Notice F1: Implementation of the WHO digital documentation of COVID-19 certificates: vaccination status (DDCC:VS) technical specifications

Implementation of WHO technical guidance and interoperable capabilities for Malawi COVID-19 electronic vaccination (eVax) Certification

Two Sentence Overview: 
The project aims to implement standards-based data exchange resources with external systems to enable verification of a person’s vaccination status to align Malawi’s COVID-19 electronic vaccination (eVax) certification tool with WHO’s technical guidance with comprehensive documentation. Luke International is the leading developer of the eVax system that was implemented country wide in partnership with the Ministry of Health Digital Health Division, Expanded Program for Immunization (EPI) and the Public Health Institute of Malawi.
Executive Summary: 
Malawi has implemented a COVID-19 electronic vaccination (eVax) certification tool that is currently in use. The eVax certification tool queries the database in the Malawi One Health Surveillance Platform (OHSP) Electronic Vaccination Registry, powered by DHIS2, and generates a QR code that contains a public and corresponding private key to securely authenticate the identity of the certificate holder. The proposed project aims to implement standards-based data exchange resources with external systems to enable verification of a person’s vaccination status to align Malawi’s COVID-19 electronic vaccination (eVax) certification tool with WHO’s technical guidance with comprehensive documentation. Specifically, the project will generate technical documentation of the Malawi eVax Certification platform in line with WHO guidance, create data exchange resources, and enhance security of the eVax platform, through building interoperability with the National Registration Bureau (NRB) database. Luke International (LIN) will work in partnership with the Ministry of Health Digital Health Division, Expanded Program for Immunization (EPI) and the Public Health Institute of Malawi to achieve the project goals. LIN is the main technology partner involved in the development and roll out of the OHSP and eVax certification tool, and has been working in Malawi for more than 10 years in digital health implementation at all levels of the health system.
Consortium Team: 
Luke International (LIN) is a non-profit organization with its Head Office in Færder, Norway. LIN works primarily in the Southern African Development Community (SADC) region with country offices in Malawi and South Africa. LIN Malawi is recognized as an international NGO with registration with Council of Non-Governmental Organizations of Malawi (CONGOMA) registration no.: C449/2009. LIN holds a formal Memorandum of Understanding (MoU) with the Government of Malawi through the Ministry of Health (MOH). Since 2008, LIN has been providing technical assistance, capacity building and implementation of digital health solutions at all levels of the health system in Malawi accumulating more than a decade’s experience working with the MOH. Under the Kuunika Project funded by the Bill & Melinda Gates Foundation (BMGF), LIN supports the development and harmonization of various national digital health services and establishes interoperability layers following the OpenHIE framework. LIN will work mainly with the relevant government divisions for the eVax program, including the MOH Digital Health Division (DHD), Expanded Program for Immunization (EPI) and the Public Health Institute of Malawi (PHIM). The DHD is the main digital health governance unit in the MOH responsible for intra-ministry and external implementation partner coordination. The DHD is also responsible for providing national digital health services in 8 sections including policy and standard development, compliance, analytic and decision support, user capacity and support, product development and sustainability, infrastructure and management, privacy and security, and resource mobilization and management. LIN is the sole local partner supporting DHD’s operation with funding from BMGF. The EPI program is the MOH official business custodian of the eVax module and responsible for providing relevant vaccination and vaccine related domain knowledge, the standards of the certification and business rules at all levels of the health system. LIN has been working closely with EPI to support its eVax roll-out activities since the beginning of the system development. PHIM is the hosting institution of the Public Health Emergency Operations Centre (PHEOC) responding to the COVID-19 pandemic in-country. The PHEOC is still in activation mode. The eVax certification development and international coordination needs to go through the PHEOC coordination mechanism to work closely with WHO and other countries.
Project Description: 
Background: LIN supported the establishment and operation of the Digital Health Division (DHD) within the Malawi MOH. In response to the COVID-19 pandemic, the DHD lead the swift establishment of the Public Health Emergency Centre (PHEOC) digital health infrastructure, the COVID-19 official website, internal PHEOC dashboards, expanded digital disease surveillance functionalities and the electronic vaccination (eVax) program for micro management and digital certification. Malawi adopted the Integrated Disease Surveillance and Response (IDSR) in 2002. Since then there have been several initiatives aimed at strengthening IDSR, including the introduction of the One Health concept. The One Health Surveillance Platform (OHSP) was developed and implemented considering the interconnection of disease between humans, animals and their surrounding (environment). When COVID-19 was declared a global pandemic in 2019, and as National disaster in March of 2020, Malawi's One Health concept diverted from its original focus to support the MOH in enhancing syndromic surveillance through better identification of all potential COVID-19 cases, prevention of further outbreaks and more importantly, improve COVID-19 response. It was at this point, MOH through the Digital Health Division identified the District Health Information Software version 2 (DHIS2) as a platform that would help the Ministry rapidly develop and deploy modules for all IDSR M&E needs. Most recently we have included the Electronic Vaccine (eVax) Registry program in the OHSP. The program is designed to capture vaccination information for every citizen/person being vaccinated. The eVax registry has been an essential tool used to manage all aspects of documentation and reporting for the vaccination program. Following the successful rollout of the vaccine registry, there was a need to rapidly develop and deploy a digital vaccination certificate. A COVID-19 vaccine certificate has become an essential tool to help monitor and manage the rollout of the vaccines and get Malawi’s economy back on track. This credential is helping to facilitate the safe movement of Malawians and expatriates across countries. The certificate is enabled with a QR code that contains a public and corresponding private key to securely authenticate and protect the identity of the certificate holder. It is also enhanced with verification/authorization workflows that protects the integrity of the certificates. The