X-Lab Limited

Labgnostic

Labgnostic (previously known as NPEx) enables any diagnostic laboratory to electronically refer test requests or results to any other laboratory on our network, through a single interface.

Features

• Integrate with any other lab on the network
• Send requests and get results via a single interface
• Support for numeric, enumerated, free test and PDF results
• Use the same Lab <> Lab workflow with EQA providers
• View the status of shipments with sample tracking
• Cloud-hosted, regularly updated and highly available

Benefits

• Remove unnecessary, manual processes for Lab <> Lab workflows
• Reduce turnaround times
• Improve patient safety by reducing transcription errors to zero
• Reduce unnecessary chasing with sample tracking and audit trails

£15,000.00 to £43,945.00 a licence a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at commercial@x-labsystems.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

739292878367056

Contact

Commercial Department
07787656851
commercial@x-labsystems.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements: N/A - we cater for the buyers requirements.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Online ticketing support (Jira Service Desk) is provided 9:00 and 17:30 Monday to Friday, excluding Bank Holidays. Within these hours the tickets are responded to as follows: ; ; 1) Urgent severity - Before the start of the next Business Day;; 2) High severity - Before the end of the next Business Day;; 3) Medium - 2 Business Days;; 5) Low - 3 Business Days
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: The below is a summary of the support levels covered under Annual Maintenance and Support costs. Tickets are resolved and responded to via Customer Support Analysts and the Service Manager.; ; Support levels:; 1) Urgent severity - The whole site affected - Before the start of the next Business Day;; ; 2) High severity- Key business affected, no workaround - Before the end of the next Business Day;; ; 3) Medium- The whole department affected, not a key business, workaround possible - 2 Business Days;; ; 4) Low- Individual user affected - 3 Business Days; ; ; Out of Hours: ; On call 3rd line engineering is provisioned as part of this service. This support is triggered by internal alerting and monitoring of key components of the system, which are designed into the service to minimise the risk of loss of service. No formal service management is provided outside of our standard working hours, which means any support requests logged outside working hours will be dealt with between 09:00 and 17:30 (Mon-Fri).
• Support available to third parties: No

Onboarding and offboarding

• Getting started: X-Lab prides itself on excellent customer service with each of our Labgnostic customers assigned a dedicated Account Manager. The Account Management team is an integral part of the organisation and works closely with the Onboarding and Support team as part of the wider Customer Success function.; ; The Account Managers work closely with the Sales team and are introduced to new Labgnostic customers during the sales process. Prior to customers' onboarding to the Labgnostic service, we ensure a contract is agreed and that all labs joining the network comply with information governance (in the form of a Data Protection Agreement). The Account Manager will work closely with the customer to maintain engagement, agree a utilisation plan, deal with any escalations, communicate service developments, and continually review the customer experience.; ; We provide a welcome pack containing a high-level overview of what to expect during the Labgnostic onboarding process (including supporting documentation, prerequisites, required stakeholders, key milestones, and a bespoke onboarding plan.; ; Training and support are offered online however there is scope for training to be delivered onsite.; ; Testing scripts are provided to the customer to validate testing ahead of sign off and cutover into production.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
  • Other
• Other documentation formats:
  • Word
  • Excel
• End-of-contract data extraction: We don't explicitly extract/remove data when a contract ends. We have a Retention Policy which is available on request. Data is removed from the production system after 4 months by default and will be removed from the archive after a further 2 years. Customers can reduce their retention period for production to a shorter period (we recommend no less than ~1 month, but this could be shorter if required).Upon request from an exiting customer a final data extract can be provided. This is a complex process as we would need to obtain agreement from all third party organisations that hold data sharing agreements with the off-boarding customer.
• End-of-contract process: Labgnostic customers usually renew their contract at the end of the subscription term. Should a customer decide to end the contract, the termination terms form part of the contractual documentation. The dedicated Account Manager would work with the customer to ensure any outstanding invoices have been paid and would facilitate an off-boarding plan with the relevant teams. The tasks carried out by the X-Lab team include the deletion of the connection profiles, the decommissioning of the Customer VPN and the removal of web access configuration. The team would be required to wait until the archive period elapses and delete the laboratories. End users would need to be removed from Jira (the Customer Relationship Management - CRM) system. Users would also need removing from any service communications. The customers would be expected to liaise with other Labgnostic partners to communicate and manage the process, although the team at X-Lab could assist and advise where necessary.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Interactions with Labgnostic are either through a set of user interfaces, or via connections to Laboratory Information Management Systems (LIMS); ; There are two key user interfaces - delivered as web applications and accessed via a supported browser - one managing administration and configuration, and the other managing bookings, orders and shipments.; ; Labgnostic has a number of interfaces for common LIMS used by pathology labs that have been developed to LIMS vendor's HL7 interface specifications. There is also a LIMS type-agnostic specification available that connecting customers are able to develop to if a vendor specific module is not available.
• Accessibility standards: None or don’t know
• Description of accessibility: The service is accessed via a browser based user interface.
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: Labgnostic relies on APIs to function, allowing service users to send requests and get results from any other system on the network. Most systems are integrated via HL7 over MLLP, but support also exists for connecting via S3, or over SFTP, FTP or FTPS.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Labgnostic is built to scale horizontally and vertically making best use of available managed cloud services. Given the nature of the service providing a network of customers together, no guarantee can be made that an abnormally high load from one customer would not affect another.

