the application can be fully managed by our engineering team remotely. We can SSH into VMs or bare metal machines in client networks where we can deploy integration engines, if required, although API connections are preferred. For implementation we provide a train the trainers approach. We can provide onsite training, but this is an additional cost of £1500 per member of staff per day. We meet the Clinical Safety Team and support hazard workshops to help the local Clinical Safety Officer generate the implementation DCB0160 Clinical Safety Case Report. We meet all key stakeholders from each specialty department and explain how roles and responsibilities must be distributed for successful implementation. We provide access to a complete user manual for the application and training videos on all functionality. During the pathway development phase before GO LIVE our implementation team works closely with clinical leaders training them on how to use the system to design, build, test, deploy, operate and monitor clinical pathways. All training is performed via video conferencing and screen sharing.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats: Training videos mp4
• End-of-contract data extraction: If the contract is not renewed at the end of a contractual term, we can offer full patient and pathway data exports made available via CSV, XML, JSON via secure transfer. A data extraction request is made from the clients Information Asset Administrator to us.; ; No additional cost for data extraction in our default format of CSV, XML or JSON. If the tenant wishes to have the data transformed into a bespoke format, we charge £1500 per day for engineering time.; ; The clinical data is accessible from dashboards within the application. If the user has the permissions, they can extract patient identifiable and de-identified data sets to CSV, XML or JSON through a dashboard in the application. All these data exports are logged for information governance compliance.
• End-of-contract process: No additional cost for data extraction in our default format of CSV, JSON or XML. If the tenant wishes to have the data transformed into a bespoke format we charge £1500 per day for engineering time.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no functional differences between the web and mobile views of the web application.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The CrossCover web application is accessed via the URL https://www.crosscover.app through a compatible browser on any PC, Mac or mobile device with an internet connection. The application can be installed on the device from the browser, but does not have to be. If the application is installed on the device and the pathways have been previously cached, it can work offline. Regular Users with permissions can lookup patients and enter a decision support pathway for them. Pathway Editor Users can create, read, update and delete clinical pathways through a comprehensive pathway editing interface. All user activity is logged.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Annual Accessibility audit.
• API: Yes
• What users can and can't do using the API: CrossCover's CRUD operations to clinical records are fully accessible via APIs. The clinical pathways are only accessible via the web application to ensure as a medical device the pathways are displayed in the format clinically risk assessed.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: All clinician facing and patient facing clinical pathways are completely customisable through the web applications content management system. The pathway approval and deployment policies are dynamically customisable so you can have defined processes around the governance of your clinical pathways. There is a dynamically customisable user management system, whereby the client can create custom roles with granular permissions. These custom roles created by the clients Super Admin control which users can customise each component in the system. With these features the client can change the way the app functions easily.

Scaling

• Independence of resources: Primarily we build the web application to work standalone and to be fully customisable by the client. Every feature including user management, pathway design, pathway deployment, pathway monitoring, pathway issue service desk, analytical tools are all within the web interface of the application. This means the clients can do most of the day to day customisation and data queries through the application without having to ask us for engineering support or data. The application itself is hosted on Google Cloud Platform servers in the UK with automatic horizontal scaling to deal with dynamic increases in demand.

Analytics

• Service usage metrics: Yes
• Metrics types: Daily usage by staff members. All details around pathway episode data including patient demographic details, staff member details, the pathway decision support content displayed to the staff member, all decisions made and clinical outcome. All this pathway data can be aggregated in patient identifiable and de-identified data sets and queried for any string or concatonation of strings in the data set. We also provide a realtime budget and carbon impact analysis. We provide data on the pathway issue tracker service desk including average time to deal with an issue and issue classifications.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: All data is encrypted at rest with AES-256 on a distributed block storage device in Google Cloud Platform in data centres within the host country. (For example in the UK the data is stored in Google data centres in London). All client access to patient records is logged in an audit trail accessible by users with audit trail retrieval permissions. Structured log data is created by the web applications backend infrastructure. Logs are stored in Cloud Logging and stored for 30 days.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The clinical data is accessible from dashboards within the application. If the user has the permissions they can extract patient identifiable and de-identified data sets to CSV, XML or JSON through a dashboard in the application. All these data imports and exports are logged for information governance compliance.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
  • FHIR
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • JSON
  • XML
  • FHIR

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: All data is encrypted in transit with TLS 1.2 or above and where possible data is transferred across the HSCN. We have annual code assisted whitebox penetration tests by a third party CREST and CHECK certified cybersecurity company looking for vulnerabilities including the OWASP top 10 vulnerabilities.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: All data is encrypted at rest with AES-256 on a distributed block storage device in Google Cloud Platform in data centres within the host country. (For example in the UK the data is stored in Google data centres in London).