Malawi eVax Certification is currently operational, and provides anyone that have completed their vaccination to log on to the MOH COVID-19 website (https://covid19.health.gov.mw/) to generate a vaccine certificate by entering their EPI number (the number issued to each individual by the EPI program upon receiving the vaccine). However, the MOH would like to add an additional layer of security, through integration with the National Registration Bureau (NRB) database for national identification (National ID). Through the integration it would enable the eVax program to authenticate the identity of the certificate holder through matching of the ID photo and the person presenting the certificate. Additionally, there is also a need to consider interoperability capabilities of the vaccine certificate with external systems within the region and abroad following the WHO technical guidelines, to facilitate the travel of citizens to other countries. Objectives: 1. To document the Malawi eVax Certification platform in line with the WHO technical guidance (detailed system design, implementation workflows and data exchange resources) 2. Create data exchange resources to enable the eVax platform to exchange patient demographics and vaccination details with other regional/global COVID-19 Vaccine Certification platforms. 3. Enhance security of the eVax platform, through enabling data exchange with the National Registration Bureau (NRB) database. Methods: Software development work will be coordinated through Scrum (agile) development methodology. Through this framework we will be able to track deliverables and meet timelines. As standard we use Notion.so as a tool for tracking deliverables and detailing individual tasks. As a Software Development M&E tool, we define user stories in the Product Backlog, each detailed (granulated) activity or task is defined in the Sprint Backlog and that's where the actual milestones are defined. Each sprint will last for at least two weeks with a minor release (module) that can be demonstrated and tested. Every minor release will be subjected to user feedback with possible iterations. Objectives and Activities: Objective 1: To document the Malawi eVax Certification tool in line with WHO technical guidance Objective 1.1: To document the Malawi eVax Certification platform in line with the WHO technical guidance Activity 1.1.1: Documentation of detailed system design, including system architecture, functional requirements, and core data elements. Activity 1.1.2: Documentation of implementation workflow and national trust architecture. Activity 1.1.3: Documentation of FHIR compliant data exchange resources. Objective 1.2: To create and maintain repository for the sharing of technical documentation Activity 1.2.1: Identify the suitable platform as the repository for the suite of technical documentation related to the Malawi eVax Certification. Activity 1.2.2: Create unified documentation template and version control measure. Activity 1.2.3: Publish technical documentation and share with appropriate parties, to facilitate adoption and learning within the community of practice. Objective 2: Create data exchange resources to enable the eVax platform to exchange patient demographics and vaccination details with other regional/global COVID-19 Vaccine Certification platforms. Objective 2.1: Create data exchange resources to enable the eVax platform to exchange patient demographics and vaccination details with other regional/global COVID-19 Vaccine Certification platforms. Activity 2.1.1: Understand the requirements from the WHO guidelines and HL7 FHIR immunization resource requirements. Activity 2.1.2 Define data and domain models. Activity 2.1.3: Define the REST FHIR resources. Activity 2.1.4: Scaffold the REST service. Activity 2.1.5: For each resource write e2e tests and implement the code to pass. Activity 2.1.6: Implement HTTP and service-level logging. Activity 2.1.7 Add Swagger docs, this could be done as we author the REST resources. Activity 2.1.8 Hook the logs to monitoring tools ie. the ELK stack. Activity 2.1.9 Implement security measures where applicable. Objective 2.2 Implement/test interoperability with the well established EU digital COVID-19 gateway Activity 2.2.1 Link up and meeting with EU representatives on COVID-19 digital certificates Activity 2.2.2 Review design specification documents and other related technical documentation Activity 2.2.3 Implement the standard based resources conforming to the EU standards as first test case Objective 3: Enhance identity binding through data exchange with National ID database Objective 3.1 Enhance security of the eVax platform, through enabling data exchange with the National Registration Bureau (NRB) database Activities 3.1.1: Project kick-off meeting with Key stakeholders including the NRB: Understanding the requirements on how to read the NRB API. Activity 3.1.2: Define data and domain models on how to capture the NRB information in FHIR format in the Covid-19 Vaccine Certificate application. Activity 3.1.3 Scaffold the REST service. Activity 3.1.4 For each resource write e2e tests and implement the code to pass. Activity 3.1.5: Add Swagger docs and document the rest in Notion.so. Activity 3.1.6: Conduct user acceptance testing and incorporate any feedback. Activity 3.1.7: Updating the user manual, and notifying border health officials on the software upgrades Methods: Software development work will be coordinated through Scrum (agile) development methodology. Through this framework we will be able to track deliverables and meet timelines. As standard we use Notion.so as a tool for tracking deliverables and detailing individual tasks. As a Software Development M&E tool, we define user stories in the Product Backlog, each detailed (granulated) activity or task is defined in the Sprint Backlog and that's where the actual milestones are defined. Each sprint will last for at least two weeks with a minor release (module) that can be demonstrated and tested. Every minor release will be subjected to user feedback with possible iterations. Risk Mitigation: First, there may be limitations on the external human capacity required by the project beyond the MOH’s jurisdiction that may delay software development. For example, the integration with the NRB system requires involvement of stakeholders from NRB that is under the Ministry of Home Affairs and Internal Security. This can be addressed by adequate advance planning, timely and transparent communications, and being explicitly clear on key objectives from project start to manage expectations. Secondly, the rapidly changing COVID-19 situation may affect the health of the key workforce. This can be mitigated by enhancing personnel infection and prevention control measures, and promoting vaccinations among co-workers. Third, there can be competing priorities from the software development team within DHD, as there is high demand for the eVax program. This requires task shifting and training more personnel to handle relevant tasks related to the program. Finally, unstable connectivity can affect the performance of the system. This can be addressed by moving the platform to the cloud, and is currently being discussed within the DHD.
Application Status: 
Not Approved

