Coronavirus immunity card through the eyes of cybersecurity

The vaccine is here, the third wave is here, and the coronavirus immunity card is on its way.

Since the recent announcement, the press has been full of news about the issuance of the coronavirus immunity card. The decree on the card certifying protection against Covid-19 was published in Issue 21 of the Hungarian Gazette, and every media outlet has since reported that the cards will be sent out from March 1st.

In this article, we will explore the cybersecurity concerns related to the card.

What will the immunity certificate validate?

The card is intended to prove protection against the coronavirus if:

  1. We have had a laboratory-confirmed case of the disease, or
  2. We have received the required doses of a vaccine, or
  3. We have had the infection without knowing it or being tested for it, and a subsequent antibody (serological) test confirms that we have had the disease.

The card will contain the following personal data of the individual:

  • Name of the individual
  • Passport number (if applicable)
  • National ID card number (if applicable)
  • Immunity card number
  • In case of confirming vaccination, the date of vaccination and the type of vaccine
  • In case of confirming recovery from the infection, the validity date of the certificate
  • A machine-readable data storage code (QR code), generated from the above data by an IT system. The decree says only that the code is generated from the data; it does not say whether the code is digitally signed by the issuer, and that is the property that decides whether a card can be forged by simply re-encoding altered data.

According to the decree, an application will also be developed with the purpose of verifying protection against the coronavirus.

After identifying the card holder, the application will presumably display:

  • Name of the individual
  • National Health Insurance (TAJ) number
  • Date and type of vaccination
  • Confirmation or absence of protection against the infection

Taken together, these pieces of information clearly constitute personally identifiable information (PII), as discussed in a previous article of ours, and the vaccination and infection details are health data, a special category of personal data under Article 9 of the EU General Data Protection Regulation (GDPR). Proper handling and protection of this data is therefore of paramount importance.

Could another plastic card find its way into wallets starting from March?

What is the source of this data?

Next, we look at where the data comes from in each of the cases in which our protection against the coronavirus can be verified with the card or the application.

  1. Confirmed infection or vaccination

If our infection was officially confirmed and reported to the authorities, or if we have received the vaccine, the card and its validity period are issued on the basis of the record held in the Electronic Health Services Space (EESZT).

In other words, for the first two cases the certificate is derived entirely from EESZT data, so the integrity of that registry is what the card's trustworthiness rests on.

The operator of the system is named in the EESZT Privacy Notice.

  2. We have an antibody test

The third possibility for proving our protection is a laboratory antibody (serological) test, which demonstrates the presence of antibodies in our blood and thus indicates that we have previously had a coronavirus infection. (Note that this is not an antigen test: an antigen test detects a current infection, not past immunity.) In this case the laboratory provides the confirmation of our immunity, and the reliability of that data depends on the laboratory's own information system.

We can also prove our protection against Covid with an antibody test.

Which laws do healthcare systems need to comply with?

In the United States, HIPAA (Health Insurance Portability and Accountability Act) is the law that sets the rules for handling protected health information while keeping healthcare administration workable. Its requirements bind every covered healthcare provider and every business associate that handles patient data in the course of its business; there is no official HIPAA certification or accreditation, compliance is the organisation's own ongoing obligation.

HIPAA has no legal force in Hungary, but the safeguards of its Security Rule are a useful checklist for any healthcare IT system.

Major IT security checkpoints include:

  • Periodic verification of system access
  • Proper utilization of logging (logging was discussed previously)
  • Audit trails recording who accessed which patient record, and when
  • Encryption of protected healthcare data
  • Mandatory regular risk analysis

In Hungary, the handling and protection of healthcare and related personal data are governed by Act XLVII of 1997 on the processing and protection of health data and related personal data ("Eüak."), alongside the GDPR. A government decree enacted on March 16, 2020 modified certain provisions of that act and introduced new data transmission obligations.

It is these Hungarian and EU rules, not HIPAA, that bind both the EESZT and private providers such as hospitals and laboratories.

Risk involved

Let us consider, hypothetically, the cybersecurity risks that could arise around these IT systems:

  • An attacker may breach the website or mobile application and gain access to users' personal data and protected health information (PHI), which can then be sold on the dark web.
  • By compromising the issuing system, an attacker could fraudulently generate vaccination certificates for themselves, obtaining proof of vaccination they are not entitled to, and could sell such certificates to others.
  • Conversely, an attacker could delete or alter the records of people who have already been vaccinated or recovered, leaving them unable to prove their immunity.
  • The EESZT is Hungary's e-healthcare system, in use since 2017 by general practitioners, outpatient and inpatient facilities and all pharmacies. An outage of the system would affect the entire national healthcare service, not just the immunity card.
  • Private laboratories could face significant fines following a data breach involving protected health information.

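The forgery risk above, and the question raised about the QR code on the card, come down to one design decision: whether the code merely encodes the card data or also carries an issuer's signature. The following is an added example, not code from the original post and not the real card format (which is not public); the field names, the sample record and the key are constructed for illustration. It shows that an unauthenticated QR payload can be decoded, edited and re-encoded by anyone, while an authenticated one fails verification after the same edit. HMAC is used here only to keep the example dependency-free; a real scheme would use an asymmetric signature so the verifier app holds only the public key, as the EU Digital COVID Certificate does with COSE signatures.

```python
"""Unauthenticated vs. authenticated QR payloads for an immunity card.

Added example, not the card's real format. Field names, the sample record
and ISSUER_KEY are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample record with the kinds of fields the decree lists.
SAMPLE_RECORD = {
    "name": "Minta János",
    "id_card_number": "123456AB",
    "card_number": "HU-IMM-0000001",
    "vaccination_date": "2021-02-20",
    "vaccine_type": "Pfizer-BioNTech",
}

# Hypothetical issuer key. A real deployment would use an asymmetric signing
# key held by the issuer, with only the public key shipped to the verifier app.
ISSUER_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always produce equal bytes."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def encode_unauthenticated(record: dict) -> str:
    """'A code generated from the data': encoding only, no integrity protection."""
    return base64.urlsafe_b64encode(canonical(record)).decode("ascii")


def decode_unauthenticated(payload: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))


def forge_unauthenticated(payload: str, **changes) -> str:
    """Anyone holding the QR image can decode, edit and re-encode it."""
    record = decode_unauthenticated(payload)
    record.update(changes)
    return encode_unauthenticated(record)


def encode_authenticated(record: dict, key: bytes) -> str:
    """Payload = base64(body) + '.' + base64(HMAC-SHA256(key, body))."""
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(body).decode("ascii")
        + "."
        + base64.urlsafe_b64encode(tag).decode("ascii")
    )


def verify_authenticated(payload: str, key: bytes):
    """Return the record if the tag is valid, otherwise None.

    Malformed input and a wrong tag are treated identically so the verifier
    leaks nothing about which check failed; the comparison is constant-time.
    """
    try:
        body_b64, tag_b64 = payload.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # includes binascii.Error on bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def forge_authenticated(payload: str, **changes) -> str:
    """The same edit against the authenticated payload, reusing the old tag."""
    body_b64, tag_b64 = payload.split(".", 1)
    record = json.loads(base64.urlsafe_b64decode(body_b64))
    record.update(changes)
    return base64.urlsafe_b64encode(canonical(record)).decode("ascii") + "." + tag_b64


if __name__ == "__main__":
    plain = encode_unauthenticated(SAMPLE_RECORD)
    forged = forge_unauthenticated(plain, name="Somebody Else")
    print("unauthenticated forgery accepted as:", decode_unauthenticated(forged)["name"])

    signed = encode_authenticated(SAMPLE_RECORD, ISSUER_KEY)
    print("genuine card verifies:", verify_authenticated(signed, ISSUER_KEY) is not None)
    tampered = forge_authenticated(signed, name="Somebody Else")
    print("tampered card verifies:", verify_authenticated(tampered, ISSUER_KEY) is not None)
```

The point for the verifier application is that it must never trust fields it merely decodes from the code; either the code carries a signature it checks against the issuer's key, or the app must look the card number up online in the EESZT, which in turn makes the availability of that system part of the card's attack surface.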
Cybersecurity of health systems is critical


Recently, the coronavirus vaccination calculator was released, which estimates roughly when our turn will come based on the number of vaccines administered per day.

If we check when our turn would come…

…we might think there is still time to subject the critical government websites and private hospital applications to cybersecurity testing. In fact, both the operator of the EESZT and private clinics need to prepare for these risks now.

The risk is real: the government recently reported a coordinated cyberattack against government websites, which affected the vaccination registration and consultation site, the coronavirus information site, and even the government portal itself.

We are available to all interested parties through our contact details or the contact form. It would be forward-thinking for these critical healthcare systems to run bug bounty programs: the ethical hacking community can help find vulnerabilities before attackers do, reducing the risk.