Abstract:
This article describes a secure and compliant visitor logging system for a Singapore hospital that ensures unique visitor identification while adhering to PDPA regulations. The solution uses a combination of hashed IC numbers and partial IC number verification. The implementation is built on the Microsoft .NET Framework, MS SQL, and Windows Server 2019.
Note: this article only documents the key part, without reveal actual workflow not related to the data security.
-
Introduction
During the Covid-19 pandemic, hospitals must limit the number of visitors to patients, ensuring that only a specific number of unique individuals are allowed per day. However, due to the Personal Data Protection Act (PDPA), hospitals are not allowed to record full IC numbers. This article details a solution using hashed IC numbers and partial IC number verification to achieve secure and compliant visitor logging.
-
System Overview
The system is comprised of the following components:
- A front-end application for security guards to scan visitor ICs
- A back-end server running on Windows Server 2019, hosting a .NET application and an MS SQL database
- A hashing algorithm to securely store and compare visitor IC numbers
- Solution Design The solution combines hashing and partial IC number verification to maintain uniqueness while complying with PDPA regulations.
3.1 Hashing IC Numbers
To avoid storing full IC numbers, a one-way cryptographic hash function is applied to the IC number. This generates a fixed-length hash value that cannot be easily reversed to obtain the original IC number. The SHA-256 algorithm is used for its strong collision resistance and wide adoption in security applications.
3.2 Partial IC Number Verification
In addition to hashing, a small portion of the IC number (e.g., the last 4 digits) is stored to allow security guards to perform manual verification. This ensures uniqueness without violating PDPA regulations.
- Implementation
4.1 Database Schema
The MS SQL database stores the following information for each visitor:
-
VisitorID (int, primary key)
-
HashedIC (varchar(64), unique)
-
PartialIC (varchar(4))
-
VisitDate (datetime)
4.2 .NET Application
A .NET application is developed to manage visitor logs and perform the following tasks:
-
Capture and hash IC numbers
-
Check for existing hashed ICs in the database
-
Verify partial IC numbers
-
Record visitor entry
4.2.1 Hashing IC Numbers
The .NET application uses the System.Security.Cryptography namespace to implement the SHA-256 hashing algorithm. The following function demonstrates hashing an IC number:
private static string GenerateHashedIC(string icNumber)
{
using (SHA256 sha256 = SHA256.Create())
{
byte[] inputBytes = Encoding.ASCII.GetBytes(icNumber);
byte[] hashBytes = sha256.ComputeHash(inputBytes);
StringBuilder stringBuilder = new StringBuilder();
for (int i = 0; i < hashBytes.Length; i++)
{
stringBuilder.Append(hashBytes[i].ToString("x2"));
}
return stringBuilder.ToString();
}
}
4.2.2 Check for Existing Hashed ICs
The application queries the database to check for an existing hashed IC. If the hashed IC exists and the visit date is the same, the visitor is considered a duplicate and is not allowed entry.
4.2.3 Verify Partial IC Numbers
Security guards manually verify the partial IC number against the visitor's physical IC to confirm their identity.
4.2.4 Record Visitor Entry
Once the visitor passes both the hashed IC and partial IC checks, the visitor's information is stored in the database, and they are granted entry.
- Conclusion
This article presented a secure and compliant visitor logging system for a Singapore hospital that effectively manages visitor logs while adhering to PDPA regulations. By using a combination of hashed IC numbers and partial IC number verification, the solution ensures unique visitor identification without storing full IC numbers. The system is built using Microsoft .NET Framework, MS SQL, and Windows Server 2019, making it a scalable and reliable choice for managing visitor access during the Covid-19 pandemic and beyond.
- Future Improvements
There are several potential improvements to enhance the solution further:
6.1 Enhance Security with Salted Hashes
To increase the security of the hashed IC numbers, salts can be added to the hashing process. A salt is a random value generated for each visitor and combined with their IC number before hashing. The salt is then stored alongside the hashed IC in the database. This prevents attackers from using precomputed hash tables (e.g., rainbow tables) to reverse-engineer the original IC numbers.
6.2 Implement QR Code-based Visitor Tracking
To streamline the visitor check-in process, a QR code-based system can be implemented. Visitors would receive a unique QR code upon registration, which would be scanned upon entry and exit. This would reduce manual input errors and speed up the verification process.
6.3 Integration with National Verification Systems
The solution could be integrated with national verification systems like Singapore's SingPass, allowing visitors to use their SingPass credentials for secure and convenient visitor management. This would also provide an additional layer of security through two-factor authentication.
6.4 Reporting and Analytics
Advanced reporting and analytics capabilities can be incorporated into the system, providing hospital management with valuable insights into visitor trends and patterns. This data could inform decisions about hospital policies, resource allocation, and visitor management strategies.
By continuing to enhance the visitor logging system, hospitals can further improve security and compliance while delivering a seamless experience for visitors and staff alike