wearables

February 14, 2018

We’re Wearing Our Data – What Wearables and the Internet of Things Mean for Data Privacy

Dave is an average US worker.

His day starts when his smart watch buzzes gently on his wrist, and ends when it tells him he needs to get some shut eye to rack up the eight hours he needs.

Throughout the day, his smartwatch tracks his blood pressure, his heart rate, and how many steps he takes. Some days Dave doesn’t get enough sleep and he feels groggy, and other days he does more than his recommended daily amount of exercise and he feels great.

Dave likes knowing this information, just like millions of other consumers out there who have invested in wearable technology.

But while Dave and his fellow consumers might like knowing this information about themselves, they don’t want it to be captured and kept by large corporations.

Understandable, right?

However, that becomes particularly difficult when wearables rely on collecting user data in order to provide personalized programs and enhance user experience. Take Fitbit, for example, which collects data on health levels and uses that information to improve its algorithms and offer individual fitness programs.

Now, alongside the ever-increasing news about government-backed surveillance programs and data breaches, consumers are getting more and more paranoid about who has access to their data.

And, as we begin to dive into a world of wearable technology that’s with us all the time, the worry that has been simmering away is starting to bubble over.

So What Do Wearables Mean for Our Data Privacy?

Popular wearable products like the Apple Watch and the Fitbit have shifted the industry from heavily health-centered into the realms of popular culture. And, while this means that wearables can be used for a whole lot more than tracking our heart rate, it also means that the healthcare industry rules and regulations around data protection become hazy.

Sure, consumers all over the world are clamoring to get their hands on fitness trackers and smartwatches, but the vast majority of them don’t know what these devices mean for their data security.

In fact, a study released by the Center for Digital Democracy and the School of Communication at American University claimed that the health privacy regulatory system in the US doesn’t give consumers the protection they might expect when it comes to wearables.

As the wearable trend expands from people’s personal lives into their working lives and other verticals, users are becoming increasingly skeptical. Now, 82% of workers that use wearables as part of their job believe that it’s invading their privacy, while 86% think it makes them more susceptible to data breaches.

Why Wearables are Challenging Consumer Views on Data Privacy

In a report put together by the University of London and Rackspace, it was discovered that wearables boost user productivity rates by 8.5% – so yes, there are many positive points surrounding the industry.

But the increased usage of them has an impact on data privacy for two reasons.

Firstly, wearable devices increase the popularity of apps – because, well, the majority of them need an app to deliver the information from wrist (or clothing) to a screen. The problem with this is that apps are more susceptible to data breaches than general web browsing because they collect data and store it all in one place.

Secondly, wearable devices are used in real-time. They don’t need to be used in a certain place at a certain time; they can be used, wherever and whenever, which is one of their biggest draws.

This means that the devices are processing greater volumes of information at every moment the user is wearing them. This is great for the user, because they get loads more data on-the-go, and it’s also great for the wearable provider, because they’re also constantly getting their hands on data to improve and refine.

But where is the line? Where is the line between being beneficial to the user and the provider having too much information?

Let’s take a look at an example.

One of the biggest benefits of wearables is that they can be used discreetly – for the most part, they double up as fashion accessories and can blend in with any outfit.

[Image: Google Glass detail. Credit: Antonio Zugaldia (Wikimedia), Creative Commons Attribution 2.0 Generic]

A number of casinos in Las Vegas are tapping into this benefit with a system that buzzes staff members’ wearables when a high roller walks past. When they check their smartwatch, the staff members can gather information about the high roller so they can then greet them by name.

While it can be argued that this improves the customer experience and it helps the casino get more money by targeting high rollers, who is the process more beneficial for?

And Then There Are Cyberattacks…

With any new technology, the risk of cyberattacks increases. And, when wearables often connect to wireless networks, it can be a struggle to keep the system safe.

Let’s look at the numbers.

At the end of 2015, there were around 200 million wearable devices on the market. By the end of 2018, there are predicted to be around 780 million – a considerable increase in just a few years.

This shows the industry is continuing to blossom regardless of whether users are concerned about their data or not, but it also gives hackers more opportunity to steal sensitive data for their own gain.

Chief consumer security evangelist at Intel Security, Gary Davis, says that “the information that’s contained on your wearable that’s stored either on your smartphone or stored downstream on a cloud is worth ten times that of a credit card on a black market.”

This is because credit card companies are well-versed at detecting and dealing with fraud, and can make it go away pretty quickly. On the other hand, data stored on wearable devices is permanent – people can’t change their Social Security Number or their date of birth.

It’s Not All Doom and Gloom

But while there are undoubtedly increased data security risks from wearables (any kind of new technology is vulnerable to this), there are plenty of ways wearables are improving certain industries, whether it’s just enhancing customer experience in a shop or going all out and improving medical treatments for serious illnesses.

In the retail sector, store employees are increasingly tapping into the power of smartglasses to find key information about products on-the-spot. This improves the customer experience, but it also optimizes employees’ time. And, in the medical industry, smartwatches are able to monitor blood pressure and even examine a baby’s heart rate in the womb.

Which begs the question: do the benefits outweigh the data risks?

But perhaps the more pressing question is whether anything is being done to quash consumer paranoia?

In most industries there is a set of accountability laws and regulations. In the health industry, there’s the Health Insurance Portability and Accountability Act (HIPAA), which puts rules in place for what medical companies can and can’t do with data.

