Building a standardized, secure and verifiable vaccine certificate system for COVID-19 in Laos using DHIS2
HISP Vietnam supports the implementation of an internationally recognized digital COVID-19 vaccine certificate in Laos based on EU standards.
When COVID-19 became a global health crisis, countries adopted restrictive measures including stringent lockdowns and border closures to contain the spread of the virus. International travels quickly ground to a halt. Following the availability of vaccines against the virus in 2021, governments the world over began what is arguably the world’s largest concurrent vaccination campaign. To better manage the vaccination campaigns, countries introduced vaccination certificates, often referred to as vaccine passports, used to identify individuals who have been fully vaccinated against COVID-19.
As more people became vaccinated, local and international travel slowly restarted, but this posed a new challenge: a lack of standardized, easily verifiable COVID-19 vaccine certificates which can be used to validate the vaccination status of travelers.
HISP Vietnam, with support from the DHIS2 interoperability team, adopted the technical specifications contained in the EU Digital COVID Certificate (DCC) application guidelines to build a COVID certificate generation and validation system in DHIS2 for Lao DPR. The system has helped Lao implement a digital certificate system to generate, sign and verify COVID certificates as well as help the Ministry of Health authenticate other important documents for enhanced security. Certificates generated by the system can be verified both online, via a public portal, or offline using secure certificate signing keys, including by health and border control authorities in other countries. This solution is now freely available on Github, allowing other countries to take advantage of this local innovation.
Choosing a standard for a digital COVID-19 certificate in Laos: security, simplicity and interoperability considerations
HISP Vietnam considered a few globally acceptable standards in determining the architecture and method to design an efficient COVID certificate system. The Digital Infrastructure for Verifiable Open Credentialing (DIVOC) system, which used the guidelines and digital architecture standard for a digital smart vaccination certificate established by the WHO Smart Vaccination Certificate Working Group in 2021, was the first platform tested by the HISP Vietnam team for generating COVID vaccine certificates. The DIVOC platform had already been integrated with DHIS2 for digital COVID-19 certificates in Sri Lanka. However, in reviewing this option, HISP Vietnam found it to be unsustainable in the Laos context, given the complexity of the integration and the need for significant long-term technical support by both the HISP and DIVOC teams it would entail. Consequently, HISP Vietnam considered other options.
Similar to the WHO’s Digital Documentation of COVID-19 Certificate (DDCC), the eHealth Network of the EU had developed a set of technical specifications for the implementation of the EU Digital COVID Certificate (EU DCC). The EU DCC was initiated to promote safe travel and unrestricted movement within the EU by standardizing systems for the generation and verification of vaccine certificates by member countries. This standard facilitates the creation of vaccine certificates containing QR codes in both digital and paper formats and is notably secure. All member states of the EU have adopted the EU DCC standard for their COVID certificate systems, as have several non-EU countries in Africa, Asia and South America.
The EU DCC standard was selected by HISP Vietnam as the preferred approach for the development of the COVID-19 certificate system for Laos. The simpler model of the EU DCC standard facilitates secure certificate generation in DHIS2 without the need to duplicate vaccine registry data in an external platform. It was also within the technical competency of the HISP Vietnam team to develop the Vaccine Certificate system in DHIS2 using this guideline, thereby utilizing local competencies and foreclosing the need to depend on external teams for long-term technical support.
Structure of the COVID vaccine certificate system in Laos
In Lao DPR, the Ministry of Health had deployed the DHIS2 COVID-19 surveillance metadata package for tracking the spread of the virus throughout the country. The system which was implemented with the help of HISP Vietnam had helped Laos generate accurate data on the pattern of the disease spread, supporting efforts to curtail the virus. Building on that, the COVID certificate solution pulls essential data from the DHIS2 COVID vaccination registry which is then used to generate a secure certificate using private certificate signing keys (pki) issued by the approved signing authority, in this case, the MoH.
In Laos, custom web and mobile applications were developed to access the certificate generation service. To adopt COVID certificate generation services inside DHIS2, HISP Vietnam developed a custom form solution that could be included inside the DHIS2 tracker generic module instead of creating and maintaining custom web apps. This custom form solution has also been adopted in Vanuatu and Suriname for their COVID certificate generation.
