Signed sheets can be tampered

tmv2
Posts: 56
Joined: Mon Dec 10, 2007 10:54 am

Signed sheets can be tampered

Post by tmv2 » Wed Aug 03, 2011 9:33 pm

Similar to the topic "Signed ProcNote can be tampered" viewtopic.php?f=2&t=2835&start=0 I posted a year ago, signed sheets can be tampered. I picked the Medical History form that came with the program, checked a few check boxes, left some blank, and then signed the form. I modified the data on the backend with direct SQL to move a check X around by changing the check X's coordinates with a query like

update sheetfield set xpos = 80, ypos = 90 where sheetfieldnum = 622;

I viewed the form again in OD v7.9.17: the check X is at a different location, but the signature didn't get invalidated.

To fix this you need to take the hash/MD5 of EVERYTHING relating to the sheets, like form element data (coordinates of checkboxes, radio buttons, etc.) and not just the info entered into the form by patients.

jordansparks
Site Admin
Posts: 5746
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Signed sheets can be tampered

Post by jordansparks » Fri Aug 05, 2011 5:20 am

We hash the data, the values of elements. We didn't include coordinates of the elements in the hash. If any element is removed or added, the signature also shows invalid. There's not going to be a "fix". There might be an enhancement some day, but it would probably involve taking a bitmap of the entire sheet and hashing that. Anything less would not be as rigorously future proof. The disadvantage to that, and the reason we didn't do it in the first place, is that it starts to take up quite a bit of hard-drive space and creates clutter in the images.
Jordan Sparks, DMD
http://www.opendental.com

tmv2
Posts: 56
Joined: Mon Dec 10, 2007 10:54 am

Re: Signed sheets can be tampered

Post by tmv2 » Fri Aug 05, 2011 8:07 am

The signature wouldn't legally hold in court right now, since I can make a form element check box appear to be checked even though it wasn't checked by the patient. There are other scenarios where I can imagine moving the form elements around and coming up with a completely different form from the one that the patient signed. I guess I have to continue with paper signings and scan them into OD.

Taking a hash of the sheet bitmap will probably work, or you can take the hash of the PDF that is generated from the sheet. The only problem with this is that you are also hashing the bitmap/PDF conversion mechanism. If the mechanism for generating that bitmap/PDF changes, the content of the bitmap/PDF will be different, and the hash is no longer the same. Taking the hash of the raw data (form values, form elements, background images, etc.) is probably the best.

I'm not sure why you have to store the bitmap/PDF on disk. You can just temporarily create the bitmap so you can get a hash out of it and then delete the bitmap. Every time a sheet is opened you have to go through this process and compare the calculated hash with its previously stored value.
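The difference between the two hashing schemes argued over in this thread (values only vs. every attribute of every form element), shown as an added example that is not Open Dental's code: the sheet model, field names and SHA-256 choice are constructed for illustration, and the tamper step mirrors the coordinate-moving UPDATE from the first post.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Callable, List

@dataclass(frozen=True)
class SheetField:
    """One element of a sheet (constructed model, not OD's schema)."""
    sheetfieldnum: int
    fieldtype: str   # e.g. "checkbox", "inputfield", "statictext"
    xpos: int
    ypos: int
    value: str       # "X" for a checked box, "" when unchecked

def _ordered(fields: List[SheetField]) -> List[SheetField]:
    return sorted(fields, key=lambda f: f.sheetfieldnum)

def hash_values_only(fields: List[SheetField]) -> str:
    """Weak scheme: covers only the entered values, in field order.
    Adding or removing an element changes it; moving one does not."""
    h = hashlib.sha256()
    for f in _ordered(fields):
        h.update(f.value.encode() + b"\x00")  # separator keeps "ab","c" != "a","bc"
    return h.hexdigest()

def hash_canonical(fields: List[SheetField]) -> str:
    """Stronger scheme: hash a canonical JSON serialisation of every
    attribute (type, coordinates and value) of every element."""
    canon = json.dumps([asdict(f) for f in _ordered(fields)],
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def verify(fields: List[SheetField], stored_hash: str,
           hasher: Callable[[List[SheetField]], str]) -> bool:
    """Recompute the hash when the sheet is opened and compare."""
    return hasher(fields) == stored_hash

def signed_medical_history() -> List[SheetField]:
    """Constructed sample sheet as the patient signed it."""
    return [
        SheetField(620, "statictext", 20, 90, "Allergic to penicillin?"),
        SheetField(621, "checkbox", 80, 90, ""),    # "Yes" box, left blank
        SheetField(622, "checkbox", 120, 90, "X"),  # "No" box, checked
    ]

def move_field(fields: List[SheetField], num: int, xpos: int, ypos: int) -> List[SheetField]:
    """Simulates: update sheetfield set xpos=?, ypos=? where sheetfieldnum=?"""
    return [replace(f, xpos=xpos, ypos=ypos) if f.sheetfieldnum == num else f
            for f in fields]
```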

jordansparks
Site Admin
Posts: 5746
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Signed sheets can be tampered

Post by jordansparks » Fri Aug 05, 2011 4:04 pm

We would have to store the bitmap or PDF permanently for the exact reason that you state: otherwise we would have to persist the conversion mechanism. I think your view of the law is far too black and white. Evidence in a court is used to reasonably support a position. Our sheets are more secure than paper forms and would hold up in court as such. There are very few scenarios like the one you suggested. For example, no text paragraphs could be changed at all. If you are so concerned about a moved checkbox, then don't use checkboxes.
Jordan Sparks, DMD
http://www.opendental.com

jordansparks
Site Admin
Posts: 5746
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Signed sheets can be tampered

Post by jordansparks » Sat Aug 06, 2011 4:47 am

I have a few more examples of how paper forms are inferior to our signed sheets. Let's say a patient signs a form, and then you scan that into the computer and shred it. I think we would both agree that the scanned version would provide some degree of legal evidence that the patient signed the form. The patient would have to lie if they wished to dispute the evidence. But when you scan a form containing a signature, you lose a lot of the information about the signature. A scanned signature provides the least information, an ink signature provides more, but a Topaz signature provides the most information because it captures the speed and timing of the strokes. A forensic document examiner could be brought in for any of these kinds of signatures, but the strength of the evidence would vary depending on the kind of signature. In other words, a Topaz signature (or onscreen with a stylus) provides stronger legal evidence than a paper signature. Signature forensics is explained here: http://www.topazsystems.com/Information/forensics.htm

As another example, the dental office could take a paper document, cover one X with whiteout, draw an X in the other box, and then rescan the document. So the scanned paper document can also be manipulated more easily than an original document. However, a scanned document does provide good legal evidence. A sheet signed with Topaz also provides good legal evidence. A signed paper original provides stronger evidence in some cases, but as I explained above, the Topaz signature is superior, so a signed sheet still has some advantages over a signed paper document.
Jordan Sparks, DMD
http://www.opendental.com

tmv2
Posts: 56
Joined: Mon Dec 10, 2007 10:54 am

Re: Signed sheets can be tampered

Post by tmv2 » Sat Aug 06, 2011 12:55 pm

I'm not disputing that the paper form signature is better than the digital signature, but the data that the signature entails could be easily manipulated in OD. You are right that one can change the values on a paper form with whiteout or by covering up some information before scanning, but these techniques do leave a trail for the forensics and have been widely known/discussed. In OD, the data can be easily manipulated, audit logs can be wiped out, and then moving the entire data onto a new computer will make it much harder to prove that the data was changed.

At our office, we haven't shredded any signed patient forms yet after scanning them in. We just started signing procedure notes in OD only after I thoroughly tested that the notes cannot be changed without the signature being invalidated.

If you look at a browser's SSL certificate for a site, there is a hash/MD5 at the bottom of the certificate that encapsulates the data in the certificate. If that data is changed in any way, the hash value will be different and the certificate will become invalid. When it comes to a digital signature, it is either black or white; there is no in between about the data that the signature is supposed to represent.

No matter how you slice it, I'm not comfortable using signed sheets in OD when I know the form elements (not just check boxes) can be changed and the signature doesn't get invalidated. Form elements and form values are the data that the signature represents, analogous to the data in the SSL certificate.

I hope you come up with a solution in the future, but for now I'll stick with paper signings.
