Skip to content

Example: Medwick Healthcare Trust -- MyMedwick Patient Portal

About This Example

This is a fictional but realistic Solution Architecture Document for Medwick Healthcare Trust’s MyMedwick Patient Portal. It demonstrates the Architecture Description Standard at Comprehensive depth for a Tier 1 Critical clinical system governed by MediCore clinical safety standards and UK data protection law. Every section is completed with realistic content showing what a mature, well-documented SAD looks like for a Trust-class solution where patient harm is a credible risk.

Fictional organisation: Medwick Healthcare Trust – a mid-sized national-health-service-style hospital trust, approximately 12,000 staff, serving 800,000 patients across three acute sites and a network of community clinics. Fictional solution: MyMedwick Patient Portal – a web and mobile application providing outpatient appointment management, test results, letters, and prescription management to patients, integrated with the Trust’s Electronic Patient Record (EPR), the MediCore Spine, and MediCore e-Referral Service.


Field Value
Document Title Solution Architecture Document – MyMedwick Patient Portal
Application / Solution Name MyMedwick Patient Portal
Application ID MHT-APP-0208
Author(s) Dr Raj Doe (Solution Architect, Digital Clinical Systems)
Owner Dr Raj Doe
Version 2.0
Status Approved
Created Date 2025-02-10
Last Updated 2026-03-28
Classification Confidential – Healthcare
Version Date Author / Editor Description of Change
0.1 2025-02-10 Dr Raj Doe Initial draft with executive summary, scope, and logical view
0.2 2025-03-04 Dr Raj Doe Added physical view, data view, integration with EPR and Spine
0.3 2025-03-25 Jane Bloggs Information security review feedback incorporated
0.4 2025-04-08 Dr Amir Doe Clinical safety review; Hazard Log reference added (CS-129/0160)
0.5 2025-04-22 Sally Bloggs Information Governance review; DPIA and CS-160 status incorporated
1.0 2025-05-14 Dr Raj Doe First approved version following Design Authority and CSG sign-off
1.1 2025-09-02 Dr Raj Doe Added GP Connect integration (Phase 2 – appointment availability)
1.2 2025-11-19 Dr Raj Doe Updated following annual DSPT submission and MediCore Digital assurance review
2.0 2026-03-28 Dr Raj Doe Major revision: Azure AD B2C for patient auth (ADR-003 superseded), SMS fallback redesign, updated clinical safety case v3
Name Role Contribution Type
Dr Raj Doe Solution Architect (clinical background – former ICU consultant) Author
Dr Amir Doe Clinical Safety Officer (CSO) – consultant haematologist Author / Approver
Sally Bloggs Information Governance (IG) Lead & Data Protection Officer Author / Approver
Jane Bloggs Chief Information Security Officer (CISO) Reviewer / Approver
Mark Doe Principal Infrastructure Engineer (Azure Landing Zones) Reviewer
Priya Bloggs Data Architect (MediCore healthcare data standards, FHIR R4) Reviewer
Tom Doe Head of Service Management (ITIL) Reviewer
Helen Bloggs Caldicott Guardian (Medical Director) Approver
Dr Fiona Doe Chief Clinical Information Officer (CCIO) Approver
Robert Bloggs Chief Digital Information Officer (CDIO) Approver
Nisha Doe Director of Patient Experience Reviewer
Paul Bloggs Senior Responsible Officer (SRO) / Deputy CEO Approver
Design Authority (Medwick) Architecture Review Board (chaired by Robert Bloggs) Approver

This SAD describes the architecture of MyMedwick, Medwick Healthcare Trust’s patient-facing digital service. The portal gives patients secure, self-service access to their outpatient appointments, clinic letters, test results, and repeat prescription requests. It reduces clinic DNA (Did Not Attend) rates, eases the administrative burden on outpatient booking teams, and supports the Trust’s commitment to the MediCore National Digital Health Plan objective of digital-first patient access.

In scope:

  • MyMedwick web application (React) and mobile applications (iOS, Android)
  • Azure landing zone resources in UK South (primary) and UK West (DR)
  • Integration with Trust EPR (Cerner Millennium), Pharmacy (JAC), Pathology (Clinisys WinPath), PACS (GE Centricity)
  • Integration with MediCore Spine (PDS, SCR), MediCore e-Referral Service, GP Connect (appointment availability only)
  • Patient identity (Azure AD B2C) and clinician identity (MediCore CIS)
  • Azure Communication Services SMS and email (appointment reminders, OTP, notifications)
  • Clinical safety case (CS-129) and deployment safety case (CS-160)
  • Operational tooling: Microsoft Sentinel, Azure Monitor, App Insights

Out of scope:

  • Trust EPR (Cerner Millennium) internals – documented in SAD MHT-APP-0010
  • Clinician-facing EPR workflows – out of scope for patient portal
  • Medicines prescribing decisions (handled by EPR and JAC; MyMedwick only surfaces prescriptions issued by clinicians)
  • Video consultation platform (SAD MHT-APP-0157, Attend Anywhere)
  • Staff SharePoint intranet and non-clinical systems

Related documents:

  • Trust Digital & Data Strategy 2024-2029 (STRAT-DDS-2024)
  • Medwick Information Security Policy (MHT-SEC-POL-001)
  • Medwick Clinical Risk Management Policy (MHT-CRM-POL-003)
  • CS-129 Hazard Log – MyMedwick (MHT-HAZ-LOG-0208)
  • CS-160 Deployment Safety Case – MyMedwick (MHT-DSC-0208)
  • MediCore Data Security & Protection Toolkit Submission 2025/26 (Organisation Code: RX9)

MyMedwick is a web and mobile patient portal that gives patients of Medwick Healthcare Trust secure, real-time access to their outpatient care. Patients can view and reschedule appointments, read clinic letters, see pathology and radiology results released by their clinical team, request repeat prescriptions, update contact preferences, and opt in or out of SMS reminders.

The solution is built on Microsoft Azure (UK South primary, UK West DR) using a layered architecture: React single-page application for the web front end; Ionic/Capacitor hybrid mobile apps; .NET 8 microservices behind Azure API Management; Azure SQL for portal-owned data; and an integration layer that exposes and consumes FHIR R4 APIs against the Trust EPR, the MediCore Spine, and the MediCore e-Referral Service. Patient identity is provided by Azure AD B2C with MediCore-compatible identity proofing; clinician identity (for staff administration functions) is provided by MediCore CIS.

Clinical safety has been assessed under CS-129 (manufacturer) and CS-160 (deployment). A Clinical Safety Officer (Dr Amir Doe) has signed off the clinical safety case; the Hazard Log is actively maintained. The service is included in Medwick’s annual Data Security and Protection Toolkit (DSPT) submission.

Driver Description Priority
MediCore National Digital Health Plan – digital-first patient access National commitment for every patient to have digital access to their outpatient records, appointments and prescriptions Critical
Reduce outpatient DNA rate Trust DNA rate for outpatient appointments is 9.4% (national benchmark 6.7%); target reduction of 2 percentage points through self-service rescheduling and SMS reminders High
Reduce call centre burden Outpatient booking team handles approximately 3,200 calls/day, of which 62% are appointment enquiries resolvable via self-service High
Improve patient experience and CQC Well-Led evidence Patient survey satisfaction with appointment communications at 58%; target improvement to greater than 75% High
Replace ageing patient portal (Patient Knows Best pilot) Existing PKB pilot covers only 40,000 patients, lacks mobile app, and contract expires 2026-Q3 High
Support ICS-wide digital front door objective Align with Medwick Integrated Care System (MICS) digital strategy for a unified patient-facing channel Medium
Question Response
Which organisational strategy or initiative does this solution support? Trust Digital & Data Strategy 2024-2029, Priority 2: Empowering Patients; Priority 4: Reducing Unwarranted Variation
Has this solution been reviewed against the organisation’s capability model? Yes – mapped to Patient Digital Engagement, Identity & Access (Patient), Clinical Messaging, and Records Access capabilities
Does this solution duplicate any existing capability? Partially – supersedes the Patient Knows Best pilot (being decommissioned); complements (does not replace) Attend Anywhere video consultation platform
Capability Shared Service / Platform Reused? Justification (if not reused)
Patient Identity MediCore login (national service) No Evaluated in ADR-003; rejected in favour of Azure AD B2C due to Trust control over identity proofing journey, faster enrolment, and ability to federate MediCore login as an external IdP later if required
Clinician Identity MediCore CIS (Clinician Identity Service) Yes Mandatory for MediCore staff accessing patient-identifiable data; used for admin / service desk functions
Spine Integration MediCore Spine (PDS, SCR) via TLS-MA Yes National service, mandatory for Patient Demographic Service lookups
e-Referral MediCore e-Referral Service (e-RS) Yes National service, mandatory for outpatient referral lifecycle
SMS / Email Azure Communication Services (ACS) Yes Trust has enterprise Azure agreement; ACS supports UK data residency
Secure Email MediCoreMail Yes Used for clinical correspondence notifications where appropriate
SIEM Microsoft Sentinel (Trust tenant) Yes Corporate SIEM
CI/CD Azure DevOps Yes Trust standard
Secrets Azure Key Vault Yes Trust standard
EPR Cerner Millennium (Oracle Health) Yes Authoritative record of clinical care
  • MyMedwick React web application (responsive) hosted on Azure App Service
  • iOS and Android mobile applications (Ionic + Capacitor) published via Apple App Store and Google Play
  • Backend-for-Frontend (BFF) and domain microservices on Azure App Service (Linux, .NET 8)
  • Azure API Management (external and internal products) with WAF (Azure Front Door Premium)
  • Azure SQL Database for portal-owned state (preferences, consent, sessions)
  • Azure Service Bus for asynchronous notification and integration events
  • FHIR R4 facade microservice integrating EPR (Cerner Millennium HL7v2 + FHIR), PACS, Pathology, and Pharmacy
  • Integration with MediCore Spine via national healthcare secure network/Message Exchange for Social Care and Health (MESH) and TLS-MA
  • Azure AD B2C for patient identity (custom policies, MFA, step-up for sensitive actions)
  • MediCore CIS for clinician identity (service desk admin)
  • Azure Communication Services for SMS and email (appointment reminders, OTP, notifications)
  • Microsoft Sentinel SIEM integration and Azure Monitor/App Insights observability
  • Clinical safety (CS-129/CS-160) artefacts and Hazard Log
  • Annual DSPT submission content relating to this service
  • Trust EPR (Cerner Millennium) clinical workflows and configuration (SAD MHT-APP-0010)
  • Prescribing decision logic (handled by JAC / EPR)
  • Attend Anywhere video consultation platform (SAD MHT-APP-0157)
  • Non-patient-facing data warehouse and BI reporting (SAD MHT-APP-0055)
  • Direct GP system integration beyond GP Connect appointment availability (Phase 2 descope; Phase 3 candidate)
  • MediCore Spine PDS / SCR availability and interface versions
  • MediCore CIS availability for clinician authentication
  • MediCore e-Referral Service API availability and version
  • Cerner Millennium HL7v2 and FHIR interface availability
  • Azure UK South and UK West regional availability

The Trust currently offers limited digital patient access:

  • A Patient Knows Best (PKB) pilot covering ~40,000 patients across renal and diabetes services, providing records access only (no appointment management, no prescriptions). PKB is contracted until 2026-Q3.
  • A text reminder service (commercial SMS gateway, Firetext) sending appointment reminders two days before appointment. This has no patient interaction – patients cannot confirm, cancel, or reschedule from the SMS.
  • An online appointment cancellation form (SharePoint-based) which posts to a shared mailbox and is manually processed by the booking office during working hours.

Key limitations of the as-is:

  • No unified patient-facing portal; patients must telephone the booking office for all changes
  • No mobile app; PKB web app is not usable on mobile
  • DNA rate 9.4% (above national benchmark of 6.7%)
  • Approximately 62% of booking office calls are resolvable by self-service
  • No surfacing of test results to patients; results are conveyed by letter (typically 2-3 week delay) or phone call
  • Patient Knows Best contract ends 2026-Q3 – mandatory replacement

What is being retained: Cerner Millennium EPR (authoritative clinical record); MediCore Spine and e-RS integrations (reused via new FHIR facade); MediCoreMail; MediCore CIS. What is being replaced: Patient Knows Best pilot (decommissioned 2026-Q3); Firetext SMS (replaced by Azure Communication Services); SharePoint cancellation form. What is being decommissioned: PKB integration, Firetext contract, SharePoint appointment cancellation form – all after 3-month parallel run.

Decision / Constraint Rationale Impact
Microsoft Azure as hosting platform Trust enterprise Azure agreement; Azure UK South/West provide sovereign UK data residency; ISO/IEC 27018 assurance for cloud PII; NCSC/MediCore Authority pattern alignment All infrastructure on Azure; no AWS or GCP
All data (including PII and clinical data) in UK regions UK GDPR, MediCore Data Security & Protection Toolkit, and Caldicott Principle 7 (data sharing) UK South primary, UK West DR; no data replication outside UK
FHIR R4 as the canonical clinical data contract MediCore Authority interoperability standards and forward compatibility with ICS-wide data sharing FHIR facade microservice required; HL7v2 from EPR translated to FHIR
Azure AD B2C for patient identity (not MediCore login) Trust control over identity proofing, enrolment UX, and MFA policy; MediCore login can be added as federated IdP in a later phase Custom B2C policies to be maintained; explicit ADR (ADR-003)
CS-129 and CS-160 clinical safety compliance mandatory MediCore Digital’s mandatory clinical safety standards for any health IT system with clinical impact Clinical Safety Officer required; Hazard Log maintained; deployment safety case signed before go-live
Two-factor authentication required for all patients UK GDPR Article 32 and MediCore CIS assurance equivalence SMS OTP (default), TOTP authenticator (advanced); step-up MFA for prescription requests
Field Value
Project Name MyMedwick Patient Portal
Project Code / ID PROJ-0208
Project Manager Claire Bloggs
Senior Responsible Officer (SRO) Paul Bloggs (Deputy CEO)
Estimated Solution Cost (Capex) GBP 1,450,000 over 2 years (discovery, alpha, beta, live)
Estimated Solution Cost (Opex) GBP 420,000 per annum (hosting, licences, support, clinical safety maintenance)
Target Go-Live Date Public beta: 2025-05-14 (achieved); general availability: 2025-11-04 (achieved); Phase 2 (GP Connect): 2025-09-02 (achieved); Phase 3 (results summary dashboards): 2026-Q3

Selected criticality: Tier 1: Critical

Justification: MyMedwick is a Tier 1 Critical clinical system because failure modes include potential patient harm:

  • Clinical safety: Incorrect results display, mis-identification of a patient’s record, or silent failure of appointment reminders could contribute to patient harm (missed appointment for time-sensitive oncology follow-up; acting on wrong results). Clinical risk assessed and documented in the Hazard Log (MHT-HAZ-LOG-0208).
  • Service continuity: At steady state, MyMedwick is the primary digital channel for ~280,000 enrolled patients. Extended outage would substantially increase call centre load (projected x3.5 call volume within 24 hours of outage).
  • Regulatory exposure: A confidentiality breach of patient data would require ICO notification within 72 hours (UK GDPR Art 33) and trigger mandatory reporting under the MediCore DSPT.
  • Reputational: Patient trust and Trust Board reputation sensitivity is high; CQC Well-Led and Responsive domains reference digital access.
  • Financial impact: Not the primary driver, but DNA reduction target (2 pp) represents ~GBP 1.8m/year of recovered clinic capacity.

