For over a year and a half now, Canadians have adjusted to a different way of life characterized by social distancing guidelines, virtual work, mask mandates, and, most recently, vaccination requirements. Since vaccine administration began last December, Canada has risen to become a nation with one of the leading Covid-19 vaccination rates in the world, with 72.5% of the total population having received at least one dose.
As organizations return to in-person work, all levels of government are considering vaccine passports to promote safety in professional, social, and recreational spaces. The Canadian government is also planning to use vaccine passports to authorize certain international travel.
On August 23, officials in British Columbia announced that all people over 12 would be required to display proof of vaccination for entry into a variety of indoor non-essential activities. Residents of B.C. will be required to display either a digital copy of the provincial vaccine card on their phones or a physical copy. As these vaccine “passports” become more prevalent, particularly in digitized formats, it will be the government’s responsibility to ensure their security and that of the medical data within them.
Who will maintain these passports and their security?
According to the B.C. announcement, it will fall to the provincial government and even governing bodies of smaller jurisdictions to ensure the security of vaccine passports. Provincial officials need to invest in security now, not after these vaccine passport schemes have already been developed. The data stored in these digital documents needs to be protected at every access point. Canadians must be able to access their proof of vaccination via secure networks and have faith that their private health data is safe when reviewed to enter any space – including for travel across provinces and internationally.
Recently, Quebec announced that each vaccinated citizen would receive a custom QR code to display their vaccination records on their phone. Shortly after the announcement, hackers were able to download resident codes via an entry point on the Quebec Government website portal. While we don’t know exactly how the attackers compromised the government portal, their ability to gain access means a vulnerability existed in the system that developers missed before the launch.
While the Quebec Government will certainly patch this vulnerability, incidents like this further reduce confidence. A lack of trust in the security of these apps may become a barrier to uptake. The Quebec Government needs to be transparent about its steps for remediation to build back trust with citizens. Likewise, the B.C. provincial government needs to bake in security ahead of the launch of its proof of vaccination requirement on September 13.
How can the B.C. government defend against attackers trying to gain access to vaccine passports?
Given the rise of impersonation attacks in the form of phishing or machine-powered deepfake attempts, cyber-attackers are already adept at stealing and using personal data to gain access to organizations’ digital estates, and subsequently, to compromise sensitive data. If these personal health records are not adequately secured, hackers will use them to compromise privacy. The B.C. government must set strict audit controls and protocols for warranted access to this private data.
Traditional cyber security tools do not go far enough to account for human error and the disappearance of the cyber ‘perimeter.’ These tools were made to secure medical information stored in hospital data centers, not information that is accessed frequently and at your fingertips.
In this new era of cyber-attacks, no organization or government institution is immune to cyber threats. To protect Canadians’ privacy, the government must take steps to ensure that even if attackers manage to breach vaccine passport storage systems, no sensitive data can be manipulated. This means embracing advanced cybersecurity technologies, like self-learning AI, that can learn the “norms” for access to this health data, detect any anomalous behavior, and fight back.
Canadian citizens should not have to choose between their safety and the security of their private health data. In the weeks and months ahead, the government must prioritize using innovative security tools to secure the rollout and storage of vaccine passports.
David Masson is the Director of Enterprise Security for Darktrace.