Discussions are underway within the European Union and the UK on proposals for coronavirus vaccine passports aimed at reviving international travel. The idea is that documents identifying those who have been inoculated could help governments reopen after lockdown.
The counterargument centres on privacy and patient rights. On the security front, there are some fears that vaccine passports could be easily forged.
To look at the cybersecurity and fraud issues, Digital Journal sought the views of Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.
Mackey pinpoints several challenges, starting with: “The definition of ‘vaccinated’. Outside of the Yellow Card, more formally known as the international certificate of vaccination for yellow fever, there really isn’t an internationally accepted means to confirm if an individual has met a vaccination requirement.”
Looking further, he notes: “Considering the Yellow Card is itself a paper document signed by a medical professional who supervised the actual vaccination, that model would be difficult to replicate given the scale of Covid-19 vaccination requirements – and that’s before we get to the potential security implications.”
Mackey says that several mobile app providers are working on a scheme: “A number of businesses have been founded to provide mobile apps that attest to the COVID-19 state of the bearer. The security implications of those mobile apps are similar to any healthcare app – any medical data on a person is of prime value to an attacker.”
Here lies a problem, says Mackey: “The reason medical data is so valuable stems from how personal it is. Even if the medical data is limited to a simple statement of vaccination, the nature of the pandemic makes even that data rather valuable. For example, if there were a bug in the app or underlying service that caused it to display to someone that a vaccination protocol hadn’t been completed when it had, then such an error could result in the traveller being denied entry or worse.”
A robust, risk-centric approach is needed, Mackey explains: “We need only look back at the challenges faced with contact tracing applications to recognize that a technologically acceptable solution might not address privacy concerns. That’s in part because there is no single solution to any problem, and often cool new technologies like ‘blockchain’ or complex technologies like ‘encryption’ are applied without understanding how they might function under adverse conditions like those found during a cybersecurity attack.”
As for the optimal measures, Mackey recommends: “Once in the app, the data needs to be verifiably secure and stored in a tamper-evident form that itself can’t be modified. Building confidence around this process requires some of the transparency seen within open source software development where skilled practitioners are able to review the implementation and configuration of the proposed solution. Missteps along this path could easily tarnish the reputation of digital health passports and form a setback to the return to a pre-COVID-19 travel experience.”