Cimar Ltd

Cimar Medical Imaging Vendor Neutral Archive (VNA) and Disaster Recovery (DR) in the Cloud

Gain a Single Source of Medical Imaging Data with Cimar's cloud VNA. Images can be archived, transferred, viewed, and connected. Non-DICOM imaging can be stored side-by-side with DICOM providing a holistic view. Cimar provides elastic storage - no need to purchase space in advance or be concerned about high-watermark budgeting.

Features

• VNA - Centrally accessible and searchable vendor agnostic storage
• Disaster Recovery - long-term storage for business continuity assurance
• PHI Normalisation - Standardise patient identifiers across all data
• Remote Access – log-in from any device with Internet connectivity
• Zero-footprint diagnostic viewer - access from any PC, Mac, tablet
• 3rd Party Integrations - Integrate with EMR, RIS, Portals
• Image Ingestion - Improve normalising incoming exams processes
• Image Sharing – Secure real-time image sharing to anyone, anywhere
• Image Routing - Gateway technology used to auto-route imaging
• Automation - workflows automate activities around PHI normalisation sharing, etc.

Benefits

• Reduce On-Premise storage and IT costs. Cloud-native service.
• Low-cost Vendor Neutral Archive
• Low-cost disaster recovery
• Borderless image sharing and transfer to anyone, anywhere
• CD Elimination
• Elastic, Scalable Storage
• Image Enable Patient portals and Electronic Medical Records
• Secure, remote management of VNA/DR.

£0.10 to £5.00 a transaction a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at d.wait@cimar.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

