Speeding up PKB’s decryption and upgrading encryption

From this week, new data in PKB will display faster and be locked up more securely.

A quick reminder about PKB’s security: we encrypt each patient’s record with a unique public key. Only the users with the private key (i.e. the patient, plus professionals and carers that the patient has consented to) can decrypt the record.

Encryption is the equivalent of putting a letter through a letter box, and decryption is equivalent to unlocking the door of the letter box. Anyone can put a letter through it, adding data to a patient’s record, but only someone with the key to the door can get the letter out, seeing the patient’s data. Of course PKB does not have any of these keys, so it’s all under the patient’s control and consent.

[Figure: Encryption / Decryption]

We now encrypt all the data in a patient’s record with just one key, in one go. Previously each data point was encrypted separately, the equivalent of having a separate letter box for each letter, requiring a separate unlocking of each door for each letter. Now decryption happens in one transaction, unlocking just one door to get to all the letters in a patient’s record.

So seeing data is much faster. (You can track how fast our servers are showing data on pkbstatus.com.) Decrypting one data point used to take 1 ms, so showing 5,000 test results took 5 seconds of decryption. Now decrypting all 5,000 data points in one go will take 1 ms. This is great for usability.

This optimisation is critical as our customers start on-boarding tens of thousands of patients per month. Our mass-registration APIs allow hospitals to securely register patients without taking up employee time. Some hospitals are registering patients through letters with unique decryption keys, others are using clinic kiosks to do so.

At the same time we are moving to a stronger encryption algorithm: 256-bit AES. We had previously been using 3DES. AES is the successor to DES as the industry-standard symmetric encryption algorithm.
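As an added example (not PKB's own code) the scheme described above, written as envelope encryption with Go's standard library: one fresh AES-256 data key per record seals every data point in a single operation, and only that key is wrapped under the patient's public key. The Record layout, the use of RSA-OAEP for the wrap and of GCM as the AES mode, and the newline-joined data points are all assumptions, not details from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"strings"
)

// Record is a hypothetical layout, not PKB's real format: every data point
// sits in ONE AES-256-GCM blob, and the single data key is RSA-OAEP-wrapped
// under the patient's public key (the "letter box").
type Record struct{ WrappedKey, Nonce, Ciphertext []byte }

// must panics on errors that cannot occur with valid key sizes or a working
// OS random source; it keeps the sealing side short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SealRecord: anyone holding the public key can post data, and a fresh
// 256-bit data key is generated once per record rather than once per datum.
func SealRecord(pub *rsa.PublicKey, points []string) *Record {
	buf := make([]byte, 32+12) // random data key || random GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	blob := aead.Seal(nil, nonce, []byte(strings.Join(points, "\n")), nil)
	return &Record{wrapped, nonce, blob}
}

// OpenRecord: one RSA unwrap (unlocking one door), then one AEAD call that
// yields every data point; a tampered blob or wrong private key fails closed.
func OpenRecord(priv *rsa.PrivateKey, r *Record) ([]string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	plain, err := aead.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	return strings.Split(string(plain), "\n"), nil
}
```

Because the data key is wrapped once per record, the cost of the public-key operation no longer scales with the number of data points, which is the speed-up the post describes.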
