An IT expert is raising questions about the security of the government’s new website and health app, but the head of national digital services says there is nothing to worry about.
Yesterday, the government launched My Covid Record, a web application that by the end of the year will allow people to store their vaccine certificates and Covid test results.
Currently, the app only allows people to access their vaccination records.
IT security expert Daniel Ayers said the web application was using software that was known to have security flaws and that people’s information could be at risk.
Users can use their RealMe to create an account for the app or sign up with their email address, ID, and national health index number.
Ayers tested the web application on several security testing sites that highlighted “medium risks” or breaches in cybersecurity, and gave it a rating of D.
He said it was unacceptable.
“This is a healthcare system, you would expect it to be flawless, well configured and secure, but it is not. This is a site that most, if not the entire population of New Zealand, will have to visit and use because it is the way in which we obtain our vaccination certificates,” he said.
The tests suggested that the application uses an outdated version of jQuery, which has been known to have at least two security flaws since April last year.
Ayers said it was concerning that the app had made it through the development process without warning signs like these.
“What worries me is not so much that it has mid-level security problems, they are not necessarily catastrophic. I think the problem is, what do we conclude from the fact that this newly launched website has security flaws?
“That is not what you would expect from a government website that contains health information, and it is not good enough.”
Ayers also questioned what quality control tests had been done for the website, as he was able to identify problems with the site so quickly.
However, the manager of the national digital services group at the Ministry of Health, Michael Dreyer, told Morning Report that there was nothing to worry about.
“It’s absolutely safe, my job is to keep New Zealanders’ health information private and secure, we take this very seriously, we’ve spent a lot of time building it, and we run rigorous security checks.”
Dreyer said the software had been “tracked all over the place” by several security partners.
After reading a report on Ayers’ concerns, Dreyer said the reported problems were “very low risk.”
“We have tested the penetration of this thing several times and have been externally reviewed by various parties.
“We run a process called ‘responsible disclosure’ where members of the public or security experts who choose to take a look at these things can go to our website and provide information where they feel there are gaps, our teams obviously take a look at that and interact with those people and solve any problems they find.”
Dreyer said they would take down the website if they learned of any privacy or security issues.
“We use very modern cloud software platforms and we are constantly reviewing, updating, patching, getting ahead of these things, you know this is something we do every day, so we are always chasing that.”
He said his team could work with Ayers to understand their concerns, but there is currently nothing wrong with the website or app.