But the key problem is that this act, for example, only covers healthcare providers like doctors and hospitals, and doesn’t stretch as far as health-conscious wearables.

What’s the Future Like for Wearables and Data?

If predictions are right, the wearables market is only set to explode further in the next couple of years but, like with any fast-growing tech arena, it looks like there needs to be some serious thought put into how data is collected and used.

Like other industries, we might see a new rules and regulations act pop up that devotes itself to monitoring and laying down laws for the wearables industry, regardless of whether a smartwatch is being used for health reasons or to boost productivity in the workplace.

What we can be certain of is that consumer paranoia about wearables and data privacy is completely justified, but the next few years are vital for the industry to prove that it has its users at the front of the mind.

Filed Under: Cybersecurity Tagged With: apple watch, cyber attack, cybersecurity, data breach, data privacy, fitbit, Privacy, Security, smartwatch, wearables

September 20, 2017

Apps That Wreak Havoc On HIPAA

This is the era of multiple devices and millions of apps. Phones, tablets, and smartwatches are filled with apps intended to make our lives easier.  And it seems almost daily we read about how some – or all – of those apps are spying on our lives.

Many people don’t care.  To some extent, I am one of those.  “I don’t do anything so special in life that anyone will want to hack me” is how I feel about most of my internet presence.  I happily share photos of my family, my dogs, and my travels.

But, I do worry about money and health issues; the things that I feel need to be secure.  So when my iPhone asked for access to my health information I was hesitant to share.

The iPhone comes standard with the “Health” app (Fitbit and other devices also take, store, and share health information). In the app, you can enter your health record data and share it with other health related apps on your device.  It can also pull such data from your other apps too.

You can enter vitals, lab test results, and even track your reproductive health – where it asks for everything from your menstruation history, to sexual activity.

Wow.  To say I was surprised to see this information on an app is an understatement.

Maybe I am old fashioned, but I cannot imagine grabbing my iPhone after sex and entering the event in; it’s akin to grabbing a cigarette in the old movies.  And if you did enter it, if you ask Siri about the last time you had sex… would she answer?   I will leave that alone for now.

Is your phone secure?

Naturally, I thought that if my phone wanted to hold my very private health information, it must be secure.  So to play off the old movie reference, it’s For Your Eyes Only.  But the app is not secured by any authentication.  Well, once your phone is unlocked that is.

So, if anyone gains access to your phone, guess what…they would quickly be able to learn your sexual activity, recent blood alcohol content, and anything else you happened to trust your handy-dandy iPhone with.

Of course, if that information is on your phone…. guess who else has it?  Apple, Google, Amazon, or whomever you have your back-up account with.

As I look at my phone, I realize that I have access to all my information but so does Apple.  Certainly the type of information Apple Health is seeking from me is my private health information; HIPAA calls it Protected Health Information (PHI).

Thus, it could be subject to HIPAA regulations. If so, it’s safe and secure under federal law.  But is Apple an entity that would be subject to the privacy and security rules of HIPAA? Are they a Covered Entity (CE)?  The answer is no.

HIPAA applies to doctors, hospitals, medical insurers, and other health care providers.  They are what’s classified as CEs under HIPAA.  So the people that normally treat you and deal with your medical records and billings have to comply with HIPAA.  But, just having medical records does not create a HIPAA obligation.

Further, other companies which support CEs can be subject to HIPAA as well – they are the Business Associates (BAs).  An example might be a medical device manufacturer, a hospital’s cleaning service, or a vendor that supports medical care in some way.

Tech companies aren’t restricted by HIPAA

Apple is none of these things.  So Apple has no requirement of privacy or security over my medical data.  Likewise Fitbit, Sprint, or whoever is similarly NOT restricted by HIPAA.  But they will have all my PHI… which is a scary thought.

As I read more and more about the medical profession and IT, it occurs to me that doctors and patients are using their smartphones to communicate.  And we should ALL encourage more communication.  But what if I use an app to share with my physician?

In that case the data gathered by the physician would likely come under the purview of HIPAA.  But what if the app we are using, itself, is not secure (e.g. the Health App, or simply iMessage)?

Does the doctor need to comply with HIPAA privacy and security standards, even though we all know the data is already compromised by the patient’s method of delivery?  I don’t know the answer to this one.

It would appear similar to a waiver of the attorney-client privilege when the information is shared in the presence of a third party.  But, HIPAA has express provisions for when HIPAA can be waived; not a single word exists about an unintentional waiver.

Thus it would seem that a doctor would have to abide by HIPAA, even knowing that the patient has exposed the very records to others. Certainly you don’t want your doctor to send your records to anyone willy-nilly and have the defense be that you texted them to him/her.  Once the doctor has the PHI, it’s protected.

But I have not seen anyone litigate this question.

HIPAA and the emerging tech world

Do we have HIPAA issues with our new-fangled “wearables”?  The answer is… maybe.  HIPAA does not apply to everyone.  You can give your health records to whomever you want; after all HIPAA was created to protect “you” from unauthorized acts of “others”.

But HIPAA also has clear limiting applications to what they call Covered Entities and Business Associates of those entities.

So you may want to think twice about entering any personal health data into your new device; it’s not secure as it sits on your device and your cloud provider has no obligations to make it secure.

But if you provide any of that information to your health care provider, they will have an obligation to meet HIPAA’s requirements for privacy and security for the data they receive.

Filed Under: Health Tagged With: apps, HIPAA, HIPPA, smartphone, smartwatches, wearables
