Making COVID-19 vaccination reliable

COVID-19 vaccines have arrived. The biggest product launch in human history has officially started as the emergency approval to start vaccinating with Pfizer/BioNTech vaccine was given by UK, Canadian and US regulators. The European Union is expected to follow the suit before the end of 2020.

This is hoped to become the start of freeing the world from year-long restrictions on travel and social interaction.

What follows is a description of a comprehensive digital solution that would help vaccination programs to become a success instead of a mess: linking globally recognised COVID-19 vaccination certificate to supply-chain of authentic vaccines and real-time public health monitoring.

The World Health Organization (WHO) is already putting together a working group on specifications and standards on Smart Vaccination Certificate as part of digital health collaboration with Estonia.

But for a certificate to be smart, WHO also expects it to facilitate monitoring of national COVID-19 vaccination programs. Similarly, in order to provide assurance that an individual has been truly and effectively vaccinated a vaccination certificate solution should provide a link to authentic vaccines and reliable supply-chain.

From privacy angle any such certificate solution should abstain from creating a global (or sometimes even national) database of individuals and their vaccinations as this would certainly be against justified processing of personal health data. Health and personal data should remain only with the healthcare provider and the person her-/himself. Showing this info, for example on the border, should happen with the consent of the person and directly from the certificate without any outside data exchange.

So, how can we achieve globally reliable vaccination certificate while preserving the privacy?

This entails combining several independent datapoints into a single statement that can be taken as a fact (eg “this person received an authentic vaccine on a specific date”) and making the fact-checking possible anywhere and anytime. The trick lies in the understanding that it is not needed, nor is it practical to keep all that information for every person in a single database. Instead, we should use the blockchain for one thing that it is really good for — making data and records of separate activities (a.k.a. “process”) immutable and hence — reliable.

Important to notice here is that health data itself should never be stored in the distributed ledger, nor should the blockchain be used for “data transport” purposes. The first would violate “right to be forgotten” principle for privacy protection and the latter makes it impractical due to low throughout capacity for any service with meaningful scale (and I’m even not talking about the carbon footprint here). As an example, that’s what is addressed at the industrial level by KSI blockchain of Guardtime, which stores in the blockchain only the unique time-stamped cryptographic proof, which is computed from aggregated Merkle-tree of multiple hashes, to prove the authenticity, time and origin of a data asset.

With this in mind it is possible to imagine a distributed service that is built upon combining the three components into a Smart Vaccination Certificate solution that can be reliably recognised globally:

1. Trust framework of authorised providers — to prove the reliable source of certificates and the fact of actual vaccination of the individual.
2. Authentic vaccines — to prove the reliability of vaccine with the intended effect.
3. Immutable certificate with privacy-preserving verification — to prove the reliability of vaccination statement, while protecting the personal and health data from misuse.

By creating a reliable link between the individual, the specific (functional) vaccine and a trustworthy healthcare institution where the vaccination was given we can provide assurance that the individual has been truly and effectively vaccinated.

Trust framework of authorised providers

If somebody shows to you a document (for example a certificate) one of the first “reliability checks” is to understand where it came from. In other words — is the source reliable?

Most vaccination or test certificate solutions bundle together the trust anchor for the certificate (a document) and that of the issuer (a provider). This is impractical, because the standardisation effort in order to agree, who is authorised to perform certain task is much easier that to agree on standardisation on all the potential documents that may be issued. With the response to COVID-19 it has become clear that certifying a lab result is a very different task from certifying a vaccination fact.

Also, the variability of privacy restrictions for processing the “identities” of healthcare providers are incomparable with the requirements defined for personal or health data in various countries. Adding the option of making also other healthcare documents globally interoperable suggests that governing the system participants separately from the services the participants are using is much more resilient towards the yet unknown future needs.

Hence, authenticating and authorising trustworthy certificate issuers is a task, which has its challenges, but is perhaps feasible even at the global scale. Technologically there are a few (but not unlimited) ways to build such Trust Framework. Estonian government has suggested one solution that is based on open standards and software and is successfully used by various countries.

