MIG Primary Care Data Set Service

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Health information exchange, portal, electronic medical records, electronic patient records, integration engines, healthcare clinical systems, patient apps.
Cloud deployment model: Private cloud
Service constraints: • Core systems being EMIS Health, Vision, TPP or Microtest
• Full streaming to Vision 360 for Vision sites
• PDS and/or MIG Trace, Extended Patient Trace
• Sharing Agreements in place with relevant endpoints as per content model
• Healthcare Gateway have a monthly maintenance window for 1 hour per month on a Wednesday between the hours of 12:00 and 13:00.
System requirements: Health and Social Care Network or N3 access required

User support

Email or online ticketing support: Email or online ticketing
Support response times: Users can report an incident to our service desk via an online service portal, telephone or email. All incidents logged over the weekend receive an automated response however, incidents are not actioned until next working day. Email response time is within 30 minutes.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: All incidents/service requests are recorded within the service desk system and allocated a priority depending on severity. When an incident is reported to the Healthcare Gateway Service desk, the team will create an incident log and assign a priority level which will dictate the target incident resolution time. The priority is derived from the assessment of the impact and urgency of the reported issue. The priority levels and target resolution times are as follows: level 1 - 4 hours level 2- 8 hours level 3 - 16 hours level 4 - 48 hours level 5 - 144 hours Healthcare Gateway use reasonable endeavours to resolve each incident in accordance with the relevant target resolution time as described. The counter will run within the support hours relevant to the priority of the incident. Incidents will be closed once resolved, or where a suitable workaround has been provided. Healthcare Gateway delivers a standard support contract as part of any contract agreed with customers. The support levels are included as part of the MIG service annual licence charge. Each Healthcare Gateway customer is assigned their own account manager who will assist with issues and provide commercial guidance where appropriate.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: HGL apply a tried tested approach to the deployment of MIG services. Within this context all the project management activity is based upon a tailored plan to meet the individual project requirements, taking into account the varied system estate and resource allocation, which can determine the rate and complexity of the implementation.

HGL will appoint a project lead to progress the project implementation of the services ordered. The HGL Project lead will organise a project initiation call or meeting with the customer. This expected outcome from this meeting is to discuss and agree the following:
• Roles and Responsibilities
• Commercial Review
• Project dependencies including Supplier Accreditation and Information Governance
Agree the Project Plan
• Discuss the HGL Implementation Process
• Support and Service arrangements
• Training Requirements

HGL will provide an Implementation Plan outlining the activities required by all stakeholders to enable a successful deployment; the HGL project manager will update this plan as the project progresses. The HGL project manager will ensure regular checkpoint calls are scheduled with all stakeholders to discuss progress, raise risks and/or issues and review progress in line with the implementation though the go live of the service
Service documentation: Yes
Documentation formats: HTML

PDF

Other
Other documentation formats: Microsoft Excel

Microsoft Word
End-of-contract data extraction: As the MIG is a bi-directional brokering service it does not hold or store and any data, therefore at the end of the contract there is no data for a customer to extract. The only element that our customer may request is a CSV file which confirms their configuration for example what connectivity there was between organisations . This will be available on request at no extra charge
End-of-contract process: At the end of a contract the Specialist Dataset service will be decommissioned. As no data is stored in the MIG service, no data extraction is required. We simply remove the consuming and providing organisations that come under the contract from our sharing agreement configuration using the MIG management portal. There is no additional charges incurred by the customer.

Using the service

Web browser interface: No
Application to install: No
Designed for use on mobile devices: No
Service interface: No
User support accessibility: None or don’t know
API: Yes
What users can and can't do using the API: Via our API, customers can locate patient information using NHS number or patient demographics. Across multiple care settings and systems, users obtain details about where the patient is registered and what data is available. User select what information they which to retrieve from care setting or system, this can be taken as structured or unstructured patient data depending on system. Data is then shared in real time and presented to accredited MIG client systems based on local sharing agreements.

Healthcare Gateway have in place a robust accreditation process for partners who wish to connect to our API. Partners will be provided access to our development pack and sandpit environment. Dedicated support is given by our technical integration team. Once connectivity has been achieved, partners will attain MIG accreditation status.

