Patients Know Best has completed the 2019/2020 NHS Digital Data Security and Protection Toolkit (formerly the NHS Information Governance Toolkit, for which PKB consistently met and exceeded level 3 status) for handling and managing data and associated security. Our ODS Code is 8HM56, and the certification is viewable here for 2018-2019/2019-2020. PKB also holds a Cyber Essentials Plus certification, viewable here.
PKB encrypts all data in transit and at rest.
PKB mandates the use of TLS 1.2 or above for web and REST API sessions, and at least TLS 1.0 for HL7 sessions.
PKB applies another, unique layer of encryption to Special Category data to mitigate internal adversaries, data leaks due to software bugs, etc.
There are some important concepts in PKB’s security model:
When PKB stores a data point, it obtains an AES256 key, encrypts the data, stores it in the account, and encrypts the AES256 key with an account public key. When PKB retrieves a data point, it obtains the user private key (using the secret the user provides), then the account private key, then the account symmetric key, then decrypts the data.
Data sharing is achieved by decrypting account private keys and re-encrypting them with the recipient user’s public key.
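The key chain and the sharing step described above, as an added Node.js example (not PKB's code). The page names only AES256 and public/private keys, so RSA-2048 with OAEP, AES-256-GCM, scrypt for the user secret, and all function and field names are assumptions.

```javascript
const crypto = require('node:crypto');
const OAEP = { oaepHash: 'sha256' }; // assumed RSA-OAEP parameters
// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function aesSeal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function aesOpen(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}
// Envelope: a fresh AES-256 key encrypts the payload, the public key encrypts that AES key.
function wrapTo(publicKey, payload) {
  const k = crypto.randomBytes(32);
  return { ek: crypto.publicEncrypt({ key: publicKey, ...OAEP }, k), body: aesSeal(k, payload) };
}
function unwrapWith(privateKey, w) {
  return aesOpen(crypto.privateDecrypt({ key: privateKey, ...OAEP }, w.ek), w.body);
}
function newKeyPair() {
  const pem = (type) => ({ type, format: 'pem' });
  return crypto.generateKeyPairSync('rsa',
    { modulusLength: 2048, publicKeyEncoding: pem('spki'), privateKeyEncoding: pem('pkcs8') });
}
// The user private key is stored sealed under a key derived from the user's secret.
function newUser(id, secret) {
  const { publicKey, privateKey } = newKeyPair();
  const salt = crypto.randomBytes(16);
  const sealedPrivateKey = aesSeal(crypto.scryptSync(secret, salt, 32), Buffer.from(privateKey));
  return { id, publicKey, salt, sealedPrivateKey };
}
function newAccount(owner) {
  const { publicKey, privateKey } = newKeyPair();
  const grants = new Map([[owner.id, wrapTo(owner.publicKey, Buffer.from(privateKey))]]);
  return { publicKey, grants, records: [] };
}
// Storing needs only the account public key; returns the record index.
const storeDataPoint = (account, data) =>
  account.records.push(wrapTo(account.publicKey, Buffer.from(data))) - 1;
// secret -> user private key -> account private key
function accountPrivateKey(account, user, secret) {
  const userPriv = aesOpen(crypto.scryptSync(secret, user.salt, 32), user.sealedPrivateKey);
  return unwrapWith(userPriv, account.grants.get(user.id));
}
const retrieveDataPoint = (account, user, secret, i) =>
  unwrapWith(accountPrivateKey(account, user, secret), account.records[i]).toString();
// Sharing re-encrypts the account private key to the recipient's public key.
const share = (account, from, secret, to) =>
  account.grants.set(to.id, wrapTo(to.publicKey, accountPrivateKey(account, from, secret)));
```

In this sketch `share` never touches `account.records`: access is granted by adding one wrapped copy of the account private key, and the stored data points are not re-encrypted.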
The above means that: