Electronic Health Reporter

By Josh Horwitz, COO, Enzoic.

With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.

The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.

As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.”  In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.

With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.

• Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role and event-based access controls.

For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.

• Lack of Data Encryption. The Forrester report mentions one app from Qatar in which the national ID numbers and health status of more than one million people were exposed. As such, ensuring that data is pseudonymized and encrypted at all times is another of the firm’s recommendations for bolstering COVID-19 app security.
• Poor Data Retention Practices. Another security pitfall to be mindful of is, what happens to the data contained in “immunity passports” when it is no longer needed? It’s important that any organization involved in the development and deployment of COVID-19 apps and programs define and enforce strict data retention policies. Holding on to unnecessary data or failing to delete data once it’s no longer required significantly increases the likelihood of this information falling into the wrong hands.
• Poor Password Management. Multifactor authentication (MFA) is often touted as a key component of healthcare security, however there have been increasing examples of vulnerability in messaging based user verification. No single factor should be considered secure on its own. When it comes to the password layer, if proper steps aren’t taken to ensure credential security, this can introduce a significant vulnerability. This means that, whether it’s an individual logging into their own vaccination data, a physician accessing it to annotate the file, or an airline employee scanning it before an international flight, the extent to which this information is protected ultimately hinges on password security. It’s incredibly common for people to reuse passwords across multiple accounts, and if the credentials have been exposed in a prior breach, hackers can easily obtain the password via the Dark Web and gain unauthorized access to COVID-19 data from there.

Including credential screening as part of any COVID-19 program can mitigate the poor password threat, as credentials are vetted against a live database of breached passwords at every login. If an exposure is detected, companies can then force a password reset or prompt another action to ensure the information remains safeguarded.

While it’s too early to say exactly how “immunity passports” will affect our lives, it’s safe to assume that vaccination data will be contained in an increasing array of digital apps and programs. And even if these are developed and housed by third-parties, the risk to healthcare institutions is just as pressing as if it were an EHR system or another hospital account. The healthcare industry must be vigilant about COVID-19 app security to ensure sensitive data isn’t compromised in our attempts to safely return to life as we once knew it.