Stakeholder Role / Group Key Concerns Relevant Views
Paul Bloggs SRO / Deputy CEO Strategic alignment, benefit realisation, political and regulatory risk Executive Summary, Governance
Robert Bloggs CDIO Architecture alignment, Azure strategy, cost, assurance All views
Dr Fiona Doe CCIO Clinical workflow alignment, clinical risk, clinician adoption (admin users) Logical, Data, Security, Scenarios
Dr Amir Doe Clinical Safety Officer Clinical safety (CS-129/0160), Hazard Log, clinical risk controls Security, Data, Scenarios, Lifecycle
Helen Bloggs Caldicott Guardian Information governance, Caldicott Principles, patient confidentiality Security, Data, Governance
Sally Bloggs IG Lead / DPO UK GDPR, DPIA, DSPT, ROPA, consent, subject access Data, Security, Governance
Jane Bloggs CISO Threat model, UK GDPR Art 32 controls, DSPT, Cyber Essentials Plus Security, Physical
Dr Raj Doe Solution Architect Design integrity, clinical usability, standards compliance, interoperability All views
Mark Doe Principal Infrastructure Engineer Azure landing zone, network, resilience, DR Physical, Reliability
Priya Bloggs Data Architect FHIR conformance, data classification, sovereignty, retention Data, Integration
Tom Doe Head of Service Management Operability, incident response, ITIL processes Operational Excellence, Lifecycle
Nisha Doe Director of Patient Experience Accessibility (WCAG 2.2 AA), digital inclusion, patient usability Scenarios, Quality Attributes
Clinical safety panel (CSG) Multi-disciplinary panel chaired by Dr Fiona Doe Clinical risk review, Hazard Log, deployment approvals Security, Scenarios, Governance
Patient Participation Group (PPG) Patient representatives Usability, trust, transparency, accessibility Scenarios
Booking office team (operational) Outpatient booking team leader Call volume reduction, admin exception handling Scenarios, Operational Excellence
ICO (external) Information Commissioner’s Office UK GDPR, ICO registration ZA123456 Data, Security, Governance
MediCore Authority (external) Digital policy and assurance Interoperability, DSPT, CS-129/0160 conformance, DSCRO Data, Security, Governance
MHRA (external, watching brief) Medicines and Healthcare products Regulatory Agency Whether the portal meets criteria for a medical device (assessed – no, not a clinical decision-support tool) Security, Governance
Patients (end users) Registered enrolled patients Usability, trust, accuracy, accessibility, privacy Scenarios, Integration, Security
Clinical teams Outpatient clinicians (secondary users via EPR) Data accuracy, results release workflow, not introducing additional admin Integration, Data, Scenarios
Concern Stakeholder(s) Addressed In
Clinical safety – risk of patient harm from system failure or misuse Dr Amir Doe, Dr Fiona Doe, Helen Bloggs, CSG 1.8, 3.5, 3.6, 4.2, 5.1, 5.2, 6.3, 6.8
Patient confidentiality and UK GDPR compliance Sally Bloggs, Helen Bloggs, Jane Bloggs, ICO 3.4, 3.5, 6.8
MediCore Data Security & Protection Toolkit (DSPT) conformance Sally Bloggs, Jane Bloggs, MediCore Authority 3.5, 6.8
Clinical data accuracy and interoperability (FHIR R4, HL7v2) Priya Bloggs, Dr Fiona Doe, Dr Amir Doe 3.2, 3.4, 3.6
Patient identity assurance (preventing misidentification) Sally Bloggs, Helen Bloggs, Dr Amir Doe 3.5, 3.6 (UC-04)
Availability and DR (clinical continuity) Tom Doe, Mark Doe, Dr Fiona Doe 4.2
SMS delivery failure for appointment reminders Dr Amir Doe, Tom Doe 3.2, 4.2, 6.3
GP system integration failure (GP Connect) Priya Bloggs, Tom Doe 3.2, 4.2, 6.3
Accessibility (WCAG 2.2 AA, digital inclusion) Nisha Doe, PPG 3.6, 4.3
Cost and benefit realisation Paul Bloggs, Robert Bloggs, Finance 4.4
Cyber security (ransomware, credential stuffing, denial of service) Jane Bloggs 3.5, 6.3
Operational support model and ITIL alignment Tom Doe 5.5
Regulation / Standard Applicability Impact on Design
UK GDPR & Data Protection Act 2018 Mandatory – processes special category personal data (health) Lawful basis (Art 6(1)(e), Art 9(2)(h)); DPIA completed; data minimisation; right of access/erasure/rectification; data residency UK
MediCore Data Security & Protection Toolkit (DSPT) 2025/26 Mandatory – annual submission; status Standards Met 10 DSPT assertions applicable; evidence mapped; submitted 2025-06-30
CS-129 – Clinical Risk Management: Manufacturer Mandatory for health IT systems with clinical impact Clinical Safety Officer (Dr Amir Doe) appointed; Clinical Safety Case v3 approved; Hazard Log maintained
CS-160 – Clinical Risk Management: Deployment Mandatory for deploying health IT in health / social care settings Deployment Safety Case signed off by Trust CSO before each major release
Common Law Duty of Confidentiality Mandatory – Caldicott Principles Caldicott Guardian (Helen Bloggs) approval required for data uses; explicit patient consent for SMS
Human Medicines Regulations 2012 Applicable – prescription request surfacing Portal does not prescribe; only surfaces prescriptions issued in EPR/JAC. No clinical decision support.
MHRA – Medical Device assessment Assessed – not a medical device (no diagnosis/treatment/prevention function) Assessment documented; reviewed annually
Accessibility Regulations 2018 (public sector body) Mandatory WCAG 2.2 Level AA conformance; annual accessibility statement published
MediCore Authority Interoperability Standards Mandatory for new health IT FHIR R4 for external clinical APIs; National Patient ID as primary identifier
ICO registration Mandatory Registered (ZA123456); Data Protection Officer: Sally Bloggs
Cyber Essentials Plus Trust certified annually Inherits Trust certification; additional controls evidenced
ISO/IEC 27001 Trust-wide ISMS Solution included in statement of applicability
  • Yes – processes special category personal data (health) under UK GDPR Article 9. Not a regulated medical device (formally assessed). Subject to MediCore-specific clinical safety standards (CS-129 manufacturer, CS-160 deployment).
Standard Version Applicability
MediCore Data Security & Protection Toolkit 2025/26 All sections – security, IG, training, incident reporting
CS-129 Clinical Risk Management (Manufacturer) 2018 Security, Scenarios, Lifecycle – Hazard Log, clinical safety case
CS-160 Clinical Risk Management (Deployment) 2018 Lifecycle, Governance – deployment safety case
MediCore Authority Interoperability Standards 2025 Integration – FHIR R4, HL7v2 transition path
WCAG 2.2 Level AA Scenarios, Performance – accessibility
NCSC Cloud Security Principles 14 principles Physical, Security
MediCore Authority Data Protection Impact Assessment Framework 2024 Data, Security
ISO/IEC 27018 2019 Data, Security – Azure’s assurance for cloud PII

graph TD
  Patient[Patient - Web / iOS / Android] --> FD[Azure Front Door + WAF]
  Clinician[Service Desk Admin - MediCore CIS] --> FD
  FD --> APIM[Azure API Management]
  APIM --> BFF[Patient BFF]
  APIM --> AdminAPI[Admin API]
  BFF --> Apt[Appointments Service]
  BFF --> Results[Results Service]
  BFF --> Rx[Prescriptions Service]
  BFF --> Pref[Preferences Service]
  Apt --> SQL[Azure SQL - Portal DB]
  Results --> SQL
  Rx --> SQL
  Pref --> SQL
  Apt --> SB[Azure Service Bus]
  Results --> SB
  Rx --> SB
  SB --> Notif[Notification Service]
  Notif --> ACS[Azure Communication Services - SMS / Email]
  SB --> Audit[Audit Sink - ADLS Gen2]
  Apt --> FHIR[FHIR Facade]
  Results --> FHIR
  Rx --> FHIR
  FHIR --> EPR[Cerner EPR - HL7v2 / FHIR]
  FHIR --> Spine[MediCore Spine PDS / SCR]
  FHIR --> eRS[MediCore e-Referral]
  FHIR --> GPC[GP Connect - Appointments]
  FHIR --> Path[Pathology - WinPath]
  FHIR --> PACS[PACS - GE Centricity]
  BFF --> B2C[Azure AD B2C]
  AdminAPI --> CIS2[MediCore CIS]
Component Type Description Technology Owner
Web App Web Application Responsive patient web front end React 18 + TypeScript on Azure App Service (Linux) behind Front Door Digital Product Team
iOS App Mobile Application Native-feel hybrid iOS app Ionic 8 + Capacitor 6 (Swift plugins for biometric unlock) Digital Product Team
Android App Mobile Application Native-feel hybrid Android app Ionic 8 + Capacitor 6 (Kotlin plugins for biometric unlock) Digital Product Team
Patient BFF API Service Backend-for-Frontend – aggregates downstream services for each patient session .NET 8 on Azure App Service (Linux, Premium v3) Digital Product Team
Admin API API Service Service desk administrative endpoints (read-only patient enrolment lookups, suspend account) .NET 8 on Azure App Service Digital Product Team
Appointments Service API Service Reads appointment lists, enables reschedule/cancel; integrates with EPR and e-RS .NET 8 on Azure App Service Digital Product Team
Results Service API Service Reads pathology, radiology results released by clinical team; enforces results release rules .NET 8 on Azure App Service Digital Product Team
Prescriptions Service API Service Displays active prescriptions and repeat request workflow .NET 8 on Azure App Service Digital Product Team
Preferences Service API Service Patient contact preferences, consent, SMS opt-in, notification settings .NET 8 on Azure App Service Digital Product Team
FHIR Facade Backend Service Canonical FHIR R4 adapter in front of EPR (HL7v2), Pathology, PACS, Spine, e-RS, GP Connect .NET 8 with Firely .NET SDK; HL7v2-to-FHIR mapping Integration Team
Notification Service Backend Service Consumes Service Bus events; drives SMS/email via ACS with retry and delivery receipt tracking .NET 8 Azure Functions (Premium plan) Integration Team
Audit Sink Batch Job Persists structured audit events to immutable ADLS Gen2 (7-year retention) and forwards to Sentinel Azure Functions + Azure Data Lake Storage Gen2 Platform Team
Portal DB Database Patient preferences, consent, SMS opt-in, session and step-up MFA state, enrolment records Azure SQL Database (Business Critical, Zone Redundant) Platform Team
Azure Service Bus Message Broker Async events: appointment changes, new results available, prescription status, audit Azure Service Bus Premium (Zone Redundant) Platform Team
Azure API Management Gateway External API product (Front Door origin) and internal product for partner integration APIM Premium (UK South + UK West regions) Platform Team
Azure Front Door + WAF Gateway / Load Balancer Global edge entry, TLS 1.3 termination, WAF (OWASP Core Rule Set 3.2), DDoS Standard Azure Front Door Premium Platform Team
Patient IdP Gateway (identity) Azure AD B2C with custom policies; MFA (SMS OTP default, TOTP optional); step-up MFA Azure AD B2C (UK tenant) Security Team
Clinician IdP Gateway (identity) MediCore CIS OIDC for staff service desk admin functions MediCore CIS (external national service) Security Team
Service ID Service Name Capability ID Capability Name
SVC-01 Appointments Service CAP-APPT Patient Appointment Self-Service
SVC-02 Results Service CAP-RSLT Patient Results Access
SVC-03 Prescriptions Service CAP-PRX Repeat Prescription Request
SVC-04 Preferences Service CAP-PREF Patient Contact Preferences
SVC-05 FHIR Facade CAP-INT Clinical System Interoperability
SVC-06 Notification Service CAP-NTF Patient Digital Notifications
Application Name Application ID Impact Type Change Details Comments
Cerner Millennium EPR MHT-APP-0010 Use Consume HL7v2 ADT/ORM/ORU feeds; consume Cerner FHIR R4 for patient and appointment read; no changes to EPR configuration Read-only from portal perspective
JAC Pharmacy MHT-APP-0012 Use Consume repeat prescription status; post request to JAC queue Existing HL7v2 interface extended
Clinisys WinPath (Pathology) MHT-APP-0045 Use Consume ORU results messages via FHIR facade Existing feed
GE Centricity (PACS) MHT-APP-0067 Use Consume imaging availability metadata (report text; images not shown to patients in this phase) Phase 3 candidate for image thumbnails
Patient Knows Best (PKB) MHT-APP-0180 Decommission Retire after 3-month parallel run; contract ends 2026-Q3 Migration of 40,000 PKB enrolled patients
Firetext SMS MHT-APP-0142 Decommission Replaced by Azure Communication Services
MediCore Spine External Use PDS for patient demographic verification; SCR not directly consumed Via national healthcare secure network
MediCore e-Referral Service External Use Read UBRN, appointment slots, worklists
GP Connect (Appointments) External Use Phase 2 – read GP appointment availability for cross-care navigation Limited to appointment availability in this phase
Microsoft Sentinel MHT-APP-0099 Use Receive security events Existing SIEM
Pattern Where Applied Rationale
Backend-for-Frontend (BFF) Patient BFF aggregates downstream services for the web/mobile clients Limits data exposure; reduces client chattiness over mobile networks; simplifies front-end security
API Gateway Azure API Management + Front Door Centralised TLS termination, authentication enforcement, rate limiting, JWT validation, request shaping
Facade FHIR Facade in front of legacy HL7v2 / proprietary interfaces Presents a single, standards-aligned (FHIR R4) contract to downstream services; isolates legacy change
Event-Driven (pub/sub) Service Bus topics for appointments, results, prescriptions, audit Decouples notifications and audit from the synchronous request path; absorbs downstream variability
Circuit Breaker FHIR Facade integration to EPR, Spine, GP Connect Prevents cascade failure when downstream systems degrade (Polly library)
Retry with Exponential Back-off Notification Service (SMS delivery), FHIR Facade outbound calls Tolerates transient failures, especially for critical SMS reminders
Outbox Appointments/Results/Prescriptions Services writing integration events Ensures at-least-once delivery of integration events alongside SQL transactions
Idempotent Consumer Notification and audit consumers Handles duplicate delivery from Service Bus without double-notifying patients
Defence in Depth Front Door WAF, APIM policies, pod-level input validation, field-level encryption UK GDPR Art 32 and NCSC Cloud Security Principle 4
Cache-Aside Appointments read caching (short TTL, 60s) via Azure Cache for Redis Reduces load on EPR for heavy read scenarios

3.1.6 Technology & Vendor Lock-in Assessment

Section titled “3.1.6 Technology & Vendor Lock-in Assessment”
Component / Service Vendor / Technology Lock-in Level Mitigation Portability Notes
Azure App Service Microsoft Azure Moderate Apps are standard .NET 8 containers; deployable to Kubernetes or any container host Container image portable (ACR to any registry)
Azure SQL Database Microsoft Azure (SQL Server) Moderate Standard T-SQL; no Always Encrypted-specific SKUs; bacpac export Portable to managed SQL Server elsewhere
Azure API Management Microsoft Azure Moderate OpenAPI specs portable; policies XML-based (specific to APIM) Policies would need re-authoring for Kong/Apigee
Azure Front Door + WAF Microsoft Azure Moderate Managed service; DNS-based switchover possible WAF ruleset would need re-authoring
Azure AD B2C Microsoft Azure High Custom policies deeply integrated Exit to Keycloak/Auth0 would be substantial (6 months)
Azure Service Bus Microsoft Azure Low AMQP 1.0 standard; portable to RabbitMQ, ActiveMQ, ASB on-prem Low effort
Azure Functions Microsoft Azure Moderate Isolated worker pattern portable as containers; HTTP triggers standard Timer triggers would need replacement
Azure Monitor / App Insights Microsoft Azure Moderate OpenTelemetry used in services; dashboards Azure-specific Telemetry exportable
Microsoft Sentinel Microsoft Azure High Analytics rules Sentinel-specific High effort; mitigated by SIEM being a Trust-wide service
Azure Communication Services Microsoft Azure Moderate Standard SMS/email APIs; portable to GOV.UK Notify or Twilio Provider swap evaluated and tested as a fallback pattern (see 4.2.4)
Azure Data Lake Storage Gen2 Microsoft Azure Low Standard HDFS-compatible object storage Portable to any S3/ADLS-compatible store
Question Response
Caching to avoid recomputation Yes — Azure Front Door + CDN cache static assets at the edge (~92% cache hit rate); Azure Cache for Redis (Premium) for session state, API response caching for the patient portal (TTL 60s for non-PII reference data). Spine demographic look-ups cached for the duration of a patient session.
Batch processes consolidated rather than continuously polling Yes — appointment reminder generation runs as nightly batch (00:30 UTC) rather than per-event; PDS demographic refresh runs weekly per cohort, not on every login; clinical-letter ingestion via webhook from EPR rather than polling.
Async / event-driven patterns to flatten peak load Yes — Service Bus + Azure Functions for SMS/email dispatch, EPR sync, audit log shipping. Consumer functions auto-scale on queue depth; capacity returns to zero at idle.
Heavy framework choices weighed against lighter alternatives Considered — .NET 8 / ASP.NET Core retained for the patient portal API (existing Trust skill, AOT compilation reduces start time and memory). Azure Functions Isolated Worker selected over in-process; chosen for clearer dependency isolation and a smaller memory footprint per invocation.

graph LR
  Patient[Patient Device] -- TLS 1.3 --> FD[Front Door + WAF]
  FD --> APIM[APIM]
  APIM -- OAuth2 JWT --> BFF[Patient BFF]
  BFF --> Svc[Domain Services]
  Svc --> SQL[Azure SQL]
  Svc -- async --> SB[Service Bus]
  SB --> Notif[Notification Service]
  Notif --> ACS[ACS SMS / Email]
  Svc --> FHIR[FHIR Facade]
  FHIR -- HL7v2 over VPN --> EPR[Cerner EPR]
  FHIR -- TLS-MA over national healthcare secure network --> Spine[MediCore Spine]
  FHIR -- TLS over national healthcare secure network --> eRS[e-RS]
  FHIR -- TLS + MediCore CIS --> GPC[GP Connect]
  SB -- audit --> Audit[ADLS Gen2 Audit]
  Audit --> Sentinel[Microsoft Sentinel]
Source Component Destination Component Protocol / Encryption Authentication Method Purpose
Web / Mobile App Azure Front Door HTTPS / TLS 1.3 None (client) Patient entry point
Front Door Azure API Management HTTPS / TLS 1.3 (Private Link) mTLS (Front Door-managed cert) Origin routing
API Management Patient BFF HTTPS / TLS 1.3 (VNet integration) Managed Identity Route BFF traffic
API Management Admin API HTTPS / TLS 1.3 (VNet integration) Managed Identity Route admin traffic
Patient BFF Appointments/Results/Prescriptions/Preferences Services HTTPS / TLS 1.3 (Private Endpoint) Managed Identity (AAD tokens) Service composition
Domain Services Azure SQL TDS / TLS 1.3 (Private Endpoint) Managed Identity (AAD) Portal data read/write
Domain Services Azure Service Bus AMQP 1.0 / TLS 1.3 (Private Endpoint) Managed Identity Event publication
Notification Service Service Bus AMQP 1.0 / TLS 1.3 Managed Identity Event consumption
Notification Service Azure Communication Services HTTPS / TLS 1.3 Managed Identity (Entra ID) Send SMS / Email
Notification Service Azure Key Vault HTTPS / TLS 1.3 (Private Endpoint) Managed Identity Retrieve ACS endpoint secrets / connection strings
Patient BFF Azure AD B2C HTTPS / TLS 1.3 OIDC authorization code + PKCE Patient authentication / token exchange
Admin API MediCore CIS HTTPS / TLS 1.3 OIDC authorization code Clinician authentication
FHIR Facade Azure Cache for Redis TLS 1.3 (Private Endpoint) Managed Identity Short-TTL read cache
Domain Services App Insights HTTPS / TLS 1.3 Instrumentation key (Key Vault) Telemetry
Audit Sink ADLS Gen2 HTTPS / TLS 1.3 (Private Endpoint) Managed Identity Append audit blobs (immutable, WORM)
Audit Sink Microsoft Sentinel HTTPS / TLS 1.3 Managed Identity Forward security events
Source Application Destination Application Protocol / Encryption Authentication Security Proxy Purpose
Patient web/mobile app Azure Front Door HTTPS / TLS 1.3 Azure AD B2C JWT (per request) Front Door WAF, Azure DDoS Standard All patient traffic
FHIR Facade Cerner Millennium HL7v2 listener MLLP over IPsec VPN Network-layer auth + service account Trust internal firewall HL7v2 ADT/ORM/ORU (legacy interfaces)
FHIR Facade Cerner Millennium FHIR R4 HTTPS / TLS 1.3 OAuth 2.0 client credentials Trust internal firewall Patient/Appointment FHIR reads
FHIR Facade MediCore Spine (PDS) HTTPS / TLS 1.2-MA Mutual TLS with Spine certificate Spine Core via national healthcare secure network Patient demographic lookups
FHIR Facade MediCore e-Referral Service HTTPS / TLS 1.2 OAuth 2.0 + MediCore Digital assurance key national healthcare secure network Outpatient referral reads
FHIR Facade GP Connect (Appointments) HTTPS / TLS 1.2 JWT + MediCore CIS organisation certificate national healthcare secure network Cross-organisation appointment availability (Phase 2)
Notification Service Azure Communication Services (SMS / Email) HTTPS / TLS 1.3 Managed Identity Private Endpoint Appointment reminders, OTP delivery, notifications
Service Desk Clinician Admin Portal (Admin API) HTTPS / TLS 1.3 MediCore CIS OIDC + MFA (smart card or FIDO2) Front Door WAF Read-only enrolment lookups, account suspension
Microsoft Sentinel Azure AD B2C / App Insights / ADLS Gen2 Azure diagnostic settings Managed Identity Azure-internal Security analytics and alerting
Patient web/mobile app Microsoft Intune (for MDM-managed Trust devices only) HTTPS / TLS 1.3 Intune-managed N/A Managed device posture (corporate-issued devices only)
User Type Access Method Authentication Protocol
Patient (web) Responsive web app Azure AD B2C (OIDC) + MFA (SMS OTP default / TOTP) HTTPS / TLS 1.3
Patient (mobile) iOS / Android app Azure AD B2C (OIDC, refresh token rotation) + biometric unlock HTTPS / TLS 1.3
Service desk admin (clinician) Admin portal (responsive web) MediCore CIS (OIDC) + smart card or FIDO2 HTTPS / TLS 1.3
Operations / SRE Azure Portal + Bastion Entra ID SSO + conditional access + PAM (Just-in-Time elevation) HTTPS / TLS 1.3, SSH over Bastion
API / Interface Type Direction Format Version Documentation
MyMedwick Patient API REST (FHIR-aligned where applicable) Exposed JSON v1.2 Internal developer portal (APIM)
MyMedwick Admin API REST Exposed JSON v1.0 Internal developer portal
Cerner Millennium FHIR R4 REST (FHIR R4) Consumed JSON (FHIR) R4 Cerner vendor docs
Cerner Millennium HL7v2 MLLP Consumed HL7v2.5 pipe-delimited 2.5 Trust integration wiki
MediCore Spine PDS REST / SOAP Consumed XML / JSON 3.0 MediCore Digital developer portal
MediCore e-Referral Service REST Consumed JSON (FHIR R4) v2 MediCore Digital developer portal
GP Connect Appointments REST (FHIR STU3) Consumed JSON (FHIR STU3) STU3 v1.4 MediCore Digital developer portal
WinPath Pathology HL7v2 / MLLP Consumed HL7v2.5 2.5 Clinisys docs
Azure Communication Services REST Consumed JSON 2023-08 Microsoft docs
MediCore CIS OIDC REST (OIDC) Consumed JSON OIDC 1.0 MediCore Digital developer portal

graph TD
  DNS[Trust DNS] --> FD[Azure Front Door Premium + WAF]
  FD --> APIM1[APIM - UK South]
  FD --> APIM2[APIM - UK West DR]
  subgraph UKS[Azure UK South - Primary]
      APIM1 --> AppSvc[App Service Environment v3]
      AppSvc --> SQL1[Azure SQL BC Zone Redundant]
      AppSvc --> SB1[Service Bus Premium ZR]
      AppSvc --> Redis1[Azure Cache for Redis Premium]
      AppSvc --> KV1[Key Vault - UK South]
      AppSvc --> ADLS1[ADLS Gen2 - UK South]
      AppSvc --> PE[Private Endpoints]
      AppSvc --> B2C[Azure AD B2C UK Tenant]
  end
  subgraph UKW[Azure UK West - DR]
      APIM2 --> AppSvc2[App Service - Warm Standby]
      AppSvc2 --> SQL2[Azure SQL - Failover Group]
      AppSvc2 --> SB2[Service Bus - Geo-DR]
      AppSvc2 --> KV2[Key Vault - UK West]
  end
  SQL1 -- Auto Failover Group --> SQL2
  SB1 -- Geo-DR Pairing --> SB2
  ADLS1 -- GRS / RA-GRS --> ADLS2[ADLS Gen2 - UK West]
  AppSvc -. HL7v2 over IPsec VPN .-> EPR[Cerner EPR - Trust Data Centre]
  AppSvc -. TLS-MA via secure network .-> SecNet[National Healthcare Secure Network]
  SecNet --> Spine[MediCore Spine]
  SecNet --> eRS[MediCore e-Referral]
Attribute Selection
Hosting Venue Type Public cloud (Azure) with national healthcare secure network connectivity to MediCore national services
Hosting Region(s) UK South (primary – London), UK West (DR – Cardiff)
Service Model PaaS (App Service, Azure SQL, Service Bus, APIM, Functions) and SaaS (Azure Communication Services, Front Door, Sentinel)
Cloud Provider Microsoft Azure
Account / Subscription Type Medwick Healthcare Trust Enterprise Agreement – dedicated “mymedwick-prod” subscription; separate subscriptions per environment
Landing Zone Pattern Medwick ALZ (Azure Landing Zone) – MediCore Authority-aligned, hub-and-spoke with platform hub (shared connectivity, shared services) and workload spoke
Data residency All data (primary, DR, backups, logs) in UK regions only – UK South and UK West. Enforced by Azure Policy “Allowed Locations”.
Attribute Detail
Compute Type PaaS – Azure App Service (Linux, Premium v3) and Azure Functions (Premium plan)
App Service Plan P2v3 (2 vCPU, 8 GB RAM) per service, 2 instances (scale-out to 10 via autoscale) in Production
Functions Plan Premium EP2 for Notification Service and Audit Sink
Runtime .NET 8 (LTS)
Web Application Hosting Azure App Service (Linux) with per-service slots for blue/green deployment
Mobile Build Ionic + Capacitor; iOS signed via Apple Developer Enterprise account; Android signed via Google Play console
Isolation Dedicated App Service Environment v3 (ASEv3) for all production services; VNet-integrated; zone redundant
  • Microsoft Defender for Cloud – enabled across the subscription (Defender for App Service, SQL, Storage, Key Vault, Containers)
  • Microsoft Defender for Endpoint – on all admin jump boxes (via Intune)
  • Microsoft Sentinel – SIEM / SOAR
  • Azure Policy – enforces NCSC / MediCore / Medwick baselines
  • Microsoft Purview – data classification and sensitivity labels on Azure SQL
  • Vulnerability scanning (Defender for Cloud built-in + OWASP ZAP in CI)
Question Response
Is this an Internet-facing application? Yes – Front Door is the only public entry point; APIM is not public (Private Link only)
Outbound Internet connectivity required? Limited – only via Private Endpoints and Azure-managed egress. Outbound to ACS, B2C, Apple/Google push services via Managed Firewall allow-list
Cloud-to-on-premises connectivity required? Yes – IPsec VPN + ExpressRoute (1 Gbps) to Trust core data centre for Cerner EPR HL7v2 and ancillary systems
Wireless networking required? No (within Azure); Trust-site wireless is used by Trust devices and is out of scope here
Third-party / co-location connectivity required? No – all MediCore national services via national healthcare secure network; no private co-location links
national healthcare secure network connectivity required? Yes – dedicated national healthcare secure network CN-SP link for MediCore Spine, e-Referral Service, and GP Connect
Attribute Selection
User access method Web (HTTPS), mobile app (HTTPS)
User locations Patients – Internet, primarily UK, occasional overseas
Administrator access method Azure Bastion for VM/jump-box access (rare); Azure Portal via Entra ID + MFA + conditional access + PIM for privileged roles
VPN required No for patients; administrators use conditional access (no VPN)
ExpressRoute / VPN Yes – ExpressRoute (UK South) + IPsec VPN backup to Trust on-premises for EPR
Protocol Used? Purpose
HTTPS (TLS 1.2+) Yes All patient, clinician, and service traffic – TLS 1.3 enforced where possible, TLS 1.2 minimum
MLLP over IPsec Yes HL7v2 from Cerner EPR (legacy, encrypted over private VPN)
AMQP 1.0 Yes Azure Service Bus
SFTP No N/A
TCP (other) Yes Redis protocol (6380, TLS) within VNet
WebSocket No N/A
Metric Value
Peak egress bandwidth to Internet 400 Mb/s (projected Year 3)
Peak ingress bandwidth from Internet 150 Mb/s
Peak bandwidth between on-prem and cloud (EPR) 250 Mb/s (over 1 Gbps ExpressRoute)
Peak national healthcare secure network bandwidth 50 Mb/s (Spine, e-RS, GP Connect combined)
Traffic characteristics Daily peaks 07:30-09:00 (appointment reminder windows) and 18:00-20:00 (after-work access); weekend slow
Latency requirements Patient-perceived TTFB < 300ms P95
Control Implemented Detail
DDoS Protection Yes Azure DDoS Standard on the VNet; Front Door absorbs volumetric attacks at edge
Rate Limiting Yes APIM rate limit policies (per subscription key and per user); Front Door WAF rate-based rules
Source IP Restrictions Yes Admin portal: geo-blocked outside UK + allow-list for Trust IPs; patient portal: no IP restriction (open)
Web Application Firewall (WAF) Yes Front Door Premium WAF with OWASP Core Rule Set 3.2, bot manager, custom rules (National Patient ID format, block common path traversal)
Client Verification Controls Yes Patient JWTs from Azure AD B2C bound to session, short-lived (30 min access token, 8h refresh with rotation)
File Upload Protection Limited Only repeat prescription note field accepts text (no file upload)
Environment Description Count & Venue Compute Solution
Development Individual developer environments using shared dev subscription 1 x Azure UK South App Service Basic tier, Azure SQL General Purpose (small)
Test / QA Automated integration and regression testing 1 x Azure UK South App Service Standard S2, SQL GP, synthetic data only
Staging / Pre-Production Production-mirror for UAT, clinical safety testing, accessibility testing 1 x Azure UK South App Service P1v3, SQL Business Critical (smaller), masked production-like data
Training Clinical training environment for service desk staff 1 x Azure UK South Shared with Staging compute, separate SQL (synthetic)
Production Live service 1 x Azure UK South (3 zones), DR in UK West ASEv3, App Service P2v3, SQL BC Zone Redundant, Service Bus Premium
DR Warm standby 1 x Azure UK West App Service P1v3 (scaled up during failover), SQL Auto-Failover Group secondary
  • No – production and non-production environments live in separate Azure subscriptions with no VNet peering. Promotion is via Azure DevOps pipelines only. Production data is never copied to non-production; masked synthetic data is used.

Patients use their own devices (BYOD). Minimum supported platforms:

  • Web: last two major versions of Chrome, Edge, Safari, Firefox; WCAG 2.2 AA conformance
  • iOS: 16.0+ (aligned with Apple support lifecycle)
  • Android: 11.0+ (API level 30)

Trust service desk staff use Intune-managed Windows laptops for administrative functions.

Not applicable – no IoT devices are part of this solution. Trust Internet-of-Things programmes (e.g., remote vital signs monitoring) are separate initiatives.

Question Response
Hosting region chosen for low carbon intensity Azure UK South (London) primary and UK West (Cardiff) DR — chosen for data residency and MediCore DSPT requirements. Microsoft has committed to 100% renewable energy matching across UK regions by 2025. UK West’s published grid mix is on average cleaner than UK South.
Non-production environments auto-shutdown Yes — non-prod App Service plans scaled-in 19:00-07:00 weekdays + weekends via Azure Automation; non-prod Azure SQL auto-paused after 1 hour idle. Estimated saving £800/month (referenced in 4.5).
Compute family chosen for performance-per-watt Yes — Premium v3 (Pv3) App Service plan SKUs throughout; Microsoft published data shows ~25% better performance-per-watt than Pv2 with faster warm-up. ADLS Gen2 uses latest-generation Microsoft hardware.
Auto-scaling configured to release capacity when idle Yes — App Service Plan auto-scale: scale-out at >70% CPU 10 min, scale-in at <30% CPU 20 min. Azure Functions consumption plan scales to zero between bursts.
DR strategy proportionate to recovery objective Active-passive (warm) with Azure SQL geo-replica + ADLS Gen2 RA-GRS + App Service in UK West deployed via IaC on failover. RTO 4 hours, RPO 15 minutes meets clinical-safety RTO. Hot active-active rejected: would have doubled compute footprint without RTO benefit beyond what’s clinically required.

Data Name Store Technology Authoritative? Retention Period Data Size Classification Personal Data? Special Category? Encryption Level Key Management
Patient enrolment records (National Patient ID, portal user ID mapping, verification evidence references) Azure SQL Yes Life + 8 years (Records Management Code of Practice) 5 GB Restricted Yes Yes (health status inferred) TDE + Always Encrypted (deterministic on National Patient ID) Customer-managed key (HSM-backed)
Patient preferences (contact, consent, SMS opt-in) Azure SQL Yes Life + 8 years 1 GB Restricted Yes Partial TDE + Always Encrypted Customer-managed key
Appointment cache (read-through cache from EPR) Azure SQL + Redis No (EPR authoritative) 30 days rolling 20 GB Restricted Yes Yes TDE (SQL); in-memory TLS (Redis) Customer-managed key
Results metadata (result ID, released flag, view timestamps) Azure SQL Yes (for view tracking); No (result content in EPR) 8 years 15 GB Restricted Yes Yes TDE + Always Encrypted Customer-managed key
Session state / MFA state Azure SQL Yes 24 hours less than 1 GB Restricted Yes No TDE Customer-managed key
Audit log ADLS Gen2 (WORM immutable) Yes 7 years (DSPT / MediCore Records Management) 150 GB / year Restricted Yes Yes Azure Storage SSE + immutable blob policy Customer-managed key
Application logs (PII-redacted) Log Analytics (Sentinel workspace) No 2 years (hot) + 5 years (archive) 80 GB / year Internal No (redaction enforced) No Azure Storage SSE Microsoft-managed
Integration event store (Service Bus messages) Azure Service Bus Transient 14 days max less than 10 GB Restricted Yes Yes Service Bus encryption (TLS + at-rest) Customer-managed key
Attribute Detail
Storage Product Azure SQL Database (Business Critical, Zone Redundant), Azure Data Lake Storage Gen2, Azure Cache for Redis (Premium)
Storage Size SQL: 500 GB provisioned (Business Critical); ADLS Gen2: estimated 1.5 TB over 7 years; Redis: 6 GB
Replication SQL: zone-redundant + geo-failover group to UK West; ADLS: RA-GRS to UK West; Redis: not replicated (cache only)
Minimum RPO 5 minutes (SQL geo-failover group asynchronous)
Classification Level Data Types Handling Requirements
Public Public-facing documentation, accessibility statement Open access
Internal Redacted application logs, infrastructure metrics, aggregated usage statistics Trust access controls
Restricted (Official-Sensitive) All patient-identifiable data, enrolment records, preferences, audit logs referencing patients, clinical messages Encrypted at rest (TDE + Always Encrypted for PII fields) and in transit (TLS 1.3); access-controlled (RBAC + PIM); audited; 7-year audit retention

MediCore healthcare data classification: All patient-identifiable data is “Official-Sensitive” with the MediCore handling caveat “PERSONAL”. The Caldicott Principles are applied to every data use.

Stage Description Controls
Creation / Ingestion Patient enrolment (self-service with National Patient ID + PDS verification); clinical data read-through from EPR via FHIR facade; no primary clinical data created in portal PDS demographics match; National Patient ID validation (Modulus 11); consent captured and logged
Processing Domain services resolve each request against EPR / Spine in real time, applying results release rules and consent checks Every patient data access logged with National Patient ID, user session, and purpose; Caldicott justification coded per access type
Storage Portal-owned data in Azure SQL (TDE + Always Encrypted); immutable audit logs in ADLS Gen2 Customer-managed keys in Azure Key Vault (HSM); automated daily backups; geo-redundant for audit
Sharing / Transfer To MediCore Spine (TLS-MA), to e-RS, to GP Connect (Phase 2), to ACS (patient contact details for SMS/email delivery only); no third-country transfer Data minimisation – only send what is required; DPIA DPIA-2025-004 assesses each flow
Archival Audit log transitions from hot (1 year) to cool (years 2-7) in ADLS lifecycle policy; SQL archival is application-level (mark as archived) Lifecycle policies, WORM immutability on audit container (7-year legal hold)
Deletion / Purging On patient request (UK GDPR Art 17 with MediCore records caveats) or at end of retention; pseudo-anonymised research aggregates may be retained Data Retention Committee approves; tombstone records preserved for audit trail integrity
Assessment Type ID Status Link
DPIA DPIA-2025-004 Completed, approved by DPO (Sally Bloggs) and Caldicott Guardian (Helen Bloggs) Trust IG Library: /ig/dpia-2025-004
DPIA – GP Connect extension (Phase 2) DPIA-2025-018 Completed Trust IG Library: /ig/dpia-2025-018
Transfer Risk Assessment N/A No data transferred outside UK
Approach Selected
Sensitive data is masked (describe method below) [x]

Production data is never copied into non-production environments. Staging uses a masked dataset derived from EPR test data where all National Patient IDs, names, addresses, dates of birth, and contact details are replaced by realistic synthetic values using a deterministic tokenisation approach. Referential integrity (appointment-to-patient, result-to-patient) is preserved using the tokens. Approved by IG Lead (2025-04-08).

  • Yes – structural integrity enforced via Azure SQL constraints; clinical data integrity enforced by reading through to the EPR (the authoritative source) for any decision-relevant values; hash verification on audit log blobs (ADLS append-blob with content MD5).
  • Patient identity integrity is an explicit Hazard Log hazard (HAZ-04 – see 3.6) and is mitigated by PDS demographic verification on every enrolment and on any change to patient demographics.
  • Minimal – no clinical data stored on patient devices. Mobile apps persist an encrypted refresh token in device secure storage (iOS Keychain / Android Keystore). Biometric unlock gates access. Apps enforce no-screenshot on sensitive screens (iOS only; Android best-effort via FLAG_SECURE).
Destination Data Type Classification Transfer Method Protection
MediCore Spine (PDS) National Patient ID, demographic query Restricted TLS-MA over national healthcare secure network Mutual TLS with Spine-issued certificate; minimum data for lookup
MediCore e-Referral Service Patient UBRN, appointment references Restricted HTTPS over national healthcare secure network OAuth 2.0; MediCore Digital assurance key
GP Connect Patient National Patient ID for appointment availability (Phase 2) Restricted HTTPS over national healthcare secure network JWT + CIS2 organisation certificate
Microsoft Azure Communication Services (subprocessor) Patient mobile number / email (ephemeral at time of send) Restricted HTTPS / TLS 1.3 Microsoft is contracted subprocessor under Trust enterprise agreement; UK region only; subject to Microsoft Online Services DPA
Microsoft Sentinel (Trust internal SIEM) Pseudonymised security events Internal Azure diagnostic settings Internal Trust service
  • Yes – all customer data (PII and clinical data) remains within the United Kingdom. Primary in UK South (London); DR in UK West (Cardiff). Azure Policy “Allowed Locations” rejects any resource deployment outside UK. ACS SMS / email uses UK region endpoints. The Microsoft Online Services DPA, combined with Microsoft’s UK data residency commitments for ACS and Azure SQL, is assessed as adequate for UK GDPR purposes. Any future third-country transfer would require a Transfer Risk Assessment (TRA) and Standard Contractual Clauses.
Question Response
Retention periods minimised to regulator + business need Yes — patient identifiable data retained per MediCore Records Management Code 2021 (ranges 8 years for adult outpatient records to lifetime+8 for some categories); audit logs 25 years (MediCore DSPT requirement); session data ≤ 24 hours. ADLS Gen2 lifecycle policies enforce automatic expiry; no “indefinite” retention.
Older data tiered to cold/archive storage Yes — ADLS Gen2 lifecycle: Hot for current year, Cool for years 2-3, Archive for years 4+. Azure SQL longer-term retention (LTR) backups stored in cool tier. ~70% of historical data in Cool/Archive.
Unused or duplicate replicas Single Azure SQL primary + 1 DR geo-replica; no read replicas (the application is light-read for individual patients). Quarterly review of storage accounts via Azure Advisor recommendations.
Compression applied Brotli on HTTPS responses (~70% reduction on FHIR JSON payloads); gzip on audit log uploads to ADLS; FHIR resources are stored compressed in cold tiers.
Cross-region replication justified Azure SQL geo-replica required by clinical-safety RTO. ADLS GRS chosen over LRS specifically to support DR; LRS would not have met the RPO. No cross-region replication outside UK regions.
Large data transfers off-peak Nightly EPR ingest 02:00-04:00 UTC; weekly Spine batch reconciliation Saturday 03:00 UTC. Both align with low UK grid carbon intensity.

Question Response
Does the solution support regulated activities? Yes – processes special category personal data (health). Subject to CS-129/0160 clinical safety standards. Not a medical device (assessed).
Is the solution SaaS or third-party hosted? No – hosted on Azure (IaaS/PaaS) by the Trust; Microsoft is the cloud provider (subprocessor)
Has a third-party risk assessment been completed? Yes – Microsoft Azure: MHT-TRA-2024-001 (approved); Cerner (EPR vendor): MHT-TRA-2023-007 (approved); ACS: inherits Microsoft TRA
Impact Category Business Impact if Compromised
Confidentiality Critical – exposure of patient records would breach UK GDPR, require ICO notification within 72 hours, and cause lasting loss of patient trust; potential fines up to 4% of Trust turnover
Integrity Critical – incorrect display of results or appointments could contribute to patient harm (missed appointment, acting on wrong result) – see Hazard Log HAZ-02, HAZ-03, HAZ-04
Availability High – extended outage would increase booking office load ~3.5x and may delay access to clinical information; not life-critical because EPR and clinical services remain available
Non-Repudiation High – inability to prove a patient’s consent or a specific action (cancellation, prescription request) would undermine clinical and legal accountability

A STRIDE-based threat model was conducted (MHT-TM-2025-008). Healthcare-specific threats are highlighted.

STRIDE Threat Attack Vector Likelihood Impact Mitigation
Spoofing Attacker impersonates patient to view records Credential stuffing from other-site breaches; SIM-swap to intercept SMS OTP Medium Critical Azure AD B2C + MFA (SMS OTP default; TOTP upgrade recommended); breached-password detection; step-up MFA for prescription actions; FIDO2 option
Spoofing Attacker impersonates Trust clinician to service desk admin portal Stolen smart card / coerced clinician Low Critical MediCore CIS smart card + FIDO2; IP geo-restriction; session recording; behavioural analytics (Sentinel)
Tampering Man-in-the-middle alters appointment details in transit TLS downgrade Low High TLS 1.3 enforced; HSTS + preload; certificate pinning on mobile apps
Tampering Modification of audit log Insider with storage access Low Critical ADLS Gen2 WORM immutable policy (7-year legal hold); Key Vault access separated from audit writers; alerted on access
Repudiation Patient denies an action (cancellation, Rx request) Session hijack or dispute Medium High Immutable audit trail including device, IP, session ID, MFA method; step-up MFA for sensitive actions
Information Disclosure Data breach exposing patient records SQL injection, misconfigured storage, stolen credentials Low Critical Parameterised queries; Defender for SQL; Private Endpoints only; Always Encrypted on PII; Sentinel UEBA
Information Disclosure Wrong patient’s record shown to another patient (misidentification) – clinical safety hazard HAZ-04 Logic bug in session/context handling; identity merge error Low Critical Strict session-to-MediCore-Number binding; automated clinical safety regression tests; manual clinical safety review per release (CS-160)
Denial of Service Volumetric DDoS on public endpoint Botnet attack Medium High Azure DDoS Standard; Front Door absorbs edge; APIM rate limiting; graceful degradation
Elevation of Privilege Standard user escalates to admin Broken access control Low Critical RBAC + ABAC (patient can only see own National Patient ID data, enforced at service layer and re-validated in FHIR facade); pen testing annually (NCC Group)
Clinical safety (cross-cutting) Silent SMS delivery failure causing missed critical appointment – hazard HAZ-02 ACS outage, mobile number out of date Medium High Delivery receipts tracked; fallback to email; booking office manual check for high-priority appointments; patient UI shows “last notified” timestamp
Clinical safety (cross-cutting) Wrong results shown to patient – hazard HAZ-03 EPR interface defect, mapping error Low Critical Results release only after clinician review and explicit release; FHIR conformance tests; contract tests; sample reconciliation with EPR nightly
Access Type Role(s) Destination(s) Authentication Method Credential Protection
Patient (web / mobile) Patient MyMedwick Azure AD B2C (custom policy) – username / password + MFA (SMS OTP default; TOTP or FIDO2 optional) B2C password policies: 12 char min, complexity, breached-password check via Have-I-Been-Pwned-style service; PBKDF2 storage
Access Type Role(s) Destination(s) Authentication Method Credential Protection
Service desk admin (clinician / admin) Service Desk Admin, Read-Only Admin Admin portal MediCore CIS OIDC – smart card or FIDO2 (phishing-resistant) CIS2-managed; Trust enforces smart card for clinical users
Operations / SRE Platform Engineer, DBA, Security Engineer Azure Portal, ADO, runbooks Entra ID SSO + MFA (FIDO2 / Microsoft Authenticator) + Conditional Access + PIM (JIT) Entra ID policies; PIM 8-hour max elevation
Service accounts Internal services Azure resources Azure Managed Identity (system-assigned or user-assigned) No passwords; tokens short-lived and Entra-managed
Control Response
Does the application use SSO? Yes – Azure AD B2C for patients; MediCore CIS for clinicians; Entra ID for staff/ops
What is the unique identifier for user accounts? Patients: Azure AD B2C user objectId mapped to National Patient ID (verified via PDS during enrolment); clinicians: CIS2 UUID
What is the authentication flow? Authorization code + PKCE for all web/mobile; token exchange at BFF
Credential issuance Patient: self-service enrolment with PDS demographic match + email verification + SMS verification; service desk admin: CIS2 smart card issued by MediCore Registration Authority
Credential complexity Patient: 12+ chars with complexity, breached-password check; clinician: CIS2 policy
Credential rotation Patient: 180-day password rotation recommended (not enforced – aligned to NCSC guidance); CIS2: MediCore CIS policy
Account lockout Patient: 5 failed attempts -> 15 minute soft lockout; 10 attempts -> account locked, manual unlock via service desk after verification
Password reset Patient: self-service with registered email + SMS OTP verification of National Patient ID + date of birth
Control Response
Session establishment OIDC session cookie (HttpOnly, Secure, SameSite=Strict); access token 30 min; refresh token 8 hours (rotation on use)
Mobile sessions Refresh token in iOS Keychain / Android Keystore with biometric unlock; device posture check on Trust-managed service desk devices
Session protection JWTs signed (RS256); audience-bound to MyMedwick BFF; token binding to session; nonce and state on authorization code flow
Session timeout / concurrency 30 min idle timeout (patient); 15 min (admin); no concurrency limit for patients, single-session for admin
Access Type Role / Scope Entitlement Store Provisioning Process
Patients Fine-grained access bound to own National Patient ID only Azure SQL (enrolment table) Self-service enrolment + PDS verification
Service desk admin Admin Read-Only, Account Suspend MediCore CIS attributes + Trust role mapping Via Trust RA process
Operations / SRE Platform Operator, DBA, Security Entra ID groups + PIM Manager approval + PIM JIT elevation
Service accounts Per-service Managed Identity (least privilege) Azure RBAC IaC-managed (Bicep)
Control Response
Account re-certification Quarterly for admin roles; annual for patient accounts (dormant > 18 months auto-suspended)
Segregation of duties Developers cannot deploy to production (pipeline enforced); admins cannot modify clinical data in EPR from portal; ops cannot read patient clinical data (access to PII columns via Always Encrypted requires explicit Key Vault grant with break-glass logging)
Delegated authorisation Proxy access (e.g., parent for child aged under 13) is NOT supported in v2.0 – documented limitation; planned for v3.0 subject to IG assurance
Account Type Management Approach
OS privileged accounts PaaS – no OS access for dev/ops; Azure Bastion + PIM for any VM access (jump boxes rare)
Infrastructure admin Entra ID + PIM JIT (8-hour max); all actions logged in Entra ID Audit and Sentinel
SQL administration DBA role via PIM; SQL ledger enabled; SQL Audit logs to Log Analytics
Break-glass Two named emergency accounts stored in physical safe (CISO + CDIO); usage triggers high-priority Sentinel alert