Availability and resilience

• Guaranteed availability: We provide a 99.9% uptime guarantee, dependent on the availability of Google Cloud Platform.
• Approach to resilience: We provide a zero-downtime deployment of new application code. We release new versions of the software frequently (at least once a month). We operate development, testing and production environments with an automated CI/CD pipeline and Quality Assurance process. We operate an ISO13485 compliant externally audited Quality Management System to design, develop, manufacture and distribute Software as a Medical Device (SaMD) to the highest standards. When a new version is deployed it automatically updates on all clients devices so clients are always using the most up to date version of the application. We backup all data daily with scheduled cloud functions. We keep 30 days of backups within Google Cloud Platform. Each month a copy of the database is sent to Microsoft Azure servers in the UK. This enables us to have a multi-cloud data resilience structure.
• Outage reporting: We use an API to ping all our endpoints every 5 mins. This data feeds into a service availability status page. Any downtime notifications are automatically sent to the engineering team. All tenants are given company operational and technical contact available 24/7 for use in an emergency. Any downtime notifications are also sent to the named leads via email at each tenancy.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
• Other user authentication: We have multiple routes to authenticate users. Our standard authentication requires two factor authentication to access any clinical data. We do offer the option for authentication via the NHS Digital Care Identity Service 2 OAuth 2.0 for NHS staff login. We also offer the option for patients to authenticate vie the NHS Digital NHS Login API.
• Access restrictions in management interfaces and support channels: We provide the tenant with a completely customisable user management system. Every function in the application has a permission coded for it. In the User Management system the tenants SuperAdmin can create dynamic customisable roles with any combination of these permissions. We provide suggested role configurations with templates that can be customised. The permissions assigned to a role determine what interfaces in the application users with that role have access to.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 30/03/2022
• What the ISO/IEC 27001 doesn’t cover: We also cover all requirements of the NHS Digital Data Security and Protection Toolkit (DSPT) and NHSx Digital Technology Assessment Criteria (DTAC).
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: NHSx Digital Technology Assessment Criteria (DTAC);; NHS Digital Data Security and Protection Toolkit.
• Information security policies and processes: Primum's core information security policy: The organisation believes that despite the presence of threats to the security of such information, all security incidents are preventable. ; ; The Senior Management of Primum Digital Limited are committed to achieving the objectives detailed in the policy through the following means: ; ; The implementation and maintenance of an ISMS that is independently certified as compliant with ISO 27001:2017; ; ; The systematic identification of security threats and the application of a risk assessment procedure that will identify and implement appropriate control measures; ; ; Regular monitoring of security threats and the testing/auditing of the effectiveness of control measures; ; ; The maintenance of a risk treatment plan that is focused on eliminating or reducing security threats; ; ; The maintenance and regular testing of a Business Continuity Plan; ; ; The clear definition of responsibilities for implementing the ISMS; ; ; The provision of appropriate information, instruction and training so that all employees are aware of their responsibilities and legal duties, and can support the implementation of the ISMS; ; ; The implementation and maintenance of the sub-policies detailed in this policy. The appropriateness and effectiveness of this policy, and the means identified within it, for delivering the organisation’s commitments will be regularly reviewed by Top Management.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We have an ISO13485 certified Quality Management System to ensure the software we develop is of the highest standards. We also have an ISO27001 certified Information Security Management System. From staff recruitment though to training and daily operational practices we have documented processes and procedures to ensure standards are met. We have regular internal and external audits to ensure compliance with our systems. We have automated systems that scan our dependencies and alert us to any vulnerable or out of date packages. Policy details can be made available on request.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We use automated code analysis to monitor our code for vulnerabilities continuously. Annual external penetration tests are performed by a CREST and CHECK certified cybersecurity company. 6 Monthly internal penetration tests are performed. OWASP training is provided for all company engineers. We have a documented patch process in our software development procedure in our QMS. We deploy new versions of the software every 2 to 4 weeks. We will patch the software more frequently as and when a bug or vulnerability is detected.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Log data is collected centrally and monitored for signs of unusual activity.; ; Application logging is carefully designed so that unusual activity is logged at warn level or above. The rate of such logs is monitored to provide an early warning signal.; ; Internally services are designed along zero-trust principles. This prevents a single compromised component from allowing access to other information.; ; Internal authentication is by way of signed authentication tokens. The private keys underlying these tokens can be replaced in case of a suspected breach which will invalidate all existing tokens and cause all users to become immediately logged out.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We have a Security Incident Management Procedure which details how we achieve our aims in our Information Security Policy. For every security incident the immediate action is to limit its impact and obtain and preserve evidence to enable an accurate investigation to be completed, root causes identified and a corrective action taken to prevent recurrence. Details of any security incidents will be recorded in our Security Incident Log. If the incident is related to Personal Information the company must inform the Information Commissioners Office within 72 hours and the data Controller without undue delay along with a full report.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Health and Social Care Network (HSCN)