645743077886934

Contact

Mr Dennis Wait
07771824829
d.wait@cimar.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: PACS - Seamlessly connects to any Vendor's PACS via gateway technology, enabling direct PACS-PACS sharing and simple and borderless medical image exchange.; RIS - Cimar is fully compatible with all RIS and HL7 message exchange.; EHR / PATIENT PORTAL - API embeddable imaging layer inside 3rd party applications.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: Service is provided on a 99.8% uptime.; Maintenance windows are rarely required but are advised well in advance if ever needed. Maintenance and releases performed out of normal working hours to minimize possible disruption.
• System requirements:
  • Internet Connection: Wifi, Broadband or 4G, 5G
  • Internet-connected device - PC, MAC, Laptop, Tablet, Phone (IOS/Android)
  • User devices maintained with anti-virus and local security policies
  • Internet Browser supporting HTML5 (see supported list)
  • Cloud automated connectivity (optional): Cimar Gateway (DICOM/HL7 Broker)
  • Gateway Host VM(Windows) / Appliance (Windows or MacOS)
  • VPN or custom connection config not required
  • (Minimum bandwidth requirements dependant on workflow. Contact for advice)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times apply to working days and support contract.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Cimar’s approach to supporting our client's administration of their cloud account. When issues arise we are here to support you 24x7x365. ; ; First Level Support ; ; 1. Verifying entitlement to receive support. ; 2. Taking the initial call from the Subscriber, and tracking the problem until its resolution. ; 3. Assigning an initial severity level to the problem. ; 4. Checking the list of known problems and workarounds. ; 5. Implementing resolution to known problems or assisting Subscriber with a workaround where feasible. ; 6. Isolating, identifying, and reproducing unknown problems reported by Subscriber. ; 7. Researching a workaround or other solution to an unknown problem. ; 8. Escalating the issue to Second Level Support if unresolved at this level. ; 9. Advising Subscriber of status changes related to reported problems. ; ; Second Level Support ; ; 1. Confirming the severity level of the problem. ; 2. Investigating and analysing the problem. ; 3. Providing resolution of problems with known corrections or workarounds. ; 4. Escalating an unknown problem to Third Level Support (Engineering). ; 5. Delivering hotfixes to Subscriber. ; 6. Providing assistance with more complex installation/configuration problems. ; 7. Advising Subscriber of status changes related to their reported problem.; ; Cost depend on service contract or Pro-Serve rate.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Cimar provides an extensive library of on-line user support material, and provide 'train-the-trainer' knowledge transfer as required. Additional training services can be provided upon request, including online web-event tutorials by arrangement.; ; Cimar also assists in providing custom support material for our clients that can be accessed by all users via our client's intranet, or log in to Cimar's service.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data can be extracted or migrated at any time from Cimar via Cimar's Gateway - directly to any DICOM node or suitable receiving system. ; Large volumes (Tb) are best migrated by arrangement with Cimar, where a cost for such migration will be quoted, dependant on volumes, and our clients' requirement complexity. e.g. to physical drive/NAS/SAN, or if we are required to transcode data to specific syntaxes for import into other systems. Numerous variables can apply, and Cimar is always committed to making the migration as painless as possible for our clients.
• End-of-contract process: Since Cimar is entirely Vendor Neutral, we are able to export/migrate data we host - in formats our clients require - that match other DICOM 3.0 compliant systems.; Depending on the workflow Cimar has been used for, we agree with our clients what data migration needs should be accommodated. ; In some workflow scenarios, Cimar holds only copy images, and their retention may not be required. In other workflows, we are the core archive - in which case all images will most likely require migration to another system. ; Users continue to use Cimar as normal throughout the termination period, whilst planning and execution of the transitional process between systems of their choice occurs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The Cimar cloud solution and mobile app run on smart mobile devices (phone and tablet) with suitably constrained diagnostic functionality.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Cimar's UI is accessed via the zero-footprint, browser-based user interface. Securely accessed using username and password, 2FA or SSO. The interface is 'white labelled' using customer logos, terminology, colours, language, workflows, and vanity URL.
• Accessibility standards: None or don’t know
• Description of accessibility: Viewing studies, sharing studies, downloading workflow management, security, roles and permissions and full administration of the platform is accessed via the zero-footprint Cimar user interface. ; ; All Cimar's services are also accessible via 3rd party applications via API, including Electronic Health Records, Radiology Information Systems and any other applicable applications.
• Accessibility testing: N/A - No direct testing with assistive technology has been completed by Cimar. Where and how our cloud is integrated in an assistive environment, depends on the development scope and implementation remit of those apps and programmers that elect to embed our cloud. Native access to our cloud is entirely through browsers, and the functionally in these (assistive functions, configuration and settings), are features of the browsers themselves, rather than Cimar's PACS UI.
• API: Yes
• What users can and can't do using the API: Cimar provides a complete RESTful API, featuring all functionality as embeddable components. This ranges from a raft of image harvesting, manipulation, transcoding, and viewing functionality, to web diagnostic reporting, VR support, and RESTful cloud archiving and recall. ; ; All API integration is via JSON and web-hooks. Integration can either via synchronised encrypted hyperlink exchange or as native JSON calls between platforms. we support AD and SSO via Ping identity services. ; ; Embedded imaging functionality can be achieved in as little as a few hours, or complete integration at a granular level typically takes a few weeks coding. ; ; Cimar can also be embedded using simple hyperlinks to Cimar hosted image harvesting and dynamic viewing services - including a complete, customisable Second Opinion Portal. All User Interface presentation can be customised and honed to match applications into which Cimar is embedded.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Cimar's Service interface can be extensively customised. ; The User Interface can be adapted to include custom terminology, other languages, CSS colour schemes, white-labelled branding, and URL access.; Unlimited custom fields can be added, and if required, auto-mapped to DICOM tags. ; Smart rule-logic can be customised to accommodate IF/ELSE logic within workflows and such rules can be content-aware using Cimar’s Machine Learning features to automate and transcode study, PHI, or custom field content.; The platform is designed to enable clients to design and create their own bespoke workflows, to the extent that user roles, functionality permissions, rules-based logic, and automated tasks can all be configured to match existing or new operational practices as required.

Scaling

• Independence of resources: Our host platform is hosted with AWS (S3) and is built on a dynamically expandable architecture where load balancing manages system performance and on-demand resource availability. Storage is elastically expandable, as is application and Database layer infrastructure running as a virtual environment.; ; Object or Block storage architectures are available as required.

Analytics

• Service usage metrics: Yes
• Metrics types: Dashboard usage graphs are available as permissible role functionality. Detailed study reports can be downloaded including custom field content and study metrics. Audit trails at study and user activity levels can be viewed where role profiles permit, and similarly exported as structured data reports.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Ambra Health Inc. an Intelerad Company.

