Protecting employee COVID-19 health data: What CISOs need to know

Most companies are tracking coronavirus-related health data of their employees, and this presents unique risks and security challenges for CISOs.

Businesses re-opening in the wake of COVID are faced with keeping track of who in the company is healthy, who is sick, and who needs to isolate. A new International Association of Privacy Professionals (IAPP) study shows that 60% of employers are keeping records of employees diagnosed with COVID-19.

These new sensitive datasets come at a time when many established security controls are in a state of flux due to large-scale remote working. CISOs need to know the risks associated with these datasets and help decide what data to collect and how.

The CISO’s role in COVID data collection

Reporting efforts and the types of data collected vary from self-reported health questionnaires and contact tracing through mobile apps and wearables to infrared thermometers and thermal video mapping. This information might exist in isolation or might be collated and aggregated to provide a more complete picture of employee health.

Forrester Senior Analyst Enza Iannopollo recommends that businesses think carefully about how they leverage COVID-related data collection efforts. “If those efforts are just happening in isolation and there are no policies aligned [to] help organizations maintain a safe environment, it will be just a cost to the organization in terms of liability and detriment to trust of employees as they will feel surveilled.”

Before anything is collected, CISOs should advocate for collecting as little information as possible in the least intrusive way to reduce the organization’s liability if that data is lost. “There will always be a temptation during this period around collecting data they don't actually need,” says Marcus Vass, partner at Osborne Clarke leading the Digital Health team. “A simple way to focus the minds of CISOs and others is to say in collecting the data, 'What would happen if this was breached, how bad would it be?'”

Data Protection Impact Assessments or Privacy Impact Assessments will help the business assess what data it really needs to collect, why, and what protections are adequate against that data. It will also provide a paper trail if a company is challenged about its data collection efforts or suffers an incident relating to that data. “The nature of those forms is to ensure that you've thought very carefully about what's required as part of processing this data,” says Anna Elliott, partner at law firm Osborne Clarke. “What data is required, how it will be used, how long [you] will store it, how long you intend to keep it; all those considerations need to be taken into account to evaluate the risk profile, particularly when we're talking about medical evidence and people's health information.”

Iannopollo says that HR leads many COVID-19 tracking efforts. They simply apply existing data retention and data governance standards to this new data, which she says is a starting point. "Existing retention policies and governance policies are absolutely not enough, and some organizations are proceeding with a false sense of security. Some CISOs have told me that they are occasionally involved in reviewing some of the measures, but really they are not that involved. This is an enormous risk.”

The CISO will likely need to work closely with the organization’s Data Protection Officer (DPO), if it has one, as well as the CIO and legal counsel to help quantify the risk appetite around the data and then define and implement adequate controls and an incident response plan if the data is lost. CISOs will also have to work with the business to understand who owns the data and the risk around it.

“If we're talking about collecting greater data about staff and it is for the first time health related,” says Vass, “the CISO is the person who has got to work out the technical architecture to comply with what the DPO says is permitted. The DPO saying, 'You didn't tell me about this' isn’t going to be a defense if you have personal data, in particular health data, that has been misused without checking with the DPO and getting their sign off.”

CISOs should help HR to be clear and transparent about data being collected and how it is being protected to allay any concerns from employees. “With any introduction of policies or procedures, good communication is essential to ensure that they are received and well understood,” says Elliott. “Communicate the position very clearly to employees, including the rationale and basis for the measures, how the data will be used, who it will be shared with, etc. Obtain employees' agreement rather than forcing them. You need to get their buy-in to this and agree on the appropriate measures with them.”

Securing employees' COVID-19 data

Working from home adds a complicating factor. A mix of personal and corporate devices, at varying patch levels, connecting to corporate systems over consumer-grade home networks adds risk.

“Anyone who has access [to employee COVID data] should have a demonstrable business need for access. Each person should have access to only the minimal set of data that they need to accomplish their functions, and all access to sensitive data should be logged,” says Jason Smolanoff, senior managing director and global practice leader at Kroll’s cyber risk practice.

Access should be assessed in terms of who can access the information, how it is accessed (for example, via VPN or single sign-on to a cloud-based service), from what devices, and from where. The security of the home network, whether the information can be printed locally, and who in the household might be able to get access to it should all be considered for each person with access to that data.

“There is much greater capability for it to go wrong,” says Osborne Clarke’s Vass. “The CISO will have to team up with the DPO to assess whether that can in fact be performed remotely or whether that is going to have to be structured such that it can only be accessed on site and processed on site.”

While it is likely easier to keep information anonymized, organizations that want more granular information will need to consider how this new data set links to existing systems. If a company plans to keep the data as pseudo-anonymized as possible to ease liabilities, linking that health data to any sort of permanent employee records may be an issue. The security of those connection points must be closely looked at and monitored.

“Try to avoid moving a lot of existing data into a new data structure, but rather have a value that can be used to link the COVID data to your existing HR or medical department systems,” advises Smolanoff.

Data retention and decommissioning also need to be clearly defined. The UK’s National Health Service (NHS) has announced it will hold onto the personally identifiable information collected by its track and trace app for 20 years. Private organizations, however, should be looking at much shorter timelines for retaining data. “Have a plan for decommissioning at the end of the process,” advises Vass. “If it's considered to be a temporary measure, you need to have in place in a transparent way about how that technology is going to be decommissioned at the end.”
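As an added illustration (not code from the article or from any vendor it mentions) of the advice in this section: a keyed linking value instead of copying HR data into the new dataset, access limited to roles with a demonstrable business need and logged on every attempt, and a short retention window with an explicit decommissioning step. The key, the roles, the 28-day retention period and the sample records are all assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed secret: in practice it lives in a KMS/HSM or with the DPO,
# never in the HR database, so a leaked health table cannot be re-linked.
LINK_KEY = b"constructed-example-key-do-not-reuse"

def link_token(employee_id: str, key: bytes = LINK_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) that links a health record back to HR
    only for someone holding the key; the token alone reveals nothing."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

class CovidDataStore:
    RETENTION_DAYS = 28                       # assumed short retention window
    ALLOWED_ROLES = {"occupational_health"}   # roles with a demonstrable need

    def __init__(self):
        self.records = {}    # token -> {"status": ..., "recorded": datetime}
        self.audit_log = []  # every access attempt, granted or denied

    def record(self, token: str, status: str, when: datetime) -> None:
        self.records[token] = {"status": status, "recorded": when}

    def read(self, token: str, actor: str, role: str, when: datetime) -> dict:
        """Least privilege: only listed roles may read, and every attempt is logged."""
        granted = role in self.ALLOWED_ROLES and token in self.records
        self.audit_log.append((when.isoformat(), actor, role, token,
                               "granted" if granted else "denied"))
        if not granted:
            raise PermissionError(f"{actor} ({role}) has no business need")
        return self.records[token]

    def purge_expired(self, now: datetime) -> int:
        """Retention: drop anything older than RETENTION_DAYS; returns the count."""
        cutoff = now - timedelta(days=self.RETENTION_DAYS)
        expired = [t for t, r in self.records.items() if r["recorded"] < cutoff]
        for t in expired:
            del self.records[t]
        return len(expired)

    def decommission(self) -> int:
        """End of the programme: wipe the dataset, keeping only the audit log."""
        count = len(self.records)
        self.records.clear()
        return count
```

The audit log deliberately stores the token rather than the employee ID, so reviewing who looked at the data does not itself expose identities without the key.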

Compliance requirements for COVID data

In the UK and Europe, the GDPR categorizes health data as “special category data.” This will inform much of an organization’s decision making around data protection and the measures that will need to be put in place. Any firms within the EU looking to use location data will also need to keep the EU ePrivacy Directive and local implementations such as the UK’s Privacy and Electronic Communications Regulations (PECR) in mind.

Even within the GDPR there is a lot of variation to consider. In France, for example, employers cannot normally collect any health information, while in Germany organizations will need to liaise with work councils and justify what data is being collected from employees and why. “Organizations can't just take a blanket global approach on this,” says Osborne Clarke’s Elliott. “They need to ensure they're combined with the relevant local laws. They need to make sure they are still complying with the overriding obligations under health and safety law and privacy law.”

The GDPR includes exemptions around public health, so organizations should likely rely on the public health emergency when justifying their data collection. Local Data Protection Authorities have published additional guidance around collecting COVID-19 data and technologies such as track and trace apps.

“ICO has produced some guidance around the obligations of employers during this time which says that the data protection shouldn't be a barrier to the overriding duty to protect health and safety of employees,” says Elliott. “All that guidance is non-binding at the moment and not incorporated into law. So, you can't ignore the overriding legal obligations. You have to take a holistic view and make sure you're still complying with your underlying and overarching objectives and health and safety, data protection, and employment law which continue to apply in whatever you're doing at the moment.”

Where COVID-19 data resides in terms of compliance requirements isn’t so clear cut in the US. HIPAA will not apply to all organizations in the US even if they are collecting health-related data, while the Americans with Disabilities Act (ADA) will likely not apply to all employees. And while some state-level regulations such as the California Consumer Privacy Act (CCPA) might dictate planning around how data is protected, each state will have different expectations around the data.

“For the CISO, you're in the most unfortunate position of trying to predict the classifications and the layer of protection that should be applied to these databases,” says Peter F. McLaughlin, partner at law firm Culhane Meadows. “Whether it's SARS or H1N1 or HIV, contact tracing apps are not new, but at the moment I'm not sure where on the spectrum of sensitivity a COVID diagnosis falls.”

“We're taking sort of a new batch of data and trying to figure out what category does this fit in and what levels of protection do we need to apply,” McLaughlin adds. “This environment is going to be viewed with the benefit of 20/20 hindsight, so you want to make sure that you're applying a process that's appropriate, rigorous, and that you're doing it consistently.”

In lieu of any single regulation that might help guide data protection thinking (and assuming they haven’t adopted a policy of global GDPR compliance), McLaughlin recommends that US organizations look to well-established standards such as ISO 27001, ISO 27002, ISO 27005, or NIST’s Data Privacy Framework for best practices, and document decision making in case organizations are later challenged on why certain actions were taken.

“Certainly, if the data were lost, the Federal Trade Commission would be among the first to send a letter saying, ‘You had all this sensitive information about your employees and you lost it. Please talk to us about what happened,’” says McLaughlin. “Some of the first questions are going to be, 'What did you do? Please show us your documentation. How did you arrive at the decision that you did, and what was the process?' You'll be in a better place if you're able to demonstrate that the things that you did and that the technologies and the configurations and so forth are consistent with generally recognized benchmarks.”

How to evaluate COVID data collection tools

A market for data collection systems has already sprung up with more than 40 vendors offering some sort of tracking system. However, the urgency to implement a solution might encourage some to avoid the usual checks and balances.

“There has been a mistaken belief that because everything is being rushed through that the normal rules of personal data and the sensitive nature of health data can be in some way waived,” says Vass. “People have thought that the law can be slightly blindsided at this time, and a number of companies are stirring up problems for the future.”

Retired Air Force Brigadier General Greg Touhill, previously federal CISO of the U.S. government and now on the faculty of Carnegie Mellon University’s Heinz College, advises companies to look for independent third-party pen-tests of COVID-related applications. “Many of the reputable application developers now routinely hire pen-testers to evaluate their products and share the results on request to demonstrate the capabilities of their products.”

Touhill also advises CISOs to check for reviews of the application as they can reveal a lot about strengths and weaknesses, and to ask for references of previous customers (though this may be difficult for new products).

Other security features and considerations to look for include:

  • Multi-factor authentication (MFA)
  • Whether data is encrypted at rest and in transit
  • If data can be deleted upon demand without leaving artifacts behind
  • What data is stored on the device
  • What data is transmitted and how it is sent
  • Where it is to be stored and who is managing that location
  • Monitoring and logging capabilities
  • Whether that data is going to be anonymized, pseudo-anonymized, identifiable, or aggregated once it reaches its location
  • Whether the app/system is auditable and has accessible documentation
  • Data retention and deletion policies and processes

“You can’t simply say, ‘it’s stored in the cloud, so it’s someone else’s problem,’” says Smolanoff. “Everything in the system is your responsibility, even if you outsource it to someone else.”

Forrester’s Iannopollo warns that some third parties may try to use that data for their own purposes – for example, an insurer might use it to help determine workplace premiums. “The language of the contractual obligations needs to be framed very specifically. Retention policy is where you have to look,” she says. “That data is too tempting for a number of different companies to stay around.”

Be aware how the application provider regulates access. Some might say they have zero access only to caveat it with exceptions. Iannopollo advises that organizations get clear information from vendors about how that data will be masked, de-identified, anonymized, pseudonymized, or aggregated. “You want to work with third parties that have a reputation for being trustworthy, to have ethics in the way they deal with data,” she says. “I wouldn't work with third parties that cannot show a proven record of commitment to best practices when it comes to their data management and privacy and security.”

Copyright © 2020 IDG Communications, Inc.
