An IT expert raises questions about the security of the government’s new website and health app, but the head of national digital services says there is no cause for concern.
Yesterday the government released My Covid Record, a web application that by the end of the year will allow people to store their vaccination certificates and Covid test results.
Currently, the application only allows people to have access to their vaccination records.
Computer security expert Daniel Ayers said the web application used software known to have security vulnerabilities and people’s information could be at risk.
Users can use their RealMe to create an account for the app, or register with their email address, username, and national health index number.
Ayers ran the web application through various security testing sites, which identified “medium risks”, or gaps in cybersecurity, and gave it a D rating.
He said it was unacceptable.
“It’s a healthcare system, you expect it to be flawless, well installed and secure, but it isn’t. It’s a site that most, if not all of the people of New Zealand are going to have to use because that’s how we get our vaccination certificates,” he said.
Tests suggested that the app uses an outdated version of jQuery, one known to have had at least two security holes since April of last year.
Ayers said it was concerning that the app had passed the development process without red flags like these being noticed.
“What concerns me is not so much that there are mid-level security issues, they’re not necessarily catastrophic. I think the issue is, what can we conclude from the fact that this website newly launched has security vulnerabilities?
“It’s not what you would expect from a government website with health information, and it’s not good enough.”
Ayers also asked what QA testing had been done for the website because he was able to identify issues with the site so quickly.
However, Michael Dreyer, head of the Department of Health’s national digital services group, told Morning Report there was nothing to worry about.
“It is absolutely safe, my job is to keep New Zealanders’ health information private and secure, we take this very seriously, we have spent a lot of time on construction and we carry out rigorous security checks.”
Dreyer said the software has been “explored everywhere” by several security partner companies.
After reading a report on Ayers’ concerns, Dreyer said the reported issues were “very low risk.”
“We have had this intrusion tested several times and have had it reviewed externally by a number of parties.
“We run a process called ‘responsible disclosure’ where members of the public or security experts who choose to review these things can go to our website and provide information where they believe there is a gap, our teams obviously take a look and engage with these people and solve any problems they find.”
Dreyer said they would take the website down if they were aware of any privacy or security concerns.
“We use very modern cloud software platforms and we are constantly checking, upgrading, patching, staying one step ahead of these things.”
He said his team could work with Ayers to understand his concerns, but currently there was nothing wrong with the website or app.