At a glance.
- Protecting customer data a motive for encryption.
- Updates on contact-tracing apps.
- Unauthorized parties might be able to retrieve deleted recordings of Zoom sessions.
- The pandemic hasn't made HIPAA obsolete.
Protecting customer data is the primary driver of businesses adopting encryption.
nCipher Security surveyed businesses and found that protecting consumers' personal information was the primary reason respondents had adopted encryption. The Cambridge Independent reports that 54% described safeguarding PII as their top priority. The former top priority, compliance, dropped to fourth place with 47%, trailing not only protection of personal data, but also security of intellectual property (52%) and protection against "specific, identified threats" (51%). A 54% majority also said that they regarded employee mistakes as the biggest threat to sensitive data.
Contact tracing for COVID-19 infections.
Apple and Google are proceeding with their work on technology for contact tracing. ESET has a quick overview of how Apple's Mobility Trends Reports are working out. Their systems are designed in the first instance for US domestic use, and may have difficulty attracting enough opt-ins to be effective. A report from the Sinclair Broadcasting Group quotes experts who doubt that Americans are likely to sign on in sufficient numbers to attain the 75% threshold generally thought to be the point at which such contact-tracing tools become valuable. The perception that people have generally become skeptical about Big Tech's privacy record seems to contribute to the pessimistic conclusion.
Another Zoom privacy issue surfaces.
A new problem has surfaced for Zoom. CNET writes that a researcher has found a vulnerability that could allow Zoom videos to persist in the cloud even after users have deleted them. The recordings may continue to exist inside an AWS S3 bucket, and should someone access that bucket, the recording could be compromised.
HIPAA hasn't gone away for the duration of the pandemic.
An op-ed in Law360 cautions against assuming that the privacy protections in HIPAA, the Health Insurance Portability and Accountability Act of 1996, somehow go away during a public health emergency. They don't. Prudent organizations will lawyer up before they get too frisky with healthcare data, no matter how public-spirited their mood and motives may be.
The Department of Health and Human Services clarified the circumstances in which protected data might be shared without explicit patient consent. It may be shared for purposes of the patient's treatment, and it may be shared for four specific public health "activities":
- "A covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have novel coronavirus;
- "At the direction of a public health authority, to a foreign government agency;
- "To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations; and
- "Disclosures to prevent a serious and imminent threat."
These aren't public disclosures. HIPAA continues to require a patient’s consent before making a public disclosure about their condition.