EMIS Ltd

MIG Shared Record Viewer (SRV)

MIG Shared Record Viewer is an independent web portal which provides healthcare professionals with instant access to the Medical Interoperability Gateway (MIG). It allows users to search for patients and view their medical records without an existing clinical system.

Features

• Compatible with all mobile devices
• Can be used in conjunction with any MIG datasets
• Internet browser based technology
• Fully auditable
• Designed to be fully adaptable to any screen size
• Smart card access not required
• Quick to implement
• Fully managed end to end service
• Cost effective

Benefits

• Implement without any development work
• Stand alone access, no dependency on existing clinical system
• Simple technology, quick and easy to deliver
• Can be used in any health or social care setting
• Tactical solution whilst systems or settings are accredited
• Perfect for data on the move
• Faster, improved decisions as access to real-time patient data
• Patients tell their story once
• Real-time sharing ensures clinical decisions are based on latest information

£4,850 an instance a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

829637567894358

Contact

Bid Team
0113 380 3000
bids@emishealth.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: MIG consuming portal which allows the MIG shared record viewer to be embedded in EMIS Web frame a system provided by EMIS Health.
• Cloud deployment model: Private cloud
• Service constraints: • There is a monthly maintenance window for 1 hour per month on a Wednesday between the hours of 12:00 and 13:00.; • Relevant sharing agreements in place
• System requirements:
  • Health and Social Care Network or N3 access required
  • Browser version IE7+ on Microsoft platforms, Chrome, Firefox, Safari

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times as detailed in MSA depending on incident level. Help Desk available 9am to 6pm Mon to Fri. Help desk remotely monitored at the weekend.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: N/A
• Onsite support: Yes, at extra cost
• Support levels: Service design and system training support is provided by the Professional Services Team. Commissioners can attend free masterclass sessions held at multiple venues that cover use of the platform but onsite training and support can be provided at a day rate cost of £495.00 plus VAT. Technical support is provided by the technical team. This support type is usually to investigate interoperability using APIs, creating bespoke reports etc. The rate for technical support is £895.00 plus VAT per day. Commissioners can purchase support packs. A three day support pack is available to cover training and service design at a rate of £1200.00 plus VAT.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: There is a tried tested approach to the deployment of MIG services. Within this context all the project management activity is based upon a tailored plan to meet the individual project requirements, taking into account the varied system estate and resource allocation, which can determine the rate and complexity of the implementation.; ; A project lead will be appointed to progress the project implementation of the services ordered. The MIG Project lead will organise a project initiation call or meeting with the customer. This expected outcome from this meeting is to discuss and agree the following:; • Roles and Responsibilities; • Commercial Review; • Project dependencies including Supplier Accreditation and Information Governance; Agree the Project Plan; • Discuss the EMIS Implementation Process; • Support and Service arrangements; • Training Requirements; ; EMIS will provide an Implementation Plan outlining the activities required by all stakeholders to enable a successful deployment; the project manager will update this plan as the project progresses. The project manager will ensure regular checkpoint calls are scheduled with all stakeholders to discuss progress, raise risks and/or issues and review progress in line with the implementation though the go live of the service
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Microsoft Excel
  • Microsoft Word
• End-of-contract data extraction: As the MIG is a bi-directional brokering service it does not hold or store any data. The Shared Record Viewer does however store users and audit information. At the end of the contract the customer has the option to extract the users and audit information stored in the Shared Record Viewer. This is done by way of a CSV export facility. All data can be exported via the auditing export functionality.
• End-of-contract process: At the end of a contract the Shared Record Viewer service will be decommissioned. On receipt of confirmation from the customer for decommission of the Shared Record Viewer, there will be one Auditor (customer) set up who’s responsibility it is to remove all of the data from the Shared Record Viewer. The customer will receive an email notifying them they have 3 months from this date to remove all of the data from the Shared Record Viewer. After 2 months has passed the customer will be notified that they have 1 month remaining. The final email will be notification of decommissioning and access will be removed. There is no additional cost for this process

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There is no difference between the mobile and desktop service
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: Our infrastructure provides highly optimised services which have been designed to be horizontally scaled.; Each service call is initially load balanced across our service infrastructure to several potential service nodes so that any load is spread evenly across them.; The number of these service nodes has been chosen to far exceed our current load capacity expectations so that any spikes in service usage or long running requests won’t impact our expected response times.; All of our infrastructure components have been carefully chosen to be the best in practice where performance, scalability, and resilience are concerned.

