e-Referral Service (e-RS) HTML Attachments

ID

RM136

Version

1.0.3

Type

Roadmap Item

Frameworks

  • GP IT Futures
  • Tech Innovation

Title

e-Referral Service (e-RS) HTML Attachments

Description

Disallow HTML attachments from being uploaded to e-RS

Date Added

 

Standards and Capabilities

e-Referrals Service (e-RS) 

Change Route

Managed Capacity - Minor/Patch uplifts

Change Type

Uplift

Status

Closed

Publication Date 
Effective Date

 

Incentives / Funding

No

Incentive Dates

N/A


Background

The e-RS programme team enabled access to e-RS over the internet in 2021. As part of this project, we carried out a review of the Open Web Application Security Project (OWASP) standards and identified a number of risks which require mitigation. One of these risks relates to HTML files: an HTML file can include dynamic content, which could be turned into an attack vector.


Outline Plan

Disallowing HTML – e-RS will no longer accept files attached as .HTML or .HTM from August 2022. It would therefore be prudent to reject HTML uploads earlier in the process, so that they are not rejected by e-RS.

Also for information, regarding future e-RS attachment developments: we are making suppliers aware that new FHIR4 APIs will be available in future, which will allow uploading and downloading of 100MB attachments, should suppliers wish to provide this integrated capability for their users.


Summary of Change

The uploading of HTML files will be disallowed (note that existing HTML files will still be downloadable). 

GP System Suppliers will need to ensure that error handling gives the user a descriptive message stating that these files are not allowed, and that any documentation or screens presented to the user which detail allowed/disallowed file types are updated.

It would be preferable to reject/disallow HTML uploads earlier in the process, so that they are not rejected by e-RS.

Suppliers may also wish to consider existing HTML files already stored in patient records.

The e-RS specification has been updated to disallow .HTML and .HTM files from being uploaded to e-RS. Within the GPIT Futures Standards and Capabilities Model, the eRS Interoperability Standard will be updated with the latest specification.

For information, the NHS Digital e-RS Team are carrying out a wide-reaching communications plan regarding this change, including NHS bulletins, e-RS system alerts to users, contacting sites currently attaching HTML files to referrals, and information on the website, including some guidance on converting HTML files to accepted file types: https://digital.nhs.uk/services/e-referral-service/document-library/convert-files-to-formats-supported-by-ers


Full Specification



Assurance Approach

The supplier solution is to meet the updated specification, and the supplier is to provide a statement notifying the e-RS team that .HTML and .HTM are now disallowed file types.