3.5.3 Network Security & Perimeter Protection

Section titled “3.5.3 Network Security & Perimeter Protection”
Control Implementation
Network segmentation Azure Landing Zone hub-spoke; VNet per environment; subnets per tier (app, data, management); NSGs with deny-by-default; Azure Firewall at hub; Private Endpoints for all PaaS; no public network access to SQL, Key Vault, Storage, Service Bus
Ingress filtering Azure Front Door Premium with WAF (OWASP CRS 3.2 + Microsoft managed rulesets), bot protection, rate-based rules, geo-rules; APIM policies (JWT validation, schema validation, rate limit)
Egress filtering Azure Firewall; explicit allow-list (ACS, Microsoft Graph, Spine/national healthcare secure network targets, Apple/Google push); deny-all-else; NAT Gateway with fixed egress IPs
Encryption in transit TLS 1.3 enforced for all external; TLS 1.2 minimum internally; private CA for service-to-service mTLS optional; Azure Key Vault + Managed HSM for certificate management
national healthcare secure network boundary Dedicated national healthcare secure network CN-SP connection (2 links, diverse carriers) with MediCore-approved firewalling
Attribute Detail
Encryption deployment level Storage (all data stores) + Application (Always Encrypted on PII columns in Azure SQL)
Key type Symmetric (AES-256)
Algorithm / cipher / key length AES-256-GCM (Always Encrypted column enclave); AES-256 (TDE, Storage SSE, Service Bus)
Key generation Azure Key Vault Managed HSM (FIPS 140-2 Level 3)
Key storage Azure Key Vault Managed HSM (customer-managed keys); separate key per environment and per data class
Key rotation schedule Annual automatic rotation for TDE CMKs; 180-day rotation for Always Encrypted column master keys; rotation orchestrated by IaC + Key Vault rotation policies
Attribute Detail
Secret store Azure Key Vault (Premium, HSM-backed) + Managed HSM for CMKs
Secret distribution Runtime retrieval via Managed Identity + Key Vault references; never written to disk or config files
Secret protection on host Memory only; Key Vault access logged; Private Endpoint for Key Vault
Secret rotation Automatic via Key Vault rotation policies (connection strings, APIM subscription keys, ACS access keys); certificate lifecycle managed by Key Vault + Azure Front Door

3.5.5 Security Monitoring & Threat Detection

Section titled “3.5.5 Security Monitoring & Threat Detection”
Capability Implementation
Security event logging All authn/authz events, patient data access (with National Patient ID, action, result), admin actions, privilege elevation, WAF blocks, configuration changes. Forwarded to Sentinel.
SIEM integration Microsoft Sentinel (Trust tenant) – all Azure diagnostic logs + App Insights security events. Custom analytics rules: patient-credential-stuffing (failed MFA > 10 in 15 min across unique patient IDs from one IP), impossible travel, admin after-hours access, mass-export pattern, prescription request anomaly
Infrastructure event detection Microsoft Defender for Cloud (Defender for App Service, SQL, Storage, Key Vault, Containers); Microsoft Defender for Identity on Entra ID
Security alerting Sentinel playbooks (SOAR): automatic account lockout on credential stuffing pattern, Teams notification to SOC, ServiceNow ticket creation; 24x7 SOC (outsourced to Trust MSSP)
Threat intelligence MISP feed, MediCore Digital Data Security Centre (DSC) alerts ingested into Sentinel
Clinical safety monitoring Dedicated Sentinel workbook with clinical-safety-relevant KPIs: SMS delivery failure rate, FHIR facade error rate against EPR, session-to-MediCore-Number binding anomaly count

UC-01: Patient views upcoming appointments

Attribute Detail
Actor(s) Enrolled patient
Trigger Patient opens app and navigates to “My Appointments”
Pre-conditions Patient is enrolled, authenticated (Azure AD B2C session valid), has given consent to SMS/email communications, has at least one scheduled outpatient appointment
Main Flow 1. App calls GET /appointments on Patient BFF with Bearer JWT. 2. BFF validates token (JWT signature, audience, not expired). 3. BFF calls Appointments Service with patient context (National Patient ID from session). 4. Appointments Service checks Redis cache (60s TTL) for patient appointments. 5. Cache miss: Appointments Service calls FHIR Facade. 6. FHIR Facade calls Cerner FHIR R4 Appointment search by patient identifier. 7. FHIR Facade normalises to MyMedwick canonical model. 8. Appointments Service filters to outpatient-type only and applies results release rules. 9. Appointments Service caches and returns response. 10. BFF aggregates and returns to app. 11. Audit event emitted to Service Bus.
Post-conditions Patient sees list of appointments; audit event recorded with National Patient ID, session ID, timestamp, purpose=view-appointments
Views Involved Logical, Integration & Data Flow, Physical (App Service, SQL, Redis, ExpressRoute to EPR), Data (cache, audit), Security (JWT, RBAC, audit)

UC-02: Patient cancels or reschedules an appointment

Attribute Detail
Actor(s) Enrolled patient
Trigger Patient selects “Cancel” or “Reschedule” on an appointment
Pre-conditions UC-01 pre-conditions; appointment is within the 24-hour-plus-before cut-off; the appointment type permits self-service (some oncology appointments are flagged “clinician-managed only”)
Main Flow 1. App calls POST /appointments/{id}/cancel with reason. 2. BFF validates JWT and business rules (cut-off, type). 3. Appointments Service writes intent (status=cancel-requested) to SQL and emits event to Service Bus (Outbox pattern). 4. FHIR Facade consumes event and issues Appointment.status=cancelled to Cerner via FHIR R4. 5. Cerner acknowledges; FHIR Facade records success. 6. Notification event emitted. Notification Service sends SMS + in-app notification: “Your appointment on DATE has been cancelled.” 7. Booking office worklist updated (Cerner handles downstream).
Post-conditions Appointment cancelled in EPR; patient notified; immutable audit event recorded
Views Involved Logical, Integration & Data Flow, Security (authentication, step-up MFA not required for cancel; required for repeat Rx), Scenarios, Reliability (Outbox ensures durability)

UC-03: Appointment reminder SMS – with delivery failure handling

Attribute Detail
Actor(s) Notification Service, Azure Communication Services, Patient
Trigger 48-hour-pre-appointment scheduler job runs
Pre-conditions Patient has an active appointment; patient has opted in to SMS reminders; mobile number verified at enrolment
Main Flow 1. Scheduler publishes “send-reminder” event for each qualifying appointment. 2. Notification Service retrieves patient’s preferences. 3. Notification Service calls ACS SMS with message. 4. ACS returns delivery status within 60 seconds (typical). 5. If delivered: audit success. 6. If failed / undelivered: Notification Service schedules retry after 15 min (max 3 retries with exponential back-off). 7. If all retries fail OR patient has no valid mobile: fall back to email. 8. If email also fails OR patient has no valid email: add to booking office exception worklist for manual follow-up call (hazard mitigation for HAZ-02). 9. Patient app shows “reminder sent at TIME” on the appointment card for transparency.
Post-conditions Patient reminded via one or more channels OR appointment added to manual-call worklist; audit trail complete
Views Involved Logical (Notification Service), Integration (ACS), Reliability (retry, fallback, manual exception), Security (audit), Scenarios, Governance (HAZ-02 mitigation)

UC-04: Patient mis-identification prevention – clinical safety hazard control HAZ-04

Attribute Detail
Actor(s) Enrolled patient, FHIR Facade, Cerner EPR, MediCore Spine PDS
Trigger Any patient data read or write
Pre-conditions Patient authenticated and enrolled
Main Flow 1. Session JWT contains patient_nhs_number (verified at enrolment via PDS). 2. Every call to FHIR Facade asserts patient_nhs_number as both HTTP header and query parameter. 3. FHIR Facade verifies patient_nhs_number exists in PDS cache (TTL 24h) and has not been merged/retired. 4. FHIR Facade calls Cerner FHIR with National Patient ID as identifier – never with Cerner internal IDs. 5. Returned resources are verified to have matching patient identifier; mismatched responses raise MHT-HAZ-04 alert, block the request, and log to Sentinel. 6. If PDS returns “merged”, Facade fetches new identifier, updates enrolment, logs clinical-safety event, and forces patient re-verification on next login.
Post-conditions Patient receives only their own data; any mismatch is blocked and raises a clinical safety event
Views Involved Security (identity binding), Data (identity controls), Scenarios, Governance (Hazard Log)

UC-05: Results release and view

Attribute Detail
Actor(s) Patient; Clinician (via EPR, out of band)
Trigger Clinician releases a pathology or radiology result via EPR workflow (not via MyMedwick)
Pre-conditions Clinician has reviewed result and clicked “Release to Patient Portal” in Cerner; result is at least 24 hours old (safety delay per policy)
Main Flow 1. Cerner emits ORU message with MyMedwick-release flag. 2. FHIR Facade ingests ORU, normalises to FHIR DiagnosticReport. 3. Results Service stores metadata and release flag in SQL. 4. Notification event published. 5. Notification Service sends SMS / push notification to patient. 6. Patient logs in and views result. 7. First view triggers a “patient-has-seen-result” audit event back to EPR (via outbound FHIR Facade call).
Post-conditions Patient sees result; clinical team can see patient-viewed status in EPR; Caldicott-compliant audit trail maintained
Views Involved Integration, Data, Security, Scenarios – explicit safety delay per clinical policy

3.6.2 Architecture Decision Records (ADRs)

Section titled “3.6.2 Architecture Decision Records (ADRs)”

ADR-001: Microsoft Azure over AWS as hosting platform

Field Content
Status Accepted
Date 2025-02-05
Context The Trust has a sovereign UK cloud hosting requirement and operates an enterprise agreement with Microsoft. A technology choice was made between Microsoft Azure (UK South / UK West) and AWS (London / Ireland). Evaluation criteria: UK data residency assurance, alignment with MediCore Authority patterns, existing Trust skills, identity integration (Entra ID already Trust standard), regulatory attestations (ISO/IEC 27018), and cost.
Decision Adopt Microsoft Azure with UK South (primary) and UK West (DR).
Alternatives Considered AWS: Strong services and mature UK presence. Rejected because: (a) Trust existing Entra ID / Intune investment favoured Microsoft stack for identity; (b) Existing staff skills heavily Azure-weighted (migration from on-premises to Azure for non-clinical systems); (c) AWS UK regions do not yet have the same UK sovereignty contractual commitments as Azure’s UK regions for Trust’s specific workloads; (d) ISO/IEC 27018 certification and MediCore alignment patterns more mature on Azure. Google Cloud: insufficient UK coverage and Trust skills at decision time. On-premises: inconsistent with Trust “cloud-first-where-appropriate” policy for non-clinical-record workloads.
Consequences Positive: unified identity stack (Entra ID, B2C, CIS2 federation pattern); mature MediCore landing zone patterns; Trust staff skills aligned; integrated Sentinel SIEM. Negative: Azure-specific skills required for deep ops; Moderate lock-in to Azure AD B2C and APIM (see 3.1.6).
Quality Attribute Tradeoffs Operational Excellence: positive (tooling alignment). Security: positive (unified IAM). Cost: neutral (comparable to AWS). Portability: neutral-to-negative (B2C is high lock-in, mitigated by IdP facade pattern).

ADR-002: FHIR R4 over HL7v2 as the canonical clinical data contract

Field Content
Status Accepted
Date 2025-02-20
Context Downstream clinical systems (Cerner, WinPath, JAC) historically integrate via HL7v2 messaging (MLLP). MediCore Authority’s Interoperability Strategy mandates FHIR R4 for new clinical APIs. The FHIR Facade pattern allows both in parallel. The decision is whether MyMedwick’s internal clinical data model should be HL7v2 (the data’s native form) or FHIR R4.
Decision Use FHIR R4 as the canonical internal model; the FHIR Facade performs HL7v2-to-FHIR mapping at the ingestion boundary.
Alternatives Considered HL7v2 as canonical: Lower impedance with legacy systems but rejected: (a) Inconsistent with MediCore Authority standards for new systems; (b) HL7v2 is poorly suited to JSON/REST consumption by modern web clients; (c) Would lock MyMedwick out of the ICS-wide FHIR-based data sharing roadmap. Bespoke domain model: Rejected – reinvents the wheel; FHIR R4 is a recognised MediCore standard and has mature .NET SDKs (Firely).
Consequences Positive: standards-aligned; forward-compatible with ICS Shared Care Record; strong tooling (Firely SDK); easier external audit. Negative: HL7v2-to-FHIR mapping is non-trivial for edge cases (address types, telecom systems) and must be clinically validated; FHIR conformance testing added to CI.
Quality Attribute Tradeoffs Operational Excellence: positive (single internal model). Performance: neutral (mapping overhead marginal). Reliability: positive (tested mapping layer isolates EPR changes). Cost: slight increase in initial development, net positive over 3-year life.

