Oxehealth Limited

Oxeobs

OxeObs digitises patient observations in mental health wards. Information about how patients are doing and vital signs data are captured on a tablet and automatically uploaded to the electronic patient record. The tool enhances workflow efficiencies, encourages protocol adherence, reduces documentation errors and ensures completeness of patient data.

Features

• Digitally timestamped, accurate observations
• A timer shows time since last observation
• Access for all staff including bank and agency
• Offline capabilities for low wifi areas without compromising accuracy
• Record detailed therapeutic observation and engagement notes
• Four configurable observation levels
• Maintain patient risk factors alongside observation levels
• Easily view detailed observation history and track changes
• Management level automated report
• Easy and intuitive design; built for mental health staff

Benefits

• Improves accuracy of observations by replacing handwritten notes
• Reduces documentation errors and ensures completeness of patient data
• Promotes adherence to observations, ensuring they are on time
• Reduces time spent on recording observations releasing time to care
• Personalisation of observation levels to cater to patients individual needs
• Auditability of observation records to improve assurance
• Automated reporting reduces time on assurance
• Automated integration into EPR
• Works even in low wifi areas
• Minimal training required for staff

£12,960 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at karen.west@oxehealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

866694389115975

Contact

Karen West
+44 (0) 1865 900 599
karen.west@oxehealth.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Oxevision
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: Oxeobs receives regular maintenance, updates, upgrades and patches without the requirements for system downtime. In the scenario where downtime is required for maintenance or upgrades, this will be communicated and agreed with the customer to ensure ample time and support for business continuity. The Oxeobs system includes software and hardware. The provision of software, hardware and its maintenance, updating and upgrading is fully included in the service license.
• System requirements:
  • Wifi access throughout ward
  • Adequate, suitable space for local server
  • Suitable broadband connection for the local server to the cloud

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our customer support team is available 24/7, 365 days of the year to answer calls via our Support Line or, responding to feedback forms via the Oxeobs and emails. Response and resolution times are fixed as per the Service Level Agreement, which is comprised of 3 categories - with response and resolution options being 24 hours (7 days a week), 72 hours (7 days a week) and 96 hours (7 days a week). The Service Level Agreement is the same across all customers.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: All support is included in the contract as a standard service provided to all customers. Services include: where a reported issue requires an onsite visit (such as hardware replacement), Oxehealth provides this as part of the service agreement which also details their Service Level Agreement. ; ; Additional training and support is available via OxeAcademy (our online portal) and in person via our Customer Success Team.; ; A dedicated Account Manager is also provided for support throughout.; ; We do not provide a dedicated Technical Account Manager or Cloud support engineer.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We provide and agree a training plan for every customer, specific to their needs. Training can be delivered onsite, virtually or using our online training portal, OxeAcademy. Typically a mix of all three types of training is used to support customers with their training needs. In addition, we are on-site during the go-live and can support customers throughout the lifecycle of their product use with training needs.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • Word
  • Online via OxeAcademy portal
• End-of-contract data extraction: Oxeobs produces four types of data ("data categories"). Customers are the Data Controller of these data, and therefore determine what happens to these data when the contract ends. The retention and storage of this data is agreed with the customer and written into the contract in the Generated Data Guide and Description of Data Processing.
• End-of-contract process: The Oxeobs system is decommissioned by Oxehealth and the customer. Oxehealth removes the equipment from the customer's locations, seeking access and/or support when the equipment requires their Estates or IT teams (e.g. to access the server room, to access the ward). No additional cost is charged by Oxehealth

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Functionality is the same on Fixed screen displays and Tablet devices.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The Oxeobs User Interface has been designed specifically for mental health care. Digital Observations - makes it easy for staff to carry out timely health and safety checks to ensure patients are safe and well. Information about how patients are doing can be captured quickly on a tablet and automatically uploaded to a patient’s Electronic Patient Record (EPR). This enables staff to have accurate information about a patient’s wellbeing to help personalise care.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: None - the interface does not currently support third party assistive technology as it is a closed system.
• API: No
• Customisation available: Yes
• Description of customisation: Oxeobs can be configured at a ward-level. This means that individual wards can use the functionality that meets the clinical need of the patients receiving care on those wards. For example locations, risk factors and observation levels can be adapted to suit the ward layout, ward type and patient needs.

Scaling

• Independence of resources: The Oxeobs solution runs on-premise with back up to AWS cloud and to a specification that is validated as meeting system and user demand.

