HealthCerts — An Update

Bill Claxton
Feb 19, 2021


I had previously written about HealthCerts and Singapore’s Safe Travel initiative. In this article, I want to report on progress and difficulties faced along the way. Disclosure: My company NextID is one of the vendors providing HealthCert issuance services.

Background

With the arrival of COVID-19 vaccines in Dec 2020, much attention has been paid to jump-starting air travel. Just like the roll-out of vaccines, the introduction of so-called ‘Health Passports’ has also been fraught. Although the US has mandated that international travellers will require proof of a negative COVID PCR test prior to entry, this proof can take the form of an ordinary paper document which is not tamper-proof. This is a flawed approach because fake COVID test certificates have become easily available across the world. And there is still a debate whether domestic travellers will require such proof.

At this time, there are two global efforts focused on rolling out ‘Health Passports’: the Vaccine Credential Initiative, driven by Microsoft and several tech giants, and an airline industry initiative led by IATA. The Vaccine Credential Initiative relies on a credentials wallet known as CommonPass and the IATA Travel Pass is powered by Evernym’s credentials wallet. Both of these require the traveller to adopt a digital identity by installing and using a mobile phone app. It’s not clear that the travelling public is ready for this jump into the future of decentralised identity.

Singapore HealthCerts

So how is Singapore’s HealthCerts project faring? What’s beautiful about HealthCerts is their simplicity and ease-of-use. Here is a list of features that make the HealthCerts such a great solution, at least on paper.

Light Weight — Unlike systems which consist of wallets and issuer registries, a HealthCert is a portable machine-readable attestation. It is equally valid whether instantiated as a digital or paper document, using a QR code to link the two forms.

Standards Based — A HealthCert implements Fast Healthcare Interoperability Resources (FHIR), a medical data interchange format used by hospitals, and Verifiable Credentials, a data model for producing and sharing verifiable claims. It is therefore interoperable with most of the COVID-19 fitness to travel solutions, including CommonPass and IATA’s Travel Pass.

Easily Produced — A HealthCert can be produced by any of the approved vendors, providing ready choice for the local market. Because OpenCerts is open source, the barrier to adoption by foreign vendors is also low — as was demonstrated recently when a Canadian company became the supplier of certificates to 2 of Singapore’s largest medical testing labs. This advantage accelerates time-to-market.

Reliable — A HealthCert provides irrefutable proof that a known issuer has attested to the medical status of a particular individual. Backed by blockchain, the certificate cannot be fraudulently produced or tampered with after issuance.

But despite these merits, there have been delays in implementation and poor coordination with vendors, and the government of Singapore hasn’t fully embraced the decentralised capabilities of Verifiable Credentials. Vendors have neither a clear technology roadmap nor any explicit government support for their commitment to the Safe Travel Initiative.

[Figure: HealthCerts Singapore timeline]

The diagram above is a timeline which shows that NextID was able to issue HealthCerts within one month after invitation by GovTech (Singapore’s national information infrastructure provider). But it took 3–4 months for other elements to be put in place. These were prerequisites for market readiness, including: a vendor portal, a mandate for clinics and labs to convert from paper-based to machine readable certificates, and launching of a notarisation service (more on this below).

The Ecosystem

Certificate issuance can only succeed by providing value as part of an ecosystem. Following is a summary of the COVID healthcare ecosystem in Singapore:

  • more than 25k COVID-19 tests are administered every day in Singapore
  • 600+ clinics are performing swabs for travellers and symptomatic patients
  • 150 companies are supplying test kits authorised by Health Sciences Agency (HSA)
  • 30 labs are performing RT-PCR tests authorised by Ministry of Health (MOH)
  • a few vendors (including my company NextID) are providing certificate issuance solutions authorised by MOH and GovTech
  • only one vendor is able to verify these certs and confirm whether they attest to a negative test result within the 72 hour window — Affinity (aka Affinidi)

Affinity is part of the government technology investment company known as Temasek Holdings (which owns Singapore Airlines and Changi Airport). Affinity built an app which can be used to verify different types of certificates, whether or not they conform to the Verifiable Credentials data model, and they supply this to airlines and immigration authorities.

At the outset, the guidance we received from the government was to focus on the 600+ clinics which administer tests. But this quickly proved to be an impossible task because the clinics would turn vendors away until the Ministry of Health (MOH) gave them a mandate to go digital. Also, their volume is not high, typically 10 certs per day for stand-alone clinics and 100 per day for medical groups.

Compounding that, the certificates are time-sensitive and need to be issued promptly after receipt from the labs, so they may have to be issued individually. MOH policy states that each certificate is valid for 72 hours after the lab results are documented, and in that time the traveller must have reached his or her destination.

Some other vendors are using Ethereum for their blockchain anchor and due to the recently increasing price point of ETH, transaction fees can be as high as USD 5–10 per certificate. At least one other vendor is using a new proof of issuance method that relies on DID signing and does not require a blockchain-based trust anchor. We have sidestepped these transaction costs because we have moved to the Zilliqa blockchain, but the cost of transaction fees is a real problem for those issuing in small batches on Ethereum.

Data Consolidation

We felt from the beginning that the ideal party to issue HealthCerts for COVID PCR test results was the testing labs. They are in the best position to attest to the claims made in the certificate and have the economy of scale to automate and perform issuance in large batches. But when we discussed this option with the labs, we realised that they didn’t have all the information needed to produce a certificate, in particular the patient’s passport number. They also didn’t have an email or phone number for each patient, so they must coordinate with clinics to communicate test results to the patients.

An ecosystem approach recognises that data is added at each step in the process of issuance, notification and verification. For this to work smoothly, sufficient information must be available at each step in the process. But it seemed to us that crucial data was not shared from the first patient encounter, and was absent from the Patient Risk Profile Portal (PRPP). As a workaround, some labs asked their clinics to submit information such as passport numbers on a note attached to the PRPP printout. This required additional data entry. For our part, we added editing features to our issuance application that would allow both parties to share data without rekeying or transcription.

Notarisation

When vendors were first recruited for this project, it was explained that MOH would take a decentralised approach so that the various clinics and labs could help to scale up the nationwide certificate issuance system. But then they introduced an additional verification step called ‘notarisation’.

A key challenge with Verifiable Credentials is to reliably establish the authorship of a certificate, especially if the issuing entity is a small organisation. Other governments could not be expected to know which clinics in Singapore were trustworthy and which were not. Thus, notarisation was seen as a way to give credibility to HealthCerts, which would be relied upon by other governments.

Of course, there is no notarisation mechanism in Verifiable Credentials. There is a means for referencing a credential in another credential, such as to provide an endorsement of the issuer, but this is not notarisation per se. What GovTech and MOH decided to implement was the issuance of a new certificate, distinct from the one produced by the lab or clinic, and this would be the document required for travel.

Here is the process: a certificate recipient logs onto a government website, submits their certificate, and a new certificate is created which is issued by MOH. The process is performed by the traveller and not the clinic or the lab. They must do this within the 72-hour expiration period of their HealthCert.

Of course, as shown in the timeline illustration above, it took GovTech months to implement this additional layer of certification. On 9 February, the notarisation service went live. A recent MOH circular instructs clinics that the Affinity app will require notarisation for certs issued on or after 10 March 2021.

A Scramble

When the Ministry of Health finally announced their mandate to require digital issuance and QR codes on HealthCerts, they gave clinics and labs only 3 weeks to complete the migration. Vendors were not notified — we found out from the clinics. In the scramble to serve hundreds of clinics, competition heated up between the labs and several announced that they would be issuing HealthCerts for their clinics. In other words, the market changed overnight.

But because not all the data was present in the PRPP, extensive integration work was required and could not be completed by the deadline. The need for notarisation was mentioned in the MOH circular, but as it was not in production, there was also confusion over the requirements. On the night before expiration, MOH announced there would be a 1-month extension, and that it was incumbent on clinics to provide all of the data needed by the labs. This extra time was welcomed by the vendors, but of course, clinics began cancelling orders and working with their labs instead.

Who Should Issue HealthCerts?

We have faced a near-constant tension with the government over who should be the issuer of these HealthCerts. Verifiable Credentials (VCs) are decentralisation technology. Thus notarisation and centralised production are antithetical to how VCs should work.

One of the practical considerations of certificate issuance, not described in the Verifiable Credentials data standard, is that the Issuer and the Producer of a VC need not be the same entity — and usually they are not. A good analogy is the distinction between Data Controller and Data Processor in GDPR, a form of delegation, where the Data Controller is legally responsible for disposition of personal information but the Data Processor also has a duty of care for management and storage. In the context of academic credentials, a university would be the Issuer while the registrar’s office, a specific department or school would be the delegated Producer of certificates. Recognising this, our issuance application has always supported two entities with their own distinct admin rights: Issuer and Producer.

In the case of HealthCerts, MOH could be the Issuer and delegate to clinics or labs to act as Producers. MOH would only need to permit its public key or DNS signature to be affixed to each certificate. They would not need to process the data or perform any IT integration. And, because the clinics and labs are all licensed by MOH, they would be able to assure foreign governments that the issuance process was well-controlled and not subject to tampering or fraudulent issuance.

When we engaged with GovTech to drop the notarisation requirement, they raised additional concerns about potential ‘rogue clinics’ in two specific scenarios:

  • How would our issuance application prevent a clinic from issuing certs for tests or vaccinations that they were not actually authorised by MOH to produce?
  • How would our issuance application prevent a clinic from issuing certs for non-existent travellers, or travellers who did not actually have a negative test result?

For the first case, we explained that our application determines which tests a specific clinic may issue certificates for. We maintain internal lookup tables for Issuer and Producer attributes, like clinic addresses and physicians permitted to endorse certs. The data for permitted tests simply needs to be provided by the ministry and they can easily stipulate that vendors must implement such controls if not already available in their issuance applications.

The second case can be addressed by having the recipient accept the certificate as accurate before it can be used for travel. This is actually part of the VC data model (e.g. ‘Terms of Use’) and we recommend it because it provides another level of non-repudiation. In such cases, a rogue clinic would be endangering their license and would also need to collude with certificate recipients willing to make false claims in violation of the law.

As we went through the notarisation tests, we realised that MOH was checking precisely these things. The login with national identity and password meant that the traveller was legally exposed to liability for inaccurate or false statements to the government; by submitting the certificate produced by a clinic, they were in fact attesting to its accuracy; and behind the scenes, MOH was checking that the clinic was properly licensed and was authorised to conduct the tests being documented.

While MOH had chosen to perform these additional checks themselves, rather than rely on private entities, it was clear to us that notarisation would not have been required if MOH were the ‘issuer of record’ in the first place. They could also require vendors to ensure that clinics and labs were properly authorised, while simplifying the process for travellers.
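The controls discussed above (the Producer lookup table for permitted tests, recipient acceptance, and the MOH rule that a certificate is valid for 72 hours after the lab result is documented) can be expressed as two checks, one at issuance and one at verification. This is an added example, not NextID's or GovTech's code; the registry contents, field names, producer ids and error strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(hours=72)  # validity window stated in the article

# Constructed registry: what the Issuer (e.g. MOH) has delegated to each
# Producer. Producer ids and test-type names are hypothetical.
DELEGATIONS = {
    "clinic-001": {"licensed": True, "tests": {"PCR"}},
    "clinic-002": {"licensed": False, "tests": {"PCR"}},
}

@dataclass(frozen=True)
class Cert:
    producer_id: str
    test_type: str
    result: str
    documented_at: datetime   # when the lab documented the result (UTC)
    recipient_accepted: bool  # recipient attested that the cert is accurate

def issuance_errors(cert, registry=DELEGATIONS) -> list:
    """Producer-side control (first scenario): refuse to issue outside the delegation."""
    entry = registry.get(cert.producer_id)
    if entry is None:
        return ["producer unknown to issuer"]
    errors = []
    if not entry["licensed"]:
        errors.append("producer not licensed")
    if cert.test_type not in entry["tests"]:
        errors.append("test type not delegated to producer")
    return errors

def travel_errors(cert, now, registry=DELEGATIONS) -> list:
    """Verifier-side check: delegation, recipient acceptance (second scenario), 72 h window."""
    errors = issuance_errors(cert, registry)
    if not cert.recipient_accepted:
        errors.append("recipient has not accepted the certificate")
    if cert.result != "negative":
        errors.append("result is not negative")
    age = now - cert.documented_at
    if age < timedelta(0):
        errors.append("result documented in the future")
    elif age > VALIDITY:
        errors.append("outside 72-hour window")
    return errors

if __name__ == "__main__":
    t0 = datetime(2021, 2, 9, 8, 0, tzinfo=timezone.utc)  # constructed sample
    print(travel_errors(Cert("clinic-001", "PCR", "negative", t0, True), t0 + timedelta(hours=73)))
```

An empty list means the certificate passes; each string names one failed control, so a verifier can show the traveller or clinic exactly which condition was not met.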

What’s Next?

The next step in HealthCerts evolution is to introduce vaccination certificates. At NextID, we are waiting for the schema for this type of certificate, which will come from MOH and GovTech. MOH will provide the FHIR portion and GovTech will wrap it in a VC document.

It is pretty clear that the demand for vaccination certs will eclipse what we observed for COVID PCR test results, even if the latter may still be required during the transition. The validity of vaccination certificates will be months at a minimum, much longer than the 72 hours for COVID PCR tests. So we expect this is where all the capabilities that vendors have put in place can finally be put to good use to help the Safe Travel initiative take off.

In the vaccination scenario, labs have no role and it will be incumbent on the clinics to produce certificates. If MOH takes the role of Issuer and clinics take the role of Producers, then the vendors will be able to provide issuance solutions rapidly. Let us hope that MOH sees reason this time and does not try to centralise production — which would be inimical to the whole decentralised credentialing effort.

Want to know how it turned out? Be sure to read the coda.

By William Claxton, CEO & Founder of NextID
