The text-messaging system, called v-safe, is intended to provide early indications about possible adverse reactions from the vaccines. Using the messaging program, people who have received the shots can report symptoms and other health effects, such as missed work. Their responses could prompt phone calls from a team of safety professionals.
But the technology is raising red flags for some health and technology experts, who say hackers or anti-vaccine activists may be able to access the software to create false or misleading reports. Officials’ unease is acute because vaccine hesitancy, stoked by a well-funded anti-vaccine movement that makes prolific use of social and other media, is expected to be a central obstacle to the widespread immunization required to end the pandemic.
Not rolling out v-safe early to health-care providers and public health workers, who will be asked to promote it, has also raised concerns, because these foot soldiers of the mass vaccination campaign have had little opportunity to see how the system works.
Officials at the Centers for Disease Control and Prevention, which is overseeing v-safe, say they are beginning to increase messaging about the software and how to ensure its proper use.
The vulnerability in the new tool “is a potential risk,” said one federal health official who spoke on the condition of anonymity to discuss internal deliberations. Safeguards are in place to block false information from being spread, but using them “eats up time” that could be used to investigate actual adverse events, said another official who spoke on similar terms.
The CDC said in a statement that the smartphone-based tool was developed to allow “people to report how they are feeling after covid-19 vaccination to CDC in almost real time.” The voluntary system is in addition to existing safety monitoring programs, the agency said. “Reports to v-safe indicating a medically significant health impact” are followed up by trained personnel. CDC vaccine experts may contact the person’s health-care provider to request more information, the agency said.
The v-safe platform “is in the final stage of development, which includes security testing,” the statement said.
The messaging tool promises to give officials a quicker signal of any safety issues associated with coronavirus vaccines. It prioritizes ease of use to encourage people to participate, but experts say that can make it less secure.
“With any widely available technology, there’s an opportunity for people to use spoofing and other nefarious techniques,” said Ed Simcox, who left his post as chief technology officer at the Department of Health and Human Services in February and is now chief strategy officer at LifeOmic, a software company. “That would undermine what is so potentially valuable about this system — going directly to patients, or citizens, to get their feedback about multiple vaccines administered in diverse settings.”
The smartphone technology is designed to enhance several well-established vaccine safety monitoring systems, including one run by the CDC and the Food and Drug Administration. That three-decade-old system, known as the Vaccine Adverse Events Reporting System (VAERS), is an early-warning system that also collects information about possible side effects or health problems after vaccination. The system looks for unusual or unexpected patterns that require a closer look. Anyone can report a reaction or injury, including health-care providers, patients and patients’ representatives, such as caregivers or attorneys.
Development of the tool was part of a partnership between Oracle and the Department of Health and Human Services, federal health officials said. The smartphone technology and other aspects of Operation Warp Speed, the Trump administration’s accelerator for vaccines and therapeutics, are undergoing “robust cybersecurity” vetting with several agencies, including the Justice Department, the Homeland Security Department and Defense Digital Services, HHS spokeswoman Natalie Baldassarre said.
An Oracle spokeswoman did not respond to a request for comment.
HHS has awarded a separate $2.3 million contract to CSRA, a Virginia-based IT company, for active vaccine surveillance. That one-year contract is for hiring people to take reports from v-safe recipients, according to federal health officials who spoke on the condition of anonymity because they were not authorized to discuss the matter. A spokesman for CSRA declined to comment.
The new smartphone-based system is targeted at early vaccine recipients, according to materials prepared by the CDC for an outside panel of immunization experts. Along with a cotton swab and Band-Aid, these patients will receive a fact sheet with a small black-and-white label. The label, known as a QR code, is the electronic entryway into the reporting system — one that will bypass doctor’s offices and medical bureaucracy and respond simply to the tap of an iPhone.
Text messages, set to arrive daily for the first seven days and then weekly for 1½ months, will direct users to Web-based surveys inquiring about their symptoms and posing such questions as, “Did you miss work?” and, “Were you unable to do certain daily activities?”
