Updated Strategic Command’s jHub aids NHSx securing Covid-19 symptom data

News by SC Staff

The Minisry of Defence Strategic Command’s innovation hub, jHub, is supporting NHSx to securely gather and share COVID-19 symptom data for project OASIS.

Mounting security concerns and doubts attached to the trailed NHS Covid10 tracing app are stemming from registration issues and the use of unencrypted data within the app which can be exploited by cybercriminals, says David Grout, CTO for EMEA at FireEye.
He notes, "One of the biggest concerns is attached to the fact it’s based on a “centralised” model. Just yesterday, France came out in defence of its own centralised model where contact-matching happens via a computer service as opposed to the decentralised model which uses the people’s phone to make the match. The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely."
“Whilst the National Cyber Security Centre (NCSC) is addressing the security issues raised, this news will make the public very uneasy ahead of a full national rollout. Experts suggest that for the UK as a whole, about 60 percent of the population needs to install and use the software for it to live up to its full potential. The government is relying on a public buy-in for the project to work. To get the public on side, the government will need to not only ensure data is stored securely but also build trust by being open and transparent about the measures taken to defend citizen data, and also make the public aware of their rights to privacy. With this in mind, the Government should only gather data and information which will be used towards its sole purpose to mitigate the spread of the virus."
“With concerns surrounding the usage of the data in the app, and what will happen to that data even after the pandemic, there needs to be an agreed time restriction on how long the data is collected for and deletion rights which align with current data privacy regulations. Citizens should be made to feel in control of their data and reserve the right to have data deleted from the record once the crisis is over.”

Addressing some of these concerns, the Ministry of Defence Strategic Command’s innovation hub, jHub, is now supporting NHSx to securely gather and share Covid-19 symptom data for project OASIS.

Several third-party apps and websites have been collecting Covid-19 symptoms and basic demographic data to track the spread of the virus. OASIS will not be receiving, or requesting, data that can identify individuals (e.g. names or GPS specific location data).

Project OASIS is supported by JHub for "coordination and coherence of the Covid-19 symptom tracker apps; including facilitating the secure transfer of relevant symptom and epidemiology data from the third party Covid-19 apps to the NHSx datastore."

Information and any free text inadvertently identifing users is removed so that only symptom and demographic data is included. The data is checked for any security issues, with any incorrect or duplicate data erased, then it is securely shared with NHSX, (NHS England) to understand where the virus is spreading and how quickly.

A government statement says: "Project OASIS will adhere to strict controls to ensure the data sharing meets data protection legislation."

Natasha Gedge, the chief operating officer at jHub, commented: "At jHub, we are always working to deliver for UK Defence and we are proud to be able to take our approach, and apply it in support of the NHS and the people of the UK.

NHSx and jHub say they are only working with apps that have been assessed to the NHS Digital Health Technology Standard or against the Digital Assessment Questionnaire (DAQ) including the following App Providers,  

Agitate Ink C-19

Collected Cognition - FightCovid.info

Corona-help.co.uk

Evergreen

LetsBeatCovid.net

TrackTogether

YourMD

ZOE

More are reporedly to be announced shortly.

In an email to SC Media UK Grant Goodes, chief scientist at Guardsquare supported the approach to data privacy adopted by OASIS, but nonetheless warned of the dangers posed by potential hackers. He said: "It appears the the NHSx programme (project OASIS) is a well-considered and practical approach which recognises the serious concerns around data privacy while still maintaining effectiveness.  Simply put, as an essential element of this programme, Contact Tracing apps must be trusted by the general public, or else will not be broadly installed and adopted, which will defeat their basic effectiveness."

However, he went on to add, "There are two primary elements to ensuring that Public Trust can be established: The first is a basic design with privacy and data-security in mind, and on this front, the OASIS project seems to be on solid ground, with a data-gathering and -sharing model that adheres to the highest standards expected of UK and European governments (as enshrined, for example, in GDPR). 

"The second, and equally important aspect is Application Hardening: Even with the best data-security design, the application code itself is vulnerable to exploitation by malicious actors including criminal organisations or even amateur hackers, and as has been demonstrated again and again, the "out of the box" resistance of mobile applications against modern hacking tools and techniques is effectively zero.  In order to ensure that Contact Tracing apps do not become a target for exfiltration of personal data, the developers and deployers of these apps must include code- and data-obfuscation protections as well as RASP (Runtime Application Self-Protection)."

An NHS tracing app went on trial on the Isle of Wight on 4 May, and nationwide rollout is scheduled to follow the three week trial, thus by the end of May. To date about half the IOW population have downloaded the app. While the government aim is for 60 percent coverage, the shortfall doees not appear to be due to privacy concerns raised regarding the central data sharing model, but due to older phones not having access plus some segments of the population not being Internet users (about two million in the UK are believed not connected, and another seven million described as having very basic skills/limited usage).

A list of tracing apps and an assessment of their privacy levels is provided by  Samuel_Woodhams, digital rights lead at Top10VPN which provides a t Live Index, as reported by SC Media UK.

In a separte development, outsourcing firm Serco has apologised after accidentally sharing the email addresses of almost 300 contact tracers, according to BBC News. Serco is one of the companies hiring, training and operating the 15,000 contact tracers who do not have clinical training, and shared the information when emailing trainees to tell them about training.

When the Home Office made a similar error last year it referred itself to the Information Commissioner, but Serco is not intending to do this. The error did not involve patients' data, but does not bode well for a project that is set to ask many thousands of people who have fallen ill to share the details of their friends and acquaintances.

Jake Moore, cybersecurity specialist at ESET commented:“At a time when people are already questioning the app’s privacy concerns, this comes as a serious blow. Apps like this need the public’s inherent trust from the outset, so learning of even a small number of email addresses leaked is a shame. Those affected should remain aware that they could be used in phishing attempts – but luckily the numbers are low enough to mitigate any further risk. There is a genuine dilemma amongst many people as to whether or not we should download this app with the potential privacy concerns. The question is now whether the public will trust the app after this has happened so soon? Moreover, if the app does not achieve the desired uptake, it is flawed from the start.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews