MAXIMS Cloud ED

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: There will be times when the system is unavailable for scheduled maintenance. These times will be agreed in advance with the client.

User access to the system is limited by Username and strong password/passphrase enforcement. These will need to be set up for each user in conjunction with the client.

Data centre access is available to our staff only

Support for specific hardware configurations only

Must include specified top-of-rack/end-of-rack network switches
System requirements: Access through Health and Social Care Network

End-user devices running MS Edge Chromium/Chrome/Safari

Software licences for each end user

Suitable network connection between end-user device and central serve

GBgroup Matchcode licence

VMWare licence

Windows 2019 and MSQL 2019 and above

Suitable firewall

Customers will require appropriate network connectivity

Customer responsible for data security over their connectivity method

User support

Email or online ticketing support: Email or online ticketing
Support response times: As per the service level agreement response times
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: We provide several support options to our customers.
However, we can be flexible and offer variations to this.
• Standard - 9am to 5pm, Monday to Friday, excl. Bank and Public Holidays;
• Extended - 8am to 6pm, Monday to Friday with the possibility of weekend cover and including Bank and Public Holidays;
• Premium - 24/7/365 for mission critical solutions

There is an uplift to the standard and extended packages if 24/7/365 is required. Cost is dependent upon the size and scope of the service required.

Yes we provide a technical account manager
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Our approach would be to work collaboratively with each Trust using our standard, tried & tested, implementation methodology to implement our application. Our implementation approach has been developed over many years of experience of managing and implementing healthcare solutions throughout the UK and Ireland.

Our plan provides a very detailed, standardised and repeatable approach for implementation, augmented with new data after each implementation and will be refined through discussions with each Trust during the Project Initiation Stage to take into account local variances in approach.

It has been validated in several successful implementations and can be taken as a proven ‘model’ of how the project will proceed and provide confidence in the delivery of the contracted deliverables to agreed deadlines.

Project governance and benefits realisation are intrinsic to the approach. Risks and Issues are managed following the framework set out by the OGC, whereby they are assessed and scored against likelihood and consequence across multiple domains and plans put in place to monitor and mitigate. Embedded controls include regular reviews to allow a realistic look at the project’s direction and performance at critical stages and to adjust as needed.
Service documentation: Yes
Documentation formats: HTML

PDF

Other
Other documentation formats: Microsoft Word

ELearning Packages
End-of-contract data extraction: The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).
End-of-contract process: We will return all your data and materials which cannot be deleted or exported by you, and securely destroy all copies of your data on your written instruction. We will return any pre-paid sums for services not delivered to you. We will not penalise you for terminating your contract with us unless specifically stated in the Service Definition. We will also return all of your confidential information, unless there is a legal requirement that we keep it.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The differences are in the screen size available for viewing the system. This is taken into account for mobile access.

The technology used is different between mobile and desktop.

We have specific applications for both iOS and Android
Service interface: No
User support accessibility: None or don’t know
API: Yes
What users can and can't do using the API: IMS MAXIMS is a founding member of the INTEROPen group which was formed to accelerate the development of open standards for interoperability in the health and social sector. We are currently working within INTEROPen in the design and curating of the technical interoperability standards, this includes areas such as data exchange, data validation, defining APIs and governance. We are currently in the process of developing and in publishing our APIs based on the INTEROPen CareConnect candidate FHIR resource profiles: http://interopen.org/candidate-profiles/care-connect/. This will provide support for resources such as:
•         Allergy Intolerance
•         Condition
•         Encounter
•         Family Member History
•         Flags
•         Locations
•         Medication
•         Observation
•         Patient
•         Practitioner
•         Procedure

We are working on the current DSTU 2 final version of the HL7 FHIR standard. Our roadmap includes support for current draft standards e.g. FHIR STU3. Our currently developed FHIR standard implementation supports the REST API through HTTPS protocol, enabling any application to safely/securely consume our implementation of FHIR standards. Via our FHIR based APIs we can expose the patient’s longitudinal patient record and support flow of data between care settings.

