COVID-19 has accelerated the adoption of digital technologies across many sectors, especially in healthcare. The need for secure but easy-to-use vaccination certificates required an alternative to traditional paper vaccination booklets and has led to the development of SMART Health Cards.
SMART Health Cards are portable paper or digital versions of clinical information, such as vaccination history or test results. They allow consumers to keep a copy of a medical record on hand and easily share this information with others in an interoperable format when required. The initiative is part of the SMART Health IT program: An open standards and technologies initiative supported by all major healthcare IT and technology companies and widely adopted in the US and internationally.
How SMART Health Cards work
Government agencies and healthcare organizations can issue SMART Health Cards to their clients similar to how they would previously have issued paper certificates for vaccination or test results. However, SMART Health Cards are more portable than ever. They can be added to digital wallets and even, for example, submitted for a flight booking via APIs. They are also much more secure as they use state-of-the-art digital signatures based on similar cryptographic techniques used in Bitcoin.
Creating SMART Health Cards with MuleSoft’s AnyPoint Platform
The SMART Health team provides excellent documentation of the standards framework in addition to a developer portal to assist with testing a standards-compliant implementation at each step of the workflow.
The simplified process of creating a SMART Health Card in MuleSoft consists of the following steps:
- Create the payload in the SMART Health Card FHIR format. Assemble the content — such as the patient and vaccination details — from the system of record as an FHIR bundle in a SMART Health Card compliant format.
- Minimize the size: Minify and compress. SMART Health Cards must fit on a single QR code so the payload is as small as possible.
- Digitally sign and create a JWS (JSON web signature). To ensure authenticity, SMART Health Cards are signed with an elliptic curve cryptographic algorithm with a private and public key and built in the SMART Health Card format.
- Issue the SMART Health Card through an FHIR API. Return the SMART Health Card in the Verifiable Credential format through a defined FHIR API.
You can find a sample Mule app to create SMART Health Cards on Github.
Now, let’s take a look at a more detailed view of the process to create SMART Health Cards using the MuleSoft Anypoint Platform:
Step 1: Assembling the SMART Health Card payload
The first step is to integrate with the systems of record that carry the patient demographics, vaccination, or test result data and expose this data through a System API. This could be an EMR system or a database such as an Immunization Register. For example, the Accelerator for Healthcare provides valuable assets to accelerate this integration with its FHIR System APIs for Cerner, Epic, and other EMRs.
The resulting FHIR bundle — which consists of the patient demographics and their vaccination records — is inserted into a Verifiable Credential (VC) structure. MuleSoft’s DataWeave and message transformation functions make it easy for developers to convert data from a source system and input them into the desired SMART Health Card format. The sample app includes a metadata definition of the required SMART Health Card format allowing easy drag-and-drop mapping.
Step 2: Minimize the size – minify and compress
To ensure the SMART Health Card can be encoded in a single QR code the payload needs to be as small as possible. Therefore the first step is to remove all white space from the payload. Again, MuleSoft makes this easy by simply adding indent=false to the output in a transform processor.
%dw 2.0output application/json indent=false---
Next, the payload needs to be compressed using the DEFLATE algorithm omitting any headers. While MuleSoft provides a compression processor, it adds the headers making it unsuitable for the required SMART Health Card format. Therefore, we have implemented this in a basic Java Class that converts the minified JSON string into a byte array and compresses it. In the sample app, you can find this in the signatureClass.java.
payloadCompressed = DeflateUtils.compress(byteArray);
Step 3: Digitally sign and create a JWS (JSON Web Signature)
To ensure the authenticity of the SMART Health Card, they are digitally signed using public/private key encryption. First, the public and private keys must be defined in the form of a JWK (JSON Web Key). The SMART Health Card specification requires the use of the P-256 Elliptic Curve with algorithm ES256. The key ID is the base64url SHA-256 thumbprint of the key. During development, you may use https://mkjwk.org/ where you can easily create these keys with the correctly encoded key ID.
//Sample JSON Web Key (Private Key){ "kty": "EC", "kid": "3Kfdg-XwP-7gXyywtUfUADwBumDOPKMQx-iELL11W9s", "use": "sig", "alg": "ES256", "crv": "P-256", "x": "11XvRWy1I2S0EyJlyf_bWfw_TQ5CJJNLw78bHXNxcgw", "y": "eZXwxvO1hvCY0KucrPfKo7yAyMT6Ajc3N7OkAB6VYy8", "d": "FvOOk6hMixJ2o9zt4PCfan_UW7i4aOEnzj76ZaCI9Og"}
Next, add your private key to the corresponding variable in the Mule flow. For a production deployment, you should appropriately secure the private key, for example, in a Secure Configuration Property. The public key is the same JWK without the “d” parameter. Publish the public key at the publicly accessible URL specified in the SMART Health Card payload (step 1).
