Our Responses to the DTAC Questions
A. Company Information
A1 | Provide the name of your company
A2 | Provide the name of your product
A3 | Provide the type of product
A4 | Provide the name and job title of the individual who will be the key contact at your organisation
Rosie Davies, Account Manager
A5 | Provide the key contact's email address
A6 | Provide the key contact's phone number
+44 (0)1273 325136
A7 | Provide the registered address of your company
168 Church Road, Brighton BN3 2DL UK
A8 | In which country is your organisation registered?
A9 | If you have a Companies House registration in the UK please provide your number
A10 | If applicable, when was your last assessment from the Care Quality Commission (CQC)?
A11 | If applicable, provide your latest CQC report.
B. Value Proposition
B1 | Who is this product intended to be used for?
B2 | Provide a clear description of what the product is designed to do and of how it is expected to be used
Be Mindful is a web-based Mindfulness-based Cognitive Therapy (MBCT) course that guides participants through all the elements of MBCT in a minimum of 4 weeks. It is an asynchronous online course which can be followed on any internet connected device with a web-browser, including smart phones, tablets, laptops and computers.
B3 | Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated
The intended user benefits of the Be Mindful course are improvements in mental health with reductions in anxiety (GAD-7), depression (PHQ-9) and stress (PSS). These are achieved through mindfulness practice and cognitive behavioural approaches learnt throughout the course.
The effectiveness of the Be Mindful course is proven by published research studies in scientific journals. Studies validating user benefits are available on request.
B4 | Please attach one or more user journeys which were used in the development of this product. Where possible please also provide your data flows
Documentation of user journeys and data flows available on request.
C. Technical Questions
C1. Clinical Safety
Establishing that the product is clinically safe to use.
C1.1 | Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129?
C1.1.1 | Please detail your clinical risk management system
Clinical Risk Management System documentation available on request.
C1.1.2 | Please supply your Clinical Safety Case Report and Hazard Log
Clinical Safety Case Report and Hazard Log available on request.
C1.2 | Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details
John O’Dowd – Orthopaedic Spinal Surgeon GMC Registration reference number: 2601616
C1.3 | If your product falls within the UK Medical Devices Regulations 2002, is it registered with the Medicines and Healthcare products Regulatory Agency (MHRA)?
C1.3.1 | If yes, please provide your MHRA registration number
C1.3.2 | If the UK Medical Device Regulations 2002 are applicable, please provide your Declaration of Conformity and, if applicable, certificate of conformity issued by a Notified Body / UK Approved Body
C1.4 | Do you use or connect to any third-party products?
C1.4.1 | If yes, please attach relevant Clinical Risk Management documentation and conformity certificate
C2. Data Protection
Establishing that the product collects, stores and uses data (including personally identifiable data) compliantly.
C2.1 | If you are required to register with the Information Commissioner, please attach evidence of a current registration.
Evidence of registration with Information Commissioner is available on request.
C2.2 | Do you have a nominated Data Protection Officer (DPO)?
C2.2.1 | If you are required to have a nominated Data Protection Officer, please provide their name.
Willem Mulder, CTO
C2.3 | Does your product have access to any personally identifiable data or NHS held patient data?
C2.3.1 | Please confirm you are compliant (having standards met or exceeded status) with the annual Data Security and Protection Toolkit Assessment.
Yes, exceeded status.
C2.3.2 | Please attach the Data Protection Impact Assessment (DPIA) relating to the product.
DPIA available on request.
C2.4 | Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer (if one is in place) or an accountable officer where exempt in question C2.2.
C2.5 | Please confirm where you store and process data (including any third-party products your product uses)
C2.5.1 | If you process store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation
C3. Technical Security
Establishing that the product meets industry best practice security standards and that the product is stable.
C3.1 | Please attach your Cyber Essentials Certificate
Cyber Essentials Plus certificate available on request.
C3.2 | Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period.
Compliant external penetration test summary report available on request.
C3.3 | Please confirm whether all custom code had a security review.
C3.4 | Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)?
C3.5 | Please confirm whether logging and reporting requirements have been clearly defined.
C3.6 | Please confirm whether the product has been load tested
C4. Interoperability Criteria
Establishing how well the product exchanges data with other systems.
C4.1 | Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers?
C4.1.1 | If yes, please provide detail and evidence:
- The API’s (e.g., what they connect to) set out the healthcare standards of data interoperability e.g., Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR)
- Confirm that they follow Government Digital Services Open API Best Practice
- Confirm they are documented and freely available
- Third parties have reasonable access to connect
We expose a very basic public API - full access to and usage of this is only possible using one of three levels of secure access where applicable. It follows Government Digital Services Open API Best Practice and is fully-documented and freely available.
C4.2 | Do you use NHS number to identify patient record data?
C4.2.1 | If yes, please confirm whether it uses NHS Login to establish a user’s verified NHS number.
C4.3 | Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2)
C4.3.1 | If yes, please detail the standard
- SSL/TLS server certificates are Amazon issued, Public key: RSA 2048-bit, Signature algorithm: SHA256WITHRSA.
- Our AWS ELBs (Elastic Load Balancers) listen only for HTTPS connection requests.
- Elastic Load Balancing uses a security policy to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers that ensures that all data passed between the client and the load balancer is private. The ELBSecurityPolicy-2016-08 security policy is always used for backend connections. For front-end connections we selected AWS Load Balancer ELBSecurityPolicy-FS-1-2-Res-2019-08. This is the most re-strictive policy available. FS stands for Forward-Secrecy. This policy supports TLS 1.2 only and includes only ECDHE (PFS) and SHA256 or stronger (384) ciphers.
- ELBs do not support SSL renegotiation for client or target connections.
- We do NOT use oAuth.
C4.3.2 | If no, please state the reasons and mitigations, methodology and security measures.
C4.4 | Is your product a wearable or device, or does it integrate with them?
C4.4.1 | If yes, provide evidence of how it complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards.
D. Key Principles for Success
D1. Usability and Accessibility
Establishing that the product has followed best practice.
D1.1 | Understand users and their needs in context of health and social care
Do you engage users in the development of the product?
D1.1.1 | If yes or working towards it, how frequently do you consider user needs in your product development and what methods do you use to engage users and understand their needs?
User needs and preferences in regard to accessibility and ease-of-use were a key focus for the design and launch of the Mindfulness-based Cognitive Therapy (MBCT) digital course in 2011. Since then, we have actively promoted several different means to ensure users give feedback about their experience including web-based forms at the end of learning modules. This feedback over the years has led to improvements to the user interface and the engagement related content of the course.
D1.2 | Work towards solving a whole problem for users
Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey?
D1.2.1 | If yes or working towards it, please attach the user journeys and/or how the product fits into a user pathway or journey
User journeys and data flow documentation available on request.
D1.3 | Make the service simple to use
Do you undertake user acceptance testing to validate usability of the system?
D1.3.1 | If yes or working towards it, please attach information that demonstrates that user acceptance testing is in place to validate usability.
Documentation demonstrating user testing and usability validation is available on request.
D1.4 | Make sure everyone can use the service
Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant?
D1.4.1 | Provide a link to your published accessibility statement.
D1.5 | Create a team that includes multi-disciplinary skills and perspectives
Does your team contain multidisciplinary skills?
D1.6 | Use agile ways of working
Do you use agile ways of working to deliver your product?
D1.7 | Iterate and improve frequently
Do you continuously develop your product?
Yes – there is continuous development to improve user experience and engagement with the core therapeutic content.
D1.8 | Define what success looks like and be open about how your service is performing
Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking?
Yes. The Be Mindful course has been shown to effectively deliver all elements of MBCT and has achieved exceptional mental health outcomes for users, which are demonstrated in published research studies by leading academic institutions.
D1.9 | Choose the right tools and technology
Does this product meet with NHS Cloud First Strategy?
Yes - using AWS cloud
D1.9.1 | Does this product meet the NHS Internet First Policy?
D1.10 | Use and contribute to open standards, common components and patterns
Are common components and patterns in use?
D1.10.1 | If yes, which common components and patterns have been used?
D1.11 | Operate a reliable service
Do you provide a Service Level Agreement to all customers purchasing the product?
D1.12 | Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers?
D1.12.1 | Please attach a copy of the information provided to customers
Performance report information available on request.
D1.12.2 | Please provide your average service availability for the past 12 months, as a percentage to two decimal places
See Uptime Robot for service availability
Get in touch today to discuss your specific requirements and discover how Wellmind Health’s digital therapeutics can benefit the work of your organisation.