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported any time via Cimar's Gateway - directly to any DICOM or VNA node or suitable receiving system. ; Large volumes (TB) are best migrated by arrangement with Cimar, where a cost for migration will be quoted, dependant on volumes and requirement complexity. e.g. to physical drive/NAS/SAN, or if we are required to transcode data to specific syntaxes for import into other systems. We can script to match/de-dupe/morph studies during export enabling easy synchronisation between our platforms connected to our Service. ; Numerous variables can apply, and Cimar is committed to making migration a painless excercise for our clients.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • DICOM
  • Bulk data migration of all formats is possible
• Data import formats: Other
• Other data import formats:
  • DICOM
  • JPEG - Viewable in Cimar's Zero-footprint DICOM Viewer
  • BMP - Viewable in Cimar's Zero-footprint DICOM Viewer
  • TIFF - Viewable in Cimar's Zero-footprint DICOM Viewer
  • AVI - Viewable in Cimar's Zero-footprint DICOM Viewer
  • MPG - Viewable in Cimar's Zero-footprint DICOM Viewer
  • PDF - Viewable in Cimar's Zero-footprint DICOM Viewer
  • PNG - Viewable in Cimar's Zero-footprint DICOM Viewer
  • Any other format can be DICOM wrapped

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: We provide patented Split/Merge protection for all data within our network. Images at rest are stored without any identifyable PHI, which is held separately in an encrypted database. United Image and PHI data only occurs in system memory, either at the time of reciept or request. In addition all data carried to and from our service is either over N3 exlusively, or over HTTPS (256 bit AES or DES encrypted). ; ; Cimar is also accessible as an Internet service, but only as an HTTPS protected connection. this can be through N3's internet Gateway or externally - e.g. by patients.

Availability and resilience

• Guaranteed availability: Service Level (System Level Uptime) is determined as a percentage of time in a month that the system is available and functioning properly as defined below. Cimar will provide the uptimes listed in the chart below. Recurring maintenance windows, scheduled downtime, and emergency updates are excluded from the system level uptime percentage calculation. Additionally, any downtime caused by the Subscriber environment is not considered downtime for any component of the Cimar application. (i.e. Subscriber internet connection is down, a power outage at a Subscriber site, etc.); ; System Component/Function Service Level (System Uptime): Application Suite 99.9 % Gateway 98%; ; Regular maintenance windows are agreed upon as needed with our clients.
• Approach to resilience: The AWS S3 global infrastructure utilised is built around Regions and Availability Zones. AWS Regions provide multiple, physically separated and isolated Availability Zones that are connected with low latency, high throughput, and highly redundant networking. These Availability Zones offer an effective way to design and operate applications and databases. They are more highly available, fault-tolerant, and scalable than traditional single data centre infrastructures or multi-datacenter infrastructures. Replicating objects can be used, which enables automatic, asynchronous copying of objects across buckets in AWS.; Applications can be deployed across multiple Availability Zones in the same Region for fault tolerance and low latency. Availability Zones are connected to each other with fast, private fibre-optic networking, enabling the ability to architect applications that automatically failover between Availability Zones without interruption.; Lifecycle configuration, versioning, S3 object lock and storage classes are also deployed to ensure additional resilience. Versioning is a means of keeping multiple variants of an object in the same bucket. With versioning, you can easily recover from both unintended user actions and application failures. Using S3 Object Lock, we can prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.
• Outage reporting: All of these can be configured if required.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
• Access restrictions in management interfaces and support channels: Customers have the option to raise a support request via telephone or email. Cimar authenticates the enquirers identity by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. Application administrative access is only available to those users, that our clients permit. this is only application level admin, and no deeper system access is possible. Such access is used to configure the clients own account settings, which is entirely separate from all system and infrastructural configuration settings.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS-303492019
• ISO/IEC 27001 accreditation date: 05/04/2019
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials
  • ISO27001
  • ISO9001
  • FDA 21CFRPart11
  • The Health Insurance Portability and Accountability Act (“HIPAA”)
  • Cyber Essentials Plus
  • NHS DSP Toolkit [Exceeded]

