Consumers Should Be Wary of Health-Care Wearables

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

Trouble may be brewing for the booming health-care device market as hackers and cybercriminals set their sights on the reams of data that are being collected every day.

Companies like Fitbit, Apple, and AliveCor have become leaders in the wearable space, creating products that can do everything from count steps and monitor heart rates to perform electrocardiograms. Tech behemoth Apple, for example, recently rolled out a new feature on its Health app that allows consumers to view their medical records on their iPhones and iPads, while AliveCor recently announced it has recorded 25 million consumer electrocardiograms through its devices.

Millions of health-care data points are collected by wearable device companies every day, and any gaps in data security and privacy policies could lead to catastrophic data breaches and uncertainty that would harm both the companies and consumers.

The lack of privacy and security standards for health data not protected by the federal Health Insurance Portability and Accountability Act is particularly troubling given the value that health information can fetch, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law.

The global market for mobile health-care apps hit $1.4 billion in 2016 and is expected to grow to $11.2 billion by 2025, according to a February report from BIS Research, a market intelligence firm based in Edina, Minn.

A 2016 report from the Office of the National Coordinator highlighted the lack of protections for sensitive health information held by companies that aren’t covered by HIPAA, Peters, a former deputy director for the Health and Human Services Office for Civil Rights, said.

The majority of wearable devices aren’t regulated by the Food and Drug Administration, which means there’s no independent validation that they do what they say they do, Peters said. Consumers should be wary of any claims companies might make about the devices and how they can improve patient health, Peters said.

The wearables market may have less robust security protections than health-care systems integrated into large corporate infrastructures, Thora Johnson, a health-care attorney with Venable LLP in Baltimore, told Bloomberg Law.

The FDA’s voluntary cybersecurity guidance was a good step in helping make more companies understand what they need to do to protect their users and their data, but not everyone is living up to that guidance, Johnson said. The guidance was issued in 2016.

Wearables companies can protect patient privacy through several steps, including conducting a privacy impact assessment, Johnson said. An effective impact assessment should determine what data should be collected by a wearable, with whom the data should be shared, and how long it should be stored, Johnson said.

Companies should also conduct a security risk assessment and perform due diligence when dealing with third-party vendors, Johnson said.

“When attackers alter data from wearables, or make it unavailable, in a manner causing harm to patients, regulators and legislatures at both the state and federal level will quickly become engaged to protect health-care consumers,” Johnson said.

Informing the Consumer

Companies that aren’t covered under HIPAA may give their customers a notice about how they may use, or even sell, data, but such notices may not be sufficient and customers may not understand the scope of how their data are being used, Peters said.

“Without baseline privacy and security protections for consumers, there really is no limit on how companies can use the data, and while the FTC does require good basic security practices for the companies it regulates, some of this very sensitive information may need heightened security controls,” Peters said, referring to the Federal Trade Commission.

Widespread implementation of adequate security safeguards is also potentially compromised if there are no overall privacy and security standards, leaving consumer health data vulnerable, Peters said.

It’s important for wearable companies to provide consumers with plain-language notices that include all possible uses for consumer data, Peters said. That way consumers can make informed decisions and the companies can build robust security into their programs from the ground up, she said.

As the HIPAA-covered parts of the health-care sector continue to implement good security, non-HIPAA covered companies that hold large amounts of health data will become easier targets for cybercriminals, Peters said.

It’s likely that HIPAA may at some point be expanded to cover more of the health-care sector, Peters said, but it’s more likely that Congress and state legislatures take action to implement much more robust privacy and security protections for consumer information, regardless of whether or not it’s health related.

Industry Compliance

San Francisco-based Fitbit has been selling wearable fitness tracking devices since 2007 and reported $571 million in revenue in the fourth quarter of 2017.

The company has had a long-standing commitment to privacy and data protection as well as providing transparency about how it handles consumer data, a Fitbit spokesperson told Bloomberg Law.

A handful of Fitbit users had their individual accounts hacked in 2016, but this didn’t involve Fitbit emails or servers being hacked, the spokesperson said.

“Our investigation found that the accounts were accessed by an unauthorized party using previously stolen or compromised credentials from other third-party sites unrelated to Fitbit,” the spokesperson said. Fitbit reset the passwords of affected users after the hack was uncovered.

Fitbit recommends that customers avoid reusing passwords associated with their email address, which can leave devices vulnerable to hackers, the spokesperson said.

The company doesn’t share any customer personal information except in limited circumstances, such as at a user’s request, in response to a legal case, or with Fitbit’s third-party customer support and billing providers, the spokesperson said.

Fitbit also invests heavily in data security measures and has staffed a full information security team, the spokesperson said. “We use a combination of technical, administrative, and physical controls to maintain the security of user data,” the spokesperson said.

The data security program includes a paid public “bug bounty” program, which leverages security researchers from around the world to help identify and address any data security issues.

Fitbit pays researchers from $100 to $2,500 per identified security vulnerability, and researchers have so far discovered 139 vulnerabilities. Fitbit has paid an average of $572 per identified vulnerability over the last three months.

Apple and AliveCor didn’t respond to requests for comment on privacy and security issues surrounding consumer health-care data.

Risk Factors

There are huge risks in this sector, but risk is unavoidable if the hacker is sophisticated, Lisa W. Clark, a health care attorney with Duane Morris LLP in Philadelphia, told Bloomberg Law.

Complying with best industry practices for the security of these wearables is the most important step these companies can take, Clark said.

They should also have clear policies on their websites that establish how the company will respond to a breach, in accordance with state guidelines, Clark said. The companies may also have to comply with HIPAA rules if they bill the federal government for any of their services, Clark said.

The privacy and security risk factors facing the wearables sector are no greater than the risks facing other health technology companies, but it’s critical from a business standpoint that wearable companies prioritize security, Ellen Janos, a health care attorney with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC, in Washington, told Bloomberg Law.

It’s unlikely that HIPAA will ever be expanded to include wearables or any type of health information that consumers collect and share with others, Janos said, “It’s a huge challenge for the Health and Human Services Office for Civil Rights to keep up with its mandate to oversee covered entities and business associates,” Janos said, noting that a HIPAA expansion could overtax the agency.

However, Janos said she wouldn’t be surprised to see legislative efforts aimed at protecting the privacy and security of consumer-driven health information, given the growth of the wearables industry and the popularity of health apps used by consumers to track health and wellness information.

Request Health Care on Bloomberg Law