This record contains private information, which has been redacted from public viewing.
Record #: F2021-94
Type: Report
Status: Placed on File
Intro date: 12/15/2021
Current Controlling Legislative Body:
Final action: 12/15/2021
Title: Inspector General's follow-up to audit on Chicago Department of Health COVID-19 contact tracing program
Sponsors: Dept./Agency
Topic: CITY DEPARTMENTS/AGENCIES - Inspector General, - REPORTS - Miscellaneous
Attachments: 1. F2021-94.pdf



DECEMBER 2021



WILLIAM MARBACK INTERIM INSPECTOR GENERAL
CITY OF CHICAGO OFFICE OF INSPECTOR GENERAL 740 NORTH SEDGWICK STREET, SUITE 200 CHICAGO, ILLINOIS 60654 TELEPHONE: (773) 478-7799 FAX: (773) 478-3949
DECEMBER 2, 2021
TO THE MAYOR, CITY COUNCIL, CITY CLERK, CITY TREASURER, AND COMMUNITY MEMBERS OF THE CITY OF CHICAGO:
The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its April 2021 audit of the Chicago Department of Public Health's (CDPH) COVID-19 contact tracing program's data privacy and cybersecurity.1 CDPH developed an electronic case management tool called the COVID-19 Assessment and Response Electronic System (CARES) to support the work of its contact tracing teams.2 Based on the Department's responses, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions, and substantially implemented one.

The purpose of the 2021 audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the applicable City policies3 and federal guidelines.4 Our audit found that the Department's COVID-19 contact tracing program mitigated data privacy and cybersecurity risks. Although improvements to policies and procedures could have encouraged consistent and timely application of the security measures, CDPH's efforts to safeguard data suggested that personal information was nevertheless protected.

Based on the results of the audit, OIG recommended that CDPH,

adjust its process to ensure that terminated users' access to CARES is removed within seven days of termination;
update the contact tracers' call script to inform patients and contacts of how long CDPH will store their data; and
1 Contact tracing is the disease control strategy of identifying persons diagnosed with a disease and their contacts, then working with these individuals to interrupt further transmission.
2 CARES is a cloud-based electronic case management system that allows contact tracers to gather, organize, and store information so that CDPH can provide support to persons diagnosed with a disease and interrupt its spread by notifying their close contacts.
3 City of Chicago, "Information Security and Technology Policies," 2014, accessed October 20, 2021, . chicago.gov/content/dam/citv/depts/dgs/lnformationTechnology/CoC IT IS Policy Set ver RC 05.pdf.
4 Centers for Disease Control and Prevention, "Standards to Facilitate Data Sharing and Use of Surveillance Data for Public Health Action," March 5, 2014, accessed October 20, 2021, programintegration/sc-standards.htm; Centers for Disease Control and Prevention, "Guidelines for the Implementation and Use of Digital Tools to Augment Traditional Contact Tracing," December 15, 2020, accessed October 20, 2021, tracing.pdf.


IGCHICAGO.ORG | OIG TIPLINE: (866) 448-4754 | TTY: (773) 478-2066

OIG FILE #21-1199
CDPH CONTACT TRACING PROGRAM FOLLOW-UP
update its data release policy to include explicit criteria for determining whether to grant external data sharing requests.

In its response to the audit, CDPH described corrective actions it would take. CDPH stated that it would incorporate employment status reviews into its weekly check-ins, allowing the Department to promptly remove access for terminated employees, and that it would create a data retention policy and criteria for the review of data requests.

In July 2021, OIG inquired about corrective actions taken by CDPH in response to the audit. Based on the Department's follow-up response, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions and substantially implemented one. Specifically, CDPH,
implemented a process to receive weekly termination lists from community-based organizations (CBOs) that employ contact tracing staff, thus allowing CDPH to remove 92.1% of terminated employees' access to CARES within 7 days of their terminations;
created an internal data retention policy and updated its CARES call script to inform contacts that their data will be retained for five years; and
updated its internal data release policy to include detailed guidance regarding which staff are responsible for handling external data requests, as well as explicit criteria and procedures for reviewing those requests.

Once fully implemented, OIG believes the corrective actions may reasonably be expected to resolve the core findings noted in the audit. CDPH should continue to improve the process for removing CARES access for terminated employees and ensure that access is removed within seven days for 100% of terminated employees. Below, we summarize our audit finding and recommendations, as well as the Department's response to our follow-up.

We thank the staff and leadership of CDPH for their cooperation during the audit and responsiveness to our follow-up inquiries.


