Digital Technology Assessment Criteria (DTAC)

NHS England’s Digital Technology Assessment Criteria for health and social care (DTAC) gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability and usability and accessibility standards. This page outlines Concentric Health’s conformance with the DTAC.

Last updated: 21st December 2023

Value proposition

Who is this product intended to be used for? Patients and clinical workforce.

What is the product designed to do and how is it used? Concentric is a digital consent to treatment (aka econsent) application that is used in place of traditional paper consent forms. Concentric supports clinicians and patients with evidence-based information that can be personalised to the individual. Consent information is made available to patients outside their consultation, including the ability to give consent remotely where appropriate.

What are the intended or proven benefits for users?

At a high level, the benefits for digital consent are outlined on our ‘Why switch to digital consent?’ page. The following are the intended or proven benefits:

• Consent process flexibility - Consent process becomes more flexible and adaptable to the needs of the individual and the system, including access over time, access from anywhere, and remote consent functionality through an intuitive application.

• Consent information personalisation - Consent information can be easily adapted and personalised to the individual.

• Integration delivering joined-up care - Integration of the consent process into other systems to deliver joined-up care, including (where available) a main electronic health record (EHR) and patient held record (PHR).

• Trusted content across all specialties - Standardised, evidence-based information and risk profiles across over 2,000 treatments to support use across the organisation as the default mechanism of consent. Trusted across multiple NHS and private sector organisations.

• Supporting best practice - Support in meeting best practice consent processes through visibility of process (e.g. rate of consent on the day of surgery), and nudges (e.g. personalisation of information and documenting personalised notes).

• Reduced clinical errors - Reduced risk of wrong site surgery and patient identification errors through legible consent PDFs.

• Accessible from anywhere - Cloud-based, integrated system meaning that the clinical consent record can be accessed and amended from anywhere without the need for complex paper logistics.

• Full audit trail, cryptographically secured - Full audit trail maintained and available for each consent episode, including any customisations, when information was shared, and when consent was given. Cryptography ensures that the audit trail cannot be tampered with and the state of the episode at each stage can be demonstrated.

• Advanced Electronic Signature - The patient signature recorded within Concentric is classed as an advanced electronic signature by eIDAS UK regulation and is fully admissible in a court of law.

• Improved clinician experience and wellbeing - Improved clinician experience of the consent process, including the ability to deal with complex clinical scenarios (e.g. combined procedures). Improved clinician wellbeing due to reduced clinical risk associated with the consent process.

• Saves clinicians time - Reduced consent process administration time due to integration with patient demographics, document storage, and user authentication, and an intuitive application with procedure-specific templates.

• Reduced day-of-surgery cancellations and delays - Increased completion of consent prior to the day of surgery (supported by remote consent) and improved visibility of the consent status within Concentric and the EHR reduces day of surgery delays and cancellations.

• Reduced medico-legal risk from lost forms - The risk of losing legal consent forms is removed with a digital process.

• Reduction to near zero use of paper for consent forms and information leaflets - Use of paper, both carbon-copy consent forms and paper information leaflets can be reduced, with paper copies printed only where necessary for a patient without digital access.

What are the user journeys when using the product?

• Our onboarding guide describes the user flow, and the different ways Concentric is used.
• Our information security page outlines the data flows between clinician, patient, Concentric, and the healthcare organisation’s other systems.

Technical questions

Clinical safety

Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes.

Please supply your clinical risk management plan: Incorporated within our clinical safety case report.

Please supply your Clinical Safety Case Report and Hazard Log:

• Clinical safety case report
• Clinical safety hazard log

Clinical Safety Officer (CSO) details: Dr Dafydd Loughran | GMC 7265351 | CSO training completed (NHS Digital)

Is the product registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? Not applicable, outside of the scope of the UK Medical Devices Regulations 2002.

Do you use or connect to any third party products? If yes please detail relevant Clinical risk management documentation.

Yes, the following are third-party products used to deliver the Concentric product. The clinical risks associated with each are considered as part of our clinical safety case report and clinical safety hazard log.

