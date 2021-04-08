The text message is not secure enough to transmit confidential information.

Coronavirus disease symptom assessment Omaolo is an example of a digital service path that the public administration has implemented brilliantly. Symptom assessment is easy to use. It works quickly and reliably. In the Helsinki and Uusimaa Hospital District, it is possible to book a time for sampling directly from the Omaolo symptom assessment.

It is a pity that in such a great service concept, the lines are whitewashed. The test result is sent by text message, even though the patient data is confidential by law.

In his decision of 2010, the EDPS has alreadyUse of e-mail and text messages in healthcare”Was quite negative about the use of text messaging in patient communication. The decision has dealt with appointment data, not, for example, data containing test results. The EDPS has required the patient’s consent to the use of the SMS. It is also important to note that the decision was made before it was widely known that the signaling protocol (SS7) used for text messaging was vulnerable.

From the user’s point of view, the problem can also be illustrated with an example. Depending on the phone and its settings, the text message will appear directly on the phone screen when it arrives. In this case, anyone near the phone can read the content of the text message. The result of the coronavirus test may be visible to others other than the one tested, for example, if the phone is on a table and the message “Your coronavirus test is positive, ie you have a coronavirus infection”.

The choice of text message as the method of reporting test results must be understood. Text messaging is fast, well-known, reliable and easy to use. However, as the epidemic continues, the issue should be better resolved, as the SMS is not secure enough to transmit confidential information. The possibility to read the results through Omakanta already solves this in part.

My view may seem like a sip. However, this is of great importance in principle. There is a risk of citizens becoming accustomed to insecure practices.

It would be interesting to know how the use of SMS has been justified in the pre-deployment data protection impact assessment.

Magnus Tötterman

software entrepreneur, Helsinki

