Imprivata's Gus Malezis on vaccine passports and safety
We talk vaccine passports and data security with Imprivata CEO Gus Malezis.
There are multiple digital vaccine passports created by different companies. Without a standardised pass isn't this going to create issues for operators to recognise them?
Having multiple vendors rush into the digital vaccine passport does offer some viable options, however this likely will create interoperability, usability, and security issues. This is a natural consequence of the rush to market and will ultimately resolve over time – but it does mean customers will have to do their thorough due diligence, make careful choices, and upgrade frequently as the technology matures.
For example, we expect interoperability issues across the various solution providers, state agencies and the service vendors requiring this validation. An additional and perhaps bigger issue(s) are the validity & trust of the digital document and security of these passports. We are very early in this space, and if we are to compare and contrast to US state driver’s licenses which are standardised and carry security and validation controls – in this case of the vaccine passport we don’t yet see common standards on those critical aspects.
This means that current and early efforts will most likely have to iterate in order to adopt a trusted, interoperable and secure certificate design. Additionally, a rush to release early technology merits a thorough look and review of vendor security controls, as confidential personal data is now stored in yet another location.
How can this be resolved?
The appropriate solution will be a standardised passport that is recognised regionally, nationally, and ultimately internationally. Security controls would need to be of the highest levels with sufficient accreditations, as an attack or breach would lead to release of highly confidential information. Since many vendors are already on their way to creating their own passports, the onus is on them to make sure they have the right security precautions in place to thwart cyberthreats.
Is it possible to tell the difference between a fake vaccine passport and a genuine one?
Although data is limited, we have seen reports of fake vaccine cards and we don’t yet have a read on how broad this issue is, or where there might be a higher concentration. The current crop of passports, including the CDC version, are primarily designed to communicate information, while a series of desirable controls, including authenticity, trustworthiness, digital controls, and readability need to be augmented and enhanced.
In looking closely at the current CDC document, it is clear it is not designed as a passport - a passport inherently being a high-trust, validated and secure document authored by a state authority. The current crop of CDC vaccine passports lacks visible and invisible security controls and digital data such as a data strip or other machine-readable controls.
Concerns have been raised over whether data in vaccine passports can be misused. What is your view on this and how can it be prevented?
Regarding the security of the vaccine passport there’s a clear view that any type of data could potentially be accessed and be misused, and vaccine passports are no exception. Someone who shouldn’t have authority could possibly access the data and misuse it.
Any number of malicious actors interested in profiting from this information, carrying out corporate espionage, disrupting the market at some level, or simple overjealous curiosity would be a threat. Implementing and maintaining an effective Digital Identity framework with Zero-Trust architecture is a well-respected way to prevent the wrong people from accessing certain information, especially sensitive patient data.
Taking a zero-trust approach inherently trusts no one - hence the name. Before obtaining access to a piece of information, a user must pass checkpoints that authorise and authenticate them at every digital identity event. This ensures right access to the right resources for the right reasons. In the end, this is not only beneficial to vaccine passport users who have their data protected, but also developers and tech companies from dealing with a case of compromised data.
If digital passports become widely adopted, will they become a target for cybercriminals?
We’re already seen vaccine data become a popular target for cybercriminals - in December 2020, hackers unlawfully accessed documents related to the COVID-19 vaccine from Pfizer and their German partner BioNTech. This type of information is already at the forefront of cybercriminals’ minds, so I believe digital vaccine passports will become a main target.
Hospitals and healthcare organisations are a popular target for cybercriminals. For starters, many of these organizations rely on legacy systems, which don’t always have modern security controls and countermeasures, or the capacity to deal with 21st century threats.
Additionally, the sensitive and private patient information that healthcare workers interact with daily is appealing to hackers who can sell it on the dark web for a lot of money. When you tie in the fact that healthcare workers have been stretched to their limits since COVID-19, you’re left with an environment that is unfortunately an easy target for cyberattacks.
How can tech companies and users ensure data is safe?
Tech companies looking to get into the digital passport industry need to take action right now to make sure their platforms can keep a user’s vaccine information secure. As noted earlier, adopting a zero-trust architecture insures only the right person can gain access to secure patient vaccine information for the right reasons.
Another security measure, and probably a necessary control, for both tech companies and users to take to keep their information safe is non-SMS 2FA , or multi-factor authentication. This protection makes mobile devices more secure, more private, and allows for a better workflow.
Lastly, both tech developers and users should be using real, complex passwords. By this I mean 12+ character, strong passwords that will prevent unauthorised threat actors from accessing your data. Password autofill is one way to encourage users to create strong passwords, without having to spend time typing it all out or remembering every complexity.
Password autofill is even more appealing to tech companies and medical professionals working on the backend of vaccine passports, since it takes time out of their busy schedules to grant them quick access to the information they need.