Respectfully,


William Marback
Interim Inspector General
City of Chicago









FOLLOW-UP RESULTS
In July 2021, OIG followed up on its April 2021 audit of the data privacy and cybersecurity of CDPH's COVID-19 contact tracing program.5 CDPH responded by describing the corrective actions it has taken and providing supporting documentation. Below, we summarize OIG's finding, the associated recommendations, and the status of CDPH's corrective actions. Our follow-up did not observe or test implementation of the new procedures; thus, we make no determination as to their effectiveness, which would require a new audit with full testing.

FINDING: CDPH's COVID-19 contact tracing program mitigates data privacy and cybersecurity risks.
OIG Recommendation 1:
OIG recommended that CDPH adjust its process for removing access to CARES to ensure it is completed within seven days of a user's termination. OIG suggested that the Department might look for opportunities to automate this process.

Status of Corrective Action: Substantially Implemented
CDPH stated that it now requires CBOs that employ contact tracers to either provide a weekly list of terminated employees or send notifications through email as terminations are processed. A CDPH manager then removes the terminated employees' access to CARES. The Department maintains a CARES access report in Microsoft Excel that identifies all employees CBOs have terminated since the audit was published in April 2021.

According to this report, CDPH removed access to CARES for 58, or 92.1%, of 63 total terminated employees within 7 days of each employee's last day of work. The 5 other employee accounts were terminated automatically after 14 days of inactivity. In 2 of those 5 cases, CBOs provided late notice of the employee's termination to CDPH; in the other 3, CDPH did not remove access despite receiving prompt notice from CBOs. None of the 63 accounts had login activity following a terminated employee's last day of work.

However, the CARES system's automatic revocation of account access after 14 days of user inactivity is not fail-safe. A terminated individual could circumvent this feature by continuing to log into CARES after their termination. CDPH stated that contact tracing team supervisors can also monitor all team members' login and usage activity in CARES. The Department believes this ability provides a strong layer of control to prevent unauthorized access.

5 City of Chicago Office of Inspector General, "Audit of the Chicago Department of Public Health COVID-19 Contact Tracing Program: Data Privacy and Cybersecurity," April 29, 2021, 2021/04/OIG-Audit-of-CDPH-COVID-19-Contact-Tracing-Program.pdf.

OIG encourages CDPH to work with CBOs to improve the weekly status review process to ensure that CBOs promptly notify the Department whenever a contact tracer is terminated. We also encourage CDPH to actively monitor CARES activity to ensure that terminated employees do not continue to log into the system.

OIG Recommendation 2:
OIG recommended that CDPH update the CARES call script to inform patients and contacts how long the City will retain their data.

Status of Corrective Action: Fully Implemented
CDPH's updated call script informs patients and contacts that the City will retain their data for five years, then "seek approval to have [their] information destroyed in accordance with the Local Records Act." Its updated data retention policy states, "CDPH shall retain COVID-19 contact tracing data within Chicago CARES, or a similar electronic system, for a period of five years, after which CDPH shall seek approval from the Local Records Commission to destroy the data."

OIG Recommendation 3:
OIG recommended that CDPH update its data release policy to include explicit criteria for staff to reference when determining whether to grant data requests.

Status of Corrective Action: Fully Implemented
CDPH's updated data release policy includes detailed guidance regarding which staff are responsible for handling external data requests. The policy also provides explicit criteria and procedures for reviewing those requests.












The City of Chicago Office of Inspector General (OIG) is an independent nonpartisan oversight agency whose mission is to promote economy, efficiency, effectiveness, and integrity in the administration of programs and operations of City government. OIG achieves this mission through,
administrative and criminal investigations by its Investigations section;
performance audits of City programs and operations by its Audit and Program Review section;
inspections, evaluations and reviews of City police and police accountability programs, operations, and policies by its Public Safety section; and
compliance audit and monitoring of City hiring and human resources activities by its Compliance section.

From these activities, OIG issues reports of findings and disciplinary or other recommendations to assure that City officials, employees, and vendors are held accountable for violations of laws and policies; to improve the efficiency and cost-effectiveness of government operations; and to prevent, identify, and eliminate waste, misconduct, fraud, corruption, and abuse of public authority and resources.

OIG's authority to produce reports of its findings and recommendations is established in the City of Chicago Municipal Code §§ 2-56-030(d), -035(c), -110, -230, and -240.

PROJECT TEAM
Kevin Smith, Chief Performance Analyst
Ben Spies, Chief Performance Analyst

PUBLIC INQUIRIES
Communications: (773) 478-8417 | communications@igchicago.org

TO SUGGEST WAYS TO IMPROVE CITY GOVERNMENT
Visit: igchicago.org/contact-us/help-improve-city-government

TO REPORT FRAUD, WASTE, AND ABUSE IN CITY PROGRAMS
Call OIG's toll-free hotline: (866) 448-4754 /TTY: (773) 478-2066 Or visit: igchicago.org/contact-us/report-fraud-waste-abuse/

Cover image courtesy of iStock. Alternate formats available upon request.