Comments

Thank you for your application. We would like to see more on planned work for privacy, data protection, and security in the full application. Would also request more details on the alignment of the tool to the definition of global goods and what software license the tool is published under.

Thank you for a great application. Please elaborate on:

  1. Where will the client identity mapping happen? What is the plan to ensure data protection?
  2. Is the product open source and what is the community governance mechanism.
  3. How will certificates be generated for paper records incase clients do not have no access to mobile phones.

Thank you for the questions and kindly find below some further elaboration: 

1.     Where will the client identity mapping happen? What is the plan to ensure data protection?

The client identity mapping and storage will happen within the COVID-19 vaccine certificate (CVC) application. Data querying will happen through the National Registration Bureau (NRB)  Application Programming Interface and the data matching algorithm and other functions including updating the certificate record will happen in the CVC application. To ensure data protection, we would want to make it on the VPN tunnel. Ideally, the information exchange between the NRB and the CVC will be on a Virtual Private Network, and the API authentication is through OAuth2 protocols with two factor authentication.

2.     Is the product open source and what is the community governance mechanism.

The application is open source, we are advocating for any other implementer to fork the application and use it within the GNU GPL and MPL-2.0 parameters. As a Malawi government Ministry of Health we advocate for following governance model.

·       Do-ocracy with a bit of Founder -leader for the countries community of practice.

3.     How will certificates be generated for paper records incase clients do not have no access to mobile phones.

We are providing EPI-Numbers at the vaccination sites, these are system generated unique identifiers for the vaccinated clients. In case they are required to present their certificates to authorities they can simply provide their EPI-Number and the authorities will be able to check for authenticity and the identity of the holder.