Electronic Prescription Service (EPS) - All Prescriptions must be signed using SHA-256
| ID | RM257 |
|---|---|
| Version | 1.0.1 |
| Type | Roadmap Item |
| Contracting Vehicle(s) | |

| Title | Electronic Prescription Service (EPS) - All Prescriptions must be signed using SHA-256 |
|---|---|
| Description | All Prescriptions sent via the Electronic Prescription Service (EPS) must be signed using SHA-256 |
| Date Added | Feb 25, 2025 |
| Standards and Capabilities | Prescribing, Electronic Prescription Service (EPS) - Prescribing, Interoperability Standard |
| Change Route | Managed Capacity - Other |
| Change Type | Uplift |
| Status | Closed |
| Publication Date | Apr 4, 2025 |
| Effective Date | Jul 4, 2025 |
| Incentives / Funding | No |
| Incentive / Funding Dates | N/A |

Background
Prescribing Solutions are using an out-of-date digital hashing method to securely sign electronic Prescriptions when using the Electronic Prescription Service (EPS). The hash in use is Secure Hash Algorithm 1 (SHA-1), which was deprecated in 2011 and will become obsolete in 2030.
The National Institute of Standards and Technology (NIST) has announced the retirement of SHA-1, and recommends that any Suppliers using SHA-1 for security should migrate to SHA-2 or SHA-3 as early as possible. Therefore, the Authority has made SHA-2 Signing API packages available and all Prescriptions must be signed using SHA-256. SHA-3 is not in scope for this change as Solutions across the Authority are not aligned to SHA-3 for securely signing electronic Prescriptions.
Note: “Signing Service API” within the Dependencies section of the uplifted Standard is being renamed to “Digital Signature Service API” as part of this Roadmap Item uplift.
Outline Plan
Supplier Solutions must be fully compliant with this change by the Effective Date.
Summary of Change
Electronic Prescription Service (EPS) - Prescribing: MUST requirement added

| Applicable Suppliers | ID | Requirement | Level |
|---|---|---|---|
| GP Suppliers | EPSP05 | All EPS Prescriptions to be signed using SHA-256. The Authority has made SHA-256 Signing API Packages available that Suppliers could optionally use as part of their implementation. See NIST - Hash Functions for further information. | MUST |

Electronic Prescription Service (EPS) - Prescribing: Dependencies section updated

Dependencies
EPS FHIR API - Prescribing API
For Suppliers of new services or applications: Creating a compliant implementation requires implementing the following dependent interface standards:

Full Specification
Electronic Prescription Service (EPS) - Prescribing V4
Assurance Approach
Assurance will be carried out by the Electronic Prescription Service (EPS) Live Service Team. Once development is complete, contact the EPS team via epssupport@nhs.net to arrange testing of SHA-256 signed Prescriptions.
Test Overview
The testing steps could change depending on the Supplier Solution and the outcomes of testing.
Create and sign Prescriptions (up to 5).
Provide confirmation Prescriptions have been successfully created and the Prescription IDs to the Electronic Prescription Service (EPS) Live Service Team (indicate whether these were created with a Series 8 or Series 9 smart card).
Electronic Prescription Service (EPS) Live Service Team will verify they have been created and signed correctly.
Electronic Prescription Service (EPS) Live Service Team will then dispense the Prescriptions to verify that the end-to-end process has worked successfully and that no errors are generated in the Dispensing system.
Electronic Prescription Service (EPS) Live Service Team will confirm whether this has been successful or unsuccessful, and provide further advice if unsuccessful.
Regression testing of SHA-1 electronically signed Prescriptions, to ensure they are still supported.
Bulk signing of Prescriptions testing is optional.