bbRad security

Security of data in transit

bbRad has always strong-encrypted all data. This page gives details of the encryption used.

Encryption between bbRad Gateways, including Gateway<->Serverless

bbRad conforms to the highest standards of security, including those required by the NHS, namely

• AES-256 encryption

All data - metadata as well as patient data such as images, reports, memos, attached files, requests etc - is encrypted using public key cryptography.

The patient data (ie images, reports, memos, attachments, requests) are encrypted to the recipient's public key. The corresponding private key is held on the bbRad Gateway itself.

Only the meta-data is encrypted to bbRad's public key. The metadata has routing information telling our system where to send the encrypted payload.

This means that all patient data is encrypted end-to-end in bbRad it is not decrypted until safely on the recipient hospital's network - not even within our secure bbRad.net data centre.

bbRad uses RSA keys with 2048 bit key-lengths. The keys also indicate which symmetric encryption algorithm to use - so far always AES. By default we create all Gateways keypairs to require the military-strength algorithm called AES-256 when data is encrypted to their public key.

This architecture means that it is easy for bbRad to upgrade encryption by simply means that it is trivial to upgrade encryption

The transfer is done using Secure FTP - bbRad uses the latest Secure FTP protocol called Explicit FTPS, also known as FTP over SSL/TLS. This means that hospitals do not need to make any firewall rule changes beyond enabling FTP. As at bbRad Version 2.13, only the Control Channel is encrypted, but an option to also encrypt of the Data Channel is scheduled for bbRad Version 2.14.