A rapid adaptation to Covid-19 travel, updated June 2022
designed by PAHISP/Cequs based on UN human rights for patients
Using Healthcare IT to adapt to a Pandemic without losing privacy.
Sharing Protected Health Information (PHI) is very complex. Complex for healthcare providers and researchers.
Complex for HIPAA Business Associates. Patient-mediated exchange based on informed consent rights can simplify permissions and improve security, but other stakeholders such as EHR vendors must follow the intent of the 21st Century Cures Act and deliver to patients data that is validated to the same degree as the data they deliver to their federally mandated data consumers, such as Immunization Information Registries.
Patients need access to provably valid data regarding their vaccinations and tests, with an assurance of data integrity.
Currently this takes place in EHRs; however, most labs that run Covid-19 tests have their own smartphone apps.
Current tested patient-driven workflow as implemented by Apple, Epic and VCI, using FHIR with a presentation layer in the iOS digital wallet
The patient has received n vaccinations and uploads a photograph of the paper CDC shot card to the medical provider's patient portal. The provider updates the EHR and marks the FHIR Immunization resource as "self reported"; there is now a valid record in the EHR (unless the patient loaded a fake CDC card), in which case there is a validation step against a state vaccination registry. Once the EHR and the registry are in alignment from a data perspective, the immunization record is digitally signed (ensuring authenticity by the provider), resides in the Apple Health app as a consolidated HL7 record/history, and can optionally be output to a wallet as a validated credential showing vaccination status, with a readable barcode.
The provider can request out-of-band validation of the data from the pharmacy if they wish. The data from the patient is formatted and sent via the previously enrolled FHIR proxy server to the SMART on FHIR client. Not all providers have FHIR access to their EHR, but a significant number of them do. I tested this with Epic.
The vaccinations then display as Immunization records on the phone, within the SMART on FHIR application. The provider or pharmacy must also update the state IIS and will likely update the insurance company paying for the procedure. The data may also take a shortcut for the end user and be displayed from a link to permanent cloud-based storage of delivered vaccinations, held by a HIPAA-based HISP, that ends up in an Apple Wallet or Google Wallet. Some mass vaccination sites skipped the paper cards entirely and used a trusted HISP partner to deliver the records directly to the phone.
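The signing step in the workflow above is what turns a self-reported entry into something a verifier can rely on. As an added illustration (not code from Apple, Epic, VCI or this IG), the Go program below builds a small FHIR R4 Immunization resource with primarySource set to false for the self-reported case, signs the serialized bytes with an ECDSA P-256 key standing in for the provider's signing key, and then shows that an after-the-fact edit that flips the record to provider-verified and swaps in a new lot number fails verification. The CVX code, date, lot number and key are sample values constructed for the example; the JSON field names are FHIR R4's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Coding and CodeableConcept mirror the FHIR R4 datatypes of the same names.
type Coding struct {
	System string `json:"system"`
	Code   string `json:"code"`
}
type CodeableConcept struct {
	Coding []Coding `json:"coding"`
}

// Immunization is the subset of the FHIR R4 Immunization resource used here.
// primarySource=false records that the data did not come from the party that
// administered the dose, i.e. the "self reported" case in the workflow above.
type Immunization struct {
	ResourceType       string          `json:"resourceType"`
	Status             string          `json:"status"`
	VaccineCode        CodeableConcept `json:"vaccineCode"`
	OccurrenceDateTime string          `json:"occurrenceDateTime"`
	PrimarySource      bool            `json:"primarySource"`
	LotNumber          string          `json:"lotNumber,omitempty"`
}

// sampleRecord is constructed for this example; CVX code, date and lot are sample values.
func sampleRecord() Immunization {
	return Immunization{
		ResourceType:       "Immunization",
		Status:             "completed",
		VaccineCode:        CodeableConcept{Coding: []Coding{{System: "http://hl7.org/fhir/sid/cvx", Code: "208"}}},
		OccurrenceDateTime: "2021-04-15",
		PrimarySource:      false, // transcribed from a photo of the shot card
		LotNumber:          "SAMPLE-LOT-0001",
	}
}

// signRecord serialises the record and signs the SHA-256 digest of exactly those
// bytes. A deployment would fix a canonical form (or use a detached XML signature
// as the text discusses) so that re-serialisation cannot break verification.
func signRecord(priv *ecdsa.PrivateKey, rec Immunization) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(rec); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return nil, nil, err
	}
	return payload, sig, nil
}

// verifyRecord is true only if sig was made over exactly payload by the holder
// of the private key matching pub.
func verifyRecord(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// upgradeRecord models the edit the text worries about: a self-reported entry
// changed after signing to look provider-verified, with a new lot number.
func upgradeRecord(payload []byte, lot string) ([]byte, error) {
	var rec Immunization
	if err := json.Unmarshal(payload, &rec); err != nil {
		return nil, err
	}
	rec.PrimarySource = true
	rec.LotNumber = lot
	return json.Marshal(rec)
}

// Demo signs a record as the provider would and reports whether the genuine
// bytes and the edited bytes verify against the provider's public key.
func Demo() (genuineOK, editedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	payload, sig, err := signRecord(priv, sampleRecord())
	if err != nil {
		return false, false, err
	}
	edited, err := upgradeRecord(payload, "FAKE-LOT-9999")
	if err != nil {
		return false, false, err
	}
	return verifyRecord(&priv.PublicKey, payload, sig), verifyRecord(&priv.PublicKey, edited, sig), nil
}

func main() {
	genuine, edited, err := Demo()
	fmt.Printf("genuine verifies: %v, edited verifies: %v, error: %v\n", genuine, edited, err)
}
```

The verifier only needs the provider's public key and the exact bytes that were signed; anything that rewrites those bytes, including a well-meaning pretty-printer, will also fail verification, which is why the text's point about a stable, timestamped XML signature matters in practice.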
Smartphones are better than paper and easy to use with NFC
iPhones are typically backed up to iCloud, so one does not need to worry about losing a paper card. It is also simpler to load records if the medical provider already has a method of updating records electronically. In this workflow no app is required, but many people have developed apps for different political divisions, leading to an interesting political/medical overlay. This overlay ended up being significant. It pointed out that the solutions could not be strictly political, national, state-based, travel-industry-based or border-control-based, but required some overarching paradigm to escape lockdown, including the medical response to the pandemic itself. While the 1918 flu pandemic had been modeled at Johns Hopkins using coronaviruses, after a million deaths over two years later it can safely be said that things did not entirely go smoothly or according to plan. Antonin Artaud noted the changes that took place during the Plague. Things broke because the normal flow of people and goods was broken, but this had been covered up by normality before the pandemic.
One of the ways the electronic vaccination certificate record is better than the CDC shot card is that modern identity management and legal privacy requirements such as the GDPR can require selective disclosure of attributes. This is important since, circa 1990, digital identity was either anonymous or identified, without dynamic selection of attributes. This led to a huge schism between the Nym group and the Identity group.
We discussed this many years ago at NIH in a meeting entitled the "TAO of Attributes", which can be found on the Internet.
Essentially, authenticating who you are is an important part of the puzzle, but not the entire puzzle. The data must be "bound" specifically to one person in a permanent manner, and then be capable of being updated without disturbing the timestamped, signed and sealed record. Attribute certificates are discussed in https://tools.ietf.org/html/rfc5755 and could be used to describe immunizations.
The collective identity discussion community post-2000 (AKA the Identity Gang and, earlier, The Usual Suspects, along with many others) normalized a great deal of the lexicon surrounding the vague concept that eventually ended up in NIST 800-63 for terms like relying parties, etc., and the group decided that it was perfectly fine to produce custom identity documents for different purposes based on different attributes. This is because no schema specifically addresses all use cases as a 'golden certificate.' That is why an attribute certificate could be linked to an identity certificate.
The trend for state DLs has been further requirements for states to follow Federal "Real ID" requirements, especially after 9/11. This came after I introduced the concept of "Identity Management" in a very early form in 2000 at EEMA, at the request of David Goodman, to describe the next step forward after x.500 Directories, which were already a very powerful back-end data center technology, aka "The Directory", but were primarily organization-based at boundaries and not a general Internet service during the NSF grant, as they had been since 1988.
Large organizations needed a consistent directory, and some organizations like Boeing led in the use of Open System Directories. Boeing also developed a proxy so some data could be selectively exposed to the Internet. The University of Michigan had already developed an open source LDAP server designed for the Internet, and versions of that code were very popular.
Multiple directory models emerged attempting to replicate data between different directories that had different schemas. Microsoft pushed Active Directory, which still commands a huge market share for Microsoft-dominated corporate environments and the Azure cloud. LDAP server schema design tended to be fairly bespoke depending on the use case and necessary attributes, more of a custom fit than the consistent view of data in x.500, where the schema was fairly stable. The COSINE pilot attributes were largely retained from when I ran the c=US 1988 version. While x.509v3 certificate storage was native to x.500, it had to be compiled in, which was a fairly intense process; we had to add the binary element into the IETF specifications to allow digital certificates to be stored in LDAP.
When the end user faced privacy threats regarding their personal identity, from conventional threats like database breaches, the formal ITU big-telecom approach did not entirely fit on a very wild-west Internet that was happy with no encryption and very little data integrity. The end user was pretty much separated from the database administrators, but not from their errors. Once hackers figured out how to leverage zero-day attacks (still ongoing) to forge administrator super-user credentials or system credentials, in state-sponsored attacks like Heartbleed, it was impossible for security people to patch fast enough, and breaches of large amounts of very sensitive personal information occurred via APT groups. While the reasons for cyberwarfare vary, some very large breaches of personal information occurred in very sensitive systems without a corresponding urgency to improve security, and often without major consequences for the failed policy that allowed the breaches to take place. The healthcare community, which typically did not take security that seriously, being in a fairly closed-off friendly environment, was hit particularly hard. Currently security failures have been widespread, with ransomware that makes a company's data useless since it has been encrypted with a key the organization does not own. This literally paralyzes business processes.
Obviously encryption, x.400 email and directories were very big in the military, which already had defined security models and chains of command not necessarily applied formally in most businesses. We see a flavor of this in the Byzantine Generals problem of how one establishes distributed trust in a message that carries a command. Is the message from the right general or the corrupt general in a distributed system? The typical solution is to cryptographically sign the message, as is proposed by the IG, but it is not the only way. It is certainly a way for the EU and WHO to apply a non-discriminatory policy to what would naturally occur with vaccination passports. This brings up the requirement that both user consent and a shared policy must be negotiated between stakeholders using different legal covenants. Supranational organizations like the EU, or organizations like the UN, must derive their policy from human rights. This is not true for every government; some have used citizen vaccination data for different purposes such as law enforcement. Due to the very close integration of cell phone data in South Korea, covid tracking was very successful, but also highly privacy-intrusive, creating a tradeoff between privacy and tracking effectiveness that was structural, due to the way the government maintained data.
Thus a vaccination certificate design must be both privacy-preserving and effective for the end users who need to use it in different use cases. It's not enough to say it is temporary, as predicted for the pandemic, even though that is true. The user's and the various governments' requirements must align around the typical privacy issues of transparency, or vaccine hesitancy will be the result. The MVP will address those issues by data minimization, flexible contracts and effective cryptography. Since this is a FHIR IG, FHIR is a given, along with the typical protocols that go along with FHIR. XML signing for integrity is not typically supported but is clearly applicable; other parts of the MVP represent practical choices, but in an open architecture should have easily substitutable and modular options. This is pretty typical of security solutions that accommodate a variety of approaches that may be more or less appropriate depending on factors such as cost. Does the application require zero-knowledge proofs, FIDO2, hardware tokens and HSMs for private key storage? Does it need to operate without access to the Internet? All these choices belong to the developer, but a verifiable result acceptable to a relying party is a given. In our Iceland use case the epidemiological officer maintains the final approval, and there are other factors outside the scope of the use case regarding access beyond just being vaccinated. Other factors will enter into the decision.
Also, two certificates were required, one for encryption and one for digital signing, and since digital signatures are as valid as wet-ink signatures for contracts, the digital signature part was harder than just turning on encryption for email.
Fairly long debates followed in the healthcare community, when we tried to come up with simpler ways to send messages with HL7 records as attachments, as to what level of assurance was required for patients and healthcare providers, but everyone agreed encryption was necessary for privacy.
They didn't get around to agreeing that data also needed to be broken up and signed per field into more discrete parts, but in order to prevent fraud at CMS regarding expensive durable medical devices like power wheelchairs (advertised on late-night cable), the electronic signature of medical documents was set up.
Encryption certificates set up encryption, very important for confidential transport or subsequent storage, but signing was important for data integrity, especially signing computer code. Multiple certificates for different purposes.
It should be noted that many things can update automatically in the computer world, and a signature (especially a time-stamped XML digital signature) is a permanent artifact in time. Signing an entire document is fairly common, as in Adobe Acrobat and electronic signatures, but permanently signing just one field in an XML-based specification like FHIR is more difficult and not a popular use case.
Who needs to sign their immunization data? All of a sudden there is a reason to prevent fake paper certificates like the CDC shot card, or vaccine certificates with potentially faked bar codes, as in Israel, or the college dormitory making fake IDs for drinking. The motivation for fake ID varies. However, if we make employment conditional on getting a vaccine and the person is anti-vax, the motivation to order a fake shot card on the dark web goes up. So people sell them.
There are almost no consumer apps that sign XML. It was briefly popular, and there is a book as well as published standards for companies that do this; it is in a lot of software libraries, and the standard is mature and maintained by ETSI, including a testing platform. The EU and WHO realize this and as a result are offering PKI x.509v3 implementation guides for vaccination certificates. One EU-compatible certificate will work in the entire Schengen zone. Note that the use of "immunity passport" dates back to March 2020, as does "vaccination passport", for two important reasons: one, no one can accurately predict immunity, and two, they don't want to make vaccination mandatory to do things. However, just like wearing a mask, this does not stop a bar owner, employer or anyone else from requiring a vaccination and proof. So despite no official mandate, in an attempt to prevent discrimination, people will still require proof of negative covid testing, a full vaccination, or prior exposure to Covid-19 as a requirement for different activities. The use cases are likely to be vast until the end of the pandemic, when these become obsolete.
ICAO and IATA Important Guidelines for Machine Readable Travel Documents
Historically airlines have played a very important role in preventing pandemics, since they are logically one of the first vectors to spread a global pandemic, and thus have a great deal of experience in dealing with international medical agreements over almost 100 years.
This is because they have a lot to lose when tourist dollars go away and borders lock down.
We in the U.S. famously mismanaged the pandemic and are only now getting back in the game, but whether the Biden pandemic plan, which has tasked the State Department with International Certificates of Vaccination, is actually fair to individual patients or skewed is TBD, since they are looking at the hundreds of proposals on the table.
The airlines are a logical home for vaccination passes; the pandemic greatly affects the tourism and business travel industry, so their revenue and flights are way down.
A historical and fun use case
My use case involves a reverse Viking trip from Boston to Iceland, and one can use the Viking thought process to get there.
The Vikings used polarized light and chunks of "Iceland spar", which has a very specific calcite crystal twin refraction (see the IBM digital twin design pattern) that allows one to navigate an ocean to an accuracy of 1 degree when it is cloudy and one cannot use a sundial to find north.
They apparently made it all the way down to Martha's Vineyard (as yet unproven), and your Icelandair flight leaves from Boston.
Iceland is a very unique place, geologically. They based their political system (the Althing) right at the point between the North American and European continental shelves, and one can insert oneself at that exact spot to experience the idea of the use case: to harmonize the EU and North America on vaccine certification requirements. Iceland has gotten really good at Covid-19 travel requirements, and with a proper vaccination certificate you stand a very good chance of passing the epidemiological control point, since the requirements are aligned.
Although you could go full Viking and cruise via ship, in this case the travel use case begins at Logan Airport, but first one must prepare at home and read the Iceland Covid-19 requirements from the Embassy; timing is crucial. I would suggest a fully refundable flight.
Collusion, collision, navigation and Google in Florida
A key example in the reverse Viking voyage use case is the use of natural indicators for navigation, perfected by both the Vikings and Pacific Islanders. Pacific Islander navigation is part of the mythology of the Sipapu of the Hopi. I used the Vikings in my first broadband development effort in NY state in 1990, the trading post at Aptucxet, which I established on both the PARC and the Media MOO as an early social media effort.
I got the navigation idea from a number of sources, but Moxie Marlinspike, who wrote Signal and looked very closely at the operation of sextants, was influential because he figured out how to break x.509v3 certificates by hacking the message digest 5 (MD5) hash, which was subsequently deprecated.
Moxie faked Google's SSL certificate and put them in Florida. As a result, some real improvements have been made to PKI by Google.
That information is in the distinguished name, or DN, per RFC 1218, which created the virtual C=US pilot domain that I later turned into a startup. It is the original Internet and ISO naming structure from 1988 x.500 that I am using to make scalable vaccination certificates.
This location naming has meaning, since from an official US perspective, even if you are in Guam, your US rights derive from a simple binary: being a US citizen or not. Your right to use strong cryptography derives from citizenship, not technology, but it is highly supported in the EU and UN.
So in the virtual version of the US this is important in making your identity portable. The benefits of the Internet accrue to you in the "flow" of data, and in the recognition of your passport through the State Department PKI, and also the claim of vaccination verified by PKI. Or a CDC shot card.
It's not about being a citizen of the Internet, as John Perry Barlow famously argued; at that point the Internet was a separate special place with its own rules, an entity apart from everyday life. Now it is woven into everyday life and, like water, we want good access everywhere. In the US special rights apply and are recognized at borders.
It's an actual healing of the U.S., recognizing the entire history of the U.S., which is at least somewhat mythological, like Turtle Island, but still makes sense. Aptucxet was the first trading post, both in MA and in virtual reality, a diplomatic device visited by the Norse, and the Mayan quetzal feather allowed native traders to go along the trade paths between tribes without getting killed. It had deep significance for being left alone, which is one definition of privacy. Chances are those goods were going to your own tribe as trade surplus, and the quetzal feather was a sign of royalty and trade between tribes in Mexico and Guatemala.
It was the TLS (transport layer security) and JSON Web Token of Aztec and Maya commerce, since Quetzalcoatl (the serpent) could travel through those hoops that turned into time-dimensional portals. Certainly a nice trick during March Madness.
Additionally Kille, who authored x.500 at UCL in 1988, named the software Quipu after his INCA project, and after the string accounting method one can see examples of at the Peabody Museum at Harvard. Hence x.500 administrators at NASA, Sandia, etc., referred to themselves as "Quipucamayocs", after the native officials who maintained inventory ledgers using colored strings and knots. Commerce using a token such as a JWT, along the routed paths of the Internet, where e-commerce only came into being in 1994 after the Arpanet, launched the famous dot-com boom and bust that formed our current version of services delivered in the cloud.
And it puts Google where it logically should be, which they keep an eye on via their Certificate Transparency project. For more details look at the FBPKI, or Federal Bridge, which shows how different PKI systems can validate against each other using the current version of x.500 and cross-certification.
Google in Florida: does it matter?
The fact is that Google was not in Florida, and this fake certificate set up the perfect MITM attack. Of course the fake certificate was booted from most browsers quickly, as were all MD5-based certificates eventually, since a hash collision, and collusion, was possible. The viable MVP has multiple steps to prevent collusion.
While most people would know this digital certificate was fake, because the signed real certificate put Google in California, someone in Syria would not, and that's how their government spied on dissidents.
The location in the certificate (evident if you have ever made your own with OpenSSL) is part of the distinguished name that becomes certified.
Fields of the CDC shot card and making a schema
An entry has to be unique in a Directory, but in a fake vaccine certificate or self-signed digital certificate you can make up any lot number you want. An out-and-out fake is easily spotted on a CDC shot card paper form or in a vaccine certificate. Collusion, as has been reported with pharmacy techs who steal shot cards, is more complicated (since those will have actual valid lot numbers). Clearly additional verification can be applied after the fact to any shot card.
In addition, the ICAO plays an important role in this, as does the IATA, which plays an important role in setting ICAO standards for machine readable travel documents.
Certificate Authorities using PKI software can and do create digital passports every day. You also can create your own self-signed certificate using OpenSSL or the macOS certificate authority, since it is an open standard. However, no border control officer will acknowledge it as valid, primarily because it is not "bound" to your identity as it is in the original X.500 model, where you could have a distinguished name and a certificate bound to that distinguished name. Actually that is the format that most, but not all, digital certificates from a certificate authority already use, if one looks at the certificate at a lower level. None of this is especially user-friendly, which is why distinguished naming is largely only used for x.400 mail and X.509v3 certificates, and you are more likely to come across the little brother of x.500, LDAP, which you can run on your own server and which works with this technology.
For example, to prove age to drink in a bar requires a birthdate, but by showing a DL one also shows a home address. So while the DL is acceptable, it is not privacy-protective for the user, while a proof of age without the DL would be, even if it was based originally on the DL and other factors.
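The Google-in-Florida story above and the point that no border officer will accept a self-signed certificate come down to the same check: a verifier trusts a subject name only when an authority it already trusts has signed the binding. The Go program below is an added example, not part of the original post or of any project named on the page. It builds a constructed root CA, issues one certificate for a host with the subject in California, makes a second self-signed certificate for the same host with the subject moved to Florida, and verifies both against a trust store that holds only the root. The hostname www.example.com stands in for the Google hostname in the text, and every name and key is generated inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for subject. With parent == nil it is
// self-signed, which is exactly what "make your own with OpenSSL" produces.
func newCert(subject pkix.Name, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyAgainst does what a browser or border-control verifier does: build a
// chain from the leaf to a root in the trust store and check the name binding.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo returns whether the CA-issued certificate verifies, and the error the
// self-signed "Florida" certificate produces against the same trust store.
func Demo() (genuineOK bool, forgedErr error, err error) {
	// Constructed trust anchor standing in for a real root CA.
	root, rootKey, err := newCert(pkix.Name{CommonName: "Example Root CA (constructed)", Country: []string{"US"}}, nil, true, nil, nil)
	if err != nil {
		return false, nil, err
	}
	host := "www.example.com" // stand-in for the Google hostname in the text
	genuine, _, err := newCert(pkix.Name{CommonName: host, Organization: []string{"Example Corp"}, Country: []string{"US"}, Province: []string{"California"}}, []string{host}, false, root, rootKey)
	if err != nil {
		return false, nil, err
	}
	// Same host name, but self-signed and with the subject moved to Florida.
	forged, _, err := newCert(pkix.Name{CommonName: host, Organization: []string{"Example Corp"}, Country: []string{"US"}, Province: []string{"Florida"}}, []string{host}, false, nil, nil)
	if err != nil {
		return false, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return verifyAgainst(genuine, roots, host) == nil, verifyAgainst(forged, roots, host), nil
}

func main() {
	ok, forgedErr, err := Demo()
	fmt.Printf("CA-issued verifies: %v\nself-signed result: %v\nerror: %v\n", ok, forgedErr, err)
}
```

The self-signed certificate is internally consistent, and its Florida subject is perfectly well-formed DN data; it fails only because no trusted authority vouches for the binding, which is the whole point of the chain. Browsers that blocked the MD5-based certificate and the later Certificate Transparency logs add a second, independent record of who was issued what.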
The risks around not validating data and making data validation simple to use
There can be no "man in the middle" attack that modifies health data on the way to the patient. In order to prevent these various attacks we use cryptography, the already standardized X.509v3 cryptography standards that are accepted worldwide. The most important thing to understand is that this is not based on trust but math. We call the entire system Trust Frameworks because they integrate a lot of legal conditions and policy along with the cryptography. Ultimately the epidemiological control officer, who has the final say on the validity of the user-supplied document, is using the exact same system used to verify a passport, so we know it works and is provably secure. Making it easy enough for the end user is another matter entirely, so the UX is very important in making the highly complex set of exchanges involving cryptography easy to use. Notably, some of the open source crypto of the last twenty years has been notoriously difficult to use. This is changing, as evidenced by the rapid increase of TLS 1.3 on the Web and the recent deprecation of earlier versions; it was only a few years ago that we were debating whether the now-deprecated versions should be included in IHE. Things are becoming more secure and easier to use, and the IETF plays an important role in integrating the Internet into everyday encounters.
Privacy violations occur where governments have access to multiple matching databases, or where they use healthcare data for purposes other than those for which it was intended or consented to by the end user. These violations have taken place and are very serious, so privacy-by-design solutions are based on human rights with proven cryptography.
Go to the SMART on FHIR website and download one of the apps. SMART on FHIR is favored by many of the alliances that look to create vaccine credentials. One of the first things you will notice is a disclaimer that the data for the app is not HIPAA "protected".
This is because the SMART on FHIR app vendor is not a HIPAA "business associate" of a medical provider. There is an exception to the HIPAA requirements for business associates when data is tunneled (like a VPN) between two endpoints, because there is no man in the middle that can CRUD data and that therefore requires trust at the business layer. If you trust someone to haul confidential paperwork to a shredder, they have to be a business associate.
If it were a business associate it would have a business agreement with a provider, and therefore be required to report any possible data breach. Someone collecting paper trash in a hospital might come across unshredded patient records that had an SSN, and that employee could possibly sell that data, which would in turn create identity theft. That would be a breach caused by a business associate, and there could be liability and prosecution. This is not unusual with the many contractor employees that handle sensitive personal information in a healthcare system. To create accountability, a Business Associate Agreement is part of the normal contract process required.
Now consider the role of a patient. It is entirely different. They also have a contractual role with a provider, also a complex role, but it is not as a supplier. However, the provider clearly consumes and processes a great deal of data from patients, formats it, derives value from it, and uses it to provide customized services. However, the primary role of healing takes place with the patient, in conjunction with the doctor, as part of a relationship. The early therapeutae relied on their knowledge of herbs, etc., to create medicines; the Greeks used dreams to diagnose illness, and monks were especially good at identifying natural plants for common illnesses. In a more complex society involving mRNA vaccinations and virus variants, the complexity of healthcare shifted away from the patient, and over the last 20 years it has actively engaged the patient in their own cures, which is always based on consent across a diverse set of circumstances. The lazaretto, or quarantine station, is a very old concept to prevent the spread of disease, or what is called community spread, and in small enough numbers (along with contact tracing) can help lower the reproduction rate.
Patients manage their own data privacy. They can share that data either informally or based on privacy contracts. The patient can also profit, or get a discount, from selling that data. People may participate in clinical trials for drug testing, and in general the entire clinical testing process is normalized for pharmaceutical companies, with massive amounts of documentation that is all digitally signed using X.509v3.
In this case the patient is the arbiter of how their personal data is used, and this again is contract-based depending on the use case. Yet they are not business associates, so after a long history of information blocking, healthcare systems are required to share medical data in an easily consumable form with patients.
In general, this progressed from doctors charging high fees to duplicate medical records in the past (since they felt they owned the records) to data and services being provided in easy-to-consume forms via various electronic and paper formats, such as after-visit summary reports, but also including secure mail, web portals, and direct-to-device FHIR downloads using SMART on FHIR apps like Apple Health. The gap is that validating the data is optional in FHIR, and this implementation addresses that gap. Could an EHR provide a web service to create a vaccine certificate? Of course. Will it meet all the necessary use cases? Maybe. Partially because, although the pandemic is an international concern, it's not really in the core business model of the EHR vendor, so they treat it as a non-profit adjunct and communication strategy to their business as a public good. A HISP that acts as HIPAA storage in the cloud under contract to a health department is for-profit, as is the company that sells that cloud storage. AWS is not giving away free cloud storage for vaccination credentials yet, but they could. Microsoft Azure signed an agreement with the Vaccination Credential Initiative that they would not profit from vaccine credentials; however, despite some offers, I don't see free HIPAA storage, while they offer some very innovative cloud-based HIPAA products in this area.
I don't see a lot of transparency from the Vaccine Credential Initiative as to whether they plan on something like this in the future. They may in fact offer free vaccination certificates to patients at some point. Healthcare consumes almost 20% of US GDP compared to other countries, according to the OECD, so money is being made, and the cost of the pandemic has been astronomical. The point of this IG is to rebalance some of those forces to engage the patient in the process, lowering, not increasing, economic disruption. Security makes things more predictable; adding security to FHIR Immunization data records makes many economic factors caused by the pandemic more stable. In a separate policy section I want to examine how human rights drive standardization and predictable outcomes via policy that does not create additional barriers and actually enhances privacy. Part of this is the balance in markets between interactions at a micro level and interactions mediated by large platforms. This is very specific to surveillance capitalism.
Generally any module that works as an add-on to an EHR must meet certification criteria that are tested by the Federal Government, and these criteria are published to encourage developers to add value to electronic health records. Extensive documentation exists to check whether any part of the HIT system works in a certified manner. In this FHIR IG we are primarily concerned with security and with how systems treat patient-shared data that has personal healthcare data embedded. There are two major ways to convey vaccination information, either via a web app or a phone app, but also as a card inserted into a digital wallet on iPhone or Android, as done by the Los Angeles Public Health Department at mass vaccination sites.
In this case the vaccination data is conveyed via a HIPAA vendor process from the Health Department (a health information service provider, or HISP, that does not practice medicine but conveys medical information), stored in the cloud, and voluntarily loaded into the phone wallet via the Internet.
I coined the phrase "Identity Management" at EEMA when were looking to update the ISO .x500 Identity model. It was based on a specific Diplomatic type of vague language which allows people to fill in meaning. This goes back to the Greek idea of the "Pharmakos" which is highly relevant to a Pandemic. Both Socrates and the Postmodernists understood the problem of duality in writeen lanaguage. Identity used for a vaccine passport we are looking at both a cure and a poison. IDM was a big leap forward for provisioning services. Since 2000, many people have subsequently have deeply considered and matured this IDM technology. Several industry groups and non-profits have endorsed a rethinking of identity. While FHIR uses OAUTH2 on an authentication and authorization layer, FHIR is actually agnostic. In XML format is works particularly well with XML Digital Signatures.
FHIR is a fast method of accessing healthcare data via web services. The old SOAP-based connections between providers had to be hand-built and could easily cost thousands of dollars to implement. Now smart phones and SMART on FHIR applications can contact a provider's FHIR server and, from the consumer's point of view, download your PHI easily. Once you authorize a connection to your provider, health records arrive automatically; test results are available as soon as they are entered into the EHR. This is a radical improvement in consumer-driven healthcare. Since vaccination data is just another resource, you have access to it as a record and can begin to use that data effectively. Keep in mind, however, that this is different from your passport. Modern passports are electronic: the data is stored on a chip according to the ICAO 9303 standard, which builds on the ISO contactless smart card standards. That means a border control agent can read it contactlessly and compare the photo on the passport with you. The data itself is verified cryptographically with PKI, specifically digital signatures. Each country's signing authority issues X.509v3 certificates (with X.500 names), so a remote verifier holding the country's certificate can check the signature on the data; no decentralized identifiers are involved. This has implications for the FHIR vaccination resource data you already have on your phone, because that data is not signed. To recap: passport data signed, FHIR data not signed. That is a real gap, and this Implementation Guide closes it with XML-compatible digital signatures, which allow data to be added to a health record while the signed records stay tamper-evident and permanently time-stamped, much like the idea behind a blockchain.
Your phone has a lot more storage than a smart card chip. As a result you can import your passport to your phone. But unlike the old visa stamps (which are roughly analogous to the shots you accumulate as the virus mutates), adding records to the passport chip is not easy. On your phone it is. Now which makes more sense: handing over a personal identifier like a biometric, which you can never change and which will be stored in another country's database, or just giving them verifiable vaccination or testing information in addition to the identity information you already need for your passport? Once you have legally given up the rights to your biometric to avoid quarantine, facial recognition can subsequently track you anywhere. Better still, can you create a personal privacy contract that says to wipe out the provided data after a certain amount of time, based on the GDPR and the EU right to be forgotten? Or, better yet, can you allow an epidemiological officer to verify that you got a vaccination without actually showing her the paper copy or the electronic copy? That is possible with advanced cryptography which can prove without showing!
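An added example (mine, not code from the page or from any project it mentions): the simpler, widely deployed cousin of "prove without showing", selective disclosure over salted hash commitments (the construction behind SD-JWT), written in Go with only the standard library. The issuer signs the hashes of all claims of an immunization record; the patient later reveals only the vaccination claims and their salts, and the officer verifies them against the signed commitments without ever seeing the name or birth date. It is not a zero-knowledge proof: the revealed values are shown in clear, only the other fields stay hidden. The claim names and values are constructed sample data for a hypothetical patient.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Claim is one attribute of an immunization record plus a random per-claim salt; the salt
// is what stops a verifier from recovering a hidden value by guessing (birth dates are few).
type Claim struct{ Name, Value, Salt string }

// commitment hides a claim: without the salt, neither name nor value can be recovered.
func commitment(c Claim) string {
	h := sha256.Sum256([]byte(c.Salt + "|" + c.Name + "|" + c.Value))
	return hex.EncodeToString(h[:])
}

// credentialDigest is what the issuer signs: the sorted list of all commitments.
func credentialDigest(commits []string) []byte {
	sorted := append([]string(nil), commits...)
	sort.Strings(sorted)
	h := sha256.Sum256([]byte(strings.Join(sorted, "\n")))
	return h[:]
}

func newSalt() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; a failure here is unrecoverable and crashes the process
	return hex.EncodeToString(b)
}

// Credential is the full signed record held only by the patient.
type Credential struct {
	Claims  []Claim
	Commits []string
	Sig     []byte
}

// Presentation is what the patient hands over: revealed claims with salts, all commitments, the signature.
type Presentation struct {
	Disclosed []Claim
	Commits   []string
	Sig       []byte
}

// Issue is run by the issuer (pharmacy, EHR or state registry) over the full record.
func Issue(issuer *ecdsa.PrivateKey, attrs map[string]string) (Credential, error) {
	var cred Credential
	for name, value := range attrs {
		c := Claim{Name: name, Value: value, Salt: newSalt()}
		cred.Claims = append(cred.Claims, c)
		cred.Commits = append(cred.Commits, commitment(c))
	}
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, credentialDigest(cred.Commits))
	cred.Sig = sig
	return cred, err
}

// Present reveals only the named claims; everything else stays behind its commitment.
func (c Credential) Present(reveal ...string) Presentation {
	want := map[string]bool{}
	for _, r := range reveal {
		want[r] = true
	}
	p := Presentation{Commits: c.Commits, Sig: c.Sig}
	for _, cl := range c.Claims {
		if want[cl.Name] {
			p.Disclosed = append(p.Disclosed, cl)
		}
	}
	return p
}

// Verify is run by the officer: check the issuer signature over all commitments, then that
// each disclosed claim opens one of them. Hidden claims are never seen.
func Verify(issuer *ecdsa.PublicKey, p Presentation) (map[string]string, bool) {
	if !ecdsa.VerifyASN1(issuer, credentialDigest(p.Commits), p.Sig) {
		return nil, false
	}
	committed := make(map[string]bool, len(p.Commits))
	for _, c := range p.Commits {
		committed[c] = true
	}
	revealed := map[string]string{}
	for _, d := range p.Disclosed {
		if !committed[commitment(d)] {
			return nil, false
		}
		revealed[d.Name] = d.Value
	}
	return revealed, true
}

func main() {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred, _ := Issue(issuerKey, map[string]string{"patientName": "Jane Example", "birthDate": "1970-01-01", "vaccineCode": "207", "status": "completed"}) // constructed sample
	fmt.Println(Verify(&issuerKey.PublicKey, cred.Present("vaccineCode", "status"))) // map[status:completed vaccineCode:207] true
}
```

A deployed version would bind the presentation to the holder (for instance with the FIDO2 key the page later proposes) and include a verifier-supplied nonce, so that a captured presentation cannot be replayed by someone else.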
Beating Covid-19 is a numbers game: one has to reduce the virus's reproduction rate, and when it has no more hosts it dies out. However, if one infected person can spawn 20 mutations, the game is afoot to stay ahead of the variants. That means vaccines may need to be boosted and the results recorded to stay ahead of the curve. We want to chart that.
We can do better than the CDC paper shot card for vaccination records.
The data is already available but not entirely under the control of the individual patient. What will it take for a vaccinated person to make a claim about a vaccination attribute that can subsequently be verified by an epidemiological border control agent, given that fraud already exists with paper documents? We are beginning to find out. Our use case has published an extensive list of requirements for visiting Iceland, and they have a very easy-to-use web form that can be filled out before you go. The various complexities (and there are many, depending on your country of origin and purpose of visit) determine Covid-19 testing, and thus which certificates can be generated for consumption at the epidemiological control point. Many things are covered by their pre-registration, which takes place 72 hours before the scheduled flight; they have taken the logic of visiting Iceland and put it on the web. If you try to register before the allowed time, it kicks you out, presumably because of the Covid-19 test timing requirements. If you are vaccinated and have valid credentials you do not need to quarantine.
As Denmark has noted, much of the technology is already in place; now the discussion is about interoperability. HL7 FHIR is an international standard for healthcare data that is easy to implement with SMART on FHIR clients like Apple Health. That gets the data to your phone, but how is it verified? I propose an XML digital signature over the FHIR data, applied by the EHR, the pharmacy, or the injection site, to validate the data. Alternatively, an application can take unsigned FHIR data and ask verifiers such as the provider, pharmacies, and the state IIS to validate and sign the data you already have. Without such a signature there is no proof that a relying party in Iceland can verify over the existing PKI.
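An added example in Go, mine rather than code from the page or the covidcleared.org project, to make the proposal concrete: a document-signer certificate chained to a hypothetical health PKI root signs the serialized FHIR Immunization XML, and the relying party first chains the signer's certificate to the root it trusts, then checks the signature over the bytes. It uses a detached ECDSA signature over the XML rather than a full XML-DSig structure (no canonicalization or Signature element), and the root, pharmacy, patient reference and CVX value are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// val models the FHIR XML convention of carrying primitive values in a value attribute.
type val struct{ Value string `xml:"value,attr"` }

type coding struct {
	System val `xml:"system"`
	Code   val `xml:"code"`
}

// Immunization is a cut-down FHIR R4 Immunization resource in its XML form.
type Immunization struct {
	XMLName     xml.Name `xml:"http://hl7.org/fhir Immunization"`
	Status      val      `xml:"status"`
	VaccineCode struct{ Coding coding `xml:"coding"` } `xml:"vaccineCode"`
}

// sampleImmunization returns constructed test data (hypothetical record, not a real patient).
func sampleImmunization() Immunization {
	var imm Immunization
	imm.Status = val{"completed"}
	imm.VaccineCode.Coding = coding{val{"http://hl7.org/fhir/sid/cvx"}, val{"207"}} // a COVID-19 CVX code
	return imm
}

// SignedRecord carries the signer's certificate with the data, as an ePassport carries its
// document-signer certificate, so a relying party needs only the trusted root to verify.
type SignedRecord struct {
	Resource []byte            // serialized FHIR Immunization XML
	Sig      []byte            // ECDSA P-256 / SHA-256 signature over Resource, ASN.1 DER
	Signer   *x509.Certificate // certificate of the EHR, pharmacy or IIS that signed
}

// newCert issues a certificate with the given key usage signed by parent; parent == nil yields
// a self-signed root. Serial numbers are random, as they should be in a real CA.
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Sign serializes the resource and signs the SHA-256 digest of exactly those bytes.
func Sign(imm Immunization, signer *x509.Certificate, key *ecdsa.PrivateKey) (SignedRecord, error) {
	body, _ := xml.Marshal(imm) // cannot fail for this fixed struct
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedRecord{Resource: body, Sig: sig, Signer: signer}, err
}

// VerifyRecord is the relying-party check: chain the signer's certificate to a trusted root
// first, then check the signature over the resource bytes. Either failure rejects the record.
func VerifyRecord(rec SignedRecord, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := rec.Signer.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	digest := sha256.Sum256(rec.Resource)
	if pub, ok := rec.Signer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], rec.Sig) {
		return fmt.Errorf("signature does not match resource bytes: record altered or wrong key")
	}
	return nil
}

func main() {
	root, rootKey := newCert("Health PKI Root", x509.KeyUsageCertSign, nil, nil)
	pharmacy, pharmacyKey := newCert("Example Pharmacy Document Signer", x509.KeyUsageDigitalSignature, root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	rec, _ := Sign(sampleImmunization(), pharmacy, pharmacyKey)
	forged := SignedRecord{bytes.Replace(rec.Resource, []byte(`"207"`), []byte(`"208"`), 1), rec.Sig, rec.Signer}
	fmt.Println("genuine:", VerifyRecord(rec, trusted), "forged:", VerifyRecord(forged, trusted)) // genuine: <nil> forged: signature does not match ...
}
```

In a deployed version the XML would be canonicalized (C14N) before hashing so that harmless whitespace or attribute-order changes do not break the signature, the signature would travel in an XML-DSig Signature element as the page proposes, and signer certificates would be distributed through the health PKI the way ePassport document-signer certificates are, rather than trusted because they arrive with the record. Note that the forged record above fails for the right reason: its certificate chain is fine, but the signature no longer matches the bytes.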
In slower times the "Carte Jaune" was perfectly acceptable for travel to less protected areas of the world. The problems with vaccination are not only highly technical (how to get the body to produce the right immune response) but also very social. Messaging is important, and we also need to accommodate the wishes of the vaccine hesitant. We can not only find out the requirements for visiting a country but also clear that information electronically before arrival. A photoshopped vaccination receipt can be obtained on the Internet, like a fake mask exemption, and people will try to use them. How serious is it? We don't know, but in other countries quarantine evasion is taken very seriously, with arrests and drones tracking people's movements. So we need to avoid additional surveillance capitalism affecting people's freedom to travel.
I am going to try out David Chadwick's approach of combining FIDO2 with W3C Verifiable Credentials. This ticks off the security boxes, and Professor Chadwick literally wrote the book on understanding X.500 back in the day. The developer web site at https://covidcleared.org will have a link to Professor Chadwick's new company and how they build vaccination credentials with FIDO2 and Verifiable Credentials. I am not planning on putting this on a blockchain at this moment, or on using Decentralized Identifiers (DIDs). Much of that heavy lifting is already accomplished using the ISO protocols at the core of the project and their Internet equivalents.
I am looking forward to trying this approach and conforming it to the GDPR for the MVP, and then signing the FHIR electronic version of the CDC shot cards using my CA server, which will eventually be connected to the European and WHO PKI infrastructure used by relying parties, and which should be accessible via the Federal Bridge trust framework to validate my beta testers, along with the ETSI FHIR digital signatures. Depending on the complexity of programming the client on the iPhone, I may initially consume that as a service. The client will be very simple: get the signed Immunization records and display them using Apple Card kit, or, if they are not signed, get them signed by the stakeholders. The stakeholders already have wet-ink signatures on the pharmacy paperwork, but for security reasons that should only be done in the digital domain to meet best practices. Immunization doctors did sign and stamp the Carte Jaune previously, so that is certainly possible to do in the digital version. The vaccination record is not the only determining factor for travel, in order to prevent discrimination.
It should be noted that FHIR download and export is already dead simple in Apple Health or any SMART on FHIR app. My app will consume that Immunization and Covid-19 test data on behalf of the end user and will go get the necessary signatures from any missing stakeholders if necessary, or do verification loops against the authoritative IIS for any of the 50 states on behalf of the patient.
I will then store the completed signed vaccination certificates, generated by the end user and validated by the stakeholders, in LDAP or a database in a HIPAA-certified cloud, and from there push them for display in an Apple or Google Wallet. Following that I will have it security certified by any useful accreditation and software audit companies, such as EHNAC, to sniff out any potential backdoors. The Google Android version will do essentially the same thing: SMART on FHIR client, download the Immunization record either already signed or unsigned, get it signed if needed, and then display it in the wallet. This seems like the shortest path, but I am open to suggestions if it can be made simpler, other than laminating the shot card and sticking it in one's passport.
There are security risks in everything. Your passport has a metal shield that prevents its chip from being read while it is closed. Bar codes may be less secure than a contactless smart card read or an NFC tap at the grocery store: you don't typically see a bar code on a high-security gate, but the health club probably uses one. You want high-quality cryptography for your data, with a key you won't lose. With PKI there is only one key (the private key) that needs to be kept secret; the public key and its certificate can be shared freely.
Patient view of FHIR in Supply Chain for Vaccination Certificate
Where does the data enter, how is it subsequently verified, and how is it made verifiable for international border clearance? Which steps might require intervention? Walk through a patient getting a Covid-19 vaccination and a CDC paper shot card and ending up with an electronic proof of vaccination suitable for international travel. Some initial happy paths.
Vaccination Certificate Implementation Guide
The FHIR implementation guide is being developed with interested stakeholders. A sampling of comments is listed below.
We are the source of "ground truth" regarding vaccination records for our state citizens. We are pleased to mitigate the problem of multiple provider sources of information for vaccination data and provide the ability to offer "verification as a service" using HL7 protocols to meet our citizens' vaccination record requirements that often go beyond individual providers' information systems. Digitally signed FHIR vaccination resource records are a permanent asset to a patient's overall vaccination strategy, not only during the current Covid-19 pandemic, but in the long term.
- Jane Doe, HL7 technical lead, State Vaccine Registry
DS4P FHIR security labeling can express the fine-grained permissions required for sharing data. While AuthN (authentication) can be simplified, AuthZ (authorization) is the much harder problem: which person or system has access to which data, and for how long, becomes complicated across organizations by business rules and compliance requirements. When is "break the glass" access required? By pre-computing these requirements in the signed XML that includes the vaccination resource, patient consent and regulatory requirements can be captured and attached to the record itself when it is transferred. Vaccine manufacturers rely on the informed consent of those who use their products, and vaccines rely on a certain degree of adoption and use to achieve herd immunity. Informed consent communicated electronically is one critical tool to prevent misuse of patient protected health information.
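An added example, not part of the page: a Go sketch of the access decision a receiving system could make from consent terms and DS4P-style security labels carried with the signed record. The Policy and Request structures are hypothetical (the page proposes attaching consent and regulatory requirements to the record but fixes no format); the label code systems and codes are the HL7 v3 Confidentiality and ActReason vocabularies that DS4P labels use, and the rule that an emergency override is never honoured on "V" (very restricted) data is an illustrative policy choice, not a requirement of the standard.

```go
package main

import (
	"fmt"
	"time"
)

// Code systems used in Immunization.meta.security labels (HL7 v3 vocabularies used by DS4P).
const (
	confSystem    = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality" // N, R, V
	purposeSystem = "http://terminology.hl7.org/CodeSystem/v3-ActReason"       // TREAT, ETREAT, PUBHLTH, HRESCH
)

// Label is one Coding from the resource's meta.security list.
type Label struct{ System, Code string }

// Policy is the consent and regulatory envelope carried with the signed record. Its shape is
// hypothetical: the page proposes attaching such terms to the record but fixes no format.
type Policy struct {
	Labels         []Label   // confidentiality level plus the purposes of use the patient consented to
	ConsentExpires time.Time // consent is time-bounded
	AllowOverride  bool      // patient or regulation permits emergency (break-the-glass) access
}

// Request is what the receiving system knows about an access attempt.
type Request struct {
	Purpose    string // purpose-of-use code asserted by the requester
	BreakGlass bool   // requester explicitly invoked emergency access
	At         time.Time
}

// Decision is the outcome; Audit marks decisions that must be written to the audit log.
type Decision struct {
	Allow, Audit bool
	Reason       string
}

func (p Policy) has(system, code string) bool {
	for _, l := range p.Labels {
		if l.System == system && l.Code == code {
			return true
		}
	}
	return false
}

// Decide evaluates a request against the policy attached to the record. Ordinary access needs
// unexpired consent covering the asserted purpose. Break-the-glass is honoured only for
// emergency treatment, only if the policy allows it, never on "V" (very restricted) data, and
// every override attempt, granted or refused, is flagged for audit.
func Decide(p Policy, r Request) Decision {
	expired := r.At.After(p.ConsentExpires)
	if !expired && p.has(purposeSystem, r.Purpose) {
		return Decision{Allow: true, Reason: "purpose covered by current consent"}
	}
	if r.BreakGlass && r.Purpose == "ETREAT" {
		if !p.AllowOverride || p.has(confSystem, "V") {
			return Decision{Audit: true, Reason: "emergency override refused for this record"}
		}
		return Decision{Allow: true, Audit: true, Reason: "emergency override granted, audited"}
	}
	if expired {
		return Decision{Reason: "consent expired"}
	}
	return Decision{Reason: "purpose " + r.Purpose + " not covered by consent"}
}

func main() {
	now := time.Now()
	policy := Policy{ // constructed sample: normal confidentiality, treatment and public health consented
		Labels:         []Label{{confSystem, "N"}, {purposeSystem, "TREAT"}, {purposeSystem, "PUBHLTH"}},
		ConsentExpires: now.Add(30 * 24 * time.Hour),
		AllowOverride:  true,
	}
	for _, r := range []Request{
		{"TREAT", false, now},
		{"HRESCH", false, now},
		{"TREAT", false, now.Add(60 * 24 * time.Hour)}, // consent has lapsed
		{"ETREAT", true, now.Add(60 * 24 * time.Hour)}, // emergency after the lapse
	} {
		d := Decide(policy, r)
		fmt.Printf("%-7s breakGlass=%-5v allow=%-5v audit=%-5v %s\n", r.Purpose, r.BreakGlass, d.Allow, d.Audit, d.Reason)
	}
}
```

The point of evaluating against terms that travel with the record is that the sender's policy is applied wherever the record lands, and that the override path is visible in the audit trail rather than being an informal exception.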