While the omicron-fueled COVID-19 surge is easing in many parts of the United States, it is still setting national and international records. With the likelihood of new variants also on the horizon, it is vital for employers to communicate quickly and effectively as new information emerges. Employers are grappling with the challenge of keeping their workforce as safe as possible, while protecting personal health data that is sensitive in nature.
State and local government organizations are tasked with collecting and protecting a growing volume of employee data related to COVID-19. This expansion of Protected Health Information (PHI) and Personally Identifiable Information (PII) places a greater burden on both HR functions and executive decision makers.
Meanwhile, cyber risks are only increasing. HIPAA Journal noted 642 data breach incidents involving 500 or more records in 2020, a 25% year-over-year increase. It reported 655 such incidents from January to October 2021, a new record. Additionally, 75% of state and local governments experienced a potential breach or compromise in the past year, according to research by MeriTalk.
Clearly, agencies need an effective way to protect the employee COVID-19 data they capture, store, and transmit. They can achieve this goal by following three steps:
- Establish a secure process for collecting employee PII.
Many agencies capture proof of employee vaccinations or negative test results. But employees can’t simply bring a vaccination card to work and show it to a manager, or display an image of the card on their smartphone.
Instead, OSHA recommends employers keep a record of employee vaccinations. This may include a physical copy of the vaccination record, a digital copy such as a scanned image, digital photograph or PDF version, or a medical record or other official documentation of the vaccination.
Regardless of the format of the data, HR teams will need to collect the results, aggregate them across their workforce, and communicate to managers which of their employees are unvaccinated. This information will need to be shared via email or other collaborative workflows. It is imperative that these data transmissions remain secure from end to end.
- Protect data end-to-end, not just in transit.
Organizations typically rely on the native encryption of most email applications to secure transmissions of sensitive data. The traditional approach is Transport Layer Security (TLS). But TLS has a fatal flaw: it only protects messages while they are in transit between servers, so PHI is exposed on every server along the way and remains vulnerable to a data breach because it is not encrypted end-to-end.
To understand what it means to protect data end-to-end, it helps to first understand encryption. Encryption uses complex algorithms, but conceptually it’s like wrapping data in an impenetrable wrapper. It hides the contents of a data object so that it can only be read by the person or entity authorized to read it.
Yet, when data is shared, it is never a simple A-to-B journey. Let’s take the example of an attachment to an e-mail. The message is written in an email client such as Gmail. The attachment is uploaded to Google’s servers. Once the e-mail is sent, it travels on the Internet from network to network. It eventually reaches the recipient’s network and email client. Although email is delivered in an instant, it is transmitted through multiple technology ecosystems before reaching its destination.
End-to-end encryption protects this data from its creation until it is accessed by the authorized recipient. It protects data across all formats, devices, and ecosystems: emails, attachments, documents, videos, databases, Internet of Things (IoT) devices, and more.
This way, state and local governments can ensure they are protecting and respecting employee data while helping to maintain compliance with regulations such as HIPAA and FERPA.
- Respect the data: Give employees control over their own personal information, while building in safeguards.
Protecting employees’ personal data is not only a cybersecurity matter. It also involves employee trust, so it’s important to give employees control over their data while also demonstrating a commitment to protecting it.
This is particularly important as the trust of citizens and employees has eroded. Trust in government in the United States, although it increased by 3 percentage points last year, remains at a rather dismal 42%, according to the Edelman Trust Barometer 2021. Worldwide, only 53% of government employees trust their employer, the same study finds. And 68% of people are concerned about hackers and cyberattacks.
As the government job market has tightened in the wake of the pandemic, confidence can become a competitive advantage. And as agencies collect and manage employee data related to COVID-19, it will be imperative to demonstrate a commitment to employee privacy.
End-to-end encryption puts control of the data in the hands of the data owner. No matter how or where the data moves, the owner can change controls, limit sharing, or even revoke access.
These three crucial steps for end-to-end data protection are all enabled by an open standard called Trusted Data Format (TDF), which enables agencies to encrypt data, control access to it, and audit its protection wherever it is created or shared.
TDF was created at the National Security Agency and thousands of organizations are already using it to achieve secure data sharing, with platform-independent encryption of any type of data on any device or cloud environment. This open-source technology can be particularly effective at the national and local levels, as these agencies are tasked with protecting growing amounts of sensitive data, such as employee vaccination records and test results.
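To make the difference between transit-only protection and end-to-end, owner-controlled protection concrete, here is an added example (not Virtru’s code and not the TDF specification) that models the ideas the article describes: the payload is sealed before it leaves the sender, an intermediary such as a mail server only ever holds ciphertext, a key access service releases the data key only to recipients on the owner’s policy, the owner can revoke access later, and every key request is audited. The hash-based counter-mode cipher is a standard-library stand-in for the authenticated encryption a real deployment would use, and the service, policy and sample record are all constructed for illustration.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from SHA-256; a stdlib stand-in for AES-GCM (illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyAccessService:  # hypothetical: holds data keys + owner policy, audits every request
    def __init__(self):
        self.keys, self.policy, self.audit = {}, {}, []
    def register(self, obj_id, key, owner, recipients):
        self.keys[obj_id] = key
        self.policy[obj_id] = {"owner": owner, "allowed": set(recipients)}
    def revoke(self, obj_id, owner, who):
        if self.policy[obj_id]["owner"] != owner:
            raise PermissionError("only the data owner may change the policy")
        self.policy[obj_id]["allowed"].discard(who)
    def rewrap(self, obj_id, requester):
        ok = requester in self.policy[obj_id]["allowed"]
        self.audit.append((obj_id, requester, "granted" if ok else "denied"))
        return self.keys[obj_id] if ok else None

def seal(payload: bytes, owner: str, recipients, kas) -> dict:
    # Encrypt at creation; the object carries no key, only a reference the service resolves.
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ct = keystream_xor(key, nonce, payload)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    obj_id = secrets.token_hex(8)
    kas.register(obj_id, key, owner, recipients)
    return {"id": obj_id, "nonce": nonce, "ciphertext": ct, "tag": tag}

def open_tdf(obj: dict, requester: str, kas):
    key = kas.rewrap(obj["id"], requester)
    if key is None:
        return None                     # policy denied: no key, no plaintext
    expected = hmac.new(key, obj["nonce"] + obj["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, obj["tag"]):
        return None                     # tampered in transit or at rest
    return keystream_xor(key, obj["nonce"], obj["ciphertext"])

def demo():
    kas = KeyAccessService()
    record = b"Employee 1234: vaccinated 2021-04-02"   # constructed sample PHI
    obj = seal(record, owner="hr", recipients=["manager"], kas=kas)
    first = open_tdf(obj, "manager", kas)              # authorized recipient
    outsider = open_tdf(obj, "intruder", kas)          # not on the policy
    kas.revoke(obj["id"], owner="hr", who="manager")   # owner changes their mind
    after = open_tdf(obj, "manager", kas)              # access now denied
    return obj["ciphertext"], first, outsider, after, kas.audit
```

The returned ciphertext is all a relaying mail server would ever store, and the audit list shows one granted and two denied key requests.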
While COVID-19-related employee data is the catalyst that drives organizations to take extra steps to ensure data privacy and security, it’s not the only sensitive data agencies are handling, and it won’t be the last new data type they will need to worry about. End-to-end encryption enabled by TDF can give organizations the versatile protections they need, on any application, device or cloud, regardless of the forms of data they need to collect, manage and share.
Ultimately, agencies are responsible for serving the public and earning their trust. A demonstrated commitment to respecting the personal data of individuals, whether employees or voters, can go a long way to fostering trust during the volatility and unpredictability of the global pandemic, and once the pandemic is over, it will remain a vital way to serve our communities.
As CEO and co-founder of Virtru, John Ackerly is a longtime privacy advocate. Prior to co-founding Virtru, Ackerly worked in the private and public sectors, including as technology policy adviser at the White House and director of policy and strategic planning at the US Department of Commerce.