• Google Cloud Platform (cloud hosting). Google Cloud Platform data processing and security terms
• Postmark (patient and clinician emails). Postmark / Concentric Health data processing addendum
• Twilio (patient SMS). Twilio data processing addendum

Data protection

• Are you required to be registered with the Information Commissioner? No - as per ICO self-assessment questionnaire, as an organisation which is only a data processor, not a data controller, there is no expectation to be registered with the Information Commissioner (ICO).

• Do you have a nominated Data Protection Officer (DPO)? Yes - Martyn Loughran | CTO | Contact via our contact form

• Does your product have access to any personally identifiable data or NHS held patient data? Yes

• Please confirm you are compliant with the annual Data Security and Protection Toolkit Assessment. Confirmed - Concentric DSPT

• Please attach the Data Protection Impact Assessment (DPIA) relating to the product. Different integrations mean that organisations put in place slightly different DPIAs based on the data flows occurring within the organisation. This is the template DPIA used by deploying organisations.

• Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer. Confirmed

• Please confirm where you store and process data: For UK healthcare organisations Google Cloud Platform is used for cloud hosting (storage), within UK-based data-centres. Other third-party processing (Postmark and Twilio) may involve data processing outside of the UK, but all meet UK GDPR requirements in terms of cross-border transfer of data, assured via either Binding Corporate Rules (Twilio) or contractually as part of a data processing addendum (Postmark).

Technical security

Do you maintain Cyber Essentials Plus certification, and undertake annual external penetration testing? Yes, our policy is that both are undertaken between October and December of each year.

• Cyber Essentials Plus certificate

• Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12 month period.

  • Executive summary from Pen Test Partners Web Application Security Assessment conducted between the 12th and 18th December 2023:

  Introduction Concentric Health Limited (Concentric) required Pen Test Partners to conduct a web application assessment of their Concentric platform, an application which manages the consent flow between clinicians and patients for medical interventions. The testing was conducted in line with Pen Test Partners’ standard methodology which is based on the Open Web Application Security Project (OWASP) web application security guidelines.

  Key Findings During the assessment, no critical or high-risk vulnerabilities were identified in the application. The issues that have been discovered during the test could not be directly exploited to allow an attacker to access sensitive patient data or application functionality, either from an authenticated or unauthenticated perspective. Issues identified during previous assessments of the application have been resolved, indicating that the application is undergoing continual improvement of its security posture. Particular focus during this engagement was given to newly implemented features, including adjustable session timeouts per tenant, an NHS CIS2 Open ID Connect authentication flow, and a super admin role. All of these features were found to be well implemented and did not introduce vulnerabilities into the environment. As the application is multi-tenanted, and due to the sensitive data stored surrounding patient’s medical histories, particular focus was given to cross-tenant access. The horizontal access restrictions preventing cross-tenant attacks were found to be well implemented and robust, and no vector to access another organisation’s data was discovered. A single informational issue has been raised in the report relating to a lack of input validation in fields across the application. As a result, it was possible to embed payloads for vulnerabilities such as Cross-Site Scripting in numerous areas. Exploitation of this issue was not found to be possible, due to strong output filtering in all assessed areas of the application.

  Conclusion The Concentric application was found to be well secured from both an authenticated and unauthenticated perspective, with clear implementation of security best practice throughout. The main concern facing the application relates to disclosure of sensitive patient information to unauthorised parties, for which no attack vector was identified during the engagement. Concentric should continue to apply the security principles and best practices present within the application to any new features or functionality as they are developed.

• Please confirm whether all custom code had a security review: Yes, internal code review

• Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes

• Please confirm whether logging and reporting requirements have been clearly defined: Yes

• Please confirm whether the product has been load tested: Yes

Interoperability criteria

• Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes - details relating to our integrations, including FHIR integrations are found within this publicly available integration documentation.