ADR-003: Azure AD B2C over MediCore login for patient authentication

Field Content
Status Accepted (revised 2026-03-28; supersedes v1 which had proposed MediCore login)
Date 2026-03-28
Context Patient authentication choice. MediCore login is the national patient identity service; Azure AD B2C is Microsoft’s customer identity. National policy encourages MediCore login adoption but does not mandate it for Trust patient portals. Evaluation criteria: control over enrolment UX, MFA options, verification journey speed, ability to step-up MFA for sensitive actions, future optionality.
Decision Use Azure AD B2C as the primary patient IdP; design the architecture to allow MediCore login to be federated in as an additional IdP in a future phase (target 2026-Q4).
Alternatives Considered MediCore login as primary: Recognised national identity; would avoid duplicate enrolment. Rejected for v2.0 because: (a) Trust requires explicit control over the enrolment UX to reach 800,000 patients quickly (including digitally-excluded patients who fail MediCore login’s identity proofing); (b) MFA method flexibility (SMS + TOTP + FIDO2) is richer in B2C; (c) Patients who fail MediCore login verification would be blocked whereas Trust can provide an “in-person at the Trust” fallback verification through its service desk. A facade (AuthGateway) is in place so MediCore login can be federated without breaking downstream services. Bespoke Trust IdP: rejected – reinventing identity is high-risk.
Consequences Positive: faster enrolment path for patients; Trust controls verification journey (including in-person fallback); future-proofed for MediCore login federation. Negative: risk of fragmented identity between MediCore login and Trust portal (mitigated by later federation); Trust bears responsibility for identity proofing to MediCore-equivalent standard (documented in DPIA-2025-004).
Quality Attribute Tradeoffs Operational Excellence: neutral (extra policies to maintain). Security: positive (step-up MFA richer in B2C). Cost: negligible difference. Patient experience: positive (faster, more forgiving enrolment journey).

ADR-004: Outbox pattern for EPR-affecting write operations

Field Content
Status Accepted
Date 2025-03-12
Context Patient actions (cancel appointment, prescription request) must result in a reliable write to the EPR and a reliable notification to the patient. Naive implementation (call EPR then publish event) introduces a dual-write problem – either can fail.
Decision Write intent to SQL and to a local outbox table in the same transaction; a background dispatcher publishes events to Service Bus once committed.
Alternatives Considered Distributed transactions (MSDTC): not supported with Azure SQL + Service Bus. Saga (compensating actions): feasible but over-engineered for these flows. Event-first (publish before write): risks publishing events without persistent state.
Consequences Positive: at-least-once delivery guarantee; idempotent consumers handle duplicates; resilient to partial failures. Negative: outbox table requires cleanup; small latency added (typically less than 200ms).
Quality Attribute Tradeoffs Reliability: strongly positive. Performance: marginal negative. Operational Excellence: positive (clear failure semantics).

Log Type Events Logged Local Storage Retention Period Remote Services
Application logs Request/response metadata (PII-redacted), service errors, business events App Insights (immediate) 2 years hot + 5 years archive Log Analytics + Sentinel
Patient access audit National Patient ID, session, action, purpose (Caldicott), outcome ADLS Gen2 (WORM immutable) 7 years Sentinel
Clinical safety event log Hazard trigger events (HAZ-01..HAZ-07), clinical-safety-relevant errors ADLS Gen2 WORM + Sentinel workbook 25 years (per MediCore clinical records) Sentinel + Trust Clinical Safety portal
Security event log Authn/authz, WAF, PIM activations, key vault access Log Analytics 2 years hot + 5 years archive Sentinel
Infrastructure diagnostic Azure diagnostic logs (App Service, SQL, APIM, Front Door) Log Analytics 90 days hot + 1 year archive Sentinel subset
Access logs Front Door, APIM, App Service HTTP logs Log Analytics 90 days Sentinel

4.1.2 Observability – Monitoring & Alerting

Section titled “4.1.2 Observability – Monitoring & Alerting”
Alert Category Trigger Condition Notification Method Recipient
Portal availability (Front Door) External probe failure > 2 min PagerDuty P1 + Teams SRE on-call
P95 latency P95 > 800ms for 5 min PagerDuty P2 SRE on-call
FHIR Facade error rate (EPR) > 2% errors over 5 min PagerDuty P1 SRE on-call + Integration Lead
MediCore Spine error rate > 5% errors over 5 min Teams + PagerDuty P2 SRE on-call
SMS delivery failure rate > 5% failures over 15 min PagerDuty P2 + Teams + Email to Patient Experience SRE on-call + Tom Doe
Clinical safety event raised Any HAZ-* event PagerDuty P1 + SMS to CSO Dr Amir Doe (CSO) + CSG
Authentication failure spike > 20 failures / 5 min from same IP Sentinel alert + SOC SOC on-call
Data export / mass read anomaly UEBA high-severity event Sentinel SOAR playbook + SOC + CISO Jane Bloggs
SQL CPU / DTU > 85% sustained for 10 min Teams + PagerDuty P3 SRE + DBA
Certificate expiry Any cert < 30 days to expiry Email Platform team
Patient support backlog > 20 unresolved support tickets Email Service Desk
Capability Tool Coverage
APM Application Insights All services (request, dependency, exception, custom clinical-safety events)
Infrastructure Monitoring Azure Monitor All Azure resources
Log Aggregation Log Analytics (Sentinel workspace) All logs
Distributed Tracing OpenTelemetry into App Insights All microservices
Dashboards Azure Workbooks (6 workbooks: SLO, clinical safety, security, integrations, patient journey, cost) All stakeholders
Alerting & Incident PagerDuty + Microsoft Teams All P1-P3 alerts
Synthetic Monitoring Azure Monitor Availability Tests Top 10 critical user journeys
Question Response
Metrics collected App Service CPU/memory/instance count, SQL DTU/CPU/storage, Service Bus queue depth/active messages, APIM request count, FHIR Facade outbound latency, Redis hit ratio
Trend analysis Weekly automated workbook export; monthly capacity review
Thresholds Warning 70%, Critical 85%
Capacity planning Annual plan; quarterly refresh aligned to enrolment projections
Procedure Description Owner Documentation
Incident response (ITIL) P1: 15-min response, resolve 4h; P2: 30-min, 8h; post-incident review within 5 working days Tom Doe Runbooks in ADO wiki
Clinical safety incident handling Triggered on any HAZ-* event; CSO paged; 15-min engagement; CS-160 incident report within 48h; SI if actual harm (Datix) Dr Amir Doe Trust Clinical Safety Management System (CSMS)
Change management Normal: ARB ticket + 2 technical approvals + CSO sign-off for clinical-impact changes; Emergency CAB for P1 fixes Robert Bloggs ServiceNow change module
On-call rotation 24x7, 1-week, 6 engineers; clinical safety secondary rota (3 clinical safety officers) Tom Doe PagerDuty schedule
Patient support Digital-support helpline 08:00-20:00 Mon-Sun; service desk L1 + portal L2 Service Desk lead Internal KB
DSPT annual maintenance Evidence refresh and re-submission by 30 June annually Sally Bloggs DSPT portal
Clinical safety case review Every major release and annually; CSG sign-off Dr Amir Doe CSMS

4.2.1 Geographic Footprint & Disaster Recovery

Section titled “4.2.1 Geographic Footprint & Disaster Recovery”
Question Response
Multi-venue deployment? Yes – UK South (primary) + UK West (DR)
DR strategy Warm standby: App Services running (scaled down), SQL auto-failover group, Service Bus geo-DR, ADLS RA-GRS
Data sovereignty constraints Yes – all regions UK only; no cross-border replication
RTO 1 hour (P1 regional failure)
RPO 15 minutes (SQL async replication lag)
Attribute Response
Scaling capability Full auto-scaling (App Service autoscale rules on CPU + queue depth; SQL vCore elastic; APIM unit scaling)
Scaling details App Service: 2-10 instances per service, scale-out in 90 seconds. SQL Business Critical: vertical scale in minutes. Front Door: unlimited edge. ACS: managed throughput.
Dependencies adequately sized Yes – ExpressRoute 1 Gbps (25% utilised at peak); EPR interface tested at 3x projected peak.
Dependency details MediCore Spine: national service, published SLA; EPR: tested to 5,000 concurrent sessions; GP Connect: limited per MediCore national throttles.
  • Yes
    • Component failures: All services 2+ instances, zone-redundant within UK South.
    • Graceful degradation: If EPR is unavailable, portal shows cached appointments (read-only) with staleness warning; writes (cancel/reschedule) are queued and shown as “pending” to the patient. If Spine is unavailable, enrolment is blocked but existing users continue to function.
    • Circuit breakers (Polly): EPR (5 consecutive failures -> open 30s), Spine (3 -> 60s), GP Connect (3 -> 60s).
    • Health checks: Liveness + readiness endpoints; App Service built-in plus custom health that checks SQL and Redis connectivity and EPR smoke call.
    • Testing practices: Quarterly DR drill (failover to UK West and back); monthly chaos test (Azure Chaos Studio – EPR outage simulation, Spine timeout, SMS provider outage); annual game day.
Component / Dependency Failure Mode Detection Recovery User Impact
Single App Service instance Instance crash App Service health probe Auto-restart; traffic rerouted Transparent
Availability Zone (UK South) Zone outage Azure zone health Zone-redundant instances absorb; SQL ZR automatically Brief degradation (< 60s)
Primary region (UK South) Regional outage Azure region health + Front Door probes Manual DR activation to UK West; DNS/Front Door failover; scale up App Service; promote SQL secondary RTO 1h; patients see a branded maintenance page during failover
Azure SQL Primary unavailable SQL HA probe Auto-failover group fails over; connection string unchanged 30-60s interruption
Service Bus Primary namespace unavailable Delivery failures Geo-DR pairing promotes secondary Brief async latency
Cerner EPR Interface down FHIR Facade error spike Circuit breaker opens; cached read data served; writes queued in Outbox; booking office notified for manual backfill Degraded: read stale data; writes delayed (hazard HAZ-05 mitigation)
MediCore Spine Outage FHIR Facade timeout Enrolment blocked; existing user impact limited (demographics verified at login daily) New enrolment suspended; banner shown
GP Connect Outage Integration error spike Feature hidden; banner shown: “GP appointment view temporarily unavailable” Partial feature degradation
Azure Communication Services (SMS) SMS delivery degraded/outage ACS delivery receipts < threshold Automatic retry; email fallback; booking office manual-call worklist if neither delivered (HAZ-02 mitigation); evaluated fallback to GOV.UK Notify (validated in staging quarterly) Patient may receive email instead of SMS or receive a phone call from booking office
Azure AD B2C Outage Login failure rate Cached refresh tokens allow existing sessions to continue up to 8h; new logins blocked; banner shown; incident P1 New logins blocked during outage
ExpressRoute Link failure BGP / probe Automatic failover to IPsec VPN (30-60s BGP convergence) Brief EPR read degradation
Attribute Detail
Backup strategy Azure SQL point-in-time (35 days) + LTR (10 weekly / 12 monthly / 10 yearly); ADLS audit WORM immutable (7 years); Key Vault soft-delete 90 days + purge protection
Backup type Continuous (transaction log) + daily full (SQL); append-only WORM (audit)
Backup frequency SQL: continuous + daily snapshot; ADLS: real-time append; LTR weekly/monthly/yearly
Retention SQL: 35 days PITR + LTR schedule; ADLS: 7 years immutable
Immutability SQL LTR cannot be deleted by service principals (management lock); ADLS Gen2 immutable blob policy (7-year legal hold)
Encryption All backups CMK-encrypted; cross-region copies re-encrypted with UK-West CMK
# Scenario Recovery Approach RTO RPO
1 Zone failure (UK South) Zone-redundant resources absorb automatically 5 min 0
2 Region failure (UK South) Manual DR activation to UK West 1 hour 15 min
3 Service component failure App Service auto-restart; blue/green rollback via slot swap 10 min 0
4 SQL corruption Point-in-time restore to last known good 2 hours 1 min
5 Ransomware / cyber incident Isolate via Sentinel playbook; restore from immutable backups (Key Vault purge protection; SQL LTR; ADLS WORM) 4 hours 1 hour
6 EPR interface outage Cached reads + queued writes; manual reconciliation Continuous (degraded) 0
7 Data sovereignty breach (e.g., log accidentally exported) ICO notification within 72h; Sentinel investigation; isolate and purge export 24 hours N/A

Metric Target Measurement
P50 response time < 200ms App Insights
P95 response time < 800ms App Insights
P99 response time < 2s App Insights
Throughput 3,000 req/s sustained, 6,000 peak APIM metrics + load test
Error rate (5xx) < 0.05% APIM + Front Door
Patient sign-in time < 5s P95 (web); < 3s P95 (mobile with biometric) RUM via App Insights
SMS delivery within 90s > 98% ACS delivery receipts
EPR FHIR read P95 < 1s FHIR Facade dependency telemetry
Results release to patient-visible latency < 10 min (excluding 24h safety delay) End-to-end trace
Accessibility WCAG 2.2 AA Axe automated + manual audit (annually, external)
Attribute Detail
Approach Load (sustained 3,000 req/s for 1h); stress (ramp to 8,000); soak (1,500 req/s for 24h); spike (0-6,000 in 60s)
Tools Azure Load Testing (k6-based)
Environment Staging (production-mirror)
Frequency Every release + quarterly full regression; accessibility re-test on every major release
Metric Current (Mar 2026) 1 Year 3 Years 5 Years
Enrolled patients 280,000 520,000 720,000 800,000 (ceiling)
MAU (monthly active) 120,000 260,000 430,000 520,000
Peak req/s 1,800 3,000 4,500 6,000
SMS messages/month 340,000 650,000 950,000 1,200,000
Data volume (SQL) 40 GB 80 GB 150 GB 250 GB
Audit volume (ADLS) 120 GB/yr 220 GB/yr 350 GB/yr 450 GB/yr

Design scales to 5-year horizon. Seasonal demand pattern: +40% in January (New Year health engagement); +25% each Monday morning; lulls in August.

