Close Close

Life Health > Running Your Business

Cybersecurity and Digital Vaccine Passes

Your article was successfully shared with the contacts you provided.

What You Need to Know

  • You take care to protect sensitive client health information.
  • Suddenly, everyone from concert halls to wineries is also asking for sensitive health information.
  • Everyone will have to face the same kinds of data security and data compatibility issues that have haunted your nightmares.

At a recent concert at a small winery, the door attendant checked my New York state digital vaccine record on my smartphone — the first of its kind in the country — against my photo ID, along with those of everyone else coming through the door.

The experience was quick and easy, and I felt safe knowing that I was joining a gathering of people who were all vaccinated — not to mention, I didn’t have to worry about keeping track of a vulnerable paper handwritten card that doesn’t fit neatly in my wallet.

As the Delta variant spreads in tandem with vaccinated Americans like me starting to resume these kinds of social activities, and particularly as we get ready to travel again, the demand for digital proofs of vaccination is beginning to rise.

So are concerns that a digital record could put Americans’ data at risk and violate HIPAA — the Health Insurance Portability and Accountability Act of 1996, which protects sensitive patient health information from being disclosed without their knowledge or consent.

This issue is of interest to financial professionals, because your own clients could end up having to document their vaccination status when interacting with life and health insurers in this country or when traveling to other countries to resolve financial matters there.

Some states have already launched digital vaccine passes, while others have gone so far as to ban them, citing privacy and equality of access to services. There are broader organizations that are and will continue to include vaccine verification in their authorization services and it’s likely that consumers will increasingly seek to embed vaccination status into applications that afford them access to transportation, border crossings, etc. Today, the disconnected approach is creating many challenges, and additional options from the private sector are also in development.

The disparity of these vaccine passes means people will need to have multiple apps and passes, because they are not interconnected. Further, it gives rise to falsification of credentials, which is already happening in the market, both digitally and on paper. User information needs to be protected, and validation of a credential needs to be considered.

The good news is that there are existing principles we can leverage to secure credentials, such as blockchain, as well as smart health card frameworks that use open-source code and interoperate with other similar credentials.

As a cybersecurity professional with more than 25 years of experience, I urge leaders to adopt these safety standards and to prioritize and frame cybersecurity as a business imperative from the very beginning. Embedding security as part of design is always much more effective and less expensive than retrofitting a system built without such standards in mind.

As they do, leaders would be smart to think through a matrix of questions, such as: Are we developing a system with security standards in mind? What would be the downstream impact if the system were compromised? If someone falsified a digital vaccine pass to cross international borders, what types of harm could result?

These are just some of the pressing questions that have been raised in recent conversations with both government agencies and commercial enterprises to discuss digital vaccine credentials and how they can be protected.

Without question, the rapid onset of the pandemic, coupled with the exceptional development and release of the vaccine, represents another leap forward in the rapid advancement of data retention and cybersecurity capabilities. How today’s leaders value and approach trust as they guide the evolution of our digital identities will make a difference in the lives of us all.

(Image: jijomathaidesigners/

Fountain pen (Image: iStock)Liz Mann is the EY Americas life sciences and health cybersecurity leader.