The Anti-virus Times

Friday, January 22, 2021

In today's issue, we will talk about a hot topic: the various initiatives underway to introduce so-called "health passports" — in response to the coronavirus pandemic. This topic is directly related to the processing of personal data and, therefore, is nuanced in terms of possible improper usage and leakages.

Recently, it was reported that global giants of the IT industry—Microsoft, Oracle and Salesforce—are intending to develop a mobile application that will track a user's current vaccination and COVID-19 testing data. Ideally, this should allow people to return to their normal lives more quickly. The application will be developed within the Vaccination Credential Initiative (VCI) programme.

It is noted that the application will be directly connected to an "affiliated laboratory". Those without a smartphone would receive a paper version of the record containing a QR code that can be scanned in order to access their credentials.

Mike Sicilia, an Oracle executive, said: "As the world begins to recover from the pandemic, having electronic access to vaccination, testing, and other medical records will be vital to resuming travel and more. This process needs to be as easy as online banking."

Apparently, because it is to be used in a similar way as online banking systems, the application is to be given the name Health Wallet.

We’ll immediately note that the ease of access to such systems always has a flip side: many threats designed to steal money via online banking systems are present—there is clear confirmation of this, especially when it comes to Android devices.

Another question to which the authors of the initiative (and not only this one) are still not providing an answer: what will happen with the collected data after it loses its relevance? The pandemic will be over sooner or later, and restrictions will be removed, while the sensitive medical data is likely to remain in the system, tempting cybercriminals. All the more so because we are talking about a global database that a priori may turn out to be vulnerable because of the huge number of people and organisations connected to it. We can assume that, at some level, there could at least be a partial data disclosure. In addition, in future, this database could include more information. So, organisations that are interested in receiving user personal information (for example, advertisers and marketing specialists) will find it a useful way to strengthen their control over people's actions. Thus, having lost its "health" relevance, the database could remain popular for other purposes. And hackers will have tremendous opportunities—tons of useful information will be collected in a single location.

The issue of securing such data has been repeatedly raised in light of discussions about various "health passports". The fact that information about a person can wind up in the possession of a user's employer or government authorities are a particular cause of concern for critics of this format.