wGrow - Team Notes

Sharing Expertise: Tech Insights and Case Studies

Implementing a Secure and Compliant Visitor Logging System for a Singapore Hospital using .NET, MS SQL, and Windows Server 2019

Abstract:
This article describes a secure and compliant visitor logging system for a Singapore hospital that ensures unique visitor identification while adhering to PDPA regulations. The solution uses a combination of hashed IC numbers and partial IC number verification. The implementation is built on the Microsoft .NET Framework, MS SQL, and Windows Server 2019.

Note: this article only documents the key part, without reveal actual workflow not related to the data security.

  1. Introduction

    During the Covid-19 pandemic, hospitals must limit the number of visitors to patients, ensuring that only a specific number of unique individuals are allowed per day. However, due to the Personal Data Protection Act (PDPA), hospitals are not allowed to record full IC numbers. This article details a solution using hashed IC numbers and partial IC number verification to achieve secure and compliant visitor logging.

  2. System Overview

    The system is comprised of the following components:

  • A front-end application for security guards to scan visitor ICs
  • A back-end server running on Windows Server 2019, hosting a .NET application and an MS SQL database
  • A hashing algorithm to securely store and compare visitor IC numbers
  1. Solution Design The solution combines hashing and partial IC number verification to maintain uniqueness while complying with PDPA regulations.

3.1 Hashing IC Numbers

To avoid storing full IC numbers, a one-way cryptographic hash function is applied to the IC number. This generates a fixed-length hash value that cannot be easily reversed to obtain the original IC number. The SHA-256 algorithm is used for its strong collision resistance and wide adoption in security applications.

3.2 Partial IC Number Verification

In addition to hashing, a small portion of the IC number (e.g., the last 4 digits) is stored to allow security guards to perform manual verification. This ensures uniqueness without violating PDPA regulations.

  1. Implementation

4.1 Database Schema

The MS SQL database stores the following information for each visitor:

  • VisitorID (int, primary key)

  • HashedIC (varchar(64), unique)

  • PartialIC (varchar(4))

  • VisitDate (datetime)

4.2 .NET Application

A .NET application is developed to manage visitor logs and perform the following tasks:

  • Capture and hash IC numbers

  • Check for existing hashed ICs in the database

  • Verify partial IC numbers

  • Record visitor entry

4.2.1 Hashing IC Numbers

The .NET application uses the System.Security.Cryptography namespace to implement the SHA-256 hashing algorithm. The following function demonstrates hashing an IC number:

private static string GenerateHashedIC(string icNumber)
{
    using (SHA256 sha256 = SHA256.Create())
    {
        byte[] inputBytes = Encoding.ASCII.GetBytes(icNumber);
        byte[] hashBytes = sha256.ComputeHash(inputBytes);
        StringBuilder stringBuilder = new StringBuilder();

        for (int i = 0; i < hashBytes.Length; i++)
        {
            stringBuilder.Append(hashBytes[i].ToString("x2"));
        }

        return stringBuilder.ToString();
    }
}

4.2.2 Check for Existing Hashed ICs

The application queries the database to check for an existing hashed IC. If the hashed IC exists and the visit date is the same, the visitor is considered a duplicate and is not allowed entry.

4.2.3 Verify Partial IC Numbers

Security guards manually verify the partial IC number against the visitor's physical IC to confirm their identity.

4.2.4 Record Visitor Entry

Once the visitor passes both the hashed IC and partial IC checks, the visitor's information is stored in the database, and they are granted entry.

  1. Conclusion

    This article presented a secure and compliant visitor logging system for a Singapore hospital that effectively manages visitor logs while adhering to PDPA regulations. By using a combination of hashed IC numbers and partial IC number verification, the solution ensures unique visitor identification without storing full IC numbers. The system is built using Microsoft .NET Framework, MS SQL, and Windows Server 2019, making it a scalable and reliable choice for managing visitor access during the Covid-19 pandemic and beyond.
     
  2. Future Improvements

    There are several potential improvements to enhance the solution further:

    6.1 Enhance Security with Salted Hashes

    To increase the security of the hashed IC numbers, salts can be added to the hashing process. A salt is a random value generated for each visitor and combined with their IC number before hashing. The salt is then stored alongside the hashed IC in the database. This prevents attackers from using precomputed hash tables (e.g., rainbow tables) to reverse-engineer the original IC numbers.

    6.2 Implement QR Code-based Visitor Tracking

    To streamline the visitor check-in process, a QR code-based system can be implemented. Visitors would receive a unique QR code upon registration, which would be scanned upon entry and exit. This would reduce manual input errors and speed up the verification process.

    6.3 Integration with National Verification Systems

    The solution could be integrated with national verification systems like Singapore's SingPass, allowing visitors to use their SingPass credentials for secure and convenient visitor management. This would also provide an additional layer of security through two-factor authentication.

    6.4 Reporting and Analytics

    Advanced reporting and analytics capabilities can be incorporated into the system, providing hospital management with valuable insights into visitor trends and patterns. This data could inform decisions about hospital policies, resource allocation, and visitor management strategies.
    ​​​​​

By continuing to enhance the visitor logging system, hospitals can further improve security and compliance while delivering a seamless experience for visitors and staff alike

Related

Successful E-commerce Solution for Vitasg.SG: A Comprehensive Case Study

Successful E-commerce Solution for Vitasg.SG: A Comprehensive Case Study

Aright Tech Pte Ltd (subsidiary of wGrow), an experienced eCommerce service and solution provider, h...

Read More >
Cloud Server Security Architecture for Medical Service Group

Cloud Server Security Architecture for Medical Service Group

This document provides a detailed overview of the security architecture we implemented for a medical...

Read More >
Secured 3G/4G SMS Gateway with HTTP API

Secured 3G/4G SMS Gateway with HTTP API

Constructed by our expert team in Singapore, this industrial-grade SMS Gateway boasts a minimum of 8...

Read More >
Creating a Desktop Application to Backup Gmail Emails and Restore to Gmail or Yahoo Email using C#

Creating a Desktop Application to Backup Gmail Emails and Restore to Gmail or Yahoo Email using C#

Backing up important emails from your Gmail account is essential to ensure data security and availab...

Read More >
Unlocking Possible Supports: A Guide to Grants for Singapore SMEs

Unlocking Possible Supports: A Guide to Grants for Singapore SMEs

If you are a small or medium enterprise (SME) in Singapore, you may be looking for ways to grow your...

Read More >
SQL Server Hardening Checklist & Best Practices

SQL Server Hardening Checklist & Best Practices

It's essential to ensure that SQL Server is secure and protected against potential cyber threats...

Read More >
Contact Us
  • Our Address:
    114 Lavender Street, #07-51, CT Hub 2, Singapore 338729
    Malaysia Johor - 99-01 Jalan Adda 3/1 Taman Adda Height 81100 Johor Bahru Johor, Malaysia
  • Phone Number:
    +65 6652 3398
  • WhatsApp:
    WhatsApp Us
  • Email:
    [email protected]