Government bans fax machines in the NHS


(Adrian Wilkins) #1

And this is why a simple protocol for data exchange that takes no account of content is needed, rather than the current messaging which demands that you write complex transformations for each message type (e.g. GP2GP), and that the receiving end also understands how to process it.


(Kev Mayfield) #2

Interesting idea. A no-frills system.

What about security though? The fax trusts the phone network; an email equivalent trusts NHS.net.

Can we trust N3 in a similar manner? What’s the minimum security for this - HTTPS. That should prove the endpoint identity - how do you prove the sender’s ID (would you encrypt the JWT using your own NHS cert?)


(Kev Mayfield) #3

Put another way … If I was sending a ‘fax’ document to this endpoint (this works)

POST https://data.developer-test.nhs.uk/ccri-fhir/STU3/Bundle

You know the receiver is legitimate and the payload is encrypted. How do I prove I sent this from https://west.riding.nhs.uk (so no user ID, just organisation to organisation)? It’s not my area of expertise but I assume I encrypt the secret part of the JWT using the certificate for https://west.riding.nhs.uk (which I believe proves the payload hasn’t been tampered with).


(Adrian Wilkins) #4

Signatures: you hash the document and perform a cryptographic operation on the hash that you can only do with a private key you hold.

You don’t have to stop at one, of course. If you hold a smart card it ought to be able to do this. Then you can apply them to attest to your message source.
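The hash-then-sign step described in post #4, with two independent signers over one document, as an added example that is not part of the thread or of any NHS system. It assumes ECDSA P-256 keys generated in-process (a second software key stands in for a smart card) and a receiver that already holds the signers' public keys; the payload and the "smartcard-holder" label are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation is one detached signature over a document's SHA-256 digest.
type Attestation struct {
	Signer string // label the receiver maps to a trusted public key
	Sig    []byte // ASN.1 DER encoded ECDSA signature
}

// Attest hashes doc and signs the digest with the caller's private key.
func Attest(signer string, priv *ecdsa.PrivateKey, doc []byte) (Attestation, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Attestation{Signer: signer, Sig: sig}, err
}

// VerifyAll returns the signers whose signature is valid for doc; unknown signers are rejected.
func VerifyAll(doc []byte, atts []Attestation, trusted map[string]*ecdsa.PublicKey) []string {
	digest := sha256.Sum256(doc)
	var ok []string
	for _, a := range atts {
		if pub, known := trusted[a.Signer]; known && ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
			ok = append(ok, a.Signer)
		}
	}
	return ok
}

// Demo signs a constructed payload twice, then checks the original and an altered copy.
// Key generation and signing errors are ignored here to keep the demo short.
func Demo() (intact, tampered []string) {
	orgKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for a smart card
	doc := []byte(`{"resourceType":"Bundle","type":"document"}`)     // constructed sample
	org, _ := Attest("west.riding.nhs.uk", orgKey, doc)
	card, _ := Attest("smartcard-holder", cardKey, doc)
	atts := []Attestation{org, card}
	trusted := map[string]*ecdsa.PublicKey{"west.riding.nhs.uk": &orgKey.PublicKey, "smartcard-holder": &cardKey.PublicKey}
	changed := append([]byte("X"), doc...) // any modification changes the digest
	return VerifyAll(doc, atts, trusted), VerifyAll(changed, atts, trusted)
}

func main() { fmt.Println(Demo()) }
```

Both signatures verify on the untouched document and neither verifies once a single byte changes; nothing in the document is encrypted by signing it.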


(adamlees) #5

There is an NHS-wide service that meets your criteria already.
Secure, trusted sender/receiver identity, content-agnostic. And it’s already IG certified for clinical data.

NHSmail :grinning:


(Kev Mayfield) #6

I’m writing a blog on this … and it’s built on your(/our) design :slight_smile:

But I’ll raise your NHSmail to MESH.