Access Control, Human Resources, Security

Vax Mandate, Not Lax Mandate: Security Considerations for Vaccine Mandate Compliance

Despite rising COVID-19 cases and hospitalizations driven by the delta variant, executive leaders are pushing toward a post-pandemic return-to-work model that puts employees in the office at least two days a week. HR and IT/security professionals have been feeling squeezed between a rock and a hard place trying to meet workforce health, safety, technology, data security, and productivity needs while also meeting exec expectations.

On one hand, 66% of remote employees say they are more productive working from home than in the office, according to 2021 data from Businessolver. And Limeade finds that 100% of employees are anxious about returning to the workplace, with more than three-quarters (77%) saying their top worry is being exposed to COVID-19. On the other hand, though, 91% of executive leaders told Pricewaterhouse Coopers that they expect to see employees in person by the end of the year.

All of this was true well before Sept. 9, when President Biden announced he was directing the Department of Labor (DOL) and Occupational Safety and Health Administration (OSHA) to issue a mandate for all U.S. employers with 100 or more workers to require employees to be vaccinated or submit to weekly COVID-19 testing. While there’s no effective date on the mandate, HR and cybersecurity leaders will have to work quickly to build and secure an infrastructure to help the affected 80 million employees comply and feel confident that their vaccine-related personal health information will be protected. In addition to the high stakes surrounding data security, data accuracy will be critical as well: According to OSHA, employers in noncompliance will be penalized $14,000 per violation.

Currently, only about half (49%) of the vaccine-eligible population is fully inoculated against the virus, and 11% are hesitant to receive the vaccine, mostly due to concerns about side effects (50.6%) and a lack of trust in COVID-19 vaccines (47.6%), according to the Census Bureau.

While meeting this mandate—particularly in such a polarized climate—might feel overwhelming to employers, HR and IT leaders can collaborate to calm concerns around privacy and security by getting back to basics. For me, and many of us in tech, that means returning to what security expert Mathieu Gorge outlined as the five pillars of security: physical, people, data, infrastructure, and crisis management.

Physical

For a successful post-COVID in-office strategy, security involvement and awareness in crafting organization protocols is key to helping employees feel safe returning to the office among colleagues who may opt to remain unvaccinated. Leaders will have an additional layer of physical security considerations on top of their usual responsibilities around managing workplace physical security—door controls, zoned access, cameras, workspace audits—related to cleaning and sanitization of these areas. Cleaning and sanitizing for HVAC systems—particularly regarding access to server rooms—will be important to consider, as well as offering input on office configuration to promote social distancing while also limiting data and/or server access to necessary personnel only.

People

Obviously, the biggest consideration for any employer is keeping employees safe and secure. From a security standpoint, this may involve reconfiguring accessibility to be contactless, removing camera-based image recognition, and/or adding additional modalities of identity verification so authorized employees don’t need to scan a hand/thumbprint or remove their mask to access protected data.

Data and Infrastructure

Clearly, under the president’s mandate, these security areas are the most controversial. It’s important to note that vaccine status information, in the hands of an employer, is not subject to HIPAA, according to the Equal Employment Opportunity Commission and Health and Human Services Department. However, employees will (rightly) expect that their information will be secured and kept private. And although that creates more data to protect, leaders don’t necessarily need to overthink how they go about it.

Greg Reynolds

Start from existing protocols for how your organization secures employee protected health information currently, then work with IT colleagues and external partners to expand those policies and practices to cover how employees upload and update vaccine and testing status. The tools you use now—multifactor ID, random passcode generators, etc.—to encrypt and secure data may well provide an adequate level of protection to give employees peace of mind and meet requirements under the Biden mandate, once it’s finalized. Similarly, existing procedures for collecting only the minimum data necessary, safeguarding data that’s collected, and limiting its disclosure may be sufficient to meet the mandate as well.

Still, tech companies are rolling out vaccine “passport” apps or embedded solutions that your organization may want to consider. Businessolver focused on how to bring vaccine information into our benefits technology to allow employers to leverage that data for workplace safety as well as apply it to their benefits strategy. Additionally, employers should think about opportunities that allow employees’ vaccine data to go with them from employer to employer. For example, IBM’s Excelsior Pass, rolled out in New York as part of the state’s reopening plan, is one of the tech solutions in this quickly growing market.

Thus far, the Biden administration has held firm that the federal government will not play a part in vaccine monitoring nationwide, so it will be up to individual employers to assess and determine how to collect and protect vaccine data.

However, securing systems is one thing; protecting those systems from human error is another thing entirely. Security training for employees, which may have slipped during the pandemic—especially among widely dispersed remote workforces—needs a reprioritized focus to prevent data leaks or breaches, and the negative headlines that those bring.

For example, multiple investigations are underway after a contact tracing data breach exposed the personal health information of 72,000 Pennsylvanians. The breach, according to a state representative, appears to be related to employees who “ignored or purposefully avoided security protocols.”

Additionally, you’ll want to educate and train employees to spot and avoid phishing attempts that use fake vaccination/testing status forms to gain access to protected information.

A final security consideration for data and infrastructure is authenticating vaccine information. According to Pew Trust, in just the first few days following President Biden’s vaccine mandate announcement, the typical cost of phony vaccine cards doubled from $100 to $200, and the estimated number of sellers also skyrocketed from about 1,200 to more than 10,000. And while the Biden administration has given no indication that employers will be held responsible or found noncompliant if employees submit falsified vaccine information, it’s a security scenario to plan for to ensure your organization covers its bases. 

Crisis Management

A breach of personnel vaccine data is the worst-case scenario. However, it’s probably the scenario for which you and your team are best prepared. The protocols for handling a vaccine information breach are almost sure to be the same for managing a data breach of any other type. Revisit your process for any gaps in policy around initial crisis response/communication, evidence preservation, and system restoration, then make sure it’s future-proof from a sustainability and succession perspective. Then trust the process and follow it. In this case, as with COVID-19 in general, an ounce of prevention is worth more than a pound of cure.

Greg Reynolds is the Chief Technology Officer at Businessolver, a provider of SaaS-based benefits technology and services.

Leave a Reply

Your email address will not be published. Required fields are marked *