Deprecation notice: SHA-1 signatures

 On 28 January 2026:  

• we deprecated the use of SHA-1 to sign electronic prescriptions

On 30 September 2026:  

• we will retire SHA-1 from operational service, meaning it can no longer be used

Prescribing solutions are using a weak digital hashing method for securely signing electronic prescriptions when using the Electronic Prescription Service (EPS).

The hash being used is the Secure Hash Algorithm 1 (SHA-1) which was deprecated in 2011 and will be retired (and made obsolete) in 2030. This presents a serious risk to the provenance and validity of prescriptions.

Therefore, all solutions handling EPS prescriptions need to be migrated off SHA-1 and onto using SHA-2.

Suppliers of prescribing solutions still using SHA-1 need to make changes to support SHA-2, to support the full retirement and decommissioning of SHA-1.

If you are an NHS customer impacted by these changes, the suppliers of your product are contractually obligated to inform you of upcoming changes.

As of 28 January 2026, no new suppliers can onboard or use SHA1 for any signatures.

As of 30 September 2026, support for SHA1 signing will end and it will not be able to be used.

Please talk to your supplier or contact [email protected] for further information.

• Electronic Prescription Service (EPS) - All Prescriptions must be signed using SHA-256 - Digital Services for Integrated Care (DSIC) Roadmap - Confluence (effective date 4 July 2025)

• Deprecation notice: smartcard series 4, 5 and 6 (Gemplus, JCOP41 & JCOP 41) - NHS England Digital (published 20 May 2025)

• SHA1 SHAttered - NHS England Digital (published 2 March 2017)