Health agencies are gathering data to combat COVID-19: Here’s why that might be a problem and what to do about it

August 21, 2020

After months of social distancing, the coronavirus remains a serious public health challenge. As states across the country devise plans to reopen their local economies, government agencies and private healthcare providers are hungry for reliable data.

Already, Apple and Google will now offer a contact tracing app for their smartphones, enabling data tracking across millions of devices in the U.S. At the same time, members of Trump’s administration have discussed forming a national surveillance system to monitor COVID-19 data. Just like after 9/11, we’re seeing a growth in extensive surveillance to prevent a second-outbreak and control the spread of the virus after re-opening. But as more and more personal data is collected, Americans need to consider the costs and take action to protect their data.

At first glance, the argument for extensive data collection seems straightforward enough. When combatting an invisible virus, our personal data provides the only tangible information that private and public entities can use to monitor the spread of COVID-19. While most Americans are rightly concerned by the extremes of surveillance put into place by the leaders of South Korea, China and Singapore, some sort of increased data collection seems like the surest way to equip health authorities with the resources they need to ensure a safe and secure reopening.

But increased data collection presents significant risks.

First and foremost, all the personal data that governments and health providers collect is far from secure: 83 percent of healthcare devices present significant cybersecurity vulnerabilities. Already cybercriminals are using malware, ransomware and other malicious software to hack data stored by the World Health Organization, infiltrate hospital networks and even infect personal smartphones. Even the U.S. Department of Health and Human Services has been the victim of a cyberattack.

Cybercrime against health organizations can be highly lucrative, especially during a crisis. Hackers can demand high ransoms to restore critical network functionality, for example. But cybercrime that targets healthcare networks can also easily funnel personal data into the dark web. In one instance, a hacker stole personal healthcare data from three different U.S. institutions and tried to sell it on the dark web for over $700,000. Hackers buy and sell personal information like this because it can be used by cybercriminals to perpetrate insurance fraud and identity theft.

But on top of the increased exposure to illegal cybercrime, enhanced data collection compromises data privacy. We think that data pertaining to our health is protected by HIPAA regulations; the unfortunate truth is that most of it is not. Many private entities like Facebook and Google aren’t bound by HIPAA in the same way that your doctor or your hospital is.

In fact, privacy loopholes abound in the world of healthcare apps and services. Consumer apps that market healthcare monitoring are empowered to share, distribute and otherwise profit from all the data that they collect. And under current data privacy laws in the U.S., once you share your data with these consumer apps, it becomes almost impossible to retrieve it.

In view of the risks, Americans can’t afford to take a passive approach to data security. Americans need to take active control over their data and protect their privacy.

A big part of that is smart data-sharing practices. Americans should be wary of new apps, devices or web services that capitalize on coronavirus anxiety. The old saying “if it’s free, then you are the product” is a maxim to keep in mind. Being aware of when, where and how you share your data is an excellent way to minimize exposure and control your privacy.

But it’s not always possible to know all the ways your data is being collected or how it’s being shared. For that reason, it’s vitally important to use personal data security services and data protection technology to keep your personal data safe from exploitation and cybercrime. MIDAS, a data monitoring technology that we incorporate into our MyIDCare service, mitigates against identity theft and fraud by monitoring the internet for potential misuse of personal data. But MIDAS is just one example among many. The most important thing is that Americans see the need for data security, especially in the current pandemic, and take action.

The rapid and large-scale expansion of data collection in response to the coronavirus is bound to impact the data economy and future of our privacy for years to come. While we need to use every tool at our disposal to combat COVID-19, we can’t turn a blind eye to the risks. With our fundamental rights to privacy and data security on the line, ignorance and inaction could be devastating.

Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services, including the MyIDCare suite of services. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.