Analytics

• Service usage metrics: Yes
• Metrics types: On request we can provide performing & referring transaction volumes for each customer, and can provide more detailed analysis (e.g. turnaround times or transaction volumes segmented by test type and partner lab) on request. This would require work from Engineers to provide.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Test configuration data can be exported from the application in JSON format on a per test basis. Order and Results data can not be exported from the system by the users, but they are exported/delivered outbound to LIMs systems via a selection of formats and protocols.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • HL7
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • JSON
  • HL7

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We aim to ensure that the service is available throughout the Subscription Term for 99.7% of the time.
• Approach to resilience: We use Azure's cloud native redundancy and resilience tooling to ensure our platform is spread over multiple datacentres and regions within the UK
• Outage reporting: - Jira Service Desk Portal Banner; - Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Azure AD group membership with conditional access and MFA.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus expected June 2022

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: N/A
• Information security policies and processes: We employ a suite of ~20 information security policies loosely based on ISO27001 ISMS format to govern our security policies and procedures.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We ensure that security requirements are captured as far left in the SDLC as possible to ensure we have resources to appropriately remediate. All changes are developed using pair programming, and scanned for static code analysis including infrastructure as code static analysis (policy-as-code)
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerabilities identification is done by our vulnerability management tool and reported back every 6 hours. Vulnerabilities are then logged automatically as tickets for the respective team to remediate within our SLAs, with reporting on adherence to SLAs fed up to senior management.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Logging from endpoints, IaaS , PaaS, SaaS tools are ingested by our SIEM and monitored by our SOC on a 24/7 basis with proactive threat hunting activities conducted monthly.
• Incident management type: Supplier-defined controls
• Incident management approach: Our incident management approach is holistic as part of our risk management and BC/DR management approach. All suspected or confirmed security incidents are reported to the infosec team who triage and follow the predefined playbooks for various common incidents. Any live incidents have a PIR conducted with the Lessons Learned captured and remediated within SLAs. Incident Reports are provided to the customer within 48 hours of closure of the incident.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)

Social Value

• Fighting climate change:

  Fighting climate change

  N/A
• Covid-19 recovery:

  Covid-19 recovery

  Labgnostic (formerly NPEx) plays a key role in lab-to-lab pathology test referring and reporting. As such, in relation to Covid-19 recovery and support of NHS labs, Labgnostic is critical in providing pathology networks with core technologies and solutions.
• Tackling economic inequality:

  Tackling economic inequality

  N/A
• Equal opportunity:

  Equal opportunity

  N/A
• Wellbeing:

  Wellbeing

  Labgnostic (formerly NPEx) provides lab-to-lab pathology networks across the UK. It is central infrastructure to numerous NHS lab services and is such is pivotal to healthcare across the UK.

Pricing

• Price: £15,000.00 to £43,945.00 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at commercial@x-labsystems.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.