With over 55 different fitness wearable devices to choose from, the wearables market has breathed new life into our personal health, providing us with more insight into our sleep patterns, calories burned, blood pressure, heart rate and so much more. In the near future, we may even ingest sensors to gauge how our body reacts to a drug. Adorning ourselves from head to toe with devices that allow us to quantify our health in new ways could bring enormous health benefits.
Like everyone else, I’m excited by the promise of instant health data conveniently available at our fingertips, wrists, and ankles. But I am a Metadata Era blogger, and while we strongly believe that you can’t manage what you don’t monitor, all this monitoring comes with a lot of new data, and data privacy and protection are always top-of-mind.
Learn how to automate Microsoft 365 management with our free PowerShell course
Here are 5 privacy and data security issues that should be on your radar:
1. Can your data be shared with or sold to third parties?
As users of these health monitoring devices, we’re often contributing health information to a centralized database maintained by the wearable maker. Most of us don’t want outsiders looking at our data, but many fitness trackers’ privacy policies are vague and ever-changing, with platitudes that begin with “We respect your privacy” and end with “We may share your information with third parties…” Unless you live in a state that treats this data as PHI, or Protected Health Information, expect that they can legally share your sensitive medical data without your permission, because HIPAA’s extensive privacy regulations (see below) don’t yet apply to this new industry. Ambiguously worded terms of service may give these companies just enough wiggle room to sell your un-PHI (unProtected Health Information) once you’ve clicked on the ‘accept license’ button.
2. Padlocks or Fort Knox?
We’ve entrusted these companies to gather our personal health information, but what measures will the company or 3rd party partners take to ensure that our unPHI is safe and secure? Many privacy policies indicate that they “protect your personal information from unauthorized access, use, or disclosure,” but what does that really mean? Do they encrypt the information? Do they periodically review who has access to it? What about monitoring?
These companies also have a social networking aspect, and subscribers can choose to publicize and share their information with others. Unfortunately, it’s not unusual for the default privacy to be set to public, allowing profiles to be found in search results. In 2011, one vendor was criticized when sexual activity it tracked– yes, you can learn lot from accelerometers –showed up in Google search results. If you don’t want your unPHI data searchable online, make sure you triple-check all of the default privacy settings and turn off anything you’re not comfortable sharing publicly.
4. HIPAA can’t help
With the number of heartbeats, steps, and sleep history tracked, these types of “health data” are not formally considered PHI unless it’s shared with a doctor, hospital, 3rd party vendors and therefore not subject to HIPAA regulations. But should wearable device companies be subject to them? So far, I’ve only seen one such company, a sleep device tracking organization, which at least acknowledges HIPAA and California’s own data security laws, which by the way explicitly covers personal medical data. For this particular wearable startup, you need to give them explicit consent about giving them access to your sleep data. However, it’s unclear whether Health and Human Services (HHS) is going to focus their attention on wearables any time soon, so it’s up to you to protect yourself.
5. Who owns your data?
That begs the question, “How can we get more control over our own data?”
Despite the privacy issues, I wore a sports band for one week to see if the potential benefits outweighed the risks. I thought the device was accurate until the log reported that I lost more calories during my 30 minute leisurely walk to work than in 1.5 hours of swimming, which normally takes everything out of me. Perhaps, as we wait for wearable technologies to mature and collect better data, it would also be a good time to figure out how to keep that data private and protected.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.