Building a COVID-19 Vaccine Verification Solution on AWS
Buying a COVID-19 vaccination on the dark web for upwards of $1000 only for it never to materialize sounds like something from a Hollywood script. But according to cybersecurity agencies like Check Point, this situation is presenting itself to patients eager for vaccinations. Fraudulent activities like this, and fake drug products such as those described in this notification from the FDA, have the potential to erode trust in the validity of COVID-19 vaccines. Biopharmaceutical companies have established track and trace platforms in response to global regulations such as the FDA’s Drug Supply Chain Security Act (DSCSA), but many healthcare providers and patients do not have a viable mechanism to verify drug products at the end of the supply chain. For biopharmaceutical companies developing and distributing COVID-19 vaccines to 7.8 billion patients around the world, this represents the perfect storm of the pre-existing fight to keep counterfeit products from harming patients, the need to maintain confidence in the COVID-19 vaccine itself, and a virus which must be addressed at global scale.
Limited public trust in the COVID-19 vaccine is a hurdle the healthcare industry must overcome. According to a global poll across 15 countries performed by Ipsos, only 32% of people would take a COVID-19 vaccine immediately, if available. YouTube has removed over half a million videos spreading misinformation related to the COVID-19 pandemic since February 2020, according to a letter by YouTube CEO Susan Wojcicki. In today’s world, conspiracy theories that go unchecked on social media can shape public perception.
In this blog, we show how pharmaceutical manufacturers can use AWS to allow customers, including healthcare providers and patients, to validate a COVID-19 vaccine’s authenticity using label information from a pharmaceutical manufacturer’s existing global track and trace repository. The customer scans the label barcode containing the vaccine’s unique identification number and performs a verification lookup query to validate the source of manufacturing and the associated event transactions.
Overview of the COVID-19 vaccine verification lookup
To enable COVID-19 vaccine verification lookup (API) capabilities at a global scale, the architecture must address the following requirements:
- Provide low latency user access for healthcare practitioners
- Maintain consistent performance at a global scale
- Scale up and down without interruption in response to spikes in requests
- Deliver disaster recovery capability
- Minimize operational and support overhead
- Integrate with existing Track and Trace systems
The following diagram illustrates the architecture providing millisecond response times for vaccine verification lookups. The main purpose of an active-active configuration is to provide latency-based routing that routes traffic to the nearest region in an effort to provide the fastest experience. The architecture allows for fast and reliable data replication between regions, stateless services, and DNS routing on a network, while avoiding cross-region calls.
How to look up and verify the authenticity of COVID-19 vaccines
Step 1: Data Ingestion and Storage
With each country targeting aggressive vaccine rollout plans, there could be tens of millions of vaccines administered daily, which will deliver an unpredictable workload to a database. To maintain a high level of performance for healthcare practitioners at a global scale, Amazon DynamoDB is used to provide single-digit millisecond performance within a region at any scale. DynamoDB’s global tables feature provides a multi-region, multi-active database for our API, which replicates tables automatically across the selected AWS regions. This allows you to avoid the undifferentiated heavy lifting of data replication between regions and resolving update conflicts, enabling you to focus on your application’s business logic.
To address the requirement of the unpredictable workload, DynamoDB auto scaling uses AWS Application Auto Scaling to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don’t pay for unused provisioned capacity.
Vaccine manufacturers will need to track billions of doses of pharmaceutical product, along with the business and event-based transactions that occur in the supply chain for each individual unit sold. The vaccine verification solution is designed to work with both on-premises and cloud-hosted track and trace solutions by using a recurring batch job to capture serialized product information in a DynamoDB table. For one global life science customer, AWS’ Professional Services team helped move their global SAP track and trace solution to the AWS Cloud. While not mandatory for vaccine verification, moving their solution from on-premises to AWS did enable their serialization repository to handle the significant increase in capacity required to manage manufacturing and tracking of the COVID-19 vaccine.
Step 2: API for Vaccine Verification
To allow for integration into any front-end user interface, verification inquiries are routed through Amazon API Gateway. API Gateway is a managed service which provides customers with the ability to create, publish, maintain, monitor, and secure the vaccine verification lookup API at global scale. API Gateway lets you programmatically create the API connection to the code running in AWS Lambda, and then lets you call the Lambda code from your API. Lambda is a serverless compute service that lets you run code without provisioning servers, providing developers with flexibility to develop on their favored programming language, and scale automatically to meet the demands of the API requests.
In this solution, we are using a REST API that integrates with Lambda functions using a simple Lambda proxy integration. When a front-end client calls the API, API Gateway sends the request to the Lambda function and returns the function’s response to the client. The APIs are configured as regional API endpoints so traffic can be routed from a single global hostname to each of the regional endpoints using Amazon Route 53.
An API Gateway REST API is made up of resources and methods. For the API, we are using two resources: /getvaccineinfo and /healthcheck. A combination of a resource path and an operation (e.g., GET, PUT, POST) identifies the method of the API. The vaccine verification API uses:
- GET /getvaccineinfo method to return information about the specific vaccine vial
- GET /healthcheck method to return a basic health check for the API, ensuring traffic only gets routed to healthy resources (see Step 3: Routing Verification Request)
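The two methods above, sketched as a single Lambda proxy integration handler. This is an added example, not code from the solution described in this blog. The serial query parameter, the serial format, the item attribute names and the sample table are assumptions made for illustration.

```python
import json
import re

# Assumption: serials are 1-20 alphanumeric characters (not specified on the page).
SERIAL_RE = re.compile(r"[A-Za-z0-9]{1,20}")
# Only these attributes are ever returned to the caller (hypothetical names).
PUBLIC_FIELDS = ("manufacturer", "lot", "events")

# Constructed sample standing in for the DynamoDB table of serialized product data.
SAMPLE_TABLE = {
    "SN0000012345": {"manufacturer": "ExamplePharma", "lot": "LOT42",
                     "events": ["commissioned", "shipped"], "internal_plant": "P7"},
}

def respond(status, payload):
    """Shape a Lambda proxy integration response; body must be a string."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
            "body": json.dumps(payload)}

def make_handler(get_item):
    """Build the handler around get_item(serial) -> dict or None.

    In Lambda, get_item would wrap the DynamoDB read, for example
    lambda s: table.get_item(Key={"serial": s}).get("Item")  # key name assumed
    """
    def handler(event, context=None):
        route = (event.get("httpMethod"), event.get("resource"))
        if route == ("GET", "/healthcheck"):
            return respond(200, {"status": "ok"})
        if route != ("GET", "/getvaccineinfo"):
            return respond(404, {"error": "not found"})
        # queryStringParameters is None when the request has no query string.
        serial = (event.get("queryStringParameters") or {}).get("serial", "")
        if not SERIAL_RE.fullmatch(serial):
            return respond(400, {"error": "invalid serial"})
        try:
            item = get_item(serial)
        except Exception:
            # Do not echo backend errors to the client.
            return respond(503, {"error": "lookup unavailable"})
        if item is None:
            return respond(404, {"verified": False})
        public = {k: item[k] for k in PUBLIC_FIELDS if k in item}
        return respond(200, {"verified": True, "serial": serial, **public})
    return handler

handler = make_handler(SAMPLE_TABLE.get)
```

The serial is checked against an allow-list pattern before it reaches the data store, and the response carries only the allow-listed attributes, so internal track and trace fields never leave the API.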
Step 3: Routing Verification Request
To prevent disruption to the healthcare practitioner performing the vaccine verification and ensure resilient performance of the solution, we need to ensure the request is routed to the nearest region. Route 53, a highly available and scalable Domain Name System (DNS) web service, performs three main functions in any combination: domain registration, DNS routing, and health checking.
Route 53 lets you use the console to transfer the registration for existing domains from other registrars or register a specific domain name for your vaccine lookup, such as examplevaccinelookup.com. When you register a domain with Route 53, we automatically make Route 53 the DNS service for the domain. Route 53 creates a hosted zone that has the same name as the domain, assigns four name servers to the hosted zone, and updates the domain to use those name servers.
Once a domain has been registered, you create records to tell the DNS how you want traffic to be routed for that domain. Route 53 supports seven different routing policies: simple, failover, geolocation, geoproximity, latency, multivalue, and weighted. Latency-based routing determines the region that provides the lowest latency for the user. For example, if a healthcare practitioner is working in Thailand and measured latency is lowest to the Singapore (ap-southeast-2) region, the provider’s requests will be routed to Singapore. Latency-based routing uses measurements performed over a period of time to reflect these changes.
Route 53 health checks monitor the health and performance of your API. Route 53 offers three different health checks: monitor an endpoint, monitor other health checks (calculated health checks), and monitor Amazon CloudWatch alarms. We can use a health check to monitor an endpoint which is specified by domain name, like the health check API. Route 53 submits automated requests to the health check API to verify that it is reachable, available, and functional. When Route 53 uses the health check to determine the health of the API and finds that it is unhealthy, Route 53 will direct the traffic to only healthy endpoints using DNS failover.
Step 4: Preventing Network Attacks
For protection against DDoS attacks, AWS provides AWS Shield Standard and AWS Shield Advanced. All AWS customers benefit from the automatic protection of AWS Shield Standard, at no additional charge. AWS Shield defends against the most common, frequently occurring network and transport layer DDoS attacks that target your applications. For higher levels of protection against attacks, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks and near real-time visibility into the attack. AWS Shield Advanced also gives you 24×7 access to the AWS DDoS Response Team (DRT) for manual mitigation of edge cases affecting your availability.
AWS WAF is a web application firewall that helps protect applications and APIs from attacks. It lets you configure a set of rules called a web access control list (web ACL) that allow, block, or count web requests based on customizable web security rules and conditions that you define. AWS WAF will protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security, or consume excessive resources. Rules can allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, requests that contain malicious SQL code, or requests that contain malicious script.
COVID-19 has been the biggest healthcare challenge of the modern era. As of February 17, 2021, seven vaccines are now available to the public across at least 79 countries and over 181 million doses of the COVID-19 vaccine have been administered. As this is only 2.3% of the 7.8 billion people representing the global population, we all still have a long road ahead of us.
The COVID-19 vaccine verification solution provides a gateway to accurate information about the vaccine to healthcare professionals. It can also be enhanced to provide additional capabilities such as returning vaccine FAQs, dosage instructions, warnings/precautions, ease of access for reporting adverse events, and access to manufacturer medical information professionals through a variety of mediums. This provides a mechanism for enabling customer and patient support by scanning barcodes with unique product identification numbers, while also providing valuable insights back to the manufacturer to improve operations.
For more details on deployment of the vaccine verification solution, contact the authors of this blog at firstname.lastname@example.org.