• Do you use NHS number to identify patient record data? Yes

  • Is this done via NHS Login? No
  • If no, please set out the rationale, how your product establishes NHS number, and the associated security measures in place: Secure integrations are put in place between Concentric and the PAS database for the healthcare organisation, including search by NHS number where available. For patient access, a secure link is shared with the patient and authenticated with the patient’s date of birth. Read more about our authentication approach.

• Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability? Yes. Industry standard approaches for secure interoperability are preferred, such as FHIR APIs for patient demographics and document storage. Regarding data security in transit, web and API servers only allow requests made using TLS version 1.2 or above, which provides protection against snooping and man in the middle attacks on data. Non-HTTPS requests are denied by API servers.

• Is your product a wearable or device, or does it integrate with them? No

Usability and accessibility

Understand users and their needs in context of health and social care

• Do you engage users in the development of the product? Yes, in the following ways:

  • User research: Throughout development and live use, user research insights - both patient and clinician - have driven development decisions. An example of user research insights during early development of the product are described in this summary document.

  • Patient feedback: If wished by the healthcare organisation (as the data controller) a patient feedback survey is sent digitally to all patients following consent to get their feedback on experience, ease of use, quality of information, and areas for improvement. Approximately 55,000 patient feedback responses have been received since 2020 (average overall experience = 4.6/5). Patient feedback can also be shared within the application at any time.

  • Clinician feedback: Collected within the application and feedback survey sent out at intervals, asking for feedback on overall experience and areas for improvement.

  • Publications: The Concentric team, alongside academics, have published findings relating to the problems of traditional paper-based consent processes, and early work demonstrating the impact of introducing digital consent. Examples include:

    • Assessment of the introduction of semi-digital consent into surgical practice - BJS
    • Completion of hand-written surgical consent forms is frequently suboptimal and could be improved by using electronically generated, procedure-specific forms - Surgeon
    • Surgical consent: the world’s largest Chinese Whisper? A review of current surgical consent practices - BMJ Medical Ethics

  • Search data and analytics: Real world use of the product is monitored to guide improvements in product, content, and process. Examples include:

    • Consent statistics demonstrating use of ‘on the day’ consent, guiding quality improvement programmes.
    • Custom modifications to templates allowing content review based on real-world use.
    • ‘No treatment search results’ allowing addition of missing but required content.

Work towards solving a whole problem for users

• Are all key user journeys mapped to ensure that the whole user problem is solved or it is clear to users how it fits into their pathway or journey? Concentric has a clear role in the treatment pathway, with consent being a required step prior to undergoing invasive treatment. Clinicians initiate a Concentric episode for patients, and share the information with patients during or following a consultation. A system map was developed during development to ensure consideration of all key user journeys.

Make the service simple to use

• Do you undertake user acceptance testing to validate usability of the system? Patients are routinely asked post-consent for their feedback on the usability of the system. Quality assurance testing is undertaken on common browsers prior to each release (see our browser support policy for details. Concentric is a responsive web application with all functionality available across all screen sizes.

Make sure everyone can use the service

• Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Yes, most recent accessibility audit 4 Aug 2020. Published accessibility statement.

Miscellaneous

• Does your team contain multidisciplinary skills? Yes, the Concentric web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.

• Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.

• Do you continuously develop your product? Yes, continuous updates are released approximately every 2-4 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy - these are summarised in our release notes. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, understand user priorities.

• Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes, this can be found here.

• Does this product meet with NHS Cloud First Strategy? Yes. Concentric Health advocates a cloud first approach (all current deployments are cloud deployments).

• Are common components and patterns in use? Yes, common components such as the Common User Interface patient banner are used, and data patterns such as the FHIR patient demographic lookup. Integration with national infrastructure such as NHSmail login and the NHS FHIR PDS API (demographics search) are in place.

• Do you provide a Service Level Agreement to all customers purchasing the product? Yes, a service level agreement of 99.9% uptime or above is offered to all healthcare organisations.

• Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, uptime reporting is made available to customers. A template report is shown here.

• Average service availability for past 12 months: >99.95%. Status page with latest uptime data available at our statuspage.