Armour Comms

Medicomms - NHS Mobile Image Capture Patient Record Integration Application

Medicomms is a secure communication platform created by Armour Comms including a fully managed service. Medicomms is a government grade secure voice, messaging and chat application that runs on iOS/Android/Windows devices. Patient records and workflow integration capability ensures completeness of service Advanced security techniques, accredited(NCSC/GPG/DSP) to OFFICIAL-SENSITIVE(OS).

Features

• Secure voice calls, video calls, messaging, group chat and conferencing
• Integration into Patient Records and Tasking solutions using FHIR gateway
• Supports popular COTS devices such as Android, iOS, Windows desktop
• Image capture and delivery to patient record
• Secure scalable UK hosted managed platform accredited OFFICIAL-SENSITIVE
• Secure connection to desktop solutions inc Teams, Zoom, Jitsi etc
• Compatible with Samsung Knox, Trustzone, Samsung DeX, Chromebook
• Compatible with supporting software such as MDM MAM EMM UEM
• Task and patient record integration options available
• Message Burn/Time to Live (TTL) determines message life

Benefits

• Native mobile experience for end-users from fully accredited cloud infrastructure
• Secure data from private network to wireless enabled mobile devices
• Complete end-to-end secure managed solution set-up and in service quickly
• Connect mobiles to secure services on NHS/HSCN/PSN/PND via one platform
• 24/7 support options are available
• Secure, NHS DSP IG Standards exceeded
• NHS Interoperability, security and auditability by design
• Government supported alternative to WhatsApp, Viber, SIGNAL.
• Fully Managed secure official-sensitive service NCSC Cloud Security Principles
• Secure-container App Secure-messaging Secure-calls Secure-endpoint secure-cloud Remote Device-wipe

£60 a device a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.holman@armourcomms.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

830144482716086

Contact

David Holman
0203 637 3801
david.holman@armourcomms.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Medicomms can be applied to iOS and Android phones and tablet devices and Windows Desktop.
• System requirements:
  • System outline will be discussed with client
  • No pre-conditions or extra licences required outside the service
  • COTS Apple devices (phone or tablet) iOS Version 12.5+
  • COTS Android devices (phone or tablet) OS Version 6+
  • Windows 10 Desktop

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within one hour
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: As an ISO 20000 certified service management organisation our partner provides a standardised SLA for clients to ensure the service is understood by you, and is sufficiently supported by their engineers. You will be able to interact directly with engineers who know your account and can deal with issues directly without having to first negotiate an unskilled Helpdesk. Their UK based helpdesk staff are all SC & NPPV3 cleared.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Clients can follow documentation on how to initiate and start receiving our services. This can be augmented with training onsite, or delivered remotely. We deliver a standardised service, honed during deliveries to existing public sector clients, meaning a low risk and swift deployment without unexpected consultancy costs.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Client will provide secure physical media to Armour, which will then be populated with the specified client data and returned to the client.
• End-of-contract process: The client will have extracted the data they need to keep for archive or transition purposes. Any managed devices are taken off management which will wipe enterprise and managed data from the devices. The client is then free to undertake any disposal requirements that may be stipulated under IS5. Hosted areas are then made inaccessible to the internet and deleted. This is all provided without cost to the client. Any additional services will be charged based on the day rates on our SFIA rate card.

Using the service

• Web browser interface: No
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Medicoms is designed to offer the same functionality and similar look and feel on all platforms.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: Technical separation of resources to client areas is achieved at virtualisation level so that one client is not competing for the same resources as another; client areas are independent private clouds so processing is not shared. Our ITIL aligned service processes have defined scaling markers to ensure the service team is not short-staffed.

Analytics

• Service usage metrics: Yes
• Metrics types: The platform infrastructure is fully reported as per SLA. App deployment is reported via UEM/MDM.

