• 

By: Shelly Mittal

Who does not love the convenience of instant health data at their fingertips? However, like everything else, this convenience comes with a price. With so much insight into our daily steps, calories, sleep patterns, body fat, heart rate and more, the wearables have given a whole new meaning to our personal health. Wearable technology is any device worn on the body that is equipped with sensors to collect information from both the body and the surrounding environment. This ability to quantify our health has the potential to radically improve human health and fitness. Consequently, the wearable technology industry is projected to maintain double digit growth through 2024, which speaks to its acceptance among users. However, the security vulnerabilities in wearable health devices pose significant challenges to users’ data privacy.

While most engineers focus on extending battery life, creating rich functionality with minimal computational resources and minimizing design constraints, security of these devices often takes a backseat. These devices run the risk of physical unauthorized access of data as, often, there is no user authentication required (e.g., a PIN, password or biometric security). The less computational power of wearables causes the absence of some complicated security mechanisms on the device. Secondly, the wearable devices tend to connect to our smartphones or tablets wirelessly via Bluetooth, NFC or Wi-Fi. This need for communication creates another entry point into the device making it prone to information leakage. The lack of encryption, in some cases, makes data in transit insecure. Thirdly, many wearables run their own operating system and need to be patched and updated to avoid the latest security vulnerabilities.

These security vulnerabilities, when put together with the regulatory issues, paint a scary picture for data privacy. Regulatory framework for the wearable technology industry is in flux with hardly any application of the Food, Drug and Cosmetic Act (FD&C) or the Health Insurance Portability and Accountability Act (HIPAA). Although these wearables collect the most intimate health information, collection and use of this information is not governed under HIPAA because health data, such as number of steps, calories, and sleep history, is not formally considered Protected Health Information (PHI) unless collected by your doctor or insurance provider. Only the health care providers, health plans and health clearinghouses (referred to as covered entities under HIPAA) are subject to HIPAA’s extensive privacy regulations. Companies who make wearables and collect health data are not yet subject to HIPAA. So, for as long as the Department of Health and Human Services (the regulatory body under HIPAA) decides not to focus their attention on wearables, the privacy of its users is mostly dependent on the privacy policies they accept while setting up the device.

Businesses are free to draft their own privacy policies for controlling information and data that falls outside the scope of HIPAA. In January 2015, the Federal Trade Commission (FTC), which  has relatively more enforcement powers in the wearables industry, issued guidance on privacy and security protection that should be included with the Internet of Things (IoT), including wearables. It also required a disciplined and structured approach for design, development and management of these devices and the data they produce.

The privacy policies, unilaterally drafted by companies, are often vague and include a lot of “may(s)” to give flexibility to the companies. Ambiguous terms give them enough wiggle room to use the health data for their own good. Therefore, it is more important than ever to not skip the privacy policy page and give it a thorough read before accepting. It is imperative for users to know if their data is actually being encrypted; if the companies periodically review and monitor access to their data; and to know who owns their data and how they can get more control over it. Hence, the solution to present privacy concerns lies in using FTC’s Fair Information Practice Principles of notice, choice, and consent in this self-regulating space of wearables.