Why NABL Mandated QR Codes for Document Security

When National Accreditation Board For Testing And Calibration Laboratories (NABL) issued a notification on consecutive days on May 18 and May 19 , first for test reports and calibration certificates and then for Medical lab reports to carry QR codes, it shouldn’t have come as a surprise to those who have been following the document security space.

NABL has notified that QR code is mandatory on all test report certificates issued by laboratories and testing agencies. It also mentioned that such reports and certificates issued should be scanned with a QR scanning application on mobile and other devices. The idea is to prevent manipulation and other kinds of tampering of results and also prevent forged test reports and thus protect the consumer and the end-user.

Manipulation of test reports is one of the biggest problems today, not just in India but across the globe. Over the last year, many of our clients and website visitors were made aware of the mammoth problem of forged test reports and lab reports. We shared how, from Cyprus to Bangladesh, fake lab certificates were a global phenomenon . We also shared in the context of COVID, on how while science struggles, tech cracks the code . Finally, we shared how we can integrate document security into test and lab reports and have shared the best practices for secure QR code implementations .

However, little was being done in terms of policy for document security. This notification from NABL is a commendable first step.

What Does Document Security Mean for Labs and Testing Agencies ?

For a medical laboratory or a certification agency, here are some of the reasons to adopt document security

1. Ensure that certificates issued are tamper-proof so that they can be used for the purposes desired with full trust. This is not only in the interest of the end user and customer but also other stakeholders including authorities and government agencies etc.

2. Not only does this security help in smooth processing but also helps to maintain & protect the reputation of the laboratory

Why is the NABL notification a Good Thing ?

1. NABL notification is a step in the right direction of ensuring that document security becomes the responsibility of the issuing organisation itself.

2. By choosing QR Code based solutions unlike the much ‘publicised’ blockchain, NABL has chosen the right approach of ensuring ease of adoption and affordability. QR codes are known to come at much lower cost and affordability than blockchain and this is a tried and tested solution which works for both digital and physical documents. It’s also simpler to implement and integrate with existing workflows and processes.

3. The ability to verify on smartphones is a welcome move that can accelerate the adoption by verifiers.

NABL notifications regarding QR codes

But the notification misses out on something important; What is that and what should laboratories do ?

One of the first things to ensure in such QR codes implementation is that it’s not just a checkbox implementation to fulfil the directive but to go one step further and have Secure QR codes that help in having proper document security. The NABL notification talks only about QR codes but for it to be powerful and achieve the desired objectives - one should implement Secure QR codes in the documents.

Secure QR codes are different from ‘normal’ or ‘regular’ QR codes. The following are the trade-offs or disadvantages of having a regular/normal QR solution.

1. Having a normal QR code to link to an URL is a bad idea; it compromises security and adds to vulnerabilities since a) it can be generated by anyone & b) it can be scanned by any generic QR reader which may be leaking sensitive and confidential data to servers across the world.

2. QR code phishing is another reason why URL embedded QR codes may not be appropriate. Any bad actor might still forge the certificate and guide the verifier to a different, malicious site, and the verifier would have no clue.

3. URL based QR codes need internet access to verify. However, in most countries, including India, access to the Internet is non-uniform, flaky, and sometimes the codes need to be verified in air-gapped environments. Hence there is a need to make the document verifiable offline. This can be easily done with self contained secure QR codes digitally signed by the private key of the issuer and only needing the public key in an authorised app to authenticate.

Why Secure QR Codes are like Steroids to the NABL Notification ?

While a Secure QR code looks like a regular QR code for the naked eye, it differs significantly in terms of the security it provides. A secure QR code printed on the certificate (physical), or an e-certificate (digital) is tamper proof , and makes the certificate itself easily verifiable and trustworthy. As a result, the Secure QR code solution adds a far higher level of security to the NABL implementation.

1. Secure QR offers a similar level of security for the document as to what a blockchain implementation can offer but at a fraction of its cost & with much greater flexibility and simplicity .

2. Secure QR offers a simple, easy, and affordable mechanism for the issuer to issue a tamper-proof certificate yet makes it easy for the verifier to verify offline where there is no internet or where the internet environment is unstable .

3. Secure QR codes have higher embedded security compared to URL based QR codes and hence maintain the integrity of your information without the need for database connectivity. These certificates can be revoked/updated for scenarios where this is needed (though this feature comes with a special type of Secure QR code called EDC codes that will need data connectivity for verification).

Unless the QR code is made secure at the source, bad actors will take advantage of its simplicity to further complicate. In addition, the certificates and lab reports will continue to be forged with a ‘new QR code’, which would only complicate tracking.

Secure QR Code – The Next Big Leap in making reports Tamper Proof

Secure QR code is an all-in-one security solution - think of it like achieving what holograms, embossments, digital, RFID and intelligent chips and blockchain achieve together - it is all of this rolled into one but much easier to execute and use. It thus ensures -

• Affordable Integration
• Digital-Physical Certificates
• Ease of Verification
• Easy Generation
• Seamless Security
• Tamper Proof Documents

Sample Vaccination Certificate with Secure QR Code

Sample Lab report with Secure QR Code

This is also why we think NABL mandated QR Codes is an endorsement for Secure QR codes and better document security.

You may also be interested in -

• How can Labs and Testing Organisations implement and integrate NABL mandate on QR Codes
• What! 1,00,000 fake COVID-19 test certificates that went undetected?
• I was nervous using a fake Covid-19 test certificate
• Did you know - there is an easy way to incorporate document security with your LIS