Ortivus UK Ltd

MobiMed ePR

Ortivus MobiMed provides paramedics with an electronic Patient Care Record, ePCR, using a structured workflow and support that enhances the clinical decision making process. The eCPR in combination with vital signs monitoring ensures that the patient gets the right care, at the right time, in the right place.

Features

• Smart-card login
• Summary Care Record (SCR) access
• Monitoring with clinical background from cardiac critical care
• Easy to configure/adapt to any clinical standard.
• Integrate with CAD, Defibrillators, information systems at hospitals
• Web browser
• Dynamic reports for Hospital and General Practitioner output form.
• Camera support - taking/incorporating images in the ePR and reports.
• Vital signs are automatically transmitted to the ePR.

Benefits

• Facilitates collaboration between paramedic and receiving hospital
• Comprehensive set of fields, supporting adaptation to working practices

£126 to £143 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at philip.swan@ortivus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

891727035872107

Contact

Philip Swan
07525277218
philip.swan@ortivus.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: MobiMed ePR is part of a suite of solutions that includes Patient Monitoring. With MobiMed Monitor healthcare personnel can monitor, analyse and in real-time share the patient’s vital parameters when out in the field. Combined with MobiMed ePR this provides safer care and saves time in critical situations.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Ortivus will schedule and plan any necessary maintenance or releases / upgrades with customers to ensure minimal service disruption.
• System requirements:
  • Microsoft Windows based server environment.
  • Microsoft Windows, iOS or Android client devices.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Ortivus Support mailbox is monitored during normal business hours, 9am-5pm GMT/BST, Monday to Friday (excluding Bank Holidays) and all emails are responded to within 24hrs. Ortivus also provide an online service portal which is available 24x7 through which customers can raise Incidents and Service Requests.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1st line call qualification and validation is typically performed by the Customer who would receives incoming calls from the end users and would attempt to resolve incidents in the first instance. Ortivus provide 2nd and 3rd line support for incidents raised that are unable to be resolved by 1st Line.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We can customise training for starting organisations - primarily onsite training, with provision of user guides and materials. The service also mirrors the live service with the provision of training server, so that organisations can arrange for user education in a 'safe' environment.; We also offer administrator level training for application administration, and 'train-the-trainer' sessions to support organisations educational department needs.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: At the end of contract customer data will be transferred in XML format. There is also an option of a continuous integration transfer during the contract period (e.g. to Customer Data Warehouse).
• End-of-contract process: Data in XML format will be provided within one month after contract end. Ortivus can also supply the data according to specific schemas and formats as requested by the customer. That would incur an additional cost depending on the details of the request.

Using the service

• Web browser interface: No
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Windows, iOS or Android Tablets are the pre-hospital clinician interface to the solution for documenting the care episode.; Clinical Workstations are the desktop, intended for Acute use, receiving ePCR, notifications, alerts etc. Mobile version is ePCR, primary method for completing ePCR, and alerting Acute.; MobiMed Pocket allows for clinical access to ePCR data in real time, and allows communication to full MobiMed ePCR users,
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Ortivus provides a browser based management tool - Admintool for the administration and management of service elements.; Support is also available using the Ortivus (ServiceNow based) service portal.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: None
• API: Yes
• What users can and can't do using the API: MobiMed includes a web service API that can be used to consume ePCR data. The API is available on the server side. Bandwidth and polling frequency restrictions apply and depend on the infrastructure chosen.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: The MobiMed ePR is completely customisable and can be tailored to the customer need and processes. Customisation can be managed solely by appointed users at the customer. This presupposes using the Ortivus SDK along with associated training. Ortivus also provide ePR configuration work at cost.

Scaling

• Independence of resources: Infrastructure is scaled, partitioned and sized according to specific customer need to ensure that availability of resources are independent of those required for other system users.

Analytics

• Service usage metrics: Yes
• Metrics types: Device connections, last active connection date/time.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: MobiMed ePR comes with several options for data export: 1) XML WebService intended for system integration of ePR data. 2) Data Warehouse intended for business reporting and intelligence. 3) Integration framework intended for system integration with downstream systems. Specific integrations come at additional cost.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • PDF
• Data import formats: Other
• Other data import formats:
  • XML
  • JSON
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: The service is provided to 99.6% availability with Service Point penalties in place for any deviation. This is based on incident severity with any Service Points accrued on a sliding scale.
• Approach to resilience: Available on request
• Outage reporting: Service outages are communicated according to an agreed communications matrix which would include email alerts and telephone notifications depending on severity.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Other user authentication: Mobile access can also be restricted to specified sim-cards.; Micosoft Entria ID authentication is also supported.
• Access restrictions in management interfaces and support channels: Management interfaces only run locally within the data centre. Data Centre access is restricted to appointed personnel using two factor authentication over VPN link.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Issued by Intertek Certification AB, accredited by UKAS management systems
• ISO/IEC 27001 accreditation date: Initial certification date 12 December 2014
• What the ISO/IEC 27001 doesn’t cover: No exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Incidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities. In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Ortivus have implemented Change Management, Release and Deployment Management procedures. All Requests for Change(RFCs) go through an initial risk assessment with Quality and compliance officers and when risks, clinical safety and security verifications have been clarified, appropriate actions and requirements on the RFC are initialized. Customer approvals are handled through established governance structures involving all relevant stakeholders. The main interfaces being the Operational Board, the Project Board and the Steering Board depending on the RFC. All assets, documents, training and configuration changes are constantly updated within the Asset Management module within the service management tool following standard ITIL V3 procedures.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Otential threats and vulnerabilities are assessed to determine deviations from acceptable configurations. Risk assessment is carried out and recommendations or appropriate mitigation countermeasures are developed in accordance with stakeholder agreements. Evaluation of network vulnerability and the risks associated with external connections is done through risk assessment by security specialists. Patches are identified and applied in accordance with customer and authority agreements.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises are identified through screening of servers, firewalls, routers and devices for system control and system administrations carried out on a weekly basis. Specific intrusion detection software is deployed and monitored by a SOC. This includes checking the content of the access logs and logs from intrusion detection. Audit logging is enabled to identify all successful and failed logins, and logouts. Logs are retained for a minimum of six months and in the event of an incident, logs can be made available to the appropriate authorities such as NHS Digital for investigation.
• Incident management type: Supplier-defined controls
• Incident management approach: Incidents will be addressed in accordance with the Information Security Policy, which is ISO 27001 compliant and includes appropriate escalation and resolution activities. In the event of an actual or suspected incident, weakness, or problem which may have an impact on any aspect of the service, the Information Security Officer will be informed promptly. Incidents may be escalated to other parties including NHS, NHS-Digital, and any other affected body and any corrective action identified during incident resolution will be added to the improvement plan. Security incidents will be reported and corrective actions tracked as part of the monthly performance reporting.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Fighting climate change; ; Our environmental policy is to use as few hazardous substances as possible in the manufacture of our products and shipment to our customers. Our packaging, accessories and repairs are examined from an environmental perspective to have as little impact as possible. Subcontractors manufacture some of our proprietary hardware according to our specifications, and none of our hardware components are produced in-house. Environmental management is essential in the selection criteria of or subcontractors. We chose consumables, components and production methods in cooperation with our subcontractors. All of our products comply with the RoHS Directive on the restriction of use of hazardous substances in electrical and electronic products.

Pricing

• Price: £126 to £143 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: A local test installation to be evaluated during a period of up to 6 months. Only MobiMed licenses are included, cost for hardware and 3rd party licenses not included.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at philip.swan@ortivus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.