Gravatar for patient photos - sketch of spec #1

Open · pacharanero opened this issue Jan 25, 2019 · 1 comment

Comments

@pacharanero (Owner) commented Jan 25, 2019
In the NHS there has been discussion about ways to enable a patient photo to be obtained by legitimate care systems, to enable safer identification of the correct patient, and to help make healthcare more 'human-scale' when dealing with electronic patient records.

Gravatar does this already...

Gravatar (Globally Recognised Avatar) stores an image of the user, but it is only accessible if you know the MD5 hash of the user's email address. Because hashing is a one-way function, you must have access to the email address in the first place. MD5 is considered broken so I would suggest SHA-256 and the use of a 'salt' added to the hash to increase the difficulty of rainbow table or dictionary attacks.

Pavatar (Patient Avatar):

But instead of email address, we could link it to a patient's NHS number. A national central web service (an API) on HSCN would exist so that any EPR, PAS or other system could obtain a patient avatar photo.

NHS number: 123 456 7890
SHA256 Hashed NHS number: c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Web request: GET https://nww.patient-avatar.nhs.uk/c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Response: 200 OK and image file

Additional security:

  • Clearly, Gravatar is by design completely open, which is less secure (although the namespace for requesting random images is huge, so it is unlikely to be compromisable in a practical amount of time), but we could make it so that requesting systems needed to be registered and have an API key; this would make things much more secure.
  • Hosting on N3/HSCN - again this cuts down the access that 'bad actors' could get.
  • NHS Numbers bear no relationship to any other parameter of the patient - so that other factors such as patient name, DOB, address are of no help if trying to guess the NHS number.
@HarvsG (Contributor) commented Jul 14, 2021

> although the namespace for requesting random images is huge, so unlikely to be compromisable in a practical amount of time

The namespace of a SHA256 is huge, but the namespace of all possible NHS numbers is only about 10^10. With approx. 10^8 valid NHS numbers in existence, one could expect the hash of a guessed NHS number to return a valid Pavatar endpoint 1 guess out of 10^2 - quite easy. It would take a modern GPU seconds to minutes to generate the SHA-256 hash of every possible NHS number (10^10 / 3000 Mh/s).

I think it would make sense to add something to the NHS Number before hashing, as a 'salt' (although it wouldn't be a true salt as it would have to be known to the client) or otherwise. Maybe Date of Birth?
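The lookup-key derivation sketched in the opening post, next to a keyed variant along the lines HarvsG suggests (a client-held secret plus date of birth in the input), and the brute-force time estimate from the comment above, as an added example that is not code from the issue or from any NHS system. The `api_secret` value, the `|`-separated message layout and the ISO date-of-birth format are assumptions made here for illustration.

```python
import hashlib
import hmac

# NHS number quoted in the issue, with its display spacing.
EXAMPLE_NHS_NUMBER = "123 456 7890"
BASE_URL = "https://nww.patient-avatar.nhs.uk"


def normalise(nhs_number: str) -> str:
    """Strip display spacing so '123 456 7890' becomes '1234567890'."""
    return nhs_number.replace(" ", "")


def plain_lookup_key(nhs_number: str) -> str:
    """Unkeyed SHA-256 of the NHS number, as in the original sketch.
    Anyone able to enumerate the ~10^10 candidate numbers can precompute
    every possible key, so this hides nothing from a determined requester."""
    return hashlib.sha256(normalise(nhs_number).encode()).hexdigest()


def keyed_lookup_key(nhs_number: str, api_secret: bytes, dob_iso: str) -> str:
    """Hypothetical hardening: HMAC-SHA256 over NHS number and date of birth
    under a per-client secret (the 'salt known to the client' from the thread,
    which is really a key). Without the secret the key space cannot be
    precomputed offline, and a bare NHS number alone no longer yields a URL."""
    message = f"{normalise(nhs_number)}|{dob_iso}".encode()
    return hmac.new(api_secret, message, hashlib.sha256).hexdigest()


def avatar_url(lookup_key: str, base: str = BASE_URL) -> str:
    """Build the GET URL the issue describes for a given lookup key."""
    return f"{base}/{lookup_key}"


def exhaustive_hash_seconds(keyspace: int, hashes_per_second: float) -> float:
    """Time to hash every candidate in a key space at a given hash rate,
    i.e. the 10^10 / 3000 Mh/s estimate from the second comment."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    print(avatar_url(plain_lookup_key(EXAMPLE_NHS_NUMBER)))
    # Constructed secret and date of birth, purely for the demonstration.
    print(avatar_url(keyed_lookup_key(EXAMPLE_NHS_NUMBER, b"constructed-secret", "1970-01-01")))
    print(f"{exhaustive_hash_seconds(10**10, 3000e6):.1f} s to hash all 10^10 candidates at 3000 Mh/s")
```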
