Healthcare-grade IT, designed by people who know what a clinical-safety case is
Private hospitals, clinics, dental groups, and life-sciences research organisations run on IT that touches patient data and clinical decisions. We run the cloud, identity, endpoints and network with the NHS DSPT, DCB 0129/0160 and US-equivalent HIPAA controls baked in — not bolted on after a near miss.
Speak to a healthcare specialist
What's at stake
NHS DSPT & clinical-safety
If you take NHS referrals or share data with NHS bodies, the Data Security and Protection Toolkit is your annual gate. DCB 0129 and DCB 0160 require named clinical-safety officers and documented hazard analysis. Your IT supplier can't be the gap.
PHI segmentation
Patient-identifiable data has to be ring-fenced from corporate IT, encrypted at rest and in transit, with access logged and reviewed. A leak isn't just a fine — it's a clinical-safety incident.
On-call you can ring at 02:00
Clinical software going down at 02:00 isn't a ticket — it's a patient-safety problem. You need a service desk that escalates to a human inside 15 min, regardless of the hour.
How we help
NHS DSPT submission support
We'll help you complete the annual DSPT submission, mapping our services to the assertions you're asked about (mandatory training, IG controls, asset register, incident response). Our evidence for those assertions is ready when you need it.
DCB 0129 / 0160 clinical-safety inputs
We provide the IT-supplier hazard analysis and clinical-safety case inputs your clinical safety officer needs. We're not the CSO — you are — but we won't leave you to fill in the IT side blind.
PHI segmentation & encryption
Network and identity-layer separation between clinical, research and corporate IT. Encryption at rest (AES-256) and in transit (TLS 1.3); customer-managed keys available. Access to PHI logged and reviewable per clinician, per session.
24×7 clinical-grade on-call
P1 incidents (clinical software down, PACS unavailable, EHR latency) get a 15-min response, 24×7. Direct escalation to an engineer who knows your stack — no 4-stage IVR menu at 02:00.
HIPAA Business Associate Agreements
If you have US affiliates handling US patient data, we sign a HIPAA BAA covering the controls your US compliance team needs to see. Equivalent control mappings to UK GDPR & DSPT documented.
Frameworks we map to
See /trust/ for the full controls-to-frameworks mapping.
Selected client work
Available on request
Healthcare client work
Detailed writeups are shared under NDA on a 30-minute discovery call. Published case studies are coming soon, with each named client's explicit sign-off.
Frequently asked questions
Are you registered for the NHS Data Security and Protection Toolkit?
DSPT registration is in progress (target September 2026). We can already supply evidence at the supplier level for the assertions in our scope, and we map our internal controls to the DSPT assertions so your DSPT submission can reference us. If you'd like an evidence walk-through ahead of your annual submission, we'll book one in.
How do you support DCB0129 / DCB0160 clinical-safety obligations?
We provide the IT-supplier inputs to your clinical-safety case: hazard log entries for changes that touch clinical workflow, mitigations we've applied, and an escalation path to a named individual at Vitalytics for clinical-safety-relevant incidents. Your CSO writes the clinical safety case; we don't pretend to. But the IT-supplier section is documented before the change goes live, not after.
How do you segment PHI, and what's your encryption-at-rest story?
PHI lives in dedicated network segments separate from corporate IT and research, with explicit allow-list traffic between them. Access via SSO with WebAuthn enforced. AES-256 at rest on all storage tiers, with customer-managed keys available on the Regulated tier (see /service-levels/). All access logged per clinician per session, log retention 7 years on immutable storage.
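As an added illustration of the two controls described above and under "PHI segmentation & encryption" (this is example code written for this page, not Vitalytics' configuration or tooling), the sketch below models a default-deny allow-list between the clinical, research and corporate segments and a minimal per-clinician, per-session PHI access record. The segment address ranges, the allow rules, the sample flows and the identifier formats are all constructed assumptions.

```python
"""Constructed example: default-deny segment allow-list plus a per-clinician,
per-session PHI access log entry. Address plans, rules and flows are assumed
for illustration and are not any provider's real configuration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan for the three segments (constructed values).
SEGMENTS = {
    "clinical": ip_network("10.10.0.0/16"),
    "research": ip_network("10.20.0.0/16"),
    "corporate": ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    port: int
    proto: str = "tcp"


# Explicit allow-list between segments; any flow not listed here is dropped.
ALLOW_RULES: Tuple[Rule, ...] = (
    Rule("corporate", "clinical", 443),   # corporate desktops reach the EHR web front-end over TLS
    Rule("clinical", "clinical", 5432),   # EHR application tier to its database, inside the segment
)


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """Default deny: only a flow matching an explicit allow rule is permitted."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space can never match an allow rule
    return Rule(src, dst, port, proto) in ALLOW_RULES


def evaluate_flows(flows: List[Tuple[str, str, int, str]]) -> List[Tuple[str, str, int, str, str]]:
    """Label each flow ALLOW or DENY; the DENY rows are what an allow-list review looks at."""
    return [(s, d, p, pr, "ALLOW" if is_allowed(s, d, p, pr) else "DENY") for s, d, p, pr in flows]


# Constructed sample flows, including ones the policy must refuse.
SAMPLE_FLOWS = [
    ("10.30.5.21", "10.10.1.10", 443, "tcp"),   # corporate desktop -> EHR web front-end
    ("10.10.1.10", "10.10.2.5", 5432, "tcp"),   # EHR app -> EHR database
    ("10.20.7.3", "10.10.2.5", 5432, "tcp"),    # research host -> clinical database: denied
    ("10.30.5.21", "10.10.2.5", 445, "tcp"),    # corporate desktop -> SMB on the DB host: denied
    ("192.168.1.9", "10.10.1.10", 443, "tcp"),  # address in no known segment: denied
]

# Fields every PHI access record must carry so access is reviewable per clinician, per session.
REQUIRED_FIELDS = ("ts", "clinician_id", "session_id", "patient_ref", "action")


def phi_access_entry(clinician_id: str, session_id: str, patient_ref: str, action: str,
                     when: Optional[datetime] = None) -> dict:
    """Build one audit-log entry: who, in which SSO session, touched which record, doing what, when."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return {"ts": ts, "clinician_id": clinician_id, "session_id": session_id,
            "patient_ref": patient_ref, "action": action}


def entry_is_complete(entry: dict) -> bool:
    """Reject log entries that would not let a reviewer attribute access to a person and a session."""
    return all(entry.get(f) for f in REQUIRED_FIELDS)


if __name__ == "__main__":
    for row in evaluate_flows(SAMPLE_FLOWS):
        print(*row)
    print(phi_access_entry("clin-0421", "sess-9f3a", "MRN-000123", "view"))
```

The point of the flow table is that a research host reaching the clinical database is refused even though the port is one the clinical tier legitimately uses: the allow rule is keyed on source segment as well as destination and port, so research-to-clinical traffic needs its own explicit entry before it can pass.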
What's your on-call cover for clinical-grade incidents?
P1 (clinical software down, PACS unavailable, EHR latency, theatre IT outage) gets a 15-min initial human response, 24×7. Direct escalation to an engineer who already knows your stack — no IVR menu, no "please open a ticket". We've handled live theatre IT outages mid-procedure; we know the answer is the response, not the documentation.
For US affiliates, do you sign a HIPAA Business Associate Agreement?
Yes. We have a standard BAA covering Vitalytics as a Business Associate to your US covered entity, including the required HIPAA Security Rule administrative, physical and technical safeguards. We can map our UK controls to HIPAA section by section so your US compliance team has a single document to review. We're not US-incorporated, so consult your counsel on whether that's acceptable for your specific use case.
Speak to a healthcare specialist
30-minute discovery call. No slide deck — we'll ask about your auditor, your incumbent supplier, and what would change if your IT actually understood your sector.
Book a consultation