See later q/a for configurability
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

HTML

PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: MAXIMS has a variety of functionality to provide a high degree of local configurability. Local patient journeys are supported through the MAXIMS configuration features listed below:
        Configurable starting form for each role supporting different entry points
        User defined navigations allowing clients to match the navigation to the workflow. The navigations may contain system forms, user defined forms and reports. The content, groupings and order are all configurable.
        Configurable top menu bar allowing different menu bars for each user role. The contents of the menu can be customised and allows links to URLs to support the patient journey and workflow
        Configuration forms allowing administrators to customise the behaviour of some areas of MAXIMS.
        System and role based configuration flags to allow the tailoring of MAXIMS to support many different health care agencies
        User Defined Assessments to allow clients to recreate paper assessments within MAXIMS and build them into the workflow
        Configurable lookups and hotlists providing control over the contents and order of drop down menus through the system.
        Role based access rights and flags allow further tailoring of the behaviour of MAXIMS at a local level

Scaling

Independence of resources: We provide a guaranteed service delivery and system response time for each user. We also provide Guaranteed resources that are a stated minimum of memory, CPU and disk size or space for each customer.

The service is not affected by the demands of other users. We do have resource reservations and shares on our connectivity services that are not dedicated to our customers - such as internet bandwidth. In addition, the capacity planning team ensure that connectivity usage in terms of all resources are constantly monitored and increased accordingly to demand

Analytics

Service usage metrics: Yes
Metrics types: The SLA details the hours of cover as well as the target response and resolution times for each Incident Severity.
Our Service Delivery Manager utilises the system to generate data extracts for our customer performance monitoring reports. The system contains several standard data extract reports as well as an ad-hoc reporting module which enables us to produce customer specific reports when required. These reports can be generated by our Service Management team at any time for any given time period.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: The customer has complete autonomy of how data is stored and managed within their virtual environment. Data can be extracted either from within the VM (for example, copying data over virtual networks), or the entire VM (for example, exporting as a VMDK or OVF).
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Bonded fibre optic connections

Legacy SSL and TLS (under version 1.2)

Other
Other protection between networks: Our hosting partner offers the choice of connecting:
• Via the internet using additional encryption such as TLS 1.2
• IPSec VPN tunnels
• Via private networks such as leased lines or MPLS
• Via public sector networks such as PSN, N3, HSCN, Janet
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Legacy SSL and TLS (under version 1.2)

Other
Other protection within supplier network: Our hosting partner uses dedicated CAS-T circuits between each of their sites to ensure the protection of customer data in-flight. The partner additionally encrypts this data within their Elevated OFFICIAL platform. All data flows are also subject to a protective monitoring service.

Availability and resilience

Guaranteed availability: We confirm that the application can be hosted within an environment that provides full disaster recovery services.
We will configure the MAXIMS solution according to local requirements but for most procurements we are assuming system availability is paramount and so we would propose to provide a high-availability, dual-datacentre (DC) solution, which is disaster resilient and will enable all environments to continue to operate in the event of a disaster impacting either of the datacentres.
Service credits are awarded when performance falls below the contracted level, The number of Service Points awarded to each Service Failure in that Service Period.
The accumulated total of Service Credits available.
A rolling total of the number of Service Failures that have occurred and the amount of Service Credits that have been incurred over the past six months;
Approach to resilience: Multiple MAXIMS Application Servers and Report Servers will be configured as a cluster of VMs across these hosts and, should one of these servers fail or be taken out of service for maintenance work, then the remaining servers in the VM cluster will take up the additional workload. With the rapid recovery features in VMware your preferred method for resilience may be to dynamically provision new servers as and when a failure occurs. Your local preferences will dictate your approach to resilience and availability but be assured that MAXIMS can be configured to meet your needs.

A number of options enable you to build resilience into your applications. We offer Private Cloud Compute from two geographically distinct sites, both located in the UK and separated by over 100km for excellent geo-diversity.
Outage reporting: All outages will be reported via the Service Status page and the notifications service within the Cloud Portal. Outages are identified as Planned maintenance, Emergency maintenance, and platform issues. In addition, the designated Technical Account Manager will proactively contact customers as appropriate.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Limited access network (for example PSN)

Username or password

Other
Other user authentication: Username and strong password/passphrase enforcement
Access restrictions in management interfaces and support channels: Separation and access control within management interfaces
User access control within management interfaces
Consumers manage only their own service, and cannot access, modify or otherwise affect the service of other consumers via management tools and interfaces.

Customers have the option to raise a support request via telephone or email. Our hosting partner will always authenticate the identity of the user by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. The management interfaces are only available on the network.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Limited access network (for example PSN)

Username or password

Other
Description of management access authentication: This is done through the use of Role Based Access.

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: NQA
ISO/IEC 27001 accreditation date: 24/08/2021
What the ISO/IEC 27001 doesn’t cover: Nothing
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 28th October 2016
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: Nothing
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: Data Protection Act Registration - Z6940443

Certified to ISO9001:2008

MAXIMS conformation ISB0129 Patient Safety Risk Management System

Accordance with BSISO/IEC 27002 Code of Practice Information Security Management

MAXIMS conformation BSISO/IEC 12207 software life cycle processes.

MAXIMS conformation ISB0129 Manufacture of Health Software.

IGSOC V13 connection to NHS Digital

Accreditation to PRSB standards

Records Management – NHS Code of Practice

Access to Medical Reports & Health Records acts

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: IMS MAXIMS has a documented framework for security governance, with policies governing key aspects of information security relevant to the service.

Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
Processes to identify and ensure compliance with applicable legal and regulatory requirements.

Our hosting partner has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001 and ISO27018 by LRQA, a UKAS accredited audit body. The service is governed by an integrated suite of information security policies. Under the top level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Our hosting partner has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Potential new threats, vulnerabilities or exploitation techniques which could affect your service are assessed and corrective action is taken
Relevant sources of information relating to threat, vulnerability and exploitation techniques are monitored by the service provider
The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritise the implementation of mitigations.
Our change management process ensures known vulnerabilities are tracked until mitigations have been deployed
We ensure we know service provider timescales for implementing mitigations and are happy with them
Patches are applied when necessary depending on their assessed priority
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: The service generates adequate audit events which we use to support effective identification of suspicious activity. Audit reports are run at regular intervals. Any attempts at unauthorised access are alerted to the system manager. These events are analysed to identify potential compromises or inappropriate service use.
We take prompt and appropriate action to address incidents. Incidents are categorised by laid down priorities which each have response times for remedial action.

Following best practice from National Cyber Security Centre, our service has enhanced protective monitoring, including checks on time sources, cross-boundary traffic, suspicious boundary activities, network connections and backup status etc.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Incident management processes are in place for the service and are actively deployed in response to security incidents
Pre-defined processes are in place for responding to common types of incident and attack
A defined process and contact route exists for reporting of security incidents by consumers and external entities
Security incidents of relevance to you will be reported in acceptable timescales and formats

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: Yes
Connected networks: NHS Network (N3)

Health and Social Care Network (HSCN)

Fighting climate change: Fighting climate change

IMS MAXIMS are committed to supporting zero carbon footprint. We have invested in technology to support remote meetings via conference calls and video to avoid travel. We encourage staff to use public transport whenever possible and to work from home.
Equal opportunity: Equal opportunity

IMS MAXIMS is committed to the policy of equal treatment of all employees and applicants, and requires all employees, of whatever grade or authority, to abide by and adhere to this general principle and the requirements of the Code of Practice issued by the Equal Opportunities Commission, the Commission for Racial Equality, under the Disability Discrimination Act.

It is IMS MAXIMS’ policy to treat job applicants and employees in the same way, regardless of their sex, sexual orientation, age, race, ethnic origin or disability. Further, the organisation will monitor the composition of the workforce and introduce positive action if it appears that this policy is not fully effective.

Pricing

Price: £2.22 to £2.74 a transaction
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

MAXIMS Cloud ED

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents