Coronatest.nl does not meet the safety requirements, how bad is that?

The fact that the website Coronatest.nl still does not meet six security standards six months after its launch is a bad sign. That is what several experts who specialize in audits like the one currently under way at the GGD told DeccEit.

Coronatest.nl is the government website for making test appointments at the GGD and requesting results. In total, there were eight standards which the GGD did not meet; in two cases the problem has already been resolved.

Because Coronatest.nl supports login via DigiD, the site must meet strict requirements. Especially with new sites that support DigiD, this is a problem. In 2020 there were 38 sites with a new DigiD link in which one or more things had to be improved, including Coronatest.nl.

“Many websites do not meet all requirements after launch,” says Floris Meijer, who specialises in this type of so-called DigiD audits. “But eight out of twenty is exceptional.” In the meantime, two problems have been solved.

Risk of losing the DigiD link

Documents held by DeccEit show that the site eventually runs the risk of losing the DigiD link. The first step will be taken this week. The problems must be resolved within four weeks; according to the GGD, this will work.

In the meantime, according to Logius, “technical measures” have been taken to ensure that the problems cannot be misused as long as they have not been fully resolved.

It is difficult to estimate exactly how serious the shortcomings are. “It may mean that the paperwork is not in order, but also that the whole system is as leaky as a basket,” says former auditor André Koot.

Another auditor says, “I had an audit the other day where someone forgot to sign a contract. Then you don't get to the norm either.” But, “Most of our customers succeed with flying colors.”

Safety has not been compromised

Minister De Jonge of Health says that he was not aware of the safety problems. He heard of it yesterday and informed the House of Representatives about it.

According to De Jonge, the problems are easy. “I understand that safety has not been at stake. The GGD assured me that there are, or were, no security risks. I'm not worried about that.” According to De Jonge, this is a standard procedure which is followed.

However, three of the problems have been classified as high risk; one of these three deficiencies has now been corrected.

An auditor who does not want to be mentioned by name – “confidentiality is our profession” – states that there is little chance that this is, for example, a missing signature. “Then you'd have longer to solve it.”

Meijer also suspects a technical problem. “I think this is about the quality of the connection, for example,” says Meijer. “The encryption doesn't seem to be in order.”

House not informed

MPs are not satisfied with De Jonge's statement. MPs Verhoeven (D66) and Agema (PVV) asked the Minister for clarification; they also want to know why he did not inform the House. This could have been done, for example, during the debate on the GGD leak last week.