bbRad security

Revision as of 18:38, 10 April 2016

bbRad Security and encryption details

Note: This page describes security details of bbRad for technical readers.
For our Information Governance and Security Compliance Statement please see here. 

Security of data

bbRad has always strong-encrypted all data. This page gives details of the encryption used.

Encryption when using bbRad Serverless

bbRad uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data. This means that all data - metadata as well as patient data such as images, reports, memos, attached files, requests etc - is sent across an encrypted TLS channel when you're communicating with bbRad Serverless.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are mechanisms for safely transmitting data. On the web, SSL and TLS try to do two things:

• Encrypt and verify the integrity of traffic between the browser and the server.
• Verify the browser is talking to the correct server.

Whilst the SSL protocol is both outdated and insecure, and has since been replaced by TLS, the term "SSL" continues to be colloquially used, referring to a general mechanism for protecting transmitted data.

HTTPS (Hypertext Transfer Protocol Secure) is the combination of SSL/TLS and HTTP to secure communications between the browser and the server.

Encryption between bbRad Gateways (including Gateway<->Serverless)

bbRad conforms to the highest standards of security, including those required by the NHS, namely

• AES-256 encryption
• SSL/TLS connections

All data - metadata as well as patient data such as images, reports, memos, attached files, requests etc - is first encrypted on the Gateway or Serverless, using public key cryptography. The patient data (ie images, reports, memos, attachments, requests) are encrypted to the recipient's public key. The corresponding private key is held on the bbRad Gateway itself. Only the meta-data is encrypted to bbRad's public key. The metadata has routing information telling our system where to send the encrypted payload.

This means that all patient data enjoys end-to-end encryption. Patient data is not decrypted until safely on the recipient hospital's network, or in the case of gateway to Serverless transfers, on the recipient bbRad Serverless infrastructure.

bbRad uses RSA keys with 2048 bit key-lengths. The keys also indicate which symmetric encryption algorithm to use - so far always AES. By default we create all Gateways keys to require the military-strength algorithm called AES-256 when data is encrypted to that public key. In addition we never do 'roll your own' cryptography (see also [Bruce Schneier article]). Within bbRad, cryptographic operations are performed by OS calls to GPG, an open source implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). As as a result of using out-of-process calls to the GPG executable, possible security problems in the application do not propagate to the actual crypto code, due to the process barrier.

Furthermore, this architecture future-proofs bbRad because it is easy to upgrade your encryption without even needing to change bbRad. For example if a flaw were found in AES256, we or a hospital's IT department can rapidly upgrade GPG on the Gateway server, and/or we can re-generate and replace encryption keys and corresponding signatures. No new bbRad version is needed.

The transfer protocol used is Secure FTP, using the latest Secure FTP protocol called Explicit FTPS, also known as FTP over SSL/TLS. This means that hospitals do not need to make any firewall rule changes beyond enabling outbound FTP (no inbound FTP is needed). Hospitals can also double-encrypt data by setting an option to use Secure FTP for the FTP data channel too. This is appropriate for countries or company policies that specifically mandate SSL/TLS.

Within the hospital LAN, all communications from the client in the Radiology department to the bbRad gateway are also encrypted using SSL/TLS.