By Michael O’Farrell – Investigations Editor
THE HSE’s new vaccination portal is unable to recognise imposters seeking to leapfrog others on the priority list, the Irish Mail on Sunday can reveal.
Instead, the system, known as the COVAX portal, relies on a physical ID check which must be carried out by vaccinators immediately prior to a jab being administered.
The revelation of a potential back door into the vaccine rollout comes as health unions this week expressed concerns about the possible manipulation of the portal by those seeking to jump the queue.
‘This highlights a point that we as a group of unions have raised with the HSE ourselves,’
Siptu’s health division chief Kevin Figgis told the Irish Mail on Sunday.
‘We asked how they can ensure that the sequencing, which is based on risk and exposure, will not be exposed to people trying to manipulate it or people trying to put themselves before somebody else.
‘We were assured that the software is strong enough to ensure that people will be assigned correctly.’
To test this, the MoS accessed the portal the day after it was launched this week and was able to register as a frontline healthcare worker.
The system – being put in place by IBM and global customer relationship management (CRM) firm Salesforce – did not recognise the use of a PPS number which did not match the applicant’s name. ‘Thank you for registering with the Covid-19 vaccination system,’ a confirmation of our registration reads.
‘As a frontline healthcare worker, the Covid-19 vaccination service will be available at your facility and you will be contacted.’
According to rollout guidelines, vaccination teams must verify the identity of those who show up for vaccination appointments via a form of photo ID.
A person’s entitlement to receive the vaccine as a priority candidate must also be physically established via proof of employment.
However, a letter from an employer, which an imposter could easily fake, is deemed sufficient.
Though it is unlikely large numbers of people would seek to manipulate the system, concerns have already been expressed that some do try to jump the queue.
‘There were issues with all sorts of people turning up at nursing homes,’ one well-placed insider told the Irish Mail on Sunday.
‘Some were turned away – but many people I’ve been told about, particularly in rural parts of the country, were just putting everyone through.’
The insider, a high-ranking health administrator, said they would not be surprised to see the portal manipulated.
‘I wouldn’t be shocked at all,’ the person said. ‘It appears to me to be relying on honesty – that only health workers are going on to register in the correct categories and they’re just relying on most people waiting their turn.’
Controversially, the issue also came to the fore in recent weeks as some hospitals vaccinated connected parties, such as family members of senior managers when they found themselves with spare doses of the Pfizer jab.
‘The adherence to the sequencing document is very important to us because previously, when hospital groups were given the vaccine, there was a lot of concern that maybe that was not adhered to as was set out and I think that’s been recognised by the HSE,’ said Mr Figgis.
Today’s revelation questioned the ability of the vaccine portal to weed out imposters, he said. ‘They’re putting a lot of stock in the fact that those concerns will now be addressed because they believe that the software is going to be strong,’ he said.
‘But what this does is highlight that you’re ultimately relying on somebody to produce some type of a card or something. Well, that does suggest then that the software maybe isn’t as robust as it needs to be.’
Concerns about queue jumping via vaccine portals are not unique to Ireland.
Last month the BBC reported that a UK wheelchair firm denied doing anything wrong by circulating a link to employees that gave healthcare workers access to the NHS vaccine portal.
‘Through a back door we have access to vaccinations,’ the email told staff.
Meanwhile in the US, similar problems with a vaccine portal for teaching staff across Nevada saw unions describe the situation as ‘kind of like the vaccine Hunger Games’.
Another issue that unions are warning about here is that many lower grade healthcare workers may not be able to access the HSE’s vaccination portal.
‘There are a lot of members that we represent who work in different grades within the health service where it would not be normal or natural to them to have IT access, laptop access or even have an email address,’ said Mr Figgis.
‘You cannot have staff working in a key priority area who are subject to exposure and risk – you cannot have a situation that they cannot register for their vaccine because you’re putting the reliance on them to be IT literate.’
Siptu members have also experienced technical issues with staff being unable to log into the portal in certain circumstances.
These teething problems have also been experienced by the private home care sector, which employs more than 10,000 carers who must be vaccinated as health staff.
‘The logistics of this have been a little bit messy,’ said Home and Community Care Ireland’s chief executive, Joseph Musgrave.
‘Different community healthcare organisations have different procedures,’ he said. ‘Some are asking people to complete spreadsheets with their carers listed. Others are directing them to the portal and others are doing both. It’s unclear sometimes to our members how they’re meant to proceed and make sure their carers get the vaccine.’
Mr Musgrave has previously expressed concern about the fact that the HSE does not know how many carers are employed across the system – something that feeds into concerns about the potential for the manipulation of access to vaccinations.
‘I don’t know how they will track it,’ he said.
‘There is no central register in the sector. It’s all well and good having a national IT system to track and administer the vaccine itself, but I don’t know how that system talks to other systems to make sure we’re getting full coverage.’
In response to queries from the Irish Mail on Sunday, the HSE said it was deploying a system in weeks that would usually take months and that for ‘reasons of extreme urgency’ IBM and Salesforce were selected after a ‘rapid selection process’ rather than through a competitive tendering process.
For commercial reasons the HSE is refusing to reveal the contract value.
Addressing the security of the portal, the HSE said a ‘balance must be struck between ease of use and security’ and added that a ‘multi-factor authentication process’ is being considered before the portal is made available to the public.
‘We will do everything in our power to ensure that no vaccine is inappropriately allocated to people attempting to undermine the vaccination programme by seeking a vaccine out of sequence,’ the statement said.
The HSE added that anyone seeking to register using falsified personal data ‘will be noted at the point of validation’ and could end up having their vaccination delayed.
‘Such efforts could result in a person delaying their opportunity for vaccination in the appropriate sequence,’ the statement said.
The HSE also advised that any health staff who have already registered in the wrong sequence should update their profile in the portal with the correct details and said support was available for those who are not IT literate.
PATIENT DATABASE COULD BE HACKED
THE HSE’s vaccine portal will create an unprecedented national database containing personal information and health details of virtually the whole population.
The system will exceed previous patient databases in both scope and scale.
So how safe will this database be?
The answer is that the portal will be as secure as your online banking account or any other service you trust the internet with.
But in a world where global powerhouses and governments are routinely hacked and attacked, the reverse is also true that it is vulnerable. In other words, if eBay and the US Government can be hacked, so can the HSE.
The data potentially at risk includes everything the vaccine portal collects.
For starters, that means names, ethnicity, gender, addresses, eircodes, dates of birth, email addresses, everyone’s mother’s maiden name, mobile numbers, system passwords and basic health details required before a vaccine is administered.
From there, the data will grow to include details of adverse reactions and follow-up appointments as well as lists of those who decline consent.
Almost inevitably, thanks to the creation of a unique health identifier, the portal is the first in a much larger step towards all of our medical files being stored electronically in the cloud.
In this instance, that cloud is controlled by Salesforce and resides in overseas data centres.
In a new Data Protection Impact Assessment (DPIA), the HSE and its partners, IMB and Salesforce, have considered all the risks.
According to the DPIA, which has been prepared in consultation with the Data Protection Commissioner, it is likely that attempts will be made to intercept data transfers to and from the system.
To counteract this, the HSE and its partners have promised to ‘ensure that data is encrypted’ in an effort to prevent interception.