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: For security reasons the only data that can be exported from the device is the contacts. A user can export their contacts to an encrypted file and store or email it off their device (platform-dependent).
• Data export formats: Other
• Other data export formats:
  • Encrypted \file
  • Data import formats
• Data import formats: Other
• Other data import formats: Encrypted file

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Medicomms secure services are protected by at least AES-128 with PKI using MIKEY-SAKKE between end user devices and up to AES-256 with TLS1.2+ in client/server interactions.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: All inter-server communications within the Medicomms secure service use at least TLS1.2+ with AES-256, multi-zone server security, firewalling, intruder detection, monitoring, etc.

Availability and resilience

• Guaranteed availability: We provide SLAs to each client outlining the expected availability of each service. Unplanned outages that lead to decreased availability from the levels set out in the SLAs lead to credits on those services during the next period.
• Approach to resilience: Architectural resiliency is designed into the hosted environment and is backed by the Tier 3+ UK Data Centre. Details can be given to clients upon request.
• Outage reporting: Email alerts to nominated client representatives, with quantitative and qualitative detail.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: End user clients are password protected, based on the unique end point identity used in the MIKEY-SAKKE cryptography; the client itself also authenticates to the servers. Additional user authentication (e.g. 2-factor) is available at additional cost based on user requirements.
• Access restrictions in management interfaces and support channels: We restrict management interface access to known personnel on known devices that are authenticated with 2FA and connect via VPN to secured management hosts with limited permissions.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Intertek
• ISO/IEC 27001 accreditation date: 18/03/21
• What the ISO/IEC 27001 doesn’t cover: NO exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials and Cyber Essentials Plus
• Information security policies and processes: We apply NCSC and industry best practice to ensure 14 Cloud Security Principles are applied during design, deployment, operation, and decommission. We provide IS1&2 compliant RMADS and maintain our own Security Management Plan which is integral to our ISO 27001 accreditation, which is independently audited every year.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Services are configured and documented for reference. Changes are initiated with internal or external requests that start a Change Acceptance Process, during which the business imperative, security risks, user impact, and costs are considered. A lightweight process is adopted for agility of service, but If necessary, a full security impact assessment is undertaken and when the requisite authorisations are received, the change is effected and documentation updated.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to a number of vulnerability and threat monitoring agencies including the NCSC threat newsletter. A baseline patching process is maintained monthly for all services, and emergency responses to critical threats are evaluated and actioned appropriately.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our protective monitoring tools examine SIEM data from our platform and client areas, including GPG13 compliant reporting. Incidents are responded to based on the severity of the event and can be immediate notification to clients to allow fixes to be effected straight away.
• Incident management type: Supplier-defined controls
• Incident management approach: Our SyOPs and Security Management Plan outline procedures for incident management and reporting. Our SMP is certified ISO27k controls and verified by a CCP qualified IA lead.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • Health and Social Care Network (HSCN)
  • Other
• Other public sector networks: PND

Social Value

• Covid-19 recovery:

  Covid-19 recovery

  Armour Comms support organisations and businesses to manage and recover from the impacts of COVID-19, including where new ways of working are needed to deliver services. This includes improved workplace conditions that support the COVID-19 recovery effort including effective social distancing, remote working, and sustainable travel solutions.
• Tackling economic inequality:

  Tackling economic inequality

  Armour Comms will influence staff, suppliers, customers and communities through the delivery of the contract to support employment and skills opportunities in high growth sectors.
• Equal opportunity:

  Equal opportunity

  Armour Comms supports and promotes in-work progression to help people, including women, those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract.
• Wellbeing:

  Wellbeing

  Armour Comms demonstrates its support for the health and wellbeing, including physical and mental health, of its staff through internal wellness programmes.

Pricing

• Price: £60 a device a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We are able to make available a dedicated secure solution that can offer a limited number of test users the ability to trial the service.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.holman@armourcomms.com. Tell them what format you need. It will help if you say what assistive technology you use.