Strategy Implementation
Right-sizing Premium v3 App Service plans chosen for faster warm-up; reviewed quarterly against Azure Advisor
Caching Redis for appointment reads (60s TTL); APIM response caching for static reference data (5 min)
Asynchronous processing All notifications and audit writes async via Service Bus
Network Private Endpoints avoid public egress fees; CDN (Front Door) for static web assets
Database optimisation Indexed columns; pg-equivalent query tuning; read replicas for reporting if needed; Always Encrypted deterministic only where queryable
Attribute Detail
Latency requirements Patient-perceived TTFB < 300ms P95; EPR round-trip < 1s P95
Bandwidth requirements 400 Mb/s peak egress; 150 Mb/s peak ingress
CDN Azure Front Door edge caching for static assets
Optimisation HTTP/2; Brotli compression; connection keep-alive; ExpressRoute for EPR

Posture Selected Detail
Some options more expensive chosen for non-cost reasons [x] SQL Business Critical Zone Redundant selected over General Purpose (approximately 2.8x cost) for zone redundancy and faster failover, justified by Tier 1 Critical rating; dedicated ASEv3 chosen over shared App Service plan for isolation; Premium Key Vault HSM chosen over standard for FIPS 140-2 Level 3.
  • Yes – detailed cost modelling performed using Azure Pricing Calculator; TCO compared with maintaining PKB pilot + building new in-house solution shows 35% reduction over 5 years.
Component Monthly Cost (GBP) Notes
App Service Environment v3 + Premium v3 plans 7,800 ASEv3 isolation premium + 6 P2v3 instances average
Azure SQL Database (Business Critical Zone Redundant) 5,400 8 vCore Business Critical + Auto Failover Group secondary
Azure API Management (Premium, 2 regions) 4,200 Premium unit UK South + UK West
Azure Front Door Premium + WAF 1,900 Premium tier + WAF policies
Azure Communication Services (SMS + Email) 3,200 ~650,000 SMS/month at UK rates
Azure Cache for Redis (Premium) 700 P1 tier
Azure Service Bus (Premium, Zone Redundant + Geo-DR) 900 Premium Messaging Unit
Azure AD B2C (P2) 1,600 Active users (MAU) pricing
Key Vault Managed HSM 2,200 Dedicated HSM + transactions
ADLS Gen2 + immutable blob + LTR 400 150 GB/yr + long-term retention
Log Analytics + Sentinel 1,800 Data ingestion + retention
Azure Monitor + App Insights 600 Telemetry
ExpressRoute (UK South) 900 1 Gbps port + data transfer
Azure Firewall + VNet + Private Endpoints 1,100 Hub firewall attribution
Azure Bastion + Defender for Cloud 500
Other (DNS, Backup, miscellaneous) 300
Total monthly (production) 33,500
Total annual (production) 402,000
Non-production environments 3,500/month Dev + Test + Staging + Training
Total annual (all environments) 444,000 Aligned to Opex estimate
  • No – design meets all requirements within envelope. Reserved instances (1-year) reduce App Service and SQL spend by ~25%.
Practice Implementation
Cost monitoring Azure Cost Management + custom workbook; weekly report to Robert Bloggs (CDIO)
Cost allocation Tagging strategy: CostCentre=CC-4820, Service=MyMedwick, Environment=prod/staging/test/dev, Owner=Dr-Raj-Doe
Reserved capacity 1-year reserved instances for App Service, SQL, APIM
Rightsizing Azure Advisor monthly; formal quarterly review
Waste elimination Non-prod auto-shutdown 19:00-07:00 weekdays, all weekend (via Azure Automation)
Budget governance Azure Budget alerts at 80% and 100% forecast; change > GBP 500/month requires Platform Lead approval

Question Response
Hosting location chosen to reduce environmental impact? No – chosen for data residency. Azure UK South’s carbon intensity is moderate; Microsoft’s 2025 commitment to 100% renewable matching will improve this further.
Workload demand pattern Variable predictable – daily peak 07:30-09:00 and 18:00-20:00; lulls overnight
Question Response
Continuous availability required? Yes – Tier 1 Critical
Scale down off-peak? Partially – minimum 2 instances always; scale out on demand
Non-prod auto-shutdown? Yes – saves approximately GBP 800/month
Question Response
Rightsized? Yes – monthly Azure Advisor review
CPU utilisation monitored? Yes – target 40-60% business hours
Highest performance-per-watt hardware? Azure manages underlying hardware; workload placed on Premium v3 SKUs which use newer, more efficient silicon
Question Response
Language / framework efficiency .NET 8 is highly optimised; AOT compilation evaluated for Notification Service (deferred due to ACS SDK incompatibility)
Optimised for platform and workload? Yes – connection pooling (Npgsql / SqlClient), efficient JSON serialisation (System.Text.JSON), source-generated serializers
Efficient algorithms / data structures? Yes – indexed lookups, pagination enforced
vCPU hours per request minimised? Yes – async offload reduces per-request compute
Question Response
Data close to compute? Yes – same region, Private Endpoints
Replicas minimised? Only regulator-justified replicas (SQL ZR, DR, WORM audit)
Old / unused data removed? Yes – SQL archival, ADLS lifecycle to cool tier after 1 year
Efficient formats / compression? Brotli compression on HTTP; gzip on audit blobs before upload
Jobs prioritised and distributed? Yes – nightly reconciliation jobs scheduled 02:00-04:00 local
Efficient networking? Yes – Private Endpoints; no NAT for internal traffic

  • Internally developed by Trust Digital Product + Integration teams (12 FTE combined).
Attribute Detail
Source control Azure DevOps Git (Trust org)
CI/CD platform Azure DevOps Pipelines
Build automation Pipelines on PR and main; .NET build + test; npm build + test; container images to Azure Container Registry
Deployment Bicep IaC; pipelines deploy to dev -> test -> staging -> prod with manual approvals; blue/green via App Service slots
Test automation xUnit (.NET), Jest (web), integration tests (Testcontainers); FHIR conformance (Inferno); contract tests (Pact); Axe for accessibility
Control Implementation
Security requirements identification Threat model MHT-TM-2025-008; clinical-safety stories in backlog; OWASP ASVS L2 baseline
SAST SonarQube (Azure DevOps integration); quality gate blocks on Critical/High
DAST OWASP ZAP nightly against staging
SCA Mend (formerly WhiteSource); blocks on High/Critical CVEs
Container scanning Microsoft Defender for Containers; ACR-native scanning
Secure coding OWASP guidelines; annual training; security champion per squad
Patch management Critical CVE: 24h mitigation plan, 7-day patch; High: 30 days; base images rebuilt weekly
Clinical safety testing Dedicated clinical-safety regression suite run on every release; CSO sign-off on the suite quarterly
Classification Selected? Description
Replace [x] PKB pilot replaced by in-house MyMedwick
Attribute Detail
Deployment strategy Phased rollout: Trust staff (dogfooding) -> invited cohort 5,000 patients -> public beta -> general availability. PKB decommissioned after 3-month parallel run.
Data migration mode Continuous sync – MyMedwick reads through to EPR; no bulk migration from PKB; PKB patient enrolment list used to invite PKB users to re-enrol in MyMedwick
Data migration method Azure Data Factory one-time extract of PKB user list (National Patient IDs only) for invitation mailing
Data volume Approximately 40,000 National Patient IDs
End-user cutover Phased – patients invited in cohorts over 3 months
External system cutover Phased – PKB interface disabled after final patient migrated
Max acceptable downtime Zero (parallel run)
Rollback plan PKB remained live throughout; any issue could route traffic back to PKB via Trust web-site banner and direct link
Acceptance criteria ≥ 95% of active PKB users re-enrolled in MyMedwick or formally opted out; CSG sign-off on post-live clinical safety case
Transient infrastructure Yes – ADF pipeline for PKB extract (decommissioned post-migration)
Test Type Scope Approach Environment Automated?
Unit All code xUnit, Jest CI Yes
Integration Services + SQL + Service Bus Testcontainers CI + Test env Yes
Contract FHIR against Cerner, Spine mocks Pact + Inferno FHIR test harness CI + Staging Yes
FHIR conformance FHIR R4 resources conformance Inferno (ONC) CI + Staging Yes
Accessibility WCAG 2.2 AA Axe + manual audit (annual external) Staging + Prod Partially
Clinical safety regression All HAZ-* mitigations Dedicated suite; CSO sign-off Staging Yes
Performance Load / stress / soak / spike Azure Load Testing Staging Yes
Penetration Annual NCC Group Pre-prod No
DR Region failover Quarterly drill Prod + DR Partial
Attribute Detail
Release frequency Fortnightly (every other Thursday) with ability for hotfix any day
Release process Feature branch -> PR (2 approvals + CSO sign-off if clinical-safety-impacting) -> merge to main -> auto-deploy to staging -> clinical safety regression + accessibility + load -> manual approval -> blue/green slot swap in production
Release validation Smoke tests + canary (5% traffic for 30 min) + auto-rollback if error rate > 0.1%
Feature flags LaunchDarkly for phased rollout (per-patient-cohort, per-clinic)
Clinical-safety change control Any change touching a HAZ-tagged component requires CSO review and CSG sign-off before promotion to production
Attribute Detail
Support model L1 Trust Service Desk (08:00-20:00); L2 SRE on-call (24x7); L3 Digital Product + Integration team (08:00-18:00 working days); L4 CSO + Solution Architect
Support hours 24x7 on-call for Tier 1
SLA 99.9% monthly availability (external commitment); P1 acknowledge 15 min; P2 30 min; P3 4h; clinical safety P1 -> CSO within 15 min
Escalation L1 -> L2 (15 min P1) -> L3 -> L4 + CSO + CISO as appropriate
Clinical safety escalation Any HAZ-* event -> CSO (Dr Amir Doe) -> CSG if confirmed -> Datix + CQC if actual harm
Question Response
Non-prod auto-shutdown schedule and enforcement Azure Automation runbook scales-in non-prod App Service plans 19:00-07:00 weekdays + weekends; Azure SQL auto-pause on non-prod databases. Azure Policy “deny on tag missing” prevents new non-prod resources without an auto-shutdown tag.
Right-sizing review cadence Quarterly via Azure Advisor + Application Insights metrics. Last review (2026-Q1) downgraded the staging Pv3 from P1v3 to P0v3, recovering ~£140/month.
Unused / orphaned resource reclamation Monthly review of orphaned managed disks, unattached public IPs, stale storage account containers; deleted after 30 days idle without recorded exception.
Carbon footprint reported alongside cost Yes — Azure Emissions Impact Dashboard reviewed monthly alongside cost; reported quarterly to Trust Sustainability Committee against the MediCore Net Zero target (2040).
Environment retirement actually deletes (vs stops) Yes — decommissioning runbook requires Bicep destroy + Storage Account deletion + Key Vault soft-delete purge after retention. Trust CMDB (ServiceNow) entry marked Retired only after Azure Cost Management confirms zero spend for 30 days.
Skill Area Current Level Action
Azure (App Service, SQL, APIM, Front Door) High Ongoing – 3 Azure Solutions Architect Expert certs in progress
Bicep / IaC High None
.NET 8 High None
FHIR R4 Medium Action – Firely training for 2 integration engineers (Q2 2026)
MediCore interoperability (Spine, e-RS, GP Connect) Medium Action – MediCore Digital partner programme training
Clinical safety (CS-129/0160) Medium Action – second CSO designate in training (supports succession planning)
Information Governance High None
Security / Sentinel Medium Action – SOC MSSP engaged to cover 24x7
  • A: Fully capable – established SRE team plus clinical safety officer succession plan.
  1. Azure PaaS resources are always running (App Service, SQL, APIM).
  2. On deployment, App Service slot-swap is the activation step; health checks verify all dependencies.
  3. After any DR failover, startup sequence: promote SQL secondary -> scale up App Service in UK West -> update Front Door origin -> verify EPR connectivity via ExpressRoute backup path -> enable external traffic. Full cold-start ~25 minutes.
Concern Approach
Software versions current .NET: within 90 days of LTS release; SQL: minor patches in monthly maintenance window; mobile OS support: last 2 major versions per Apple/Google policy
Certificate management Azure Key Vault + Front Door managed certificates; auto-renewal; alerts at 30/14/7 days
Dependency management Mend + Dependabot; quarterly review
MediCore Spine / e-RS / GP Connect interface updates MediCore Digital issues are tracked via the Digital Assurance Manager; change windows coordinated
Attribute Detail
Intended lifespan 7-10 years; major review at 5 years
End-of-life triggers ICS-wide patient portal adoption (possible 2028+); MediCore login mandated
Decommissioning blockers 7-year audit retention; patient records retention under Records Management Code of Practice
Data disposal Patient data: secure deletion (NIST 800-88 equivalent via Azure Storage secure delete + Key Vault key destruction); audit: retained to legal minimum then lifecycle-expired
Infrastructure disposal Bicep what-if + Terraform destroy; Azure resources deleted; DNS removed; ADO project archived
Attribute Detail
Exit strategy Domain services are standard .NET 8 containers; SQL is standard SQL Server; FHIR facade and contract are portable; audit is object storage; identity (B2C) is highest lock-in
Data portability SQL bacpac; ADLS standard object storage export; FHIR data re-exposable through another facade
Vendor lock-in Overall Moderate. Primary lock-in: Azure AD B2C (High) and APIM policies (Moderate). Exit effort: approximately 4-6 months for a similar-sized team.
Exit timeline 6-9 months

ID Constraint Category Impact on Design Last Assessed
C-001 All data must reside in the UK (UK GDPR, DSPT, Caldicott) Regulatory UK South primary, UK West DR; Azure Policy “Allowed Locations”; ACS UK region 2026-03-01
C-002 CS-129 and CS-160 mandatory for any change with clinical impact Regulatory Clinical Safety Officer required; Hazard Log; Clinical Safety Case per release 2026-03-01
C-003 Must integrate with Cerner Millennium EPR (legacy HL7v2) Technical FHIR Facade pattern required; no changes to EPR in scope 2025-12-01
C-004 Must comply with MediCore DSPT (annual submission) Regulatory Extensive security and IG controls; evidence maintained continuously 2025-06-30 (last submission)
C-005 WCAG 2.2 Level AA accessibility required (public sector body regs) Regulatory Accessibility built in from alpha; external audit annually 2026-01-15
C-006 99.9% availability SLA committed in Trust Digital Strategy Commercial Zone-redundant SQL; multi-region DR; App Service Premium v3 2026-03-01
ID Assumption Impact if False Certainty Status Owner Evidence
A-001 Cerner FHIR R4 interface will remain available and contractually supported for the life of MyMedwick Would require re-engineering to HL7v2-only integration High Closed Dr Raj Doe Cerner contract extension to 2030; FHIR R4 on roadmap
A-002 Azure AD B2C will remain a Microsoft strategic service Would require migration to Entra External ID Medium Open Jane Bloggs Microsoft has announced B2C long-term support and Entra External ID convergence; migration path understood
A-003 Patient enrolment growth 180k/year for 3 years Capacity plan under- or over-sized Medium Open Nisha Doe Alpha + beta uptake consistent with trajectory
A-004 MediCore login federation remains optional for Trust portals Would require emergency MediCore login integration Medium Open Sally Bloggs Current MediCore Authority policy position; monitored
A-005 Patients have reliable mobile signal for SMS OTP MFA failure rate could increase; requires TOTP fallback adoption High Closed Dr Raj Doe Research shows ≥ 97% UK mobile coverage in Trust catchment
ID Risk Event Category Severity Likelihood Owner
R-001 Clinical safety incident: wrong results displayed to patient leading to patient harm Compliance / Safety Critical Low Dr Amir Doe
R-002 GP Connect outage prevents Phase 2 cross-care appointment feature Technical High Medium Priya Bloggs
R-003 SMS delivery failure causes missed critical appointment (e.g., oncology follow-up) Operational / Safety High Medium Tom Doe
R-004 Patient mis-identification (wrong patient’s record shown) Compliance / Safety Critical Low Dr Amir Doe
R-005 Data breach requiring ICO notification within 72 hours Security Critical Low Jane Bloggs
R-006 Cerner EPR upgrade breaks FHIR interface Technical High Medium Dr Raj Doe
R-007 Azure AD B2C outage blocks patient logins Technical High Low Jane Bloggs
R-008 DSPT submission failure / downgrade from Standards Met Compliance High Low Sally Bloggs
R-009 Accessibility regression fails WCAG 2.2 AA Compliance Medium Medium Nisha Doe
R-010 Clinical safety case lapses (annual review overdue) Compliance / Safety High Low Dr Amir Doe
R-011 Credential-stuffing attack compromises patient accounts Security High Medium Jane Bloggs
R-012 ACS (SMS provider) outage; no alternative contracted Operational High Low Mark Doe
ID Mitigation Plan Residual Risk Last Assessed
R-001 Mitigate Clinical safety regression suite; CSO sign-off per release; 24h release delay for first-time viewing; clinician release control in EPR; audit trail Low 2026-03-01
R-002 Mitigate Feature flag allows instant disable; cached availability with banner; read-only fallback Medium 2026-03-01
R-003 Mitigate Retry + email fallback + booking office manual exception worklist (HAZ-02); patient UI shows “last notified” timestamp; monthly reconciliation report Low 2026-03-01
R-004 Mitigate Strict National Patient ID binding; PDS verification; clinical safety control HAZ-04; automated regression test; CSO sign-off Low 2026-03-01
R-005 Mitigate Defender for Cloud + Sentinel + annual pen test; ICO breach process documented and rehearsed; DPO engaged; DSPT incident reporting Low 2026-03-01
R-006 Mitigate Contract tests + FHIR conformance; Cerner change notice process (60 days); facade pattern isolates change Medium 2026-01-15
R-007 Accept (with mitigation) Cached refresh tokens for existing sessions up to 8h; maintenance banner; P1 incident process Low 2026-03-01
R-008 Mitigate Continuous evidence gathering; quarterly dry-run review with IG team; scores tracked Low 2025-12-01
R-009 Mitigate Axe automated + manual audit + user testing with disabled-users panel; annual external audit Low 2026-02-10
R-010 Mitigate CSMS ticket scheduler; dual CSO rota; automated reminders 30/14/7 days Low 2026-03-01
R-011 Mitigate Breached-password detection; adaptive rate limits; MFA mandatory; Sentinel UEBA; SOC 24x7 Medium 2026-03-01
R-012 Mitigate Email fallback; GOV.UK Notify fallback validated in staging; booking office manual call process Medium 2026-02-15
ID Dependency Direction Status Owner Evidence Last Assessed
D-001 Cerner Millennium EPR HL7v2 + FHIR R4 interfaces available Inbound Resolved EPR team Operational since alpha 2026-03-01
D-002 MediCore Spine PDS availability Inbound Committed MediCore Digital National service 2026-03-01
D-003 MediCore CIS for clinician admin auth Inbound Committed MediCore Digital National service 2026-03-01
D-004 MediCore e-Referral Service API Inbound Resolved MediCore Digital Integration live since 2025-09 2026-03-01
D-005 GP Connect Appointments Inbound Committed MediCore Digital Integration live since 2025-09 (Phase 2) 2026-03-01
D-006 national healthcare secure network CN-SP connectivity Inbound Resolved Trust Network Dual-link live 2026-01-10
D-007 Azure Communication Services UK region Inbound Resolved Microsoft Enterprise agreement; UK region available 2025-11-15
D-008 DSPT 2025/26 submission Outbound Resolved Sally Bloggs Submitted 2025-06-30; Standards Met 2025-06-30
D-009 CS-160 deployment safety case for each release Outbound In progress (continuous) Dr Amir Doe Approved for v2.0 2026-03-28
ID Issue Category Impact Owner Resolution Status Last Assessed
I-001 Cerner FHIR R4 interface intermittent 502 errors during overnight batch Technical Medium Dr Raj Doe Cerner aware; FHIR Facade retry with back-off implemented as interim mitigation; permanent fix expected in Cerner 2026.03 release In progress 2026-03-15
I-002 Two patients reported receiving SMS reminders at 03:00 due to scheduler timezone misconfiguration Operational Medium Tom Doe Scheduler corrected to Europe/London; affected patients contacted; CS-160 incident report filed Resolved 2025-12-08
I-003 Accessibility audit identified 3 AA-level issues (focus order on results page, colour contrast on notification chip, aria-label on cancel button) Compliance Low Nisha Doe Fixes in current sprint; external auditor re-test booked for 2026-04 In progress 2026-03-20
Question Response
Does this design create exceptions to current policies and standards? No
Accepted through exceptions process? N/A
Question Response
Creates a process library issue? No
Acknowledged by process owner? N/A
Question Response
Materially changes the Trust’s risk profile? Yes – introduces a new patient-facing external surface and new data processing. Evaluated with Risk Committee; risk appetite confirmed. DPIA DPIA-2025-004 and Clinical Safety Case v3 signed.
Evaluated with Risk and Controls? Yes
ADR # Title Status Date Impact
ADR-001 Azure over AWS as hosting platform Accepted 2025-02-05 Platform direction
ADR-002 FHIR R4 over HL7v2 as canonical clinical data contract Accepted 2025-02-20 Integration model
ADR-003 Azure AD B2C over MediCore login for patient identity Accepted (revised 2026-03-28) 2026-03-28 Identity model; MediCore login federation planned
ADR-004 Outbox pattern for EPR-affecting writes Accepted 2025-03-12 Reliability pattern
Standard / Principle Requirement How the Design Satisfies It Evidence Section
UK GDPR Art 5(1)(c) Data minimisation FHIR facade requests only required fields; PII not logged; API responses tailored to purpose 3.2, 3.4
UK GDPR Art 5(1)(f) Integrity and confidentiality TLS 1.3; Always Encrypted on PII; CMK with HSM; audit; WAF 3.4, 3.5
UK GDPR Art 6(1)(e) + Art 9(2)(h) Lawful basis for special category data Lawful basis documented in DPIA-2025-004 2.3, 3.4
UK GDPR Art 17 Right to erasure Patient-initiated erasure workflow, with records-retention overlay 3.4, 3.6
UK GDPR Art 32 Security of processing Full IAM, encryption, monitoring, threat model 3.5
UK GDPR Art 33 Breach notification within 72h Documented incident process with DPO engagement 4.1, 6.3
UK GDPR Art 35 DPIA DPIA-2025-004 and DPIA-2025-018 completed 2.3, 3.4
MediCore DSPT 2025/26 (10 assertions) Standards Met Evidence package submitted 2025-06-30; scored Standards Met 2.3, 3.5, 6.8
CS-129 (Manufacturer) Clinical risk management (manufacturer) CSO appointed; Clinical Safety Case v3 approved; Hazard Log MHT-HAZ-LOG-0208; regression suite 2.3, 3.5, 3.6, 5.1
CS-160 (Deployment) Clinical risk management (deployment) Deployment Safety Case signed by Trust CSO per release; CSG sign-off 5.4, 6.4
Caldicott Principles Justifiable purpose, minimum necessary, need-to-know Caldicott Guardian approval of data uses; access audit 2.3, 3.4
WCAG 2.2 AA Public sector accessibility Axe + manual + external audit; accessibility statement published 4.3, 5.3, 6.3
NCSC Cloud Security Principles 14 principles Private Endpoints; CMK in HSM; Sentinel; Defender for Cloud; Trust landing zone 3.3, 3.5
MediCore Authority Interop Standards FHIR R4, National Patient ID as primary identifier FHIR Facade; National Patient ID binding 3.2, 3.5
Cyber Essentials Plus Trust certification Inherited; evidenced 3.3, 3.5

Term Definition
ACS Azure Communication Services – Microsoft’s cloud communication platform
ALZ Azure Landing Zone
ASEv3 App Service Environment v3 – dedicated, isolated App Service compute
Caldicott Guardian Senior person in a MediCore organisation responsible for protecting the confidentiality of patient information
CCIO Chief Clinical Information Officer
CIS2 MediCore Care Identity Service 2 – MediCore staff identity and authentication
CDIO Chief Digital Information Officer
CQC Care Quality Commission – England’s health and social care regulator
CSG Clinical Safety Group (Medwick’s multi-disciplinary clinical safety panel)
CSO Clinical Safety Officer – defined in CS-129
CS-129 MediCore Digital standard: Clinical Risk Management – Manufacturer
CS-160 MediCore Digital standard: Clinical Risk Management – Deployment
DPIA Data Protection Impact Assessment
DPO Data Protection Officer
DSPT MediCore Data Security & Protection Toolkit
EPR Electronic Patient Record
e-RS MediCore e-Referral Service
FHIR Fast Healthcare Interoperability Resources (HL7 standard)
GP Connect MediCore service providing GP information via FHIR
HAZ Hazard (entry in Hazard Log)
national healthcare secure network Health and Social Care Network – private MediCore network
ICO Information Commissioner’s Office – UK data protection regulator
ICS Integrated Care System
MESH MediCore Message Exchange for Social Care and Health
MHRA Medicines and Healthcare products Regulatory Agency
MICS Medwick Integrated Care System
MyMedwick The solution described in this SAD
MediCore DSPT MediCore Data Security & Protection Toolkit
PACS Picture Archiving and Communication System
PDS Personal Demographics Service (MediCore Spine)
PKB Patient Knows Best (legacy portal being replaced)
RA MediCore Registration Authority (manages MediCore identity cards)
RoPA Record of Processing Activities (UK GDPR Art 30)
SCR Summary Care Record (MediCore Spine)
SRO Senior Responsible Officer
Spine MediCore Spine – national set of health services (PDS, SCR, etc.)
TLS-MA TLS Mutual Authentication
UBRN Unique Booking Reference Number (e-RS referrals)
WCAG Web Content Accessibility Guidelines
WORM Write Once, Read Many (immutable storage)
Document Version Description Location
MediCore Data Security & Protection Toolkit 2025/26 Mandatory annual MediCore IG assessment dsptoolkit.nhs.uk
CS-129 Clinical Risk Management: Manufacturer 2018 MediCore Digital clinical safety standard MediCore Digital
CS-160 Clinical Risk Management: Deployment 2018 MediCore Digital clinical safety standard MediCore Digital
MediCore Authority Interoperability Standards 2025 FHIR R4 profiles and guidance MediCore Authority
Trust Information Security Policy 4.1 Medwick corporate security policy Trust intranet
Trust Clinical Risk Management Policy 3.2 Medwick clinical risk governance Trust intranet
DPIA – MyMedwick DPIA-2025-004 Data Protection Impact Assessment Trust IG library
Clinical Safety Case v3 – MyMedwick CSC-MHT-0208-v3 Clinical safety case per CS-129 Trust CSMS
Hazard Log – MyMedwick MHT-HAZ-LOG-0208 Live hazard register Trust CSMS
Deployment Safety Case v3 – MyMedwick MHT-DSC-0208-v3 Per CS-160 Trust CSMS
MyMedwick Threat Model MHT-TM-2025-008 STRIDE threat model Trust Security Library
NCSC Cloud Security Principles 2024 14 principles ncsc.gov.uk
Accessibility Statement – MyMedwick 2026-01 Public-facing accessibility statement mymedwick.nhs.uk/accessibility
WCAG 2.2 W3C Recommendation 2023 Accessibility guidelines w3.org/WAI/WCAG22
Standard / Pattern ID Name Version Applicability
HL7-FHIR-R4 HL7 FHIR R4 3.2 Integration
HL7v2 HL7 v2.5 2.5 3.2 Integration (legacy inbound)
OWASP-ASVS-4.0 Application Security Verification Standard 4.0 5.1
OWASP-CRS OWASP Core Rule Set 3.2 3.3, 3.5 WAF
NIST-800-88 Media Sanitisation Rev 1 5.9
WCAG Web Content Accessibility Guidelines 2.2 AA 3.6, 4.3, 5.3
CS-129 Clinical Risk Management (Manufacturer) 2018 3.5, 3.6, 5.1
CS-160 Clinical Risk Management (Deployment) 2018 5.4, 6
C4-Model C4 Model for Software Architecture N/A 3.1
12-Factor The Twelve-Factor App N/A 3.1
Role Name Date Signature / Approval Reference
Solution Architect Dr Raj Doe 2026-03-28 ADO: MYM-ARB-2026-008 (approved)
Clinical Safety Officer Dr Amir Doe 2026-03-26 CSMS: CSC-MHT-0208-v3 (approved)
CCIO Dr Fiona Doe 2026-03-27 ADO: MYM-CLIN-2026-004 (approved)
Caldicott Guardian Helen Bloggs 2026-03-25 IG: CG-2026-011 (approved)
IG Lead / DPO Sally Bloggs 2026-03-25 IG: IG-2026-018 (approved)
CISO Jane Bloggs 2026-03-26 ADO: MYM-SEC-2026-015 (approved)
CDIO Robert Bloggs 2026-03-28 ADO: MYM-ARB-2026-008 (approved)
SRO / Deputy CEO Paul Bloggs 2026-03-28 Board: MHT-BOARD-2026-006 (approved)
ARB / Design Authority Design Authority (chaired by Robert Bloggs) 2026-03-28 ADO: MYM-ARB-2026-008 (approved)

Assessment Summary

This SAD was assessed at Comprehensive depth. The scores below reflect a mature, well-documented architecture for a Tier 1 Critical clinical system under MediCore clinical safety and information governance standards.

Section Score Justification
0. Document Control 5 Full version history, multiple clinical and IG contributors/approvers, clear scope, related documents referenced
1. Executive Summary 5 Business drivers with priority; strategic alignment; reuse assessment; current-state documented; Tier 1 Critical criticality justified by patient-harm analysis
2. Stakeholders & Concerns 5 Comprehensive register including Caldicott Guardian, CSO, CCIO and external regulators; concerns matrix fully mapped; twelve applicable regulations
3.1 Logical View 5 Full component decomposition; design patterns with rationale; lock-in assessment for all components; service-to-capability mapping
3.2 Integration & Data Flow 5 All internal and external integrations documented with protocol/auth; ten API contracts versioned; end user access patterns; national healthcare secure network and MediCore national services modelled
3.3 Physical View 5 Deployment diagram; compute fully specified (ASEv3); full networking including ExpressRoute, national healthcare secure network, Private Endpoints; six environments; security agents
3.4 Data View 5 All data stores classified with retention and encryption; Always Encrypted for PII; UK data sovereignty; two DPIAs; data integrity and patient identity controls
3.5 Security View 5 STRIDE threat model with eleven threats including two explicit clinical safety threats; comprehensive IAM (patient, clinician, service); HSM-backed CMK; Sentinel with clinical-safety analytics
3.6 Scenarios 5 Five architecturally significant use cases including a clinical-safety control scenario (UC-04); four ADRs with alternatives and tradeoffs
4.1 Operational Excellence 5 Centralised logging with Sentinel; Azure Monitor/App Insights; PagerDuty with clinical safety escalation; dedicated clinical-safety workbook
4.2 Reliability 5 Zone-redundant primary with warm-standby DR; RTO 1h / RPO 15min validated through quarterly drill; chaos testing; Outbox for durability
4.3 Performance 5 P50/P95/P99 targets; 3,000 req/s sustained; Azure Load Testing in pipeline; caching; 5-year growth projections
4.4 Cost 5 Monthly cost breakdown by component; reserved instances; FinOps; tagging; rightsizing cadence
4.5 Sustainability 4 Non-prod auto-shutdown; efficient SKUs; Brotli compression; rightsizing. Score reduced from 5: no carbon metrics baselined; formal sustainability KPIs still in development
5. Lifecycle 5 CI/CD with SAST/DAST/SCA and FHIR conformance; phased migration (PKB replacement); clinical safety regression; fortnightly release with CSO sign-off; exit plan
6. Governance 5 Six constraints; five assumptions with evidence; twelve risks with mitigations (incl. clinical safety); nine dependencies; three issues; fifteen-item compliance traceability
7. Appendices 5 Domain glossary (healthcare-specific); fourteen reference documents; ten standards; full approval sign-off with CSO and Caldicott Guardian
Overall 4.9 Comprehensive depth achieved. Exemplary documentation for a Tier 1 Critical MediCore Trust clinical system.