Concerns over South Africa’s Electronic Vaccination Data System (EVDS) for Covid-19 have smoldered since its launch on April 16.

Designed to handle several aspects of the Ministry of Health’s national immunization campaign, questions were asked about SMS delays, scheduling appointments away from people’s homes, low registration rates in some areas and the so-called “queue jumps,” to name a few.

With the opening of registrations on July 1 for 50-59 year olds, more than 4.8 million additional people can now register on the EVDS. They will join millions before them in providing personal information, including their names, ID numbers, cell phone numbers, and medical help numbers where appropriate.

Driven by a user-friendly web platform, they will upload this data with the aim of obtaining a vaccine and thus both protecting their own health and contributing to the fight against Covid-19.

Without taking a close look at the terms and conditions of the EVDS, however, few of these users know where their data is hosted, what safeguards protect it, and who is responsible for programming, designing, and managing the EVDS.

“We live in an age where cybercrime is prevalent in the world. The kind of information collected on EVDS, if it gets into the wrong hands, could potentially cause a lot of damage, ”says Darelle van Greunen, director of the Center for Community Technologies (CCT) at Nelson Mandela University.

These risks include identity theft and ransomware attacks, the latter of which can force the Department of Health to pay cybercriminals to recover stolen data from EVDS users.

Along with cyber risks, there are issues related to the consent of EVDS users and its security policies. As the Personal Information Protection Act (POPIA) comes into force and digital policies evolve, some believe the transparency around the system could shift from criticism to pride in what EVDS can accomplish.

A complex system

“There are thousands of people working very hard under difficult circumstances to make this system work,” said Nicholas Crisp, deputy director general of the National Department of Health, which oversees the EVDS.

It’s a complex system, he says, that involves a public registration portal and SMS communications. It also keeps track of the vaccination process, including vaccine stocks, individual lot and lot number of vaccines administered and any reported adverse events. It also allows to know if the vaccinations are paid by the State or by private medical aid.

Throughout these processes, a team of Ministry of Health staff, private service providers and field health workers interact with user data, identify bugs and answer questions.

Among them is Mezzanine, a digital technology company and a subsidiary of the Vodacom group. Mezzanine manages updates and adaptations of the EVDS program arising from real-time use and the addition of new cohorts.

“The programming team works hard to fix bugs and respond to queries,” says Crisp. “When we do the check-in, they’re prepared and do some behind-the-scenes testing to make sure there aren’t any data issues.

Crisp says Mezzanine was contracted for work under the direction of National Treasury Vodacom RT15-2016 Cross-cutting contract.

Mezzanine work is completed by a team from the Scientific and Industrial Research Council (CSIR), which manages the EVDS data in its internal facilities. Crisp says the partnership was established through a memorandum of understanding between the CSIR and the Department of Health.

The CSIR and Mezzanine declined to comment for this article, referring the questions to the Department of Health.

Support INSA

The Ministry of Health is responsible for SMS delivery and acts as the owner of all data and components of the EVDS. “We use the NHI data center at CSIR, and all programming hardware and software is owned by NHI,” says Crisp.

According to him, EVDS has only been possible thanks to the development of the NHI digital backbone over the past five years. Indeed, the service is linked to INSA to support the government’s broader goals of advancing universal health coverage.

Speaking at the launch of EVDS, Minister of Health Dr Zweli Mkhize (currently on special leave), mentionned it would support “health system user identity verification systems (both public and private), expanding the capabilities of the Health Patient Registration System (HPRS) platform”.

The HPRS, initiated in 2014 by the Ministry of Health, is an electronic system for registering all patients using health facilities. Collecting personal data similar to that captured by the EVDS, it allows patients to be tracked to improve the quality and continuity of care, said a report.

“What we’re learning in the EVDS process is more information about patient records and how to improve our master list of healthcare facilities across the country,” says Crisp.

With the implementation of POPIA on July 1, Van Greunen says that link raises questions around consent. “With POPIA, you need to be informed immediately of why your data is being collected and the processes in place to protect your data,” she says.

Because there are so few upstream details with EVDS, for example, on its homepage, she says, “you don’t know what you are consenting to and who has access to your data.

So even though Mkhize has publicly stated that EVDS can be used to extend the capabilities of HPRS, it is possible that some people who register with EVDS are nonetheless unaware that the data they provide could be related to HPRS. and help build the data infrastructure for INSA.

POPIA compliant

EVDS complies with all of POPIA’s requirements and guarantees, says Crisp. It also confirms that several security measures are in place, such as firewalls, blockchain security, and physical data center security. EVDS is also regularly audited by the Auditor General of South Africa (AGSA).

“I’m confident it’s secure, and I know the Auditor General is confident it’s secure,” Crisp says.

According to AGSA, the conclusions of their audit will be published when it submits its 2020-2021 consolidated general report on the results of national and provincial audits (PFMA) next year.

But even the best security has vulnerabilities.

Global rankings ranks South Africa 59th out of 182 countries for cybersecurity and eighth on the continent. Among the risks involved are ransomware attacks, which can be costly few millions.

“Since the start of the pandemic, we have seen more ransomware attacks, which is a worrying aspect for EVDS,” says Brett van Niekerk of the School of Mathematics, Statistics and Computer Science at the University of KwaZulu -Native.

Ransomware often involves a cybercriminal holding data hostage until a ransom is paid. If the ransom is not paid, the data remains unavailable. “Since EVDS manages all vaccine information, the government could be susceptible to pay in a ransomware attack,” he says.

However, the risk of cybercriminals stealing data from EVDS users may be low. “I find it hard to see any direct usability of the data that would warrant criticism from the security community,” he said.

The right way

This was not the case with the Covid-19 tracking and traceability system initially proposed by the government. The system allegedly used location data provided by mobile networks.

However, concerns were raised almost immediately, as “location data can be used to create very detailed and invasive records of a person’s movements, public and private activities, and personal contacts”, a. report from the Media Policy and Democracy Project.

The government eventually abandoned the original tracking and tracing approach, but the report said the policy developed around it “represented a step forward in the way the South African state views political guarantees.” .

Since then, the government has implemented an alternative tracking and tracing system that does not use location data and that includes more stringent confidentiality guarantees.

Van Greunen, who is consulting the Ministry of Health on various ICT projects in the Eastern Cape, is convinced that they are taking the issue of security seriously. Still, she says there’s a lot at stake in doing EVDS well.

“As much as security is of the highest priority, we must strike a balance in terms of responding to a massive humanitarian need and registering as many people as possible,” she said.

“If they don’t do it right, we lose the will to register, the will to get vaccinated and the whole pandemic fight is probably on the line.”

* This article was produced by Projector – public interest health journalism.


Leave a Reply

Your email address will not be published.