For global governance perhaps the World Health Organization would be a good candidate to set up and maintain such trust framework. There are and will be private initiatives to perform such task, which is probably a practical approach to get the immediate global trusted healthcare networks going. In the longer run, if it is to form a basis for digital health services trusted by sovereign states (eg authorising the entry to a country) there is a good justification for a body for international agreements and standards.

In its simplest form WHO can manage a “secure digital address list” of competent institutions in every country (plus some trusted international organisations) that have the authority to further certify digitally the list of individual trusted healthcare providers or health data managers (eg health information systems) in their jurisdiction. Such a distributed network of trusted digital health system participants will operate under similar technological (standards for exchanging and maintaining information) and organisational principles (adding and removing members).

The Trust Framework can effectively become the anchor of the initial foundation of trust for every global digital service. For each specific service the participants must agree what proofs any network member is trusted for and what additional trust anchors may be needed for a comprehensive reliability guarantee. In the case of Smart Vaccination Certificates the questions of personal identity and vaccine authenticity come to mind first.

How to handle personal identity reliably?

The most widespread global standard for authentication of private individuals is a photoID (usually a passport). However, many people in the world for various reasons do not have means to identify themselves with such a document and so global digital identity solutions are being developed, such as ID2020. Also, an increasing number of countries have introduced unique numeric identifiers with digital verification tools or limited equivalents in the healthcare sector. It is also possible that capturing biometric data for identification purposes can be handled in a privacy-preserving way to become universally accepted.

For any certificate solution to be practically successful, the identity management should be separated from that of the certificate itself. It is important that if needed, various identification means are supported (technologically). Hence, the vaccination certificate can be smart even if it has to be presented together with a separate identification means. What matters is the authentication process that links the ID with the true vaccination fact.

Thus, in the case of vaccination certificates, more important question is who will define the initial link between the individual and the vaccination? Since only the healthcare worker giving the jab can possibly know which individual received what vaccine it is also practical to build the trust architecture of vaccination certificates around the notion that once the healthcare worker creates the mandatory vaccination record with all the relevant data points the vaccination certificate is (cryptographically) linked to this “magic moment”.

In other words, the healthcare provider has to guarantee the authentication of the individual as well as the accuracy of the data entry about the procedure. Smart Vaccination Certificate solution can facilitate various ways to discourage the dishonest use of such privilege by making it effectively discoverable (see below), but the agent of the authentication task has to be assumed a healthcare provider.

Verifying the authenticity of vaccines

Once the source of the certificate can be trusted and the identity of the person also reliably verified the question becomes “does this document certify that the individual was immunised with an effective vaccine?”

Distributing the COVID-19 vaccines on the required scale around the world requires logistical planning and cooperation of multiple organisations within and across countries with clockwork precision. Government authorities and private companies need to work closely. Good and reliable information becomes vital for maintaining public trust under such circumstances.

Roll-out must balance equitable access in the initial shortage phase and overcome skepticism expressed by large part of the population later on. As the need to go back to normal activities and travel is overwhelming there will be a huge incentive for bad actors in public and private organisations, as well across the medical supply chain, to produce fraudulent attestations and incorrect procedures to counterfeit and divert vaccines. Recently Secretary General of Interpol Jürgen Stock has warned all 194 countries that “criminal organisations are planning to infiltrate or disrupt supply chains”.

Actually, the goal of monitoring the supply chain of authentic vaccines for integrity is achievable quite easily, if public health authorities and manufacturers would agree that this is appropriate. Assigning a unique serial number, which is linked to information about the product’s origin, batch number and expiration date to each unit of each medicine or biological, including vaccines (a.k.a. ‘serialisation’) is already a standard in Europe, USA and many other countries. A year ago WHO, UNICEF and GAVI made a statement suggesting a mandatory use of “harmonised identification and serialisation standards on vaccines to improve visibility and traceability”.

If the Smart Vaccination Certificate solution is linked to a repository of unique serial numbers of each vaccine, it is possible to guarantee that every honest healthcare provider will only use authentic vaccines as counterfeit ones will fail validity check for wrong serial number and/or illegitimate supply chain history. Similarly, every vaccination certificate can contain reference to only an authentic vaccine, as no more certificates can be created than there are authentic vaccines produced (each serial number can be used only once for as many certificates as the unit contains).