Social Value

• Fighting climate change:

  Fighting climate change

  CrossCover won the NHS England/ NHS Improvement SBRI Healthcare Competition 18 Delivering a Net Zero NHS Development Award. CrossCover helps to reduce emissions from care miles, reduce emissions from surgical pathways and supports low-carbon decision making.; The quantitative evidence provided by an independent Health Economic Study suggests optimised decision support pathways can reduce outpatient appointments by 50- 75%, which is how we will help the NHS to realise net-zero emissions. It is estimated that 5% of the traffic on the roads is NHS traffic and 9% of the NHS carbon footprint is related to; patient and visitor transport. The average patient travels 15 miles in urban areas and 27 miles in rural areas for an outpatient appointment. Optimised pathways will have a huge impact on CO2 emissions by reducing the number of miles travelled by patients who currently go to unnecessary outpatient appointments. The platform also supports GPs to; run low-carbon community diagnostic hubs and reduce unnecessary imaging requests. The pathways enable the promotion of sustainable mobility aids and support decisions to use the last splint as the first splint in trauma to minimise waste without compromising on quality of care.; As a company, Primum Digital Limited operates a fully remote workforce working from home. This helps us as a company minimise our carbon footprint as none of are staff are commuting to a central office every day. At the start of the contract we can submit an annual forecasted baseline for every different type of emissions generated in the delivery of the contract and we can supply half-yearly reports on activities undertaken to reduce this impact.
• Covid-19 recovery:

  Covid-19 recovery

  The NHS Long term plan is to “avoid up to a third of outpatient appointments” (Page 6, lines 29-30). This is largely going to be achieved by reducing face-to-face appointments with consultants. One way to reduce face-to-face appointments is to make sure every appointment with a health care professional is done with the right person at the right time. ; The COVID-19 pandemic has reinforced the need to reduce face-to-face consultations. A by-product of the COVID-19 pandemic was a high presence of consultant decision making at the front door. This was possible as all elective services were cancelled and Specialty consultants were redeployed to the Emergency Departments. During this process NHS organisations recognised that they were saving many unnecessary; appointments by making the best decisions at first contact with the patient. As elective services restart, CrossCover will allows NHS organisations to maintain this consultant led service as a force multiplier when they can no longer be as involved in the front line with boots on the ground. ; To achieve this goal, the best decisions regarding directing patient flow need to be made. CrossCover enables the uniformity of treatment, onward referral, and discharge of patients.; National Guidelines are very generic and hard to implement locally. With CrossCover an NHS organisation’s own consultant experts can summarise all the relevant national guidelines and convey this information in an informative, innovative way directly into every Healthcare Professional’s workflow. Standardising not only management, but uniformity of documentation which is so important from a medicolegal perspective and for continuity of care.; Reducing unnecessary appointments will free up staff to deal with the elective backlog.
• Equal opportunity:

  Equal opportunity

  CrossCover will help to minimise health inequalities in access to and experience of health services by providing optimised and standardised pathways of care for all presentations which will help to reduce the impact of unconscious bias. This means no matter what a patients social gradient in health is or their index of multiple deprivation their clinicians will be given the same decision support information to guide their care without prejudice, thereby reducing inequalities in life expectancy. Similarly we can prevent inequalities in avoidable mortality by increasing the chances patients receive preventative interventions or more timely health care as better decisions are made at every presentation by their clinicians. Through collaboratively building and deploying the range of primary care/ elective decision support pathways we can help to reduce inequalities in long-term health conditions, such as degenerative joint disease that lead to long term disability. At the start of the contract we can complete the MSAT Tool and report half-yearly what is being done to tackle modern slavery within our organisation and supply chain. Our main activity to tackle modern slavery is to audit our supply chain and ensure we choose the best suppliers. We will continue to complete an MSAT on an annual basis.
• Wellbeing:

  Wellbeing

  CrossCover enables patient-facing clinical staff to follow best practice national guidelines adapted to local processes by local expert NHS leaders through providing tools to build fully interactive patient care flowcharts. This empowers rapid and optimal decisions that are essential to reduce unnecessary follow-up, reduce re-presentations to Primary and Secondary Care, reduce length of stay in Emergency Departments, and improve patient outcomes. Rationalising and standardising the clinical pathways helps the wellbeing of NHS staff, who are often in stressful challenging decision making scenarios. It can be hard for leadership in the NHS to actually operationalise best practice. By providing a means to easily do this, it will help the wellbeing of NHS leaders. CrossCover is a platform for collaboration across many communities and health providers to codesign optimised patient care pathways. It is designed to support standardisation of service delivery across Integrated Care Systems. During the contract, as part of our service, we will support the collaboration between health providers and communities.

Pricing

• Price: £900.00 to £38,800.00 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@primumdigital.com. Tell them what format you need. It will help if you say what assistive technology you use.