The last year has been challenging for everyone. People working from home, together with the family — caregivers who constantly need to go the extra mile, to provide the best care for their patients — people losing their job or are still waiting to reopen — young people who are having, an understandable, difficult time with the current Covid19 restrictions.

But the last year was also a catalyst for digital transformation in healthcare. Where Covid19 increased the adoption of digital technologies by several years and many of these changes could be here for the long term.
Thinking about the deployment of bots, introduction of virtual care in many countries, implementations of A.I. to predict the severity of Covid19, and many more.

Looking at the vaccination strategy, we see a wide adoption of technology to support the vaccination supply chain and ultimately the Vaccination Passport, also known as the Corona passport. Which will serve as a crucial part of reopening the countries and enable citizens to live and travel again.

Vaccination Passport

A vaccination passport is proof that you’ve tested negative for or been vaccinated against certain infections. It can be digital, on a smartphone, or physical, on paper. You can carry it with you and show it if required, like before you go into the office, board an airplane, or attend public events.

As the COVID-19 pandemic continues, the idea is that with a vaccine passport system in place, companies could fully open for business to anyone who shows proof of vaccination. Countries might resume international travel without requiring quarantines. Which would help boost economies while limiting the spread of the disease.

Technical implementations

When looking at the different technical implementations of the vaccination passports, they all start with following base principles.

  • An Issuer, who is responsible to create and provide the verifiable credentials.
  • A Holder who acquires and stores the credentials in a digital or paper form.
  • A Verifier who requests the credentials from the Holder and verifies.

This specification from 2019 has been recommended by the W3C and is known as the Verifiable Credentials Data Model 1.0.

diagram showing how
	       credentials flow from issuer to holder and
	       presentations flow from holder to verifier where all
	       three parties can use information from a logical
	       verifiable data registry
Verifiable Credentials Data Model 1.0 (w3.org)

Within these base principles, I have come across 3 distinct technical implementations that have been implemented in different countries.

Centralized

Countries such as Denmark have implemented a Centralized Approach, where the Issuer connects to the different medical registries, and stores the data in a central place. This means that the Holder needs to install the application of the Issuer to be able to view, consent, .. the verifiable credentials and that the Verifier needs to be able to interact with the API endpoints of the Issuer, or use a dedicated application from the Issuer to verify these credentials.

Decentralized

In countries such as Germany they have chosen for a Decentralized Approach, where the Issuer connects to the different medical registries and stores the verifiable credentials in a QR code that is stored with the Holder. The data is not saved elsewhere and the Holder can store the data on a smartphone, paper or on a thin plastic card with an embedded integrated chip. When the QR code is created, a hash or fingerprint of the data is stored on a blockchain. This means that the Verifier can validate the hash via the blockchain. Depending on the type of blockchain (public, private, consortium or hybrid) the validation will be done differently

Decentralized Identity

Good to know is that Microsoft released the Decentralized identity trust framework, which aligns quite good with the Decentralized Vaccination Passport approach. Where an Issuer can connect to different registries, issue a verifiable credential and put the hash on a public blockchain. It also allows the Holder to store their credentials on a mobile wallet of their choosing. And it allows a Verifier to validate credentials based on open-source specifications and the blockchain. Meaning no API-contract is needed beforehand.

Decentralized Identity, Blockchain, and Privacy | Microsoft Security

Hybrid

With the Hybrid approach, we see companies who initially implemented a centralized approach, extending their solution with decentralized concepts. The goal is to improve the integration with other Verifiers or enable Holders to use their wallet of their choosing. It also allows them to scale in a more independent way, as they don’t need to create and maintain a backend for the verification.

Digital Green Certificate Trust Framework

The European Union has developed a “Digital Green Certificate trust framework”, which would allow citizens who have proof that they’ve been vaccinated, received a negative coronavirus test result, or have recovered from COVID-19 to travel across all 27 member states. They define it as follows

The Digital Green Certificate trust framework, which should ensure,
where possible, interoperability with technological systems established at international level. It also provides for the acceptance of secure and verifiable certificates issued by third countries to EU citizens and family members according to an international standard that is interoperable with the trust framework established by this Regulation and which contain the necessary personal data, following an implementing decision by the Commission.

en_green_certif_just_reg130_final.pdf (europa.eu)

When looking at the main elements of the proposed EU proposal/architecture, it resembles the Verifiable Credential Data Model specification from the W3C. You can clearly see the Issuer, and Verifiers on the architecture below.

The Green Certificate is a hybrid model, where the public keys, which are used to validate the hash of the verifiable credential, are stored in a common directory/gateway (EU Public Key Directory/Gateway). And the healthcare data is stored in a centralized or decentralized approach, depending on which organizations have been approved and implemented by the countries.
With this approach, Verifiers from other countries, would need to go through the EU Public Key Gateway to verify the verifiable claims from other EU countries. There is also support for validating the verifiable credentials via other channels, such as telephone calls.

Open Standards

An important aspect of healthcare data in Vaccine Passports is standards and interoperability. And I am glad to see that FHIR has been proposed to enable cross-border healthcare data. There are still some challenges on this, such as, a FHIR object can become too big after a while and not fit on a QR code anymore. But this can be definitely be resolved.

Beyond Europe

In the U.S. Microsoft joined the Vaccination Credential Initiative, which is a voluntary coalition of public and private organizations committed to empowering individuals with access to a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.

Josh Mandel, the Chief Architect at Microsoft Healthcare, has been collaborating and creating an open source implementation of the VCI, which is called SMART Health Cards Framework. The SMART Health Cards Framework Implementation is based on the World Wide Web Consortium (W3C) Verifiable Credential and Health Level 7 (HL7) SMART on FHIR standard.

The White House ruled out mandatory Covid-19 vaccination passports, but this does not mean it will not be implemented by member states. Meaning that standards and interoperability will be crucial to let the data flow in a secure and optimal way.

We also see many implementations of Vaccination Passports in different parts of the world, such as in China, Israel, Taiwan, … Who are implementing their own vaccination passport solutions, where almost all of them are based on the 3 principles discussed above.

Privacy and Security

When countries will start to implement their vaccination passport systems they need to be vigilant that health-related data should only be used for the intended purpose, and that only necessary data is collected and used.
It will be crucial that these systems are interoperable and preferable decentralized. We don’t want to get into a situation where users need to install and use different Vaccine Passports, per country. This will create a security and privacy risk, as data could be stored in different applications, which increases the risk that data is used without the consent of the user and increases the risk for data breaches.

Passports should be used to support and protect citizens, they cannot be used to discriminate persons. Guidelines should also be put in place to determine what a verifier can see and how long data is retained in different systems, based on the user consent.

In these hard times, I am excited on how we are using technology to empower every person and organization on the planet to achieve more.

Bert

Sources