Analytics

• Service usage metrics: Yes
• Metrics types: EMIS service metrics by way of a monthly report to customers on request . This demonstrates the total number of transactions for the reported period by organisation. This also includes a breakdown of those successful and failed transactions along with raw data for the period.; Enhanced reporting is available at an additional charge. Bespoke analytical reports are available from the service desk on request subject to availability.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: All data can be exported from the Shared Record Viewer using auditing functionality. Filter options are available;; Time - to select any, last hour, today and yesterday.; Date - to select a date range.; Users - to select the a single or multiple user; Actions -to the specific actions that you wish to view; Detail - to filter the actions by a detail combined with the Action filter applied above; Filter - The value that applies to the detail filter; There is an option to bulk export all information.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network: Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: No level of availability is guaranteed, we use reasonable endeavours to provide at least 99% availability in respect of the relevant service during its standard support hours.; Service availability shall be represented as a percentage, calculated as follows:; actual minutes in month – planned downtime minutes = total service minute; total service minutes – unplanned downtime minutes /total service minutes * 100 = Availability; ; Service availability is measured at the end of each calendar month.; For the avoidance of doubt, issues and downtime caused by the acts or omissions of the customer or any third party caused outages or disruptions will be taken into account by EMIS on an appropriate basis when determining the availability measure achieved.; Users are not refunded in the event of EMIS not meeting SLAs
• Approach to resilience: EMIS operate the service from multiple availability zones to ensure redundancy in case of disaster.; Our application infrastructure is designed to provide resilience through multiple deployments of application nodes within each data centre. Each application node consists of multiple containers where we deploy our application services. This micro-service-based architecture pattern provides resilience through isolation as any failing service is highly unlikely to affect other running services on the same application node. All application nodes are backed by a cluster of databases where data is replicated between them and in the event of any failure, failover can take place to an alternative database. Databases use tiered storage structure to provide a facility to take snapshots at regular intervals to secondary storage so that, in case of any failures, we can restore all data to the last snapshot
• Outage reporting: All outages and/or scheduled maintenance are reported to stakeholders using the Atlassian Status Page Software. This software is the method used for all Services provided by EMIS by default all updates are also set to update the Service Delivery Twitter feed.; Stakeholders sign up for this reporting service using the webpage and from their can choose how they receive the alerts (email, text or RSS feed) specifically for them and how often.; The page is updated manually be the Service Delivery team at each stage of an outage (issue, monitoring, resolved) then a root cause analysis provided if appropriate. The API of this software is also linked to our Social Media account on Twitter should the stakeholder prefer this method of communication.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Restricted access to our management interfaces is provided by a firewall IP whitelist. Once the firewall has established a users IP as valid, a user must also have valid username/password credentials to access any of the web portals developed for various elements of our infrastructure. We limit the ability to provide maintenance to a limited number of technical staff and whose access has been approved by heads of departments and elevated by a change process to an internal technical services team for review. The maintenance staff can only access lower levels of our infrastructure by using SSH public-key authentication.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Less than 1 month

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI Group
• ISO/IEC 27001 accreditation date: 10/09/2022
• What the ISO/IEC 27001 doesn’t cover: A 14.2.7 Outsourced Development
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: EMIS follow ISO 27001 methodology and are independently certified to the ISO/IEC 27001: 2013 standard.; EMIS are committed to establishing, implementing, operating, monitoring, reviewing and maintaining an Information Security Management System.; EMIS have an overarching information security policy with clear aims and objectives set throughout the business with robust processes in place, which are as follows;; • Information security risk assessment process that assesses the business harm likely to result from a security failure and the realist likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and controls currently implemented;; • Defined security controlled perimeters and access controlled offices to prevent unauthorised access, damage and interference to business premises and information;; • Data classification and exchange guidelines, including compliance with regulations;; • Development and maintenance of an appropriate business continuity plan to counteract interruptions to business activities and protect critical business processes;; • Information security awareness guidance for all company employees;; • Incident management and escalation procedures for reporting and investigating security incidents and;; • A senior management team that supports the continuous review and improvement of the companies Information Security Management System.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: This is controlled by our Development policy where all releases and development work is risk assessed. This process is controlled and managed by the Development team, Product Owner and Clinical Safety Officer. Services are managed during the lifecycle by monitoring their usage, this task is performed by our Product team.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: EMIS follow our secure development policy which outlines a development process that covers secure development coding guidelines. Each development work item is validated by a definition of done which includes having an assessment by an external clinical safety officer. The clinical safety officer is responsible for classifying each work item according to criteria defined by our Safety Hazard Log and, if a vulnerability is identified, then the emergency release process is followed. This is assessed by a change advisory board and the system will be patched at a time and date specified by the change advisory board (within 24 hours)
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: EMIS perform regular PEN tests by external contractors that assess the accessibility of our application programming interfaces (API) against current security standards which are covered by Cyber Essentials, PCI Security Council Standards, CHECK, Crest, and TigerScheme accreditation's. Our PEN tests are scheduled every year or upon any major API changes and any issues are categorised from low to critical. Any issues that are identified as high or critical are address immediately. All other issues are assessed and prioritised by the seriousness of their nature and if any clinical safety is involved and then scheduled into our normal development life cycle.
• Incident management type: Supplier-defined controls
• Incident management approach: EMIS have a predefined process in place for all incidents. Users will report this incident via a set template giving a description and severity of the incident this is then handled by the information security officer who will report back to user when the incident has been logged and resolved. During handling the information security officer will resolve the incident via the correct department and put in service improvement if required to prevent re-occurrence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  EMIS employees are educated annually on environmental matters with an emphasis on personal responsibility regarding energy consumption and waste management. This is supported by relevant policies, such as EMIS’s Group Environmental Policy Statement and company benefits, e.g. during 2021 the Group launched a salary sacrifice scheme for employees to lease electric cars and for individuals to fund tree planting with Ecologi, who provide a route for organisations and individuals to fund climate action projects.; Through Ecologi, EMIS planted 25 saplings for each new employee who joined the business during the previous twelve months, resulting in approx. 7,300 new saplings planted in countries badly affected by deforestation.

Pricing

• Price: £4,850 an instance a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.