Clinical labs face a steep learning curve when integrating themselves into the new world of COVID-related “health passes”—the digital or paper certificates that allow individuals to demonstrate proof of a test result or vaccine record in order to cross borders, join events, enter facilities or otherwise move about the world with greater freedom than is currently allowed in many countries.

So what does the COVID health pass ecosystem look like from a clinical lab’s point of view?

Verifiable credentials and digital health passes

In some countries, test results and vaccine records are frequently printed out as hard copy documents. These are relatively easy to create and use, but they are also prone to loss, fraud and errors. So to help ensure that the health passes contain records that are accurate and trustworthy, many organisations are developing systems that encrypt test or vaccine records and make them visible—often by QR code—only to trusted parties who can verify that the information is accurate and has not been altered.

These records, sometimes referred to as “verifiable credentials”, can either be printed on a piece of paper or securely stored in a “wallet” or “passport” app on an individual’s smartphone. The records can then be accessed and verified by other parties like check-in staff at a hotel or immigration officials at a border.

There are many layers in the COVID health pass ecosystem. This includes dozens of health pass apps being built by governments, NGOs, technology firms and in vitro diagnostic companies. Some of the most prominent include CommonPass, an app being deployed by The Commons Project Foundation (TCP), and IATA Travel Pass, an initiative of the International Air Transport Association (IATA).

Those developing the end-user apps tend to get the most media attention, but they are enabled by an array of behind-the-scenes players building the core technologies and frameworks that make these apps possible. This includes independent tech providers that are helping labs to issue verifiable credentials for COVID tests, but which may not be directly involved in the development of the apps to store or verify them.

Issuing COVID credentials

Participating in this network inevitably brings with it responsibilities. Labs must carry some extra IT weight, learn new processes and assess potential risks.

One of the key concerns is about preserving the privacy of the patient’s data. Labs are concerned because they will be the “issuer” of COVID credentials and they need to be sure that they are operating in compliance with local privacy laws when they share them with other parties. Smart technology and data management protocols can help limit these risks.

In the CommonPass system, for example, personal health information and personally identifiable information are only stored with the original data source—the lab or vaccination clinic—and on the user’s phone. “That the data does not sit on a server, or go into a database has been a huge hurdle that we’ve been able to overcome and it has eased adoption tremendously,” says Barbara Tannenbaum, a Business Development Executive at TCP.

A second concern in the issuance process is confirming the identity of a test recipient. IATA Travel Pass addresses this by requiring labs to use a web app that lets them establish a secure connection with the test recipient’s mobile phone via a QR code. Once the lab has confirmed the user’s identity, comparing their physical passport against the digital identity the user has already established on their phone when they installed the IATA Travel Pass app, the test result is pushed to their phone via the secure link previously established in the lab.

A third challenge is interoperability of the various technologies. Not all platforms are embracing open, interoperable standards, and seeking instead to onboard labs onto closed proprietary networks. And so it may take a while to settle, and labs may have to familiarise themselves with two or three different approaches, all of which may have different IT requirements.

Ensuring trust in results

At its heart, this new ecosystem is built around trust. All stakeholders with an interest in verifying test or vaccine records need to be sure that the credentials they’re seeing are correct and match whatever standards they have set to allow an individual through a border or into a facility.

For clinical labs, trust means that other stakeholders in the ecosystem must be confident in accepting the COVID credentials they issue. If the ecosystem is small, ensuring trust across the network may be relatively straightforward, but if it is large and transnational in scale, this can pose major operational and technical challenges.

One approach to addressing this challenge is to build international registries of approved labs. The CommonTrust Network launched by TCP and the World Economic Forum, for example, says it has already added 9,000 labs sites across 32 countries to its network, and another nearly 18,000 are due to go live later this year.

For the CommonTrust Network, labs can complete a survey on their website, answering questions that TCP determines are necessary for validation. Such criteria include whether a lab is already accredited, whether it is authorised to do vaccines, whether it verifies the identity of a patient at the time of the testing, and whether it can turn lab results around in less than 24 hours. The process also checks if the lab uses open, interoperable standards for issuing, such as the SMART Health Cards Framework.

After passing the initial vetting process, a lab will be contacted and helped through the onboarding process, and to overcome any concerns they may have. The CommonTrust Network will then verify that the lab exists and that they tick all the boxes, including ISO standards. This due diligence includes partnering with local governments and health ministries to cross-check with government approved white lists.

IATA Travel Pass also sits on top of an international network of trusted labs, which it is actively building. It is also talking to national lab registries to see if the process of onboarding could be done en masse by plugging into those directly.

“A trusted ecosystem is critical to ensuring the security and accuracy of health credentials for verifiers, issuers and travelers,” says Stacey-Ann Pearson of Affinidi, a Singapore-based provider of credential verification technologies. “Right now, what’s feasible and scalable, and somewhat secure, is this concept of trust network, where I, as a verifier, trust you as an issuer to go out and do your due diligence of your original healthcare institution.”

“At Affinidi, we are working with partners to scale such trust networks for safe travel, and this will continue until the industry comes up with a new version,” she adds.

The future

These are early days for COVID health passes and credentials, and there are bound to be teething problems. A potential complication is that some countries or airlines may only recognise tests from certain labs, so that granularity will have somehow to be built into the system.

Another likely issue is that most of the solutions do not currently allow for test results to be amended or updated—if, say, a result was entered in error, or a particular test or vaccination was found subsequently to have issues. This is likely to change, but it’s bound to affect labs who may be required to update their systems and procedures at some point.

Labs are likely to find that getting involved in this new landscape early will help them understand it better, but they need to be ready, too, to adapt to likely shifts as the terrain settles.