Frequently Answered Questions (FAQs)
Frequently Answered Questions (FAQs) about PatientSource including the IT installation environment, business continuity, corporate risk and territory of data residence
What is PatientSource?
PatientSource is a clinician-designed Electronic Medical Record solution for hospitals and community care. It works cross-platform on any device with a web browser (desktops, laptops, tablets, smartphones). It is extremely easy to use.
Why is PatientSource better than other Electronic Medical Record solutions?
PatientSource is clinician-designed: real doctors and nurses came up with the design and worked with software developers to make it a reality. So it is fast and very easy for a doctor or nurse to use.
We didn't simply pay a doctor to rubber stamp our software at the end as "clinician approved"!
PatientSource is built on much newer technology, which is more secure and lower cost to implement than legacy systems. You can take PatientSource up to a patient’s bedside with a tablet computer. You can’t do that with legacy electronic medical record systems!
What’s wrong with using paper for patient records?
Three main things: paper harms patients, paper is expensive and inefficient, paper prevents you from learning how to improve your organisation.
Paper harms patients:
- 25% of hand-written inpatient medication charts have at least one error of moderate or worse clinical severity. (Derived from Seden et al 2013).
- Critical clinical information is missing in 15% of outpatient clinic appointments where paper records are used, with 20% (3% absolute) causing significant risk of severe patient harm. (Burnett et al 2011).
- 52% of handwritten clinical notes have “bad readability” and 4% are completely illegible, meaning that care plans can be misunderstood. (Hartel et al 2011).
- Medication errors and misdiagnosis are the two biggest causes of medical litigation. Computerised systems with clinical decision support can minimise these, paper cannot.
- Critical patient information cannot be found easily when buried in a paper folder.
Paper is expensive and inefficient:
- In paper-driven hospitals, 15% of front-line doctors' and nurses' time is wasted in searching for paper notes, waiting for the notes to be free, deciphering bad handwriting, or duplicating information from one page to another. This costs a typical paper-driven hospital £10.5m per annum.
- The average hospital spends £8m per annum in filing, transporting and storing paper patient records.
- A typical paper-driven hospital spends a further £500k on paper materials and in printing forms.
- A typical paper-driven hospital spends a further £700k on faxing and postage stamps.
Paper prevents you from learning how to improve your organisation:
- Data stored on paper is very time consuming and expensive to compile and analyse. Paper-based clinical audits typically take 30 minutes per patient. It is too time consuming to manually audit enough notes to draw conclusions at the hospital-wide level. Therefore clinical audits tend to be small samples (10-20 patients), and infrequently done.
- Digital clinical data in PatientSource can be automatically analysed to give real-time KPI measures, and to perform audits over hundreds of patient cases in minutes.
- A quick method of analysing clinical data means you can make real-time assessments and adjustments on your healthcare organisation performance.
- Digital analytics can spot patterns you would have missed otherwise informing new ways of working.
How much can PatientSource save me?
We've modelled this on a UK average sized hospital operator (approx 700 inpatient beds). Properly deployed across all clinical areas, PatientSource can save an average hospital £16m (sixteen million pounds) per annum compared to using paper patient records / charts / request forms.
For that same hospital, the cost of ownership of PatientSource would be less than £0.5m per annum. That's a 30-times return on investment.
What happens if PatientSource crashes (downtime)?
Downtime is a very important question. PatientSource demonstrated a measured uptime of 99.996% last year (0.004% downtime).
PatientSource runs in high-availability Tier 4 data centres with full redundancy, backup and disaster recovery, so downtime is very unlikely and extremely brief. In the rare minutes of downtime, we recommend keeping a computer or tablet to hand on each ward / clinic with the PatientSource downtime app installed. The downtime app can cache newly input data securely and upload it automatically when the service comes back online.
For the paranoid among you, PatientSource can automatically push PDF copies for all patients who are inpatients or have scheduled appointments, each day to your local machines so that you are covered in the case of a catastrophic internet connection failure at your site.
Paper records on the other hand do not have 100% uptime. Every time a patient folder goes missing, or is in use by someone else, or where the information you need is illegible; that is effectively “downtime”. Paper medical records have a 10-15% downtime.
Why does ease of use matter?
Surely usability is just a skin?
Ask your doctors and nurses why ease of use matters. Then go and read The Digital Doctor by Bob Wachter.
The biggest cost on any hospital’s balance sheet is staffing. Any time you can save your doctors and nurses time means saving on staffing costs. If your permanent doctors and nurses can spend more time caring for patients and less time battling with bad IT, you can employ fewer agency staff. You will also retain your doctors and nurses longer because they’ll like working in a low friction environment.
Usability is not “just a skin”. It’s not just the layout of a screen which matters, it is the workflow (what action the user needs to do next), the number of steps / clicks needed to do something, automating the right actions, digitally assisting data input, choosing the right data to display at the right time, displaying useful data output in a clinically recognised format and getting the most out of the ergonomics of the device being used. It is far more than just a skin.
PatientSource is proven to be easy to use by doctors and nurses. This saves them a lot of time. This reduces your staffing bill and helps you retain staff.
Is PatientSource a multitenancy solution?
Or will I have my own firewalled system?
This depends on the size of your healthcare organisation.
Hospitals, large community teams and large clinics are deployed on their own, unique, single tenancy virtual server cluster. You will have your own single tenant instance on your own virtual machines.
Small team practices and independent private practitioners are deployed on a multitenancy solution for a lower fee, with tight restrictions preventing a different organisation from seeing your patient’s data (unless you explicitly “share” a patient’s record with them).
Is PatientSource available as an on-premise solution?
By special arrangement, yes, we can do an on-premise installation. On-premise installations attract a 6x premium over cloud based installations.
We also suggest the following minimum for on-premise specifications:
- Tier 4 grade data centre with fully redundant cooling, power, network, storage & server hardware
- 3 x dedicated virtual machines for PatientSource with sufficient RAM and CPU (depends on peak users)
- Compartmentalised security with user access monitoring, intrusion detection and response systems
- 24 hour access to authorised persons
Does PatientSource have management dashboards?
Yes, PatientSource has a range of management dashboards in our module DynReports. With DynReports you can configure your own real-time reports with tables, graphs, gauges. You can also generate reports for any past data period, which is useful for tracking improvement over time and for submitting data back to regulators / insurers / tariff payers.
PatientSource DynReports provides you with useful real-time KPIs:
- Real-time CQUIN performance calculations
- Referral to treatment times (18-week wait times)
- Cancer target performance (2 week waits)
- 4 hour A&E target
- Custom RAG statuses
What happens if you go bust?
PatientSource Ltd has been going strong for 5 years now. We have two large investment groups behind the company. We supply to healthcare organisations through Trustmarque who are a multi-billion GBP supplier of public sector IT solutions. We have full business continuity and code escrow arrangements with Trustmarque to ensure your service continues uninterrupted in the unlikely event that this happens.
My healthcare organisation is big with a budget of a few hundred million.
Wouldn't I be better speaking to someone big like IBM?
PatientSource is supplied through our partners Trustmarque, a division of Capita PLC. They have an annual turnover of £4.5bn, which is five times larger than the largest hospital operator organisation (in the UK). Trustmarque have over 25 years' experience of supplying IT to healthcare organisations including the NHS. You are contracting with Trustmarque when you deploy PatientSource.
The PatientSource IT infrastructure is provided and managed by our partners Microsoft. Microsoft have an annual turnover of £66 billion.
PatientSource instances are therefore supplied and managed by two very large organisations with a long history of providing IT to large healthcare organisations. The business risk in going with PatientSource is extremely low.
Can I get my patient data back out again?
Yes, at any time. Users at your health organisation who are authorised by you can extract patient data in the following ways:
- Automatically render to PDF
- In digital JSON or XML format via our API
- Direct database extract
We also offer bespoke data migration services both into and out from PatientSource.
Isn’t it safer to keep patient data on my premises?
No. Your patient data is almost certainly safer on properly certified and maintained cloud infrastructure than on-premises.
The May 2017 WannaCry outbreak which heavily affected over 40 NHS hospitals has demonstrated beyond reasonable doubt that healthcare organisations struggle to run properly secure IT environments. Many healthcare organisations have underinvested in their IT for years with the result that there are not enough in-house staff to keep their software and hardware up to date. When you have unreliable patching processes affecting your on-site networks and out of support software on your computers, it’s far better to store your mission-critical patient data elsewhere!
In 2012 a large hospital in the South of England was fined £325k when 252 of its hard drives containing readable patient data ended up for sale on eBay. The cause was lack of encryption at rest, insufficient physical security practices in their on-site data centre room and insecure data disposal practices. The hospital was not ISO27001 certified.
PatientSource was not affected by WannaCry because we maintain our virtual machines with a proactive patch cycle. We have undertaken full threat modelling and applied appropriate mitigations for all risks. We are also ISO27001 certified and use only ISO27001 certified data centres from Microsoft, ensuring that only authorised persons can access the physical machines under strict monitoring and auditing. We employ full encryption at rest with strict per-client key management. Microsoft digitally wipe all end of life hard drives before physically destroying them.
With PatientSource, all the maintenance, patching and security is done for you by people who specialise in doing it. We also work with your in-house IT teams to provide Knowledge Transfer, so they become fully skilled in managing their PatientSource Azure cloud server provisions, and their PatientSource instance configuration.
Which country will my patients’ data reside in if it’s on PatientSource?
By default, your patients’ data will stay within your country so long as we have Tier 4 ISO27001 certified cloud data centres available in that country. So data for UK healthcare organisations is kept in UK data centres.
PatientSource is deployed on Microsoft data centres operated by the subsidiary of Microsoft that is registered in your country.
Single tenancy PatientSource clients can therefore choose to have data stored in any one of the following countries:
- Europe (distributed across Ireland, Netherlands and Germany)
- Germany (T-Systems International GmbH)
- United Kingdom (distributed across England and Wales)
So PatientSource instances for UK sites are deployed in UK data centres, instances for German sites are deployed in German data centres etc. Our routing tests show that data moving between UK hospitals and UK data centres never leaves the UK.
Can PatientSource interface with on-site system X?
Very likely, yes. We already have HL7 interfaces which will work with many third party clinical systems.
Where we need to come up with something new, PatientSource Ltd employs some of the brightest software engineers who all graduated from the University of Cambridge. Our teams regularly undertake systems integration work for clients to get PatientSource talking to your third party systems.
Examples of interfaces we have achieved in real clinical environments:
- TIE / interoperability platforms (such as Mirth, Ensemble and Rhapsody)
- Automatic importing of blood test results the moment the results are announced by blood analysers.
- Real-time operating on top of legacy Patient Administration Systems and Patient Master Index systems.
- Automatic exporting of PatientSource data securely into a legacy PDF archiving system.
We don’t usually need the third party vendor’s assistance to do this, just API schema or permission to probe the third party system for tap points.
Why does PatientSource cost less than the big USA electronic medical record vendor systems?
The total cost of ownership of PatientSource is usually one sixth to one twentieth of the price of the legacy US vendor systems (Cerner, Epic etc). In other words, PatientSource costs six times less to twenty times less. The reasons for this are:
- We deploy on the cloud which is far cheaper than keeping an on-premises data centre going.
- We use agile software development methods, so our development and maintenance overheads are much smaller.
- PatientSource is deployed on tried and tested open source components (such as Python-Django), so there are no hidden third party software licence fees contributing to your bill.
- We use newer technologies such as HTML5, so you don’t have to buy any special devices to get up and running.
- We designed PatientSource to scale well from the start.
Why aren’t more hospitals using PatientSource?
The majority of hospitals in the world still use paper medical records. This is because technology in the healthcare industry generally lags behind the rest of the world by about 10-15 years. The world is also transitioning from on-site expensive systems to more secure and agile cloud solutions.
So we’re still a comparatively young company working in an industry where the idea of going paperless is still relatively new and where using the cloud is still relatively new.
In healthcare, Fear Uncertainty and Doubt keeps the paper status quo going well past its sell by date. Many hospitals are blind to their current risks and will put up with an enormous patient risk (such as medication errors in a quarter of their paper drugs charts) out of fear of a new tiny risk which would replace it (such as a 15 minute period of downtime of digital prescribing charts once in a year). Nevertheless, every month more and more healthcare providers are waking up to their existing risks and turning to PatientSource.
What programming language is PatientSource written in?
PatientSource is written mostly in Python using the Django Framework.
We chose Python-Django because it offers superior security over alternatives, and because we knew that data analytics and Artificial Intelligence were going to be a big part of PatientSource. Python is the preferred language of scientists so has more third party libraries devoted to data analysis and scientific applications than alternatives. Python also has extensive capability to interface with hardware and external feeds, which allows PatientSource to speak directly to external equipment such as laboratory blood analysers!
PatientSource is able to run on an open-source stack with full database abstraction allowing PatientSource to run on your choice of: PostgreSQL, MariaDB, MySQL, Oracle and Microsoft SQL Server.
The same packages (Python, Django, PostgreSQL, HTML5) are trusted and used by: gov.uk (UK Government), Police.uk, NASA, Instagram, Pinterest, Spotify, Reddit, Dropbox, The Washington Post.
What Security Measures does PatientSource employ?
Our partners, Microsoft, provide most of our security measures. We use a systematic iterative approach to security as recommended by industry specialist Bruce Schneier:
- We register our Data Assets
- We undertake Threat Modelling of credible internal and external threats
- We undertake Risk Stratification of the risk threats pose to our data assets
- We apply Risk Control Measures including Prevention, Detection, Response and Mitigation strategies for all significant risks
- We test and audit our risk control measures regularly
- We employ strict key management controls and key expiry to reduce the possibility of key misuse
- We repeat and update the security analysis exercise at least every 6 months
- We use Penetration Testing to discover any new vulnerabilities
- We have a proactive patching cycle with the ability to push patches every week and within 24 hours if a critical vulnerability exists
- We are ISO27001 certified, as are all data centre providers we use
Patient Data at Rest
Patient data is encrypted with AES256 using Microsoft's Azure database storage technology. There is a unique key per enterprise customer of PatientSource. We employ database activity monitoring and intrusion detection, coupled to a rapid response team.
Backups use hybrid encryption, with Elliptic Curve brainpoolP512 asymmetric keys used to encrypt a separate AES256 backup encryption key. Only the client possesses the relevant brainpoolP512 private key.
Patient Data in Transit
We use HTTPS (TLS1.2) with strong cipher suites employing Perfect Forward Secrecy. We employ user activity monitoring and full user access logging with intrusion detection alerts coupled to our rapid response team.
Passwords are stored as per-user salted hashes using PBKDF2 with 24,000 to 100,000 iterations. Our password policy is in line with recent NIST recommendations. We use a principle of "minimum entropy": as you set or change your password, it is examined on the client side for complexity, and must have sufficient bits of entropy to be accepted. This means you can choose a shorter string with a wide keyspace (numbers, symbols, mixed case letters), a longer letters-only password, or something in between, so long as the entropy is sufficient.
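The sketch below is an added example, not PatientSource's own code: it shows a keyspace-based minimum-entropy check and per-user salted PBKDF2 storage where records created at 24,000 iterations are flagged for re-hashing at 100,000 after a successful login. The 60-bit threshold, the SHA-256 digest, the record format and all function names are assumptions, and the check is written in Python here although the page describes it running on the client side.

```python
import hashlib
import hmac
import secrets
import string
from math import log2

MIN_ENTROPY_BITS = 60          # assumed threshold; the page does not state one
CURRENT_ITERATIONS = 100_000   # upper end of the page's 24,000-100,000 range
# Character pools and their sizes; anything else counts as a pool of 32 (assumed).
POOLS = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
         (string.digits, 10), (string.punctuation + " ", 33))
KNOWN = "".join(chars for chars, _ in POOLS)


def estimate_entropy_bits(password: str) -> float:
    """Keyspace estimate: length * log2(total size of the pools in use).

    This is an upper bound: it cannot tell a random string from a dictionary
    word, so pair it with a breached-password blocklist in practice.
    """
    pool = sum(size for chars, size in POOLS if any(c in chars for c in password))
    if any(c not in KNOWN for c in password):
        pool += 32
    return len(password) * log2(pool) if pool else 0.0


def is_acceptable(password: str) -> bool:
    return estimate_entropy_bits(password) >= MIN_ENTROPY_BITS


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh per-user salt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash) for a stored record."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations, salt, want = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, False          # malformed record: fail closed
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False, False
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    ok = hmac.compare_digest(got, want)
    # Records made at a lower work factor are upgraded after a successful login.
    return ok, ok and iterations < CURRENT_ITERATIONS


if __name__ == "__main__":
    legacy = hash_password("Tr7!kq#2Zp", iterations=24_000)   # constructed sample
    print(is_acceptable("password"), is_acceptable("Tr7!kq#2Zp"))
    print(verify_password("Tr7!kq#2Zp", legacy))
```

A server-side verifier should repeat the entropy check, since a client-side check alone can be bypassed by submitting the request directly.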