FEEDBACK MEDICAL LIMITED

Bleepa - CareLocker

Bleepa is the only CE/UKCA accredited medical app that enables medical professionals to remotely discuss clinical decisions and help deliver safer, more efficient patient care.

CareLocker is a patient-centric cloud architecture that supports Bleepa’s functionality whilst simultaneously creating patient-specific records of care episodes to support care delivery across provider settings.

Features

• secure patient-centered clinical communication
• medical grade imaging exchange (e.g., DICOM)
• clinical referral management
• clinical pathway management
• clinical photography
• review and annotate clinical grade imaging
• encrypted, zero-footprint application
• cloud-based architecture to support patient-centered data storage
• customised workflows to optimise care pathways
• supports cross provider (e.g. Primary/Secondary/Tertiary, CDC) workflow

Benefits

• Enables remote discussion and clinical decision making
• Supports clinical referrals and treatment decisions across care settings
• Review and annotate clinical grade imaging
• Integrates with other clinical and information systems
• Secure, encrypted, zero-footprint application
• CE/UKCA accredited medical app
• ISO 13485, ISO 27001 and the Cyber Essentials Plus compliant
• Cost effective and optimized cloud data storage
• Deliver safer, more efficient patient care
• Improve workflows, processes and team collaboration

£2.49 to £6.00 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at stephen.mcateer@fbkmed.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

752336827688660

Contact

Stephen McAteer
+44 (0) 7472391260
stephen.mcateer@fbkmed.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Electronic patient records (EPR) ; Electronic Health Record (EHR) ; Picture archiving and communication system (PACS); Radiology Information System (RIS) ; Laboratory Information Management System (LIMS)
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: Short time window required monthly to apply system updates. ; This is arranged and planned in advance with the customer.
• System requirements:
  • For end users https internet access to Bleepa system
  • For PACS data ability to configure DICOM settings on PACS
  • For medical information systems input ability to configure HL7 feed
  • For mobile devices under MDM access to Bleepa app

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We work within Response and Resolution Service Level Agreements as agreed with the customer.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Our web chat is for basic assistance and guidance, such as help with user login issues, and is accessible both within the app, and from any web browser.
• Web chat accessibility testing: We use a well known industry standard third party application for web chat
• Onsite support: Yes, at extra cost
• Support levels: The support levels and costs are described in our terms and conditions and price guide. ; We have a support ticket escalation process in place which allows us to rapidly allocate the appropriate level of support personnel to each and every incident.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: New users receive an email notification with detailed instructions and a link to activate their accounts. ; ; Training materials are saved within the app and/or made available locally depending on the organisation. These include a mix of bespoke guides, presentations, FAQs and training videos. ; ; Online training in small group and 1:1 is made available. A train-the-trainer model is recommended.; ; Onsite training can be done depending on need. ; ; Our dedicated support desk - accessible by phone and email - is also available to troubleshoot and provide training.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All data can be exported as a set of structured information, in the format of the customer's choosing. In a typical use case, patient centric PDF exports are created on patient discharge, and then sent via HL7 or FHIR to an Electronic Patient Record system.
• End-of-contract process: All data can be exported via existing HL7 or DICOM interfaces. The cost of exporting using these interfaces is included as part of the contract. If there is a need, however for new interfaces to be established, or for the data export process to project managed there may be an additional charge for time and materials.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Bleepa is implemented as a "Progressive Web Application", which automatically detects the capability of the device upon which it is running. The behaviour on mobile and desktop are very similar, although the application layout varies depending upon screen size. Bleepa is also able to use built in camera on mobile devices to allow photo-capture. Bleepa is touch screen enabled, but can also be controlled via a mouse.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The service interface for system admins allows for user account administration, and workflow configuration.
• Accessibility standards: None or don’t know
• Description of accessibility: Normal users to not have access to the service interface.
• Accessibility testing: Not applicable.
• API: Yes
• What users can and can't do using the API: We provide interfaces that natively use HL7, FHIR or DICOM communication. We also integrate with existing user authentication systems such as Active Directory.
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Bleepa and CareLocker are designed to integrate with existing hospital systems, such as Patient Administration Systems, Radiology Administration Systems, Order Comms, Pathology Information systems or Picture Archive and Communication Systems. We can provide interfaces that natively use HL7, FHIR or DICOM communication. Our systems can be customised to fit the particular data model used by the customer. We can also integrate with existing user authentication systems such as Active Directory.; ; Once integrated with hospital systems, help our customers to design a set of workflows to help manage the flow of patients though care pathways - all implemented within Bleepa.

