When Privacy Matters, Not all Contact Tracing Solutions Are Alike

by Sebastian Andreatta, Co-Founder & COO of Kiana Analytics

Cases of COVID-19 are increasing and institutions are struggling to keep their programs active. Educational leaders now have a better understanding of best practices for dealing with the pandemic: wear masks, test regularly, isolate when necessary, clean infected areas immediately and perform contact tracing. The last best practice is the most complicated because it requires manual contact to locate exposed individuals.

Automated contact tracing can help with this process. Since the data collected is sensitive personal health data, both Personally Identifiable Information (PII) and HIPAA-regulated health information, the question at the top of the list when evaluating alternatives becomes, “Is this solution truly private?”

Is sensitive user data truly secure?

Ideally, the vendor provides a complete and integrated solution that has privacy designed in from the ground up. Things to look for when evaluating a solution include:

  • It’s critical to collect encrypted data to guarantee security. The solution should collect only information necessary to accomplish the task, and the analysis should be performed with encrypted data by authorized staff.
  • The solution should be end-to-end, i.e., it should interface with your registration, human resources, and authentication systems.
  • The solution should facilitate easy integration with your campus infrastructure and meet your privacy policies.
  • Look at a vendor’s core solution. Demonstrable experience in this sort of analysis is the difference between an expertly designed solution and a rebranded “me too” product.

Is the data centralized or distributed?

Centralized data means the information is located in a central repository (a local server or secure cloud account), which affords much tighter security control. Distributed information gathering systems (as with Bluetooth-based apps for contact tracing) have the advantage of giving control to the app owner, but they also create additional opportunities for data breaches.

Who can access the data?

The vendor should implement enhanced security, such as two-factor authentication. Only critical health and security managers should be allowed to view PII.

Can the solution provide for other needs beyond contact tracing?

Avoid “disposable solutions,” which are point solutions that offer no long-term value for your investment. A system should also identify locations that need to be cleaned, alert health teams when people are violating social distancing protocols, and help to reengineer facilities to minimize congestion.

Data Sunset.

The system should delete PII data when it’s no longer needed.

Know your Tech Tracing Options

Digital solutions, from Bluetooth-based apps such as Apple and Google’s much-hyped Bluetooth proximity software for smartphones to Wi-Fi-based tracing, are readily available. Both promise to identify individuals who are infected, and alert either the individuals or the institution to take preventive measures. However, in many cases the data captured is not always secured or collected in a manner that supports the institution’s privacy standards.

Unfortunately, Bluetooth apps have proven over time to be unreliable and are prone to false positives and false negatives (and the institution is not informed of any results). When considering these apps, one must be assured that management and data are secure. The nature of these apps is that they ostensibly keep the data only on the device. However, they provide their service via a cloud service (Apple, Google, Salesforce, and others), which is inherently insecure. A recent study from the University of Utah analyzed 60 apps for contact tracing and found that over 50% were not as secure as advertised. A combined adoption and usage rate of 65-70% is needed for a solution to be effective. The best adoption rates in the West are under 40%.

Solutions using existing Wi-Fi infrastructure are inherently more reliable and accurate, but the way different vendors implement contact tracing may leave your institution at risk of exposing sensitive data and subject to privacy breaches. Most enterprise Wi-Fi manufacturer solutions only provide rudimentary local information from individual access points, making it incomplete at best and requiring substantial integration efforts to provide meaningful and secure contact tracing. In all cases, when vendors require you to integrate your systems on your own or through contract development, inevitably, this opens up opportunities for a data breach.

Make your Decision

Focus on solutions coming from vendors who are experienced in private data analytics and understand privacy requirements. Make sure privacy is at the core of the solution and not an afterthought. Next, make sure you get multiples of value for your investment. Well-thought-out solutions will enable you to meet other objectives, such as targeted cleaning, site management, and physical security. These solutions will also be able to adapt to other health and wellness requirements in the future (even flu season could be better managed). Look out for hidden costs, such as integration charges for adapting to your institution’s environment. The ideal solution is comprehensive and inclusive of your institution’s unique campus management systems.

The decision process can take a bit of time, but it is time well spent before you invest in any contact tracing solution that could expose sensitive information to outside actors and give your institution a failing grade in protecting student and staff health and personal data.


About the Author

Sebastian Andreatta is a co-founder and COO of Kiana Analytics, recently included in Gartner’s CIO Guide: How Location Services Can Help Mitigate COVID-19 Spread.