But anyone who gets access to the QR code, from a fact sheet accidentally left behind or from a photo posted on social media, could be able to access the system. That person could register and file false reports about their experience with immunization, one of the federal health officials said.
Depending on the answers, the information may prompt follow-up phone calls from trained personnel at the VAERS call center. That monitor may also contact the person’s health-care provider to obtain additional information, such as medical records, to assess the case. Such verification probably would prevent false reports of side effects from being entered into the VAERS system, the federal official said.
Officials also could determine whether the survey participant is a legitimate vaccine recipient by cross-checking information in a master database. But the verification would have to be done manually, because the v-safe system is not connected to the larger database.
Technology experts say this type of software, while easy to use, lacks strong safeguards.
“I think the devil is in the details here on how exactly this is implemented,” said Gunther Eysenbach, editor of the Journal of Medical Internet Research, who is also an adjunct professor at the University of Victoria in Toronto. “A fair bit of marketing is also needed so people don’t have fear about privacy.”
Grace Lee, a member of a federal advisory vaccine safety task force and a professor of pediatrics at Stanford University School of Medicine, said multiple systems track vaccine safety and each has strengths and limitations.
Lee said the new smartphone technology and the existing VAERS system will be important early in the coronavirus vaccination program. “V-safe will focus on patients self-reporting any symptoms, such as local and systemic reactions, after vaccination,” she said, referring specific questions to the CDC.
For the longer term, officials and providers can rely on several other systems, such as Vaccine Safety Datalink, a collaboration begun in 1990 between the CDC and nine health-care organizations, to help evaluate potential signs of safety problems, Lee said. The systems are often complementary; findings from one can be used to corroborate those from another to determine whether they are “true” signals.
Nicola Klein, director of Kaiser Permanente’s Vaccine Study Center, said security is of utmost importance for surveillance systems such as the Vaccine Safety Datalink that rely on the participation of large health-care organizations, including several Kaiser Permanente locations. VSD monitors the safety of vaccines and conducts studies about rare and serious adverse events following vaccinations. A limitation, however, is that it does not include people who never seek medical care, she said.
V-safe removes that barrier, which comes with benefits as well as risks. “It is a nice early-warning system, and has the potential to be very useful and give a lot of early information if people are willing to sign up for it,” Klein said.
State and local officials say they have limited knowledge of the new system.
“That’s a topic that we have actively been asking CDC for more information on,” said Imelda Garcia, associate commissioner for laboratory and infectious-disease services at the Texas Department of State Health Services. She added, “Obviously safety and risk communication are absolutely paramount when we’re talking about a novel vaccine.”
The scant information available to states, Garcia said, has left her with the impression that authorities in Washington intend to “essentially run and promote that at the federal level.”
But federal officials said they are relying on state and local leaders, as well as medical providers, to champion the software.
Asked about raising awareness of the software and its safeguards, Tom Shimabukuro, deputy director of the CDC’s immunization safety office, told an advisory panel last week that the agency is “reaching that time where we’re really going to be pushing out strongly and trying to get the message out as broadly as possible.”
Vaccination experts working closely with the CDC asked Shimabukuro how exactly the software would work. Some wondered especially whether a regime of text messages and electronic surveys would be realistic for residents of long-term-care facilities, who are among those expected to receive the first shots.
The facilities, too, seem still to be working out the details.
Janine Finck-Boyle, vice president for regulatory affairs at LeadingAge, a national association of aging services providers, said nursing homes “must have access to training on any new technologies, including v-safe, that are part of a vaccination program.”
CDC officials sought to clarify the basic elements of the program at the advisory panel last week. Shimabukuro explained to one participant that the technology was not an “app, like an app on your phone. It’s actually a text-messaging program.”
An app may have been a better way to ensure survey participants are properly authenticated, and prevent repeat submissions, said Ramesh Raskar, an associate professor at the MIT Media Lab and the founder of the PathCheck Foundation, a nonprofit organization that is developing software to help contain the pandemic. But that would have required approval in app stores, not to mention a more elaborate federal certification, said Simcox, the former HHS official. Those hurdles could have delayed its rollout, he said.
Alice Crites contributed to this report.