With the arrival of fall months and cooler weather, outbreaks of the Coronavirus disease (COVID-19) continue to increase and businesses struggle with re-opening plans. Many have started to plan their employees to transition from remote to on-site work after the holidays. In all cases, businesses are coming to grips with the necessity of planning for the long haul, where they expect to coexist with this pandemic for some time. A growing number of forward-thinking organizations are also looking longer term to be alert and prepared for challenges to employee health in the future.
Automated contact tracing is the answer
Business leaders are understanding better the best practices in dealing with the pandemic—wear masks, test regularly, isolate when necessary, clean infected areas immediately and perform contact tracing. The last is the most complicated because it takes time, requires manual contacting to locate exposed people and is often done far too slowly to respond effectively for a large dynamic business environment. The solution is to enhance the contact tracing program with digital discovery and exposure analysis to increase reaction time and efficiency. By augmenting with automated digital solutions, an organization can quickly identify all exposed individuals and react immediately to isolate and test affected people and places.
The problem now is not whether, or even how, to provide automated contact tracing, but which solution would be most effective for an organization. Since data collected to help identify infected individuals by definition contain sensitive personal health information (both personally identifiable information, or PII, and HIPAA), the question at the top of the list when evaluating alternatives is, is this solution truly private?
Selecting a solution: The difference between expertly designed and “me too”
Any solution you select should meet some basic criteria:
1. Must not compromise personal privacy.
2. Should not put the organization at risk.
3. Should not risk delaying your response.
4. Should not require investing in a disposable solution.
To make an informed decision, one needs to look under the hood of any solution and ask a few questions:
1. Is sensitive user data truly secure? Ideally, the vendor provides a complete and integrated solution that has privacy designed from the ground up. Things to look for:
● It’s critical to collect encrypted data to guarantee security. The solution should collect only the information necessary to accomplish the task and analysis should be performed with encrypted data, where only authorized personnel can access decrypted details.
● The solution should be end-to-end, i.e. it should incorporate your own registration, human resources and authentication systems.
● Products that are built with analysis in mind are designed to provide or facilitate easy integration with your internal applications.
● In all cases, you should look at the company’s experience and level of expertise in analyzing sensitive data to identify the difference between an expertly designed solution and a product rebranding as “me too.”
2. Is the data centralized or distributed? Centralized data is located in a single repository (a local secured server, or secure cloud account). Distributed data may be on multiple devices and databases.
Centralized data affords much tighter control and security of the information. Distributed information gathering systems (as with Bluetooth-based apps for contract tracing) have the advantage of giving control to the app owner, but they also create many more opportunities for data breaches.
3. Who can access the data? The contact tracing solution should implement enhanced security, such as two-factor authentication. Only critical health and security managers should be allowed to view PII. There should also be a system of record to audit data access, enable additional features and track searches.
4. Can the data support other needs beyond contact tracing? This question speaks to the value provided by the vendor. A robust solution will also provide assistance in identifying locations that need to be cleaned, alert health teams when people are violating social distancing protocols, and reengineer facilities to minimize congestion for everyone on campus.
5. Data sunset. The system should be sophisticated enough to automatically delete and retire any search and associated data. In the case of COVID-19 and based on CDC guidelines, data after 14 days is no longer relevant and should be deleted.
Know your tech tracing options
Digital solutions from Bluetooth-based apps to WiFi-based tracing are all readily available. Both promise to identify individuals who are infected, and either alert the individuals or the institution to take preventative measures. However, in many cases the data captured is not always secured or collected in a manner that retains privacy standards required to protect individual information.
Bluetooth apps are ubiquitous, but they have proven to be increasingly unreliable and prone to false positives. Many implementations are shown to not provide adequate privacy protections. When considering Bluetooth applications, one must be assured that control over the data is secure. The nature of these apps is they ostensibly keep the data only on the device. However, they provide their service via a cloud app, which is inherently insecure.
A recent study from the University of Utah analyzed 60 apps for contact tracing and found that over 50% were not as secure as advertised. In Germany, a national effort for a contact tracing app was dropped when researchers identified critical privacy issues. These apps require a third party to collect and manage exposure data. Finally, in order for the solution to work at all, apps require a very high adoption rate and app users must regularly report their health status. A combined adoption and usage rate of 65-70% is needed for a solution to be effective. The best adoption rates in the west are under 40% (Iceland) with most states in the use under 6%.
Solutions using existing WiFi infrastructure are inherently more reliable and accurate, but the way different vendors implement contact tracing may leave your institution at risk of exposing sensitive data and privacy breaches. In all cases, when vendors require you to integrate your systems on your own or through contract development, inevitably, this opens up opportunities for a data breach. It’s like building the airplane as you fly it.
Make your decision
So, how do you select a solution that is both accurate and able to deliver truly secure and private protection of student and staff PII data?
For starters, focus on solutions coming from vendors experienced in mobile user analytics and who understand privacy requirements such as GDPR and CCPA from the start. Make sure the privacy is the core of the solution and not a bolted-on afterthought.
Next, since this is an investment make sure you get multiples of value for your dollar. Well thought out solutions will enable you to meet other health objectives such as targeted cleaning, site management and physical security. Look out for hidden costs, such as integration charges for adapting to your organizations’ environment. The ideal solution is comprehensive and inclusive of your organizations’ unique management systems.
Making a decision can take a bit of time, but it is worth it before you invest in any solution that could expose sensitive information and give your company a failing grade in protecting your staff’s health and personal data.