Thus, truly smart vaccination certificate system can provide anonymously valuable information about the last mile of the vaccine use — where, when and which specific vaccine was used. Note, that no personal information is required to aggregate such intelligence. This will enable to mitigate the risk of vaccine diversion, which is important for equitable distribution of vaccines globally.

As supply chains of medicines and vaccines are quite sophisticated already, a practical approach to integration of Smart Vaccination Certificate solution on top of the existing solutions is needed. Again, pragmatic blockchain-based solutions are perhaps the best candidates to succeed in gradual onboarding of distributed supply chain participants for the above described integrity management and public health support. Moving everyone to a single cloud or onto a single SCM platform is both impractical and unrealistic.

Immutable Vaccination Certificate with privacy-preserving global verification

Finally, if the source, the identity and the vaccine authenticity have been captured into a document — a vaccination certificate — digital cryptography combined with blockchain can make it both immutable and smart. In a nutshell, the Smart Vaccination Certificate solution is fairly straightforward:

1. Cryptographic proof is added to the original Vaccination Certificate dataset so that if any of the data points (issuer, individual or the vaccine) of a certificate would be later changed it disqualifies the verification.

2. Once created, the Vaccine Certificate is issued by healthcare provider as printout or sent via e-mail / mobile phone to the individual. Only the issuer and the individual have a copy of the Certificate — no central database is required for this.

3. Only the individual is carrying and transporting the Certificate. It is important that the Vaccine Certificate itself doesn’t need to contain any personally identifiable information, but only a cryptographic guarantee for its integrity (data has not been tampered) and validity (data belongs to a specific individual). This allows for confident and confidential exchange of the Vaccine Certificates to enable on-demand verification.

4. For verification a verifier (eg border guard) will receive personal information (like photo-ID) accompanying the Certificate directly from the individual with his/her consent. All health and personally identifiable data are processed with his/her consent and for this the verifier does not need any information exchanges with the healthcare provider issuing the Certificate or the Smart Vaccination Certificate service provider. Only proof of Certificate authenticity and the link between the presented photo-ID and non-personal Certificate data hashes are verified against the blockchain.

It is critical that the source code for the verification algorithm is open and freely available for independent audit for its correctness or integrating the system with various verification solutions for interoperability.

The above described method enables a Smart Vaccination Certificate solution that can be adopted anywhere in the world, while remaining compliant with any privacy framework, such as GDPR or others. At the same time, mere QR-code application that links the verifier with a database to look up individual’s vaccination status would not offer the privacy protection, even if the individual shows the QR-code link voluntarily to the verifier, because it requires extensive cross-border data exchange between the millions of verifiers globally with a database containing sensitive health data.

For the public to trust such a solution and in order to make it feasible for truly global application it is also important that the Certificate information has to be possible to read “manually”, without a permanent connection to the internet and/or the availability of any servers outside the verification site, as well as from paper or a digital device. Also, it must be interoperable and adaptable with and between the existing technological solutions operated by any system, organisation, country, culture or environment, without the need to build new IT infrastructure or a single centralised technological solution.

What about public health monitoring of the vaccination campaigns?

A robust public health monitoring system is required to steer the roll-out of COVID-19 vaccination campaigns to balance equitable access in the initial shortage phase and overcome skepticism expressed by large part of the population later on.

It is important to keep track of vaccinations at the individual level (e.g. multiple doses, side-effects etc.) as well as at the population level (priority management, uptake and allocation fairness etc.). Also, quality monitoring (pharmacovigilance) is more important than ever due to record speed of development, the number of totally new technologies used for Covid19 vaccines, and the sheer number of competing vaccines that are being deployed simultaneously.

As more and more people become eligible for vaccination, consumer preferences could become a major factor to help ensure vaccine uptake and minimise concerns over vaccine hesitancy or pandemic fatigue, the latter of which could make individuals more complacent with the notion that the pandemic is now just a part of their lives.

That is why A solution to monitor vaccination campaigns and supply-chain in real time should be connected by Smart Vaccination Certificates.

This is, however, a subject for a separate article.