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We adhere to a formal, monitored and reported information and system security program. This is comprised of our own policy library as is reflected in our ISO 9001 accreditation and GDPR policy documentation. Policy documents include; hazard analysis, information security program, 3rd party integration policy, breach policy, incidence response policy, system access policy, disaster recovery and business continuity policy, privacy policy, encryption policies and additional systems specific monitoring and reporting policies. Our policies provide the structure for periodic and continued monitoring and reporting. Exceptions are reported upstream through management, with ultimate responsibility sitting with the CEO.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Cimar uses the Github System for configuration management of source code. All application change development is managed on a siloed principle, before deployment to a complete UAT environment with full roll-back capability. A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP test principles. Once a new releases resilience and performance is validated, security and stress tested, deployment to live cloud is implemented.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Cimar has a documented vulnerability management policy and process with Ambra Health, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3. Where technically possible, real-time updates and status reports are identified and sourced from credible sources. For other systems and software, assigned Ambra personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require technical attention or preventative action.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In accordance with best practice from the National Cyber Security Centre, and Cyber Essentials, Cyber Essentials Plus, Cimar thoroughly protects its applications and systems at the hypervisor level and below. Our approach to protective monitoring includes realtime checks on malicious threats, Portscan attacks, evidence of unauthorised access to privileged accounts and anomalous occurrences that are not related to specific applications on the host, suspicious activities at a boundary, network connections and the status of backups, amongst others. All alerts are immediately notified to us for prompt investigation.
• Incident management type: Supplier-defined controls
• Incident management approach: Incident Management is managed through our own/Ambra policies which conform to the requirements of 21CFRPart11 and as detailed in our ISO9001 procedures. Our Incident and security monitoring policies define the chronological processes and remedial activities in the event of a detected threat that requires action above our systems automated threshold of control. Such action is reported through a predefined command/responsibility structure, and all such reports are recorded.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

• Fighting climate change:

  Fighting climate change

  451 Research show that AWS’s infrastructure is 5 times more energy-efficient than the median surveyed. More than two-thirds of this advantage is attributable to the combination of a more energy-efficient server population and much higher server utilization.; Cimar will continue to review and apply best practice to reduce our impact on the environment.
• Covid-19 recovery:

  Covid-19 recovery

  Cloud and cloud technology providers allow for the re-use of common components, during the Covid recovery period and beyond this will enable government and private healthcare digital service teams to respond to digital transformation needs in a matter of days, and at scale. This was proven through the remote reporting capabilities Cimar enabled during the pandemic.
• Tackling economic inequality:

  Tackling economic inequality

  Measurement of income inequality is generally concerned with inequality in disposable incomes. Cimar measure staff economic equality against the Gini coefficient aiming to remain below the UK average of 0.35.
• Equal opportunity:

  Equal opportunity

  Cimar recognises that it is essential to provide equal opportunities to all persons without discrimination. Our policy sets out the company's position on equal opportunities in all aspects of employment, including recruitment and promotion, and provides guidance and encouragement to the staff at all levels to act fairly and prevent discrimination on the grounds of sex, age, disability, race, nationality, ethnic or national origin, gender, religion, beliefs, sexual orientation, domestic circumstances, social and employment status, gender reassignment, or political affiliation or trade union membership. This list is not exhaustive. The company policy aims for the elimination of unlawful discriminatory practices and the promotion of measures designed to combat the effects of past discrimination. The policy aims to work within the legal context of The Disability Discrimination Act (2005), The Equality Act (2010), The Sex Discrimination Acts (1975 (Amendments Regs 2008)), The Race Relations Act (1976) and The Race Relations (Amendment) Act (2003), The Rehabilitation of Offenders Act (1974), The Health & Safety at Work Act (1998) and all other statutes as and when introduced.
• Wellbeing:

  Wellbeing

  The Cimar wellbeing policy strive to: To create a culture in the workplace, promoting and supporting the health and wellbeing of our team. To support the team in regular physical exercise To encourage employees to make healthy eating choices To provide the team with information on mental health issues to help raise awareness To deliver non-judgemental support to any team member experiencing a mental health issue To ensure the business has well-being champions who can support the team with mental ill-health Give any team member access to the mental health policy Deliver a thorough induction for all new starters, providing an outline of the organisation, the policies and the role they are expected to play The company aim to regularly monitor team wellbeing in order to check effectiveness of this policy.

Pricing

• Price: £0.10 to £5.00 a transaction a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Full access to a trial account including all available functionality.; By negotiation, inter-system (PACS, RIS, EMR) Gateway communications can be provided.; Trials are limited to PoC principles for our clients

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at d.wait@cimar.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.