Scaling

• Independence of resources: Our typical deployment model is one where we set up a system that is dedicated to each customer. ; This allows us to scale up each customers system, as appropriate to their demand.

Analytics

• Service usage metrics: Yes
• Metrics types: Our products include a dashboard, to show the number of patients at each point in the workflow. ; We also work with our customers to provide them with appropriate statistics to help support their business need. This can for example, help them to monitor and measure the efficiency of a referral pathway, or to understand the timeline of patients through a particular clinical workflow.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: All data can be exported as a set of structured information, in the format of the customer's choosing. In a typical use case, patient centric PDF exports are created on patient discharge, and then sent via HL7 or FHIR to an Electronic Patient Record system.
• Data export formats: Other
• Other data export formats:
  • HL7
  • FHIR
  • PDF
  • DICOM
• Data import formats: Other
• Other data import formats:
  • HL7
  • FHIR
  • DICOM
  • PDF
  • JPG

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We aim to provide 24x7 uptime, other than when the system is down for scheduled maintenance or upgrades, organised in advance with the customer. ; Required uptime levels are discussed with the customer, and generally based on need.
• Approach to resilience: Our software systems are installed on industry standard datacentres, such as AWS or Azure. ; We utilise best practice on these platforms for data storage, and disaster recovery provision is always part of system design. ; We utilise a "Infrastructure as code" methodology for all deployments, to ensure that each system can be tested prior to use, and re-created rapidly and redeployed if an incident is encountered.
• Outage reporting: We proactively monitor our systems using independent third party tools. ; System health is routinely assessed, with automated system health reports generated by e-mail.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: We have a multi-layered approach to system set up, with application level access via load balancing front ends, with entirely independent channels used to access back end server infrastructure. ; Those channels are firewall controlled, with access via encrypted communications, accessed using 2FA controlled logins.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: SGS
• ISO/IEC 27001 accreditation date: 11.12.2020
• What the ISO/IEC 27001 doesn’t cover: The scope of our certification includes all software development, deployment and maintenance operations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: NHS DSP Toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have a clearly defined internal hierarchy, and have dedicated qualified information security staff. ; We comply with ISO 27001 requirements, and have such have an active programme of internal and external audit, with full management team engagement.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We include a full stack risk review of all software components and systems, compliant with the following standards: ; ISO 13485 Medical Device Quality Management; ISO 14971 Risk Management; ISO 27001 Information Security management; This has led to the development of secure development policies, and "infrastructure as code" mechanisms for system and update deployment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Secure development process; Incidents are analysed with care, and response is as appropriate to severity and impact of issue. Containment patches processed as rapidly as possible, with long term fixes .; Industry standard alerting systems, such as microsoft and uk cyber security centre
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our systems are set up with active monitoring ang logging to allow us to track system use, and potential misuse. ; We have an internal escalation process, which allows us to respond rapidly, appropriately and effectively to any incident that occurs.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We have an internal incident management process built on the needs of both ISO 13485 and ISO 27001; All reported issues come into our main helpdesk system, to allow effective and rapid triage. ; We have a pre-defined escalation process, to ensure that all relevant members of staff are involved rapidly when the need arises. ; Incidents reports are provided to relevant customers or other third parties as required during the incident.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

• Fighting climate change:

  Fighting climate change

  N/A
• Covid-19 recovery:

  Covid-19 recovery

  N/A
• Tackling economic inequality:

  Tackling economic inequality

  N/A
• Equal opportunity:

  Equal opportunity

  N/A
• Wellbeing:

  Wellbeing

  N/A

Pricing

• Price: £2.49 to £6.00 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at stephen.mcateer@fbkmed.com. Tell them what format you need. It will help if you say what assistive technology you use.