Wearable Devices and Securing Your Personal Health Information


Wearable health technology has become wildly popular over the past few years. Fitbit®, Apple®, Samsung®, and Garmin® are a few of the 55 different companies that have capitalized on the wearable health device craze. According to ABI Research, a division of Advanced Telematic Systems, by the end of 2018, some 780 million wearable devices will be on the market.

People look to these devices to learn about their sleep patterns, calorie intake, blood pressure, heart rate, and glucose levels – while companies such as IBM® and Medtronic® have developed platforms that enable healthcare staffers to get a more comprehensive picture of a patient’s health through remote patient-monitoring (RPM) devices. ABI predicts that 100 million RPM devices could be produced over the next four years.

The availability of third-party smartphone applications such as Nike+ Training Club® and Runkeeper® continues to drive demand for, and subsequent sales of, wearable tracking technology. A report released by The App Association, an industry group for application makers, says that revenues for health and medical apps are expected to reach $26 billion in 2017.

But how many consumers think about the privacy issues and potential data breaches health monitors present? Or how hackers can steal sensitive information and use it to enrich themselves? Here’s some basic information that security experts say consumers should know.

The Business Of Medical Data

Extracting and selling consumer-specific medical data on the black market is a highly lucrative business. Hackers steal personal data and then sell it to data brokers. Unscrupulous organizations purchase the information to assess consumers’ health risks, which in turn can be used to determine insurance premiums, sell policies to employers doing background checks on new hires, or even cancel policies altogether.

The average cost of a healthcare data breach is $363 per record, according to a 2015 report conducted by the Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, and sponsored by IBM. Credit cards, by comparison, go for a few dollars each. The price is higher than for any other set of data from any other industry, and for good reason, according to Caleb Barlow, vice president at IBM Security. Quoted in a May 2015 article on SecurityAffairs.co, a security resource website, Barlow said that healthcare records “can be used to establish credit or steal your identity ten or fifteen years from now. Once this information is out there, you can’t get the genie back in the bottle.”

Medicare ID numbers are even more valuable, as NPR reported in a February 13, 2015, article, “The Black Market for Stolen Health Care Data.” NPR’s reporter was present as Greg Virgin, CEO of RedJack, a security firm that specializes in complex network security issues, found someone selling IDs online. The deal: a package of numbers from 10 people at a price of 22 bitcoin – or about $4,700 at that day’s exchange rate.

According to the Federal Trade Commission (FTC), thieves have used stolen healthcare information to visit doctors, purchase prescription drugs, file claims with insurance providers, and even alter credit scores.

The risk is so real that some companies are now buying data breach insurance to protect themselves should a consumer’s information fall into the wrong hands.

Corporate Measures To Better Secure Data

If a doctor or healthcare organization provides a wearable device for a patient, the medical data it collects is classified as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, all collected, received, and transmitted data must be secured at all times. Violators face severe prosecution. On the other hand, if the device is store-bought, HIPAA rules do not apply. Consumers do receive a bit of privacy coverage from the FTC, but it isn’t nearly as stringent as HIPAA’s.

The Department of Health and Human Services (HHS) recently issued a warning that consumers wearing devices not covered by HIPAA may be providing consent to non-HIPAA agencies without knowing how or where their data is being used.

To avoid potential state and federal regulation, many corporations have begun to adopt policies to provide consumers with better security architecture and data discipline, vowing not to sell or share personal information with any third parties. App makers also offer free and paid versions of apps, with the paid versions having stricter privacy protections built in.

Meanwhile, 47 states have already adopted data breach notification statutes, and California, Florida, and Texas have expanded their laws to include medical treatment, condition, and history.

Protect Your Wearable Device

If the federal government weighed in on this trending topic, regulations could take years to take effect. Even then, with the rate at which technology changes, newly introduced laws could be outdated before they are even adopted.

Kristi Wolff, special counsel at Kelley Drye & Warren, LLP, regarded as one of the top 350 law firms in the world by The National Law Journal, notes that without the oversight of privacy laws, consumers could be forced to protect their own interests. “A lot of companies are coming out with innovative products,” Wolff said, “but they’re new and not taking some of the necessary precautions that more established companies would take in terms of data privacy and security.”

For now, users can help safeguard their wearable device by implementing some of the following steps:

  • Only enter the information the device requires.
  • Limit the number of apps that can access your healthcare information directly.
  • Avoid insurance policies that demand you wear a trackable device.
  • Check your default privacy settings and turn off anything you are uncomfortable sharing.
  • Though hard to find, look for a wearable device that uses a cryptographic module validated under FIPS 140-2, the standard behind NIST’s Cryptographic Module Validation Program. Note that the validation covers the cryptographic module itself, not the device’s overall security or privacy practices.

Catching Up to Demand

As technology continues to evolve, and the demand for further personal health information increases, large-scale companies will continue to create new ways to protect their consumers from malicious personal data breaches.

Maryville University – Online Degree in Cyber Security

Maryville University offers undergraduate and masters degrees in cyber security. Coursework includes topics such as cryptography, cloud security, incident handling, mobile forensics, and penetration testing. Students can log into their classroom anywhere, on any device, at any time with the Maryville Virtual Lab.

More information is available at Maryville University’s online cyber security website.

Sources:

The Missouri Bar: http://www.mobar.org/journal/marapr2016/privacy-fitness-device.htm

ABI Research: https://www.abiresearch.com/press/foundations-emerge-for-a-revolution-in-remote-pati/

Security Affairs: http://securityaffairs.co/wordpress/37259/security/ponemon-cost-data-breach.html

NPR: http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data

FDA: http://www.fda.gov/medicaldevices/digitalhealth/mobilemedicalapplications/ucm368784.htm

Law Practice Today: http://www.lawpracticetoday.org/article/weary-of-wearables-ip-privacy-and-data-security-concerns/

PHYS: https://phys.org/news/2015-08-wearable-devices.html

Kelley Drye: http://www.kelleydrye.com/news/in_the_media/2147