Creating a SMART Health Card compliant signature requires the use of a Java class which you can reuse from the sample app provided on Github (signatureClass.java). The implementation is quite simple and requires only a few lines of code to create a JWS (JSON Web Signature) which consists of a concatenated string with three elements:
JWSHeader.Payload.Signature
JWS Header = base64url encoded: {“zip”:”DEF”,”alg”:”ES256″,”kid”: base64url SHA-256 JWK Thumbprint}
Payload = base64url encoded compressed payload
Signature = base64url encoded signature
Step 4: Issue the SMART Health Card through an FHIR API
The SMART Health Card is formed by wrapping the JSON Web Signature into a specific Verifiable Credential format. The following shows an example of a digitally signed SMART Health Card for COVID vaccinations.
{"verifiableCredential": [ "eyJ6aXAiOiJERUYiLCJhbGciOiJFUzI1NiIsImtpZCI6IjNLZmRnLVh3UC03Z1h5eXd0VWZVQUR3QnVtRE9QS01ReC1pRUxMMTFXOXMifQ.7VRNj9owEL3zKyL3CvmA3YXl2K1U7WGrSkv3suJgnIG4cuzIdhAU5b937MBuIEFQtadqIyWyx29mnmfmZdcLAsKNIdOAZNYWZhpFpgAWmpxqmwEVNgsZ1amJYEPzQoCJEF6CJn3nKhdLdE3uRjfjye1kOA5vR3f-YM3QvsMVru22ANy9-l3QSHSa41O9GbiNj38BzvO8lPwXtVzJa_BMrXma3BOPnNcOhGlIQVpOxXO5-AnMvhHHw2XG9Qto4xJgiW7COEzeM7nTz6VMBTR80K7BqFIzmNUXJ3tM_x2xLwlhSghM2eSPp0hHbxsVc8-usXapSyF-aOFiHLJN40aMIx5H7M5w_I5VxLwnIVyLaQ4nXLoYHXjRnAvHnTyVAp7Vsh3R41Z8DbIzrD9-ohuOgTiVne6ImGUQPEoLK02t0qQDNG_ZqhPLvHXZBceR-UKtL0lyf5sM4mQwjI_DN8NU_T_rUfI3PXrsmvc3tLHUlqaeKqdUC2kbtKaMcQkPKu3K6OSgUi5XZzqz6-6F2RoL-eEfgtLLxDhUehU5gUSGpxFbb841ktVUyDCedHWx6l3qa9W6ZLGf5c4LaliCBukr3tTOxaiKsVJ7TzcgM57vaQ_9kMRJu9gF6KXSOf4sr9YPZW6ap-cqnXJTCOr19RVAKLkKXnxH_UwED4JLzq4r42UxCGW_lfnC0ycxPkmC7z8Uw_BDDP-jGEYfYjhaH3pUW9y36lW_AQ.KEaI-bjzjOYU6khYEAlWUPVO2Y0TuJgLEPcAMLVuDa_6qHraYiY5L7PzThWGGZFOd_EMg_2sr0bGnMZj0ovbcg" ]}
The FHIR Implementation Guide for SMART Health Cards proposes an FHIR endpoint that allows applications, such as a digital wallet, to request a SMART Health Card. In MuleSoft, this can be easily implemented as an Experience API which returns a SMART Health Card Verifiable Credential as shown above. Authentication and authorization are outside the scope of the SMART Health Card specification; however, they are designed to work well with SMART on FHIR for which MuleSoft also provides an implementation template as part of our Accelerator for Healthcare.
Alternatively, the SMART Health Card can be encoded as a QR code and issued to a patient so they can print it or add it to their digital wallet. Performing the above step in reverse allows a verifier application to decompress and display the payload containing the client identification and vaccination details. It also confirms the digital signature against the public key to ensure its authenticity.
An important element to use SMART Health Cards in practice is a trust framework. Our sample implementation above has shown that anyone can issue a SMART Health Card; the fact that it was digitally signed only proves that it has not been tampered with since signature. Assuring the authenticity of a trusted vaccination certificate issuer is an essential piece of building an efficient and effective framework in using and distributing SMART Health Cards.
In the US, this is coordinated through The Commons Project which certifies the authenticity of trusted certificate issuers. Verified issuers include various government entities such as the State of California, healthcare providers like Kaiser Permanente, and mobile apps from EMR providers like Cerner and Epic. The Commons Project also provides a verifier app that can be used to decode a SMART Health Card QR code and show if it was issued by a trusted issuer.
Conclusion
While the COVID-19 public health response has accelerated the development and adoption of SMART Health Cards for vaccination certificates, they are a great solution wherever patients need to securely store and share health records and credentials. MuleSoft’s Anypoint Platform makes it easy for developers to create and issue SMART Health Cards. As more SMART Health Card use cases emerge, an API-led approach enables accelerated development via reuse in a secure and scalable environment.
Be sure to register for MuleSoft Transform to discover how a clear API vision will help you respond to changing market dynamics no matter your industry. You can also get started with a free trial of Anypoint Platform and learn more about Anypoint Platform’s vaccine management capabilities.
