Covid 19 coronavirus: Privacy breach reveals the mess of software being used to track vaccinations

The aftermath of a privacy breach has revealed that a tangle of different software systems are being used to manage Covid-19 vaccinations in NZ – and that a purpose-built booking system will arrive in late May at the earliest.

On March 28, the Canterbury DHB reported a substantial data breach to the Privacy Commissioner involving its vaccine booking system. The details of some 716 people – including names, dates of birth, and National Health Index numbers – were readily accessible within the public-facing code of the website.

The Herald has also heard anecdotal evidence of confusion over which health workers have been due their second jab.

Beyond the privacy gaffe, there was a second surprise for close followers of the vaccine rollout: The Ministry of Health said it was using a booking system created by the Dublin-based multinational Valentia Technologies.

The MoH confirmed told the Herald that “Historically, there has not been a national booking solution in place as there was not a need for one. DHBs have always taken accountability and responsibility locally for booking, in part to meet the needs of their unique communities.”

The Ministry confirmed Canterbury DHB was using a system created by Valentia, along with the Capital and Coast and Hutt Valley DHBs – although the latter two only use it internally for staff bookings. It also told the Herald that Northern DHBs (Northland, Waitemata, Auckland and Counties Manukau) were using a vaccine booking system created by the multinational software company ServiceNow.

The MoH says multiple investigations into the Canterbury breach are underway.

“The Privacy Commissioner, the Public Services Commission and central Government security expertise will also have input into several reviews to make sure the Canterbury system is secure and compliant,” an MoH spokesperson said.

The ministry did arrange independent security checks of the Valentia system used as the MIQ Border Clinical Management System, the spokeswoman said. While multiple investigations are underway into the Canterbury DHB security breach, the initial take by tech commentators is that it looks like human error. But one insider also told the Herald that risk could have been exacerbated by software designed for one purpose being used for another.

You can go your own way

And the broader question is why DHBs have gone their own way on booking and vaccine management systems.

On January 18, the MoH told the Herald that it was creating a new Covid-19 Immunisation Register (CIR) to track Covid-19 distribution, and the administration of first and second jabs. The budget for the new system was $38 million.

Work was “well underway” on the CIR, an MoH spokeswoman said. The new, cloud-based vaccination register was being created in partnership with US-based multinationals Salesforce and Amazon Web Services. (Salesforce is best known for its customer relationship management or CRM software, used by salespeople to track calls and take notes, but in September last year it created a database aimed at government vaccine rollouts). The CIR will replace the old National Immunisation Register (NIR) which was developed in the early 2000s, pre-cloud, and focused primarily on early childhood immunisation.

While the full CIR system would not be ready by the time the first Pfizer/BioNTech doses arrived, “We have already built a new ‘interim’ solution that can be used now, if required.” The interim solution was a “cut-down” version of the Salesforce-based solution, she said.

So why did major DHBs go with different software?

Because a new, Salesforce-based national booking system is not yet ready.

“The national online booking system is being built on the same Salesforce platform as the CIR uses but with an additional plug-in called Skedulo [made by an Australian company of the same name],” the MoH spokeswoman said.

“This platform has been successfully used internationally for similar booking systems. The system will be rolled out nationally in late May to support the ramping up of Covid-19 vaccinations, particularly as we move towards the middle of the year when the general population are able to access their vaccinations.

“The national online booking system will support and, in some instances, replace individual DHB booking systems,” the MoH spokeswoman said.

While the Salesforce-based booking system will work with the new Covid-19 Immunisation Register, the CIR plays a wider role.

“Details recorded by the CIR include: NHI numbers, location of vaccination, vaccine type, volume administered, batch number, date and time, who the vaccinator was and any immediate adverse reactions.”

Soon, the system will also likely have to feed into some kind of vaccine passport certification.

While those features went live in December 2020, the expanded CIR which will replace the old (stay with me) National Immunisation Register won’t be ready for several months. All the MoH will says is that the new National Immunisation Solution -as the final service will be called – will be ready “in time for next year’s winter flu campaigns”.

Once complete, the new system will not only track vaccinations but allow punters to view free spots and book their own jab online.

“The UK experience indicates that a national booking system was very effective for large-scale vaccination events and dedicated community hubs,” the MoH spokeswoman said.

The UK, however, had the advantage of an existing online patient record system, as does Australia.

And while we wait for the national booking system, data about who’s got the jab is a lot more opaque than that available for infections, according to Herald data journalist Chris McDowall.

“The Government’s openness about Covid-19 case data stands in stark contrast to the slow-walk release of information about the vaccine rollout,” McDowall says.

Following months of planning, the first Covid vaccinations were administered on February 20. Over six weeks later there are still no vaccination progress numbers on the Ministry of Health’s website.

“But the only regular updates on the rollout come during Wednesday media updates fronted by Minister Chris Hipkins and director-general of Health Dr Ashley Bloomfield. Unfortunately, the numbers provided at these events are often vague and occasionally flat-out wrong,” McDowall says.

Meantime, while the Office of the Privacy Commissioner is part of the multi-agency investigation into the Canterbury DHB data breach blunder, it is still not across the pending new system.

“We’re aware of the Ministry’s plans for a national vaccination booking system but we are not aware of the details of the system. That of course may change but that’s how things are at the moment,” a spokesman for the OPC said.

Source: Read Full Article