Changes cannot be made to the MIG schemas to accommodate bespoke solutions. The MIG messaging interface is the foundation of the service we provide and facilitates interoperability through the use of a shared standard.
API documentation: Yes
API documentation formats: HTML

Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The service can return the patient information as either as a series of 10 tab html views or as structured data. Data is presented as 10 views • Patient summary • Problems • Diagnosis • Medication (current, past and issues) • Risk and warnings • Procedures • Investigations • Examinations (Blood pressure measurements) • Events (Encounters, admissions and referrals) • Patient demographics Users can choose to take all of the above views or a subset of these views as HTML In the case of structured data, users can manipulate and present the data to appear native to the host application, persist this data and amalgamate data to create graphs, charts and dashboards Customisation would be done by the consuming system supplier

Scaling

Independence of resources: Our infrastructure provides highly optimised services which have been designed to be horizontally scaled.
Each service call is initially load balanced across our service infrastructure to several potential service nodes so that any load is spread evenly across them.
The number of these service nodes has been chosen to far exceed our current load capacity expectations so that any spikes in service usage or long running requests won’t impact our expected response times.
All of our infrastructure components have been carefully chosen to be the best in practice where performance, scalability, and resilience are concerned.

Analytics

Service usage metrics: Yes
Metrics types: Healthcare Gateway service metrics by way of a monthly report to customers on request . This demonstrates the total number of transactions for the reported period by organisation. This also includes a breakdown of those successful and failed transactions along with raw data for the period. Enhanced reporting is available at an additional charge. Bespoke analytical reports are available from the service desk on request subject to availability.
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: As the MIG is a bi-directional brokering service it does not hold or store and any data, therefore at the end of the contract there is no data for a customer to export.
Data export formats: Other
Other data export formats: Not applicable no data to export
Data import formats: Other
Other data import formats: Not applicable no data upload required

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network
Data protection within supplier network: Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: We do not guarantee any level of availability, we use reasonable endeavours to provide at least 99% availability in respect of the relevant service during its standard support hours.
Service availability shall be represented as a percentage, calculated as follows:
• actual minutes in month – planned downtime minutes = total service minutes
• total service minutes – unplanned downtime minutes*100% = Availability

Service availability is measured at the end of each calendar month.
For the avoidance of doubt, issues and downtime caused by the acts or omissions of the customer or any third party caused outages or disruptions will be taken into account by HGL on an appropriate basis when determining the availability measure achieved.
Users are not refunded in the event of HGL not meeting SLAs
Approach to resilience: We operate the service from multiple availability zones to ensure redundancy in case of disaster.
Our application infrastructure is designed to provide resilience through multiple deployments of application nodes within each data centre. Each application node consists of multiple containers where we deploy our application services. This micro-service-based architecture pattern provides resilience through isolation as any failing service is highly unlikely to affect other running services on the same application node. All application nodes are backed by a cluster of databases where data is replicated between them and in the event of any failure, failover can take place to an alternative database. Databases use tiered storage structure to provide a facility to take snapshots at regular intervals to secondary storage so that, in case of any failures, we can restore all data to the last snapshot.
Outage reporting: All outages and/or scheduled maintenance are reported to stakeholders using the Atlassian Status Page Software. This software is the method used for all Services provided by Healthcare Gateway by default all updates are also set to update the Service Delivery Twitter feed.
Stakeholders sign up for this reporting service using the webpage and from their can choose how they receive the alerts (email, text or RSS feed) specifically for them and how often.
The page is updated manually be the Service Delivery team at each stage of an outage (issue, monitoring, resolved) then a root cause analysis provided if appropriate. The API of this software is also linked to our Social Media account on Twitter should the stakeholder prefer this method of communication.

Identity and authentication

User authentication needed: Yes
User authentication: Public key authentication (including by TLS client certificate)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: Restricted access to our management interfaces is provided by a firewall IP whitelist. Once the firewall has established a users IP as valid, a user must also have valid username/password credentials to access any of the web portals developed for various elements of our infrastructure. We limit the ability to provide maintenance to a limited number of technical staff and whose access has been approved by heads of departments and elevated by a change process to an internal technical services team for review. The maintenance staff can only access lower levels of our infrastructure by using SSH public-key authentication.
Access restriction testing frequency: At least once a year
Management access authentication: Public key authentication (including by TLS client certificate)

