As vaccination mandates become more common, immunization records are increasingly required across the world. Organizations are turning to the digital space to upload images of COVID-19 record cards as electronic proof of vaccination.
Having a web application for uploading proof of vaccination records is a double-edged sword. When implemented properly, web applications save a good deal of time verifying everyone’s health information. But vaccination cards submitted to an online portal can expose organizations and their user data to cyber risks.
Unsecured file uploads in web applications can potentially result in a data breach, malware infiltrating the organization’s infrastructure, ransomware, or a zero-day attack. In fact, 82% of organizations reported an increased concern about malware attacks from file uploads since last year.
Regardless of your position on vaccination cards and mandates, let’s review the potential risks associated with external parties uploading images and documents into web application environments for ongoing management.
Here are five issues you may want to consider:
1. Vaccination compliance verification
Whether it’s a regulatory or local policy decision, organizations are requiring their constituents to upload proof of vaccination to provide or receive services, particularly in scenarios where individuals may find themselves near others or indoors.
Depending on the requirement, organizations may ask members to submit proof of full COVID-19 vaccination, or in some cases, show a negative PCR COVID-19 test or a negative rapid test result from a legitimate testing provider within 72 hours before entry.
This use case for uploading proof of vaccination is driven by increasingly more demanding requirements:
- President Biden’s September 9 Executive Order and related guidance on ensuring adequate COVID-19 safety protocols for federal contractors require that public university employees, including student workers and graduate assistants/associates, upload proof of full vaccination documentation by December 8, 2021, unless they have been granted a religious or medical exemption.
- Return to campus protocols for many universities are mandating students and employees be fully vaccinated against COVID-19, requiring proof of vaccination via either two doses of the Pfizer or Moderna vaccine, or one dose of the Johnson & Johnson (Janssen) vaccine (Note: the WHO has listed additional vaccinations for emergency use internationally).
Hospitals and other health care facilities
- On November 4, the Biden administration declared COVID-19 as an occupational hazard and introduced a new vaccination mandate that would require about 17 million healthcare workers across 76,000 hospitals, nursing homes and other health care facilities to be fully immunized by January 4, 2022.
Transportation and travel
- United Airlines required its 67,000 U.S. pilots, flight attendants and gate agents to be vaccinated by October 25. This is one of the strictest mandates in the industry.
Recreational and entertainment venues, including restaurants, bars, and taverns
- In locations like New York City, San Francisco, and Los Angeles, a negative diagnostic test is no longer a valid vaccination substitute for attending indoor events and restaurants, and oftentimes proof of vaccination is required as part of purchasing tickets and admittance.
In these cases, each organization provides some form of guidance to fulfill their vaccination and compliance verification requirements as a prerequisite to help organization members follow the appropriate document upload procedures.
2. Building a proof of vaccination system
Given today’s digital landscape, the mechanics of uploading files to portals is often an extension of existing applications with three key components: the front end, the back end, and the human element—the administrative users reviewing the evidence internal to the organization.
- Front end: Mobile applications and web browser applications have quickly emerged to support Health Self-Assessments and document uploads to a variety of human resources and health management systems. In many cases, it’s as simple as downloading the app, logging in, taking a picture of your vaccination card, and uploading to the applicable website.
- Back end: A complete web application infrastructure is required to support this process, either a custom application environment or a SaaS application supporting a level of customization tailored to specific form fills and file upload criteria. The back-end infrastructure should also support file upload storage and security requirements. From a security perspective, this should include a file upload security component that provides scanning capabilities to detect known malware and emerging threats as well as content disarm and reconstruction (CDR) technologies that remove dangerous elements of files and allow them to proceed safely through existing proof of vaccination workflows.
- Human element: Administrative users, associated with Health Assessment teams, are often responsible for manually reviewing the vaccination documentation over two to four business days to ensure compliance. This represents perhaps one of the weakest links in this process. Without the necessary security or integrity checks of these submitted third-party files, administrative users open files that can inadvertently execute potential malware within their business infrastructure.
3. Emergence of fake COVID-19 vaccine cards
The sale of fraudulent COVID-19 vaccination cards is booming as individuals look to circumvent vaccination requirements.
The black market started to flourish months after international officials had warned the world to prepare for organized crimes that target the COVID-19 vaccines. In Memphis, authorities have seized more than 120 packages of counterfeit cards imported from China in August. In a different scenario, two travelers were arrested for allegedly using falsified vaccination cards to travel to Hawaii.
Using forged vaccination cards is not just illegal—it also exposes identities to risks as scammers will have the target victims’ personal information. Once the cybercriminals have seized your organization’s or constituents’ confidential data, they can make a profit at your expense: making fraudulent transactions, gaining access to other accounts, or holding data hostage until a ransom is paid.
High-tech threat actors can also inject malware into the images of the vaccination cards by inserting a malicious code into the script of the image. Once the victim has downloaded and opened the image, they will also trigger and launch the malware, disseminating malicious content into your organization’s system.
4. Private information and data loss prevention
Asking for proof of vaccination also comes with the responsibility of safeguarding personally identifiable information (PII) data within these cards. Your record card contains sensitive information, such as your first and last name, date of birth, and your medical record number.
Organizations with a web application for uploading vaccination cards can safeguard PII data by reinforcing data loss prevention (DLP) capabilities. DLP is effective at mitigating third-party risks, helping to prevent data breaches, and minimizing the risk of compliance violations. For digital images like COVID-19 vaccination cards, DLP solutions that incorporate Optical Character Recognition (OCR) can recognize, detect, and redact the sensitive data in images.
5. Integrating into existing environments
Businesses often rely on third-party online software tools for form uploads or tracking of employees’ vaccination status. For example, Employee or Human Resource Management Systems (HRMS), like Oracle PeopleSoft, Workday, and dozens of other SaaS providers, often serve as the primary application to host data on employees and their health assessments.
These external applications may require integrations to other web applications to facilitate uploads of vaccination proof to the existing environment, which means they need a protection layer to secure against potential threats, such as advanced malware, zero-day attacks, or data breaches. Anytime a software is being developed, particularly external facing, it should meet strict software development life cycle (SDLC) and DevSecOps applications security requirements before entering production.
Building strong security for file uploads
The lack of an appropriate cybersecurity process when allowing file uploads onto web application portals can result in attacks on the organization’s infrastructures, attacks on the user, and disruption of service. The good news is that organizations can take preventive measures to mitigate file upload attacks.
Here are 10 best practices that we recommend:
- Authenticate users before uploading any file
- Only allow specific file types
- Verify file types in addition to restricting the file types accepted
- Set a maximum name length and maximum file size
- Use simple error messages so users can change their behaviors
- Check for vulnerabilities in files
- Scan for malware in all files
- Remove possible embedded threats, e.g., hidden scripts and macros that are not always detected by anti-malware engines
- Randomize uploaded file names so that attackers cannot try to access the file
- Store uploaded files outside the web root folder