Cybersecurity and Digital Vaccine Passes
HIPAA needs to be on the radar of every corporate leader designing Covid-19 protection measures.
At a recent concert at a small winery, the door attendant checked my New York state digital vaccine record on my smartphone—the first of its kind in the country—against my photo ID. The process was identical for everyone coming through the door. The experience was quick and easy, and I felt safe knowing that I was joining a gathering of people who were all vaccinated. Not to mention, I didn’t have to worry about keeping track of an easily lost or damaged handwritten paper card that doesn’t fit neatly in my wallet.
As the delta variant spreads while vaccinated Americans (like me) resume social activities, and particularly as we prepare to travel again, demand for digital proof of vaccination is rising.
So are concerns that a digital record could put Americans’ data at risk and violate HIPAA, the Health Insurance Portability and Accountability Act of 1996, which restricts how covered entities (health plans, providers and clearinghouses) and their business associates may use and disclose protected health information. One caveat practitioners should keep in mind: HIPAA binds those entities, not the venue checking a pass at the door, so whether a pass issuer or verifier falls under it depends on who operates it and what data it holds.
Some states have already launched digital vaccine passes, while others have gone so far as to ban them, citing concerns about privacy and equality of access to services. Some organizations are providing vaccine verification services, and additional options from the private sector are in development. This disjointed approach is creating challenges.
For one thing, because vaccine passes and related apps do not interoperate, a person may end up carrying several digital credentials to prove a single vaccination status. For another, the lack of coordination in the market makes it easier to falsify credentials: a door attendant who has never seen a particular state’s pass has no way to tell a genuine one from a mock-up. Fraud is already happening, both digitally and on paper. It’s likely that consumers will increasingly seek to embed vaccination status into applications that afford them access to transportation, border crossings, etc. Companies in impacted markets need to protect consumers’ information and consider how to validate their credentials.
The good news is that we can leverage existing, well-understood techniques to secure credentials, chiefly digital signatures, the same primitive that underpins blockchains: a credential signed by the issuer cannot be altered without invalidating the signature, and a verifier only needs the issuer’s public key to check it. In addition, there are already “smart” health card frameworks, such as SMART Health Cards, that are open source and interoperate with other similar credentials. As a cybersecurity professional with more than 25 years of experience, I urge leaders to adopt these standards and to prioritize cybersecurity from the very beginning of developing a vaccine-verification process. Embedding security into system design is always much more effective and less expensive than retrofitting a system built without such standards in mind.
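To make the point concrete, here is an added example (written for this page, not code from the author, from EY or from the SMART Health Cards project) of how a signed, interoperable health credential resists the falsification described above. It follows the general shape of a SMART Health Card: a compact JWS whose header declares ES256 and raw-DEFLATE compression, whose payload carries an `iss` claim naming the issuer, and whose signature is checked with a key the verifier already trusts for that issuer. The issuer URL, the claim contents and the in-memory trust list are constructed for illustration; a real verifier fetches issuer keys from the issuer’s published key set and the real format adds a `kid` header and a QR encoding that are omitted here. Requires Go 1.18 or later.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// Issuer is a credential signer: the URL it writes into "iss" and its P-256 key.
type Issuer struct {
	URL string
	Key *ecdsa.PrivateKey
}

func NewIssuer(url string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{URL: url, Key: key}, nil
}

// deflate applies raw DEFLATE (no zlib/gzip framing), which is what "zip":"DEF" denotes.
func deflate(b []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}

// Issue builds a compact JWS (header.payload.signature) over the claims.
func (is *Issuer) Issue(claims map[string]any) (string, error) {
	claims["iss"] = is.URL
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "zip": "DEF"})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(deflate(body))
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, is.Key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // ES256 signatures are r||s, 32 bytes each, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks a presented credential against the verifier's own allow-list of issuer keys.
func Verify(jws string, trusted map[string]*ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Zip string `json:"zip"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported or missing alg") // never honor "none" or HMAC algs
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if hdr.Zip == "DEF" {
		if rawBody, err = io.ReadAll(flate.NewReader(bytes.NewReader(rawBody))); err != nil {
			return nil, err
		}
	}
	var claims map[string]any
	if err := json.Unmarshal(rawBody, &claims); err != nil {
		return nil, err
	}
	iss, _ := claims["iss"].(string)
	pub, ok := trusted[iss] // the key comes from the verifier's list, never from the token
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", iss)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not match payload")
	}
	return claims, nil
}

// ForgePayload swaps in attacker-chosen claims while keeping the original signature,
// i.e. the digital equivalent of editing the name on someone else's card.
func ForgePayload(jws string, claims map[string]any) string {
	parts := strings.Split(jws, ".")
	body, _ := json.Marshal(claims)
	parts[1] = b64.EncodeToString(deflate(body))
	return strings.Join(parts, ".")
}

func main() {
	ny, err := NewIssuer("https://example.org/ny-health") // hypothetical issuer URL
	if err != nil {
		panic(err)
	}
	trusted := map[string]*ecdsa.PublicKey{ny.URL: &ny.Key.PublicKey}
	pass, err := ny.Issue(map[string]any{"vc": map[string]any{"name": "A. Example", "doses": 2}}) // constructed sample
	if err != nil {
		panic(err)
	}
	_, err = Verify(pass, trusted)
	fmt.Println("genuine pass accepted:", err == nil)
	forged := ForgePayload(pass, map[string]any{"iss": ny.URL, "vc": map[string]any{"name": "M. Mallory", "doses": 2}})
	_, err = Verify(forged, trusted)
	fmt.Println("forged pass rejected:", err != nil, "-", err)
}
```

Two design choices matter here. The verifier pins the algorithm and selects the public key from its own trust list keyed by `iss`, so a forger cannot downgrade to an unsigned or HMAC-signed token or point the verifier at a key they control; and because the signature covers the exact bytes of header and payload, any edit to the claims, however small, fails verification. Interoperability follows from the same property: any venue that holds a state’s published public key can verify that state’s passes without a shared app.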
Leaders developing a vaccine verification system would be smart to think through a matrix of questions, such as:
- Are we developing a system with security standards in mind?
- What would be the downstream impact if the system were compromised?
- If someone falsified a digital vaccine pass, what types of harm could result?
These are just some of the pressing questions that have been raised in recent conversations with both government agencies and commercial enterprises discussing how to protect digital vaccine credentials.
Without question, the rapid onset of the pandemic, coupled with the exceptional development and release of the vaccines, has forced rapid advances in how health data is retained, shared and secured. How today’s leaders value and approach trust as they guide the evolution of our digital identities will make a difference in the lives of us all.
Liz Mann is the EY Americas life sciences and health cybersecurity leader.
From: ThinkAdvisor