Limited access network (for example PSN)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI Group
ISO/IEC 27001 accreditation date: 09/03/2020
What the ISO/IEC 27001 doesn’t cover: A 14.2.7 Outsourced Development
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Healthcare Gateway follow ISO 27001 methodology and are independently certified to the ISO/IEC 27001: 2013 standard.
Healthcare Gateway are committed to establishing, implementing, operating, monitoring, reviewing and maintaining an Information Security Management System.
Healthcare Gateway have an overarching information security policy with clear aims and objectives set throughout the business with robust processes in place, which are as follows;
• Information security risk assessment process that assesses the business harm likely to result from a security failure and the realist likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and controls currently implemented;
• Defined security controlled perimeters and access controlled offices to prevent unauthorised access, damage and interference to business premises and information;
• Data classification and exchange guidelines, including compliance with regulations;
• Development and maintenance of an appropriate business continuity plan to counteract interruptions to business activities and protect critical business processes;
• Information security awareness guidance for all company employees;
• Incident management and escalation procedures for reporting and investigating security incidents and;
• A senior management team that supports the continuous review and improvement of the companies Information Security Management System.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: This is controlled by our internal development policy here all releases and development work is risk assessed. This process is controlled and managed by the Development team, Product Owner and Clinical Safety Officer. Services are managed during the lifecycle by monitoring their usage, this task is performed by our Product team.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We follow our secure development policy which outlines a development process that covers secure development coding guidelines. Each development work item is validated by a definition of done which includes having an assessment by an external clinical safety officer. The clinical safety officer is responsible for classifying each work item according to criteria defined by our Safety Hazard Log and, if a vulnerability is identified, then the emergency release process is followed. This is assessed by a change advisory board and the system will be patched at a time and date specified by the change advisory board (within 24 hours)
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We perform regular PEN tests by external contractors that assess the accessibility of our application programming interfaces (API) against current security standards which are covered by Cyber Essentials, PCI Security Council Standards, CHECK, Crest, and TigerScheme accreditation's. Our PEN tests are scheduled every year or upon any major API changes and any issues are categorised from low to critical. Any issues that are identified as high or critical are address immediately. All other issues are assessed and prioritised by the seriousness of their nature and if any clinical safety is involved and then scheduled into our normal development life cycle.
Incident management type: Supplier-defined controls
Incident management approach: Healthcare Gateway have a predefined process in place for all incidents. Users will report this incident via a set template giving a description and severity of the incident this is then handled by the information security officer who will report back to user when the incident has been logged and resolved. During handling the information security officer will resolve the incident via the correct department and put in service improvement if required to prevent re-occurrence.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: Yes
Connected networks: NHS Network (N3)

Health and Social Care Network (HSCN)

Wellbeing: Wellbeing

HGLPD55 Employee Wellbeing Policy outlines the duty of care to manage risks to the health and safety of our workers, including minimising the risk of harm to their wellbeing, and this policy sets out how we go about fulfilling our obligations.

We will seek to foster an appropriate culture by ensuring line managers receive necessary training and by putting in place initiatives that raise awareness of wellbeing issues at work.

• Occupational health
• Employee assistance programme
o confidential short-term counselling
o advice on money and managing debt;
o some basic legal information and guidance.
• The HR department, in close liaison with line managers, will assist the company in achieving he highest levels of wellbeing
• Wellbeing initiatives
o We believe it is necessary to target environmental and organisational factors that are proven to have an impact on wellbeing. In doing so we raise awareness of behaviours that present health benefits or risks and also support lifestyle changes among our workers.
• Ensuring participation in wellbeing activities
o taking a collaborative approach to wellbeing and involving employees in developing any initiatives.
• Health promotion
o stress management;
o disability awareness;
o lifestyle behaviours e.g. excessive use of alcohol/drugs and smoking;
o physical activity and fitness including lunchtime walking and exercise clubs.
• Physical activity
o encourage all our workers to become more active
• Healthy eating
• Stopping smoking
o We understand that smoking is a personal choice, and some workers may not want to stop, but for those that do we will offer appropriate help and advice
• Mental wellbeing
• Workplace stress
• Mental ill health
o We are committed to providing support to workers with a mental health illness and to raising awareness of mental health among the workforce.

Pricing

Price: £5,000.00 a unit a year
Discount for educational organisations: No
Free trial available: No

MIG Primary Care Data Set Service

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

MIG Primary Care Data Set Service

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents