Patients Know Best reaches and exceeds NHS Information Governance Toolkit level 3 for handling and managing data and its associated security. Information is kept confidential so that only the patient, and the people the patient chooses, can access the patient’s medical records. PKB encrypts the data so that PKB itself cannot read it, let alone leak it; therefore only patients or clinicians can leak patient data. PKB is responsible for the encryption in its software. Patients and clinicians are responsible for not leaking the data they have access to.
Non-clinical information stored unencrypted includes the patient’s: name, date of birth, address and identifiers (national, organisation and team). These fields are left unencrypted so that incoming clinical data can be matched to the correct record and encrypted with that patient’s public key. They are stored under ISO 27001 controls, i.e. no PKB staff have access rights to the data.
PKB’s encryption has three layers:
- Medical record data storage layer: encrypts medical data using DESede (Triple DES), with a unique public and private key pair for each patient. Only the patient, and the people the patient chooses, have a copy of the private key. The secret key is stored with each document after being encrypted using the 1024-bit RSA public key that is unique to that patient account. Only the private key allows access to the patient’s data; therefore, no other party is able to access it.
- Secure server holding the data: this is hosted to ISO 27001 standard inside the NHS Health and Social Care Network (HSCN), formerly the N3 network, behind the NHS firewall. This protects against malicious hacking attempts and provides uptime, disaster recovery and business continuity guarantees.
- Transport layer: TLS with high-grade (AES-256) encryption. We do not support unencrypted HTTP for browser requests, and internal communication between the web application, EJBs, LDAP and the database also runs over SSL.
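The first layer above is an envelope scheme: each document gets its own secret key, and that key is stored alongside the document wrapped with the patient’s RSA public key, so whoever holds the ciphertext and the wrapped key still cannot read the document without the private key. The following Go program is an added illustration of that pattern using the algorithms the page names (Triple DES for the document, a 1024-bit RSA key for the wrap); it is not PKB’s code, and CTR mode, OAEP padding and the SealedDocument layout are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedDocument is what the storage layer keeps for one document: the
// ciphertext, its IV, and the document key wrapped with the patient's public key.
type SealedDocument struct{ IV, Ciphertext, WrappedKey []byte }

// SealDocument encrypts one document under a fresh 3DES key and wraps that key
// with the patient's RSA public key (CTR mode and OAEP are assumptions here).
func SealDocument(pub *rsa.PublicKey, plaintext []byte) (*SealedDocument, error) {
	buf := make([]byte, 24+des.BlockSize) // 3 DES subkeys + one IV, both random
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	docKey, iv := buf[:24], buf[24:]
	block, err := des.NewTripleDESCipher(docKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, docKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedDocument{IV: iv, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// OpenDocument is the only way back to plaintext: unwrap the document key with
// the private key, then decrypt. Without that key the unwrap fails here.
func OpenDocument(priv *rsa.PrivateKey, doc *SealedDocument) ([]byte, error) {
	docKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, doc.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(docKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(doc.Ciphertext))
	cipher.NewCTR(block, doc.IV).XORKeyStream(pt, doc.Ciphertext)
	return pt, nil
}
```

Key sizes and algorithms mirror the page’s description; switching the document cipher or the RSA key length changes only the two constructor calls, not the envelope structure.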
Every authorised user is either a patient who has been identified and consented by a medical professional, or a professional whose employer (e.g. an NHS hospital or a County Council social work department) has identified and authorised them to use the system. The patient may choose to invite a carer or professional who has not been formally identified, but these unverified accounts cannot be used with any other patients. There is a full audit trail of who gave whom access to which accounts.