Analytics

• Service usage metrics: Yes
• Metrics types: - Oxehealth provides reporting on usage, the compliance to observation policy via metrics on timeliness of observations and, when relevant, the unpredictability of when observations are completed.; - Usage metrics are provided in a weekly and/or monthly report. Metrics are shown day by day, by time of day, and presented as trends over time.
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Other
• Other data at rest protection approach: The GUI database and all personal data stored on the local server at customer site is encrypted at rest with AES-256bit encryption. All data stored on Oxehealth's 3rd party cloud services is encypted at rest with AES-256bit encryption. ; ; When stored on local servers at customer site physical access control is the responsibility of the customer. When stored in Oxehealth's 3rd party cloud services the service provider has physical access controls which are compliant with ISO 27000 security series and they have a SOC2 type 2 certificate.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Reports are available for export via PDF
• Data export formats: Other
• Other data export formats: PDF
• Data import formats: Other
• Other data import formats: NONE

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Oxehealth provides support and maintenance for the Oxehealth Service as outlined in their Service Level Agreement details of which are included in the Service Definition document. Support is provided without additional charge and is covered within the overall service licence cost. The SLA describes scenarios where support might be required and outlines the service and timing provided including for serious incidents access to 24/7 support. Service Level Failures are reported for resolution and remediation at the Partnership board (steering board comprising customer and Oxehealth) meeting.
• Approach to resilience: Available on request
• Outage reporting: Direct communication with customer, via email or phone. Each customer's system is segregated /ringfenced

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: There is no management interface. All changes are managed by Oxehealth following requests from authorised users.
• Access restriction testing frequency: Never
• Management access authentication: Other
• Description of management access authentication: Not applicable. all changes are managed by Oxehealth following requests from authorised users.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA
• ISO/IEC 27001 accreditation date: 8/9/2022
• What the ISO/IEC 27001 doesn’t cover: The Statement of Applicability includes all controls with the exception of A.14.2.7 Outsourced development - Oxehealth do not outsource development. The physical locations covered are the Oxehealth offices within Magdalen Centre North and Sadler building on the Oxford Science Park, and the Oxehealth inventory storage facility in Merlin House on Grove Business Park in Wantage. Oxehealth AB and Oxehealth Inc. exist at other physical locations which are not within the scope of the Oxehealth ISMS and PIMS, and any assets owned by these entities are treated as assets that are in transit outside the boundary of the Oxehealth security perimeter, and as such, only assets that are intended to be mobile or transported are used by Oxehealth staff in these locations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: NHS Digital Data security and protection toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus, NHS DSPT, ISO/IEC 27701
• Information security policies and processes: Oxehealth has implemented a top level information security and privacy policy, as part of our ISO 27001 /ISO 27701 certified information security management system (ISMS/PIMS). This is supported by other policies and procedures including: information and infrastructure assets security classification, risk management, incident management, management review, staff competence and training; access control, cryptographic and key management, media re-use and disposal, etc.; Oxehealth has appointed:; • A Chief Information Security Officer (board report) responsible for the operation of effective security and privacy information controls and chairs the Security Governance Review;; • An Information Security and Privacy Manager supports the CISO and is responsible for the maintenance/effectiveness of the ISMS/PIMS and ensuring that Oxehealth operations within the scope of the ISMS and PIMS are carried out accordingly; and ; • A Data Protection Officer (board report) and is responsible for Oxehealth's privacy information handling regime and chairs the Data Governance Review.; All staff are trained on policies and procedures within the ISMS/PIMS and additional role specific security training prior to granting of access. ; Compliance is monitored through monthly operational security reviews and non-conformances are reported at Security Management Reviews. Monitoring through internal audits and annual surveillance/recertification audits from the ISO 27001/27701 certification body.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Externally audited processes follow industry best practices to ensure reliability, security, and stability.; • Configuration management system tracks the components with version control systems tracking changes to configuration files; • Changes to services, infrastructure and tooling undergo change request processes and assessment of potential impacts and mitigations;; • Changes are tested in isolated environments. Automated testing, peer review and staged deployments minimise risks of introducing errors.; • Software components have their own version and tooling checks and alerts if wrong components are running.; • Production system business continuity plan ensures data and configuration back up and restore previous software versions.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Static analysis of source code. Vulnerability scan of libraries and SOUP within the software against vulnerability databases. Critical/unacceptable high vulnerabilities cannot merge to master until addressed. Grey box scan of Oxevision system including the operating system, server build and application using industry standard tooling. Biannual penetration testing by external CREST accredited security contractors. Monitoring information feeds (NCSC/CISA/MS-ISAC) for threats/vulnerabilities to Oxevision/internal infrastructure. Vulnerability disclosure policy for customers to report vulnerabilities in end-points and network connected devices. Vulnerabilities are assessed; rated for severity (CVSS scoring) and addressed within appropriate timeframes. All patches are tested and incorporated as part of software releases.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Oxehealth has a vulnerability management process in place to identify, triage and mitigate vulnerabilities in all components of the service. Each component is scanned during development and again at release by vulnerability scanners, which adhere to NIST guidance. If a vulnerability is found, it is triaged using the CVSS score and risk management procedures. These vulnerabilities will be mitigated on a criticality based scale, any critical or high vulnerabilities will be mitigated within that release.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Security and Privacy Incident Management Procedure is used to ensure an effective approach to information security incident management, outlining how security weaknesses/events are identified, defining when a security incident/data breach has occurred, how to be reported/recorded, the requirement for immediate containment and protection of assets, risk analysis, incident management actions, verification of effectiveness requirements for reporting security incidents and data breaches. Customers are notified of incidents which directly impact them.; ; A Vulnerability Disclosure Policy for customers reports any vulnerabilities in the Oxevision system. Security incidents are reported via the 24/7 customer support line; email or the GUI feedback form.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Oxehealth customer facing staff conduct significant travel to and from customer sites as part of delivering the Solution to customers. This includes visits to conduct site surveys, install hardware into the ward environment, deliver face-to-face training sessions and; support go-lives. This travel is typically conducted by car, either in the company’s fleet vehicles (mostly Euro6 diesel vans) or by the employee’s own vehicles, which are mostly petrol or diesel driven. Oxehealth staff may travel a total of 2,200 miles during the; deployment phase of the contract, assuming a customer site to be 100 miles from our central office, and assuming a contract value of around £100,000 (4 wards); Specific initiatives:; As part of delivering the contract, Oxehealth will commit to ensuring that at least 50% of the car miles driven by Oxehealth staff in the deployment phase of the contract will be in low or no emission vehicles (eg plug-in hybrid or fully electric vehicles).; Valuation of the offer equates to c. 3% of contract value; How we will deliver this offer: ; This will require Oxehealth to lease or procure such low emission vehicles to replace our existing standard emission vehicles, which will then be deployed to other projects and generate further carbon savings. Oxehealth have an existing relationship with a leasing car company that have a hybrid and electric vehicle offering and therefore no additional new relationships will need to be developed to deliver this offer.; Oxehealth will then require its staff to input their low or no emission travel mileage against the contract into the existing expense management tool to ensure tracking against the target.

  Tackling economic inequality

  People who have suffered from mental ill-health may often find it more challenging to get a job or work experience. But jobs can provide a clear sense of belonging, purpose and friendship that are incredibly helpful to sustaining good mental health. Oxehealth will sponsor a work placement in support of the contract for a person who has struggled with getting work experience. The company will work in conjunction with the healthcare provider’s service user and carer representative (s) to identify an individual; who is local to the healthcare provider (potentially a past patient or carer) who would welcome the opportunity to gain valuable skills over a period of no less than 6 weeks. Oxehealth works closely with service user and carer representatives of each healthcare; provider as part of each engagement. The company also has a growing network of experts by experience who would be able to support identification of people who may benefit and be able to help advice on crafting personalised work experience that takes; account individuals capabilities, interests and acknowledging any reasonable adjustments that may be required.; There are number of roles that would support the successful implementation of the contract including:; ● Support engagement work with patients and carers;; ● Project management; ● Supporting customer success in training sessions; ● Supporting on site installation teams ; The work placement would be paid at no less than the real living wage and employment would be with Oxehealth Ltd over 6 weeks based on a 36 hour working week. As part of the work experience, Oxehealth will provide induction training and support at the end of the placement for the individual to create a CV and undertake interview training.

  Equal opportunity

  As a company working in science and technology, it may also be less attractive to women in general, exacerbating gender pay disparities. To further support the company’s aim to be an employer providing equal opportunity and pay for women, the company will measure and report on gender pay for the company and put in place a programme of initiatives to encourage and support interest in women applying for roles in healthtech. Contracts will; typically directly involve up to 20 employees of Oxehealth. These numbers may be unrepresentative for gender pay information, so figures will be based on the whole company. Contracts are usually of multiple year duration, so initiatives will be based on these longer term timeframes.; Specific initiatives:; 1.The company will analyse and report on gender pay figures for the company on an annual basis.; 2. Review our recruitment and promotion processes to ensure they are skills based, free from unconscious bias, use structured questions to ensure fairness and are transparent so everyone is clear about the processes, policies and criteria for decision making. Where any roles offered to women have been rejected, the company will look at the reasons behind the decision with a particular focus on any; reasons that have a disproportionate impact on women.; 3. The company will promote the role of women in healthtech by providing platforms for women in Oxehealth to talk about their role and provide evidence of where Oxehealth’s policies, culture and ways of working support women in the workplace.; The analysis and reporting on gender pay gap will be done by the finance department. Recruitment and promotion processes will be reviewed by the company's HR lead. To promote the role of women in technology, we will encourage and support women in the business to share about their experiences.

  Wellbeing

  Oxehealth is a company that is focused on mental health and supports many initiatives to complement our core service of delivering technology to support diagnosis, care and treatment of patients with severe and enduring mental illness.; As part of this contract, Oxehealth will target for 25% of staff working on the contract to be mental health first aider trained. Mental health first aider training provides not only a broad; understanding of mental health, its causes and how it might present but also provides a framework for people to engage with those in need of help. This understanding helps to tackle stigma about mental health, often formed by lack of awareness and enable the; Oxehealth team to become mental health ambassadors. Oxehealth already has a relationship with Mental Health First Aid England and some staff have already undergone training utilising their own training budget. This option for training will be in addition to the; personal training budget.; This offer is valued at c. £1.5k per contract.; How we will deliver this offer:; The opportunity to undertake mental first aid training will be discussed both at company wide level and then highlighted in all personal development discussions as an opportunity. Key information about courses available will be posted on the appropriate company communications platform and training records will track individual attainment. Project leads for each contract will be responsible for encouraging individuals working on each contract to undertake the course and incorporate this into the overall project plan.

Pricing

• Price: £12,960 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at karen.west@oxehealth.com. Tell them what format you need. It will help if you say what assistive technology you use.