As lockdowns ease, states must lock up contact tracing data

Contact tracing data can help public health agencies track, identify and quarantine new cases of COVID-19, but if that data falls into the wrong hands, the consequences could be devastating.

As states across the country gradually ease lockdowns -- and as infections spike in new localities --  many local government leaders are looking to contact tracing to help track, identify and quarantine new cases of COVID-19 . To assist this effort, Google and Apple announced a security- and privacy-based framework in April 2020 to allow developers in each state to build these apps for public use.

In the quest to return back to normal however, two big questions remain: who is going to have access to this sensitive data, and how can we prevent it from getting into the wrong hands?

Data storage challenges

As we’ve seen with many of the varying state coronavirus policies, one of the biggest issues is that each state has its own privacy laws, which will undoubtedly create discrepancies and inconsistencies in how to store and protect data.

For example, will California have its own database while New York, New Jersey and Connecticut partner together in the tri-state area? Do cities such as Dallas, Austin and Houston need their own isolated databases because of population density compared to rural areas? And, as states reopen businesses and people start traveling again, will this information need to be shared across state borders?

We’ve already seen, some states rejected the Google-Apple framework and sought a different solution, and others may consider a similar path. With technologies, policies and procedures varying between states, it becomes harder to maintain security and compliance standards for national data.

While some states may incorporate strict protections against adversaries seeking to exploit contact tracing data, a lack of common protocols may leave other states more vulnerable. If attackers were able to gain access to the databases or cloud servers hosting contact tracing data in one state, they may be able to breach systems other states with similar or even stronger security in place. 

Dangers of too much access

Contact tracing app data falling into malicious hands could have devastating consequences.

With access to this critical data, cybercriminals could collect an individual’s personal information -- such as name, address and health records -- and sell it on the Dark Web. They may be able to decipher location data and determine a person lives and works. Those exposed as having had COVID-19 could be discriminated against by their peers, workplace and insurance companies.

Individuals would not be the only ones at risk. Those responsible for the data could risk penalties if they are under the jurisdiction of consumer privacy regulations, such as the California Consumer Privacy Act.

How privileged access management can deter breaches

Any type of breach is dangerous for states and for the citizens whose data they store. However, if attackers gains the admin credentials to the server that stores critical contact tracing applications and data, the sky's the limit to the menace they could pose. Threat actors could temporarily halt access to the contact tracing system and delete existing data, greatly diminishing the value of the effort and painting an inaccurate picture of a state’s cases. Attackers could also change the usernames and passwords public health workers, blocking them out and possibly delaying notifications to people exposed to the virus.

Fortunately, state governments can protect access to the servers, databases and cloud environments that host their contact tracing data. By securing the privileged access credentials of IT administrators, agencies can greatly reduce their chances of a data breach.

After all, nearly three-quarters of all data breaches start with privileged credential abuse. With the new processes and procedures necessitated by the pandemic, state governments must be even more laser-focused on ensuring the right security controls are in place. These controls must enable authorized users to do their jobs, while preventing threat actors from exploiting privileged accounts.

States must throw away the notion of “trust but verify” and adopt a “zero trust” mentality to protect their most privileged users. This strategy will help limit access after verifying who is requesting access, why they are doing so and the risk of the access environment. Approved users can be granted least-privilege access -- just enough to do the job required, just-in-time to do it and only for the time it takes to complete the task.

To fully embrace this approach, government security leaders must take the following steps:

  1. Apply multi-factor authentication. With privileged accounts, agencies must know that the person on the other side of the screen is who they say they are. Passwords are no longer good enough. Two or more verification methods should be used, such as a code to the users’ smartphone, a fingerprint or facial scan.
  2. Make sure access is only achieved through a clean source. Organizations should ensure that privileged users are only accessing critical infrastructure through a jump host, so they don’t bring any malware or other infections from their PCs into the agency IT environment.
  3. Grant least privilege. Allowing the least amount of privilege possible can limit lateral movement across the network, which is how most attackers get access to sensitive data. If agencies enforce a “just enough, just-in-time” approach and zone off what users have access to, they can greatly limit lateral movement and significantly reduce risk.

Contact tracing data will be critical for gaining a better understanding of the pandemic’s spread and helping the nation recover from the pandemic. As states begin to use the data to suppress new infection clusters, it is imperative they lock down access. By adopting a zero trust mentality and protecting privileged users, the United States can make progress against COVID-19 and defend against threat actors looking for access to sensitive data.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.