tracing apps

COVID Tracing Apps. Mask Up, Digitally.

Many people are feeling hopeful in many areas about receiving their COVID vaccine. A welcome shift from the uncertainty and confusion of the last year. But there are now new challenges to be faced.

Among them, the discussion of requiring a vaccine or immunity passport for individuals to take part in activities like international travel, as well as more minor activities like dining indoors or attending school in person. However, the question of how and when governments are going to tackle such projects is not clear. Especially as the parallel projects of COVID tracing apps have already invited privacy issues.

According to the White House, the U.S. is not currently planning to create an immunity passport. Instead, they indicated that individual states would be responsible for coming up with their own projects, while the federal government “is helping to develop standards for equity and privacy that these programs need to uphold”. 

This is in contrast to European officials who have announced plans for a “Green Digital Certificate,” which would allow anyone vaccinated against Covid to travel within the EU.

Pandemic politics aside, there are other issues at stake. It’s not likely that any vaccination or immunity document would be physical (too easy to lose a card or fake one). With the assumption that the information about an individual’s health and vaccination status would be accessed digitally, there are major problems to tackle in the cybersecurity world.

In a recent article, Enzoic COO Josh Horwitz reflects on this: “the emergence of more coronavirus tracing apps…brings some serious security challenges.” In fact, the BBC also reported that COVID-related items (from alleged vaccines to faked immunization paperwork) are already being sold on the dark web. 

What exactly is at stake? How can governments, businesses, and individuals protect themselves from resulting vulnerabilities?

Too Many Cooks in the Kitchen?

What happens in preparation for individuals to access their COVID vaccine record online depends on what systems are built. The sheer number of people involved could be massive: administrators, physicians, insurance representatives, pharmacy specialists – and if the information is in passport form, the list expands exponentially. With many people involved, there are that many access points for a hacker to exploit.

To protect any sensitive health care related data, all COVID-19 apps or tracing programs must be designed with intentional access controls. By giving access to only the people who absolutely need it, we can reduce the chances that a hacker could gain editing privileges or data from the app.

Weak Password Management

Though strong multifactor authentication (MFA) can be a reliable component of security, there are still examples of weaknesses in the system. Especially in healthcare, where many users are accessing the same system. The bottom line is that no single authentication factor should be considered secure on its own.

Passwords are not only the most common layer but also the most vulnerable one. Ironically, it is one of the easiest to reinforce. Almost every user on every system uses some kind of password or passcode. Unfortunately, password reuse is incredibly common. Once a set of credentials have been exposed in a breach, bad actors have effective methods for using that information to compromise accounts, hack into networks, and access private health information, like COVID-19 data.

But as mentioned, the password layer is one of the easiest to strengthen, ideally by introducing credential screening into the process. With credential screening, passwords are compared to a blacklist of breached passwords and vetted on an ongoing basis. If this were a part of a COVID-related tracing app or program, exposure could be detected early, and the compromised users could be warned or have their passwords automatically reset to protect them.

Data Disposal

Down the line, we won’t constantly need access to the data kept in our immunity passports or any other contact tracing application. However, as they become obsolete, the data contained within doesn’t. Unfortunately, it’s still very desirable to hackers. Therefore, it’s crucial to develop, clarify, and stress data retention policies. As Horwitz writes, “failing to delete data once it’s no longer required significantly increases the likelihood of this information falling into the wrong hands.” As we’ve seen in other health care data breach scenarios, these are real dangers.

No Matter What, Prioritize Security

It’s reasonable to assume that vaccination data will be desirable to hackers no matter what form the information ends up being collected in—whether an app, program, or microchip—and no matter who the software or applications are developed by—whether government or third party.

And if that is the only thing we can be certain of in the post-Covid cybersecurity landscape, it’s high time we vaccinate ourselves digitally as well as physically.