When Privacy Matters | Not all Digital Contact Tracing Solutions Are Alike

Sebastian Andreatta, Co-Founder and COO, Kiana Analytics

Sebastian Andreatta, Co-Founder and COO, Kiana Analytics

Corporate and Government leaders are understanding better the best practices in dealing with the pandemic: wear masks, test regularly, isolate when necessary, clean infected areas immediately and perform contact tracing.  The last is the most complicated because it requires manual contacting to locate exposed people. As done now, this takes time and effort and has relatively low compliance. In short, manual tracing is far too slow in a large dynamic corporate or manufacturing environment, so the solution is to enhance the contact tracing program with digital discovery and exposure analysis.  Doing this affords helps organization to quickly identify all exposed individuals and react immediately to isolate and test affected people and places.  Unlike this time last year, there are now a plethora of solutions to help.

The problem now is not whether, or even how, to provide automated contact tracing, but which solution would be most effective for their campuses. Since the data collected to help identify infected individuals are by definition sensitive personal health data (both PII (Personally Identifiable Information) and HIPAA), the question at the top of the list when evaluating alternatives: Is this solution truly private?

Any solution you select should meet some basic criteria:

1. Must not compromise personal privacy

2. Should not put the organization at risk

3. Should not risk delaying your response

4. Should not require investing in a disposable solution (point solutions that offer no long term value for your investment).

To make an informed decision, one needs to look a bit under the hood of any solution and ask a few questions:

Is sensitive user data truly secure? Ideally, the vendor provides a complete and integrated solution that has privacy designed from the ground up. Things to look for:

● It’s critical to collect encrypted data to guarantee security. The solution should collect only the information necessary to accomplish the task and analysis should be performed with encrypted data by authorized staff.

● The solution should be end-to-end, i.e. it should interface to your registration, human resources, and authentication systems. The solution should facilitate easy integration with your campus infrastructure, and meet your privacy policies.

● Look at a vendor’s core solution; demonstrable experience in this sort of analysis is the difference between an expertly designed solution and a product rebranding as “me too.”

Is the data centralized or distributed? Centralized data means the information is located in a central repository (a local server, or secure Cloud account) and affords much tighter security control. Distributed information gathering systems (as with Bluetooth based apps for contract tracing) have the advantage of giving control to the app owner, but they also create many more opportunities for data breaches.

Who can access the data? The vendor should implement enhanced security, such as two factor authentication. Only critical health and security managers should be allowed to view PII.

Can the solution provide for other needs beyond contact tracing? Avoid disposable solutions (point solutions that offer no long term value for your investment). A system should also identify locations that need to be cleaned, alert health teams when people are violating social distancing protocols, and help to reengineer facilities to minimize congestion.

Data Sunset.  The system should delete PII or Private data when no longer needed

Know your Tech Tracing Options

Digital solutions from Bluetooth-based apps (as with Apple and Google’s much hyped bluetooth proximity software for phones) to WiFi-based tracing are readily available. Both promise to identify individuals who are infected, and either alert the individuals or the organization to take preventive measures. However, in many cases the data captured is not always secured or collected in a manner that supports privacy standards.

Bluetooth apps,unfortunately with time, have proven to be unreliable, prone to false positives/negatives (and the institution is not informed of any results).  When considering these Apps, one must be assured that management and control over the data are secure. The nature of these apps is they ostensibly keep the data only on the device. However, they provide their service via a cloud service (Apple, Google, Salesforce, and others) which is inherently insecure. A recent study from the University of Utah analyzed 60 apps for contact tracing and found that over 50% were not as secure as advertised. A combined adoption and usage rate of 65-70% is needed for a solution to be effective. The best adoption rates in the West are under 40%.

Solutions using existing WiFi infrastructure are inherently more reliable and accurate, but the way different vendors implement contact tracing may leave your institution at risk of exposing sensitive data and subject to privacy breaches. Most enterprise WiFi manufacturer solutions only provide local rudimentary information from individual access points, making it incomplete at best and requiring substantial integration effort to provide meaningful and secure contact tracing. In all cases, when vendors require you to integrate your systems on your own or through contract development, inevitably, this opens up opportunities for a data breach.

Make your Decision

Focus on solutions coming from vendors experienced in private data analytics and who understand privacy requirements. Make sure privacy is the core of the solution and not an  afterthought. Next, make sure you get multiples of value for your investment. Well thought out solutions will enable you to meet other objectives such as targeted cleaning, site management and physical security. These solutions will also be able to adapt to other health and wellness requirements in the future  (even flu season could be better managed). Look out for hidden costs such as integration charges for adapting to your environment.

Making a decision can take a bit of time, but it is time well worth spending before you invest in any solution that could expose sensitive information to outside actors and place your organization at risk for exposting health and personal data.