The custom form solution was developed to help the MoH in Laos issue certificates both in the local Laos script, which is used in-country, and in English for international travel. The custom applications developed by HISP Vietnam are publicly available in google and apple play store to Laos residents who can self-generate their own vaccine certificates by providing identifiers including vaccination ID, date of birth among others.
Certificates generated by the system are verifiable in two ways: through a public portal and by use of a public encryption key. The public portal is a website accessible by anyone and does not require registration. Any device with a camera can be used to scan the QR code attached to the generated vaccination certificate for immediate authentication. With this method, the certificates generated can be verified anywhere provided internet access is present. So far, this method has been used throughout Laos as well as by officials in Singapore and the Philippines to validate COVID certificates presented by international travelers from Laos. The second method for verifying vaccine certificates generated by the system is with the public encryption key issued by the signing authority. This key can be shared by the Laos MoH with approved partners, organizations or governments to facilitate offline verification of vaccine certificates. To this effect, relevant authorities in Singapore have been issued a public key that can be used to verify certificates presented by travelers from Laos without the need for internet connectivity.
Unique benefits of the COVID Certificate System: End-user data accessibility, non-intrusive certificate verification, systems strengthening beyond COVID and use of international standards supporting widespread acceptability
The COVID certificate system by HISP Vietnam focused on a simple and easy-to-maintain solution by integrating the vaccine data repository with the certificate generation system, thereby avoiding the need to modify the core DHIS2 app. The system has helped the MoH generate and verify COVID vaccine certificates, but beyond that, there are some outcomes from the implementation that stand out.
User data accessibility: Most countries maintain a form of registry for storing and tracking data of their population who are scheduled to be vaccinated or have been vaccinated for COVID-19. During the COVID-19 pandemic, many countries deployed electronic registries using DHIS2 to allow for multi-point data entry and speedy response. The team at HISP Vietnam has extended their system to allow people who have been vaccinated to review their records in the registry for accuracy and completeness. To do so, people are expected to enter their vaccination ID and other identifiers in a public portal to access their records in Tracker. Subsequently, if they notice an error in their data, they can take steps to have them corrected by contacting the healthcare or vaccination centers. This feature serves to improve data quality and integrity in the system, thereby aiding high-quality research, planning and management.
Non-intrusive and secure certificate verification: The COVID certificate system in Laos was designed to support offline verification of issued certificates without access to the national vaccine registry of the country. To achieve this, the country signing authority can generate a pair of private and public keys which are used to encrypt and decrypt the user data encoded in the certificate respectively. The encrypted data is then presented in QR code format which can be printed or downloaded by the user. The country signing authority could then share the public key with any approved user or organization who can subsequently verify the authenticity of the generated certificate without connecting to the vaccine registry. This system further secures user data by removing the need for remote access to user records in the registry while still enabling certificate authentication without internet connectivity.
Systems strengthening beyond COVID: The common practice for issuing official documents in government ministries is by printing, appending a signature and stamping the documents. It is also generally known that this time-honored practice does not provide adequate or timely document authentication capabilities. As part of the process of implementing the COVID certificate system in Laos, HISP Vietnam facilitated the establishment of the country signing authorities in the Ministries of Health and ICT to generate certificate signing keys for document validation. Personnel of the ministries were also acquainted with global best practices of using digital certificates for document control and validation. It is hoped that this will spur an uptake in the use of digital certificates to sign many other documents issued by the ministry beyond COVID certificates.
Widespread acceptability: The Laos COVID certificate system was developed based on the EU DCC guidelines which outline frameworks for a unified COVID certificate generation and verification system across Europe. Currently, the system is being used by all the countries in the European Union as well as 48 non-EU countries spanning Africa, Asia and South America. By adopting this standard, certificates issued in Laos are potentially acceptable in those countries, simplifying travel for users and verification for officials.
Note: The approach to generating digital certificates in Laos developed by HISP Vietnam described above is a useful model for countries where no prior solution exists for creating and signing digital certificates. Countries that already have digital certificate solutions can integrate data directly from DHIS2 Tracker programs without the need for duplicate data entry. An example of this approach is Cape Verde, where data from the DHIS2-based COVID-19 vaccination registry is sent via an interoperability layer developed by Saudigitus (HISP Mozambique) to the government platform for generating and hosting certificates. In the case of Cape Verde, these certificates are also based on the EU schema and are accepted for travel into the EU.