With over 55 different fitness wearable devices to choose from, the wearables market has breathed new life into our personal health, providing us with more insight into our sleep patterns, calories burned, blood pressure, heart rate and so much more. In the near future, we may even ingest sensors to gauge how our body reacts to a drug. Adorning ourselves from head to toe with devices that allow us to quantify our health in new ways could bring enormous health benefits.
Like everyone else, I’m excited by the promise of instant health data conveniently available at our fingertips, wrists, and ankles. But I am a Metadata Era blogger, and while we strongly believe that you can’t manage what you don’t monitor, all this monitoring comes with a lot of new data, and data privacy and protection are always top-of-mind.
Learn how to automate Microsoft 365 management with our free PowerShell course
Here are 5 privacy and data security issues that should be on your radar:
1. Can your data be shared with or sold to third parties?
As users of these health monitoring devices, we’re often contributing health information to a centralized database maintained by the wearable maker. Most of us don’t want outsiders looking at our data, but many fitness trackers’ privacy policies are vague and ever-changing, with platitudes that begin with “We respect your privacy” and end with “We may share your information with third parties…” Unless you live in a state that treats this data as PHI, or Protected Health Information, expect that they can legally share your sensitive medical data without your permission, because HIPAA’s extensive privacy regulations (see below) don’t yet apply to this new industry. Ambiguously worded terms of service may give these companies just enough wiggle room to sell your un-PHI (unProtected Health Information) once you’ve clicked on the ‘accept license’ button.
2. Padlocks or Fort Knox?
We’ve entrusted these companies to gather our personal health information, but what measures will the company or 3rd party partners take to ensure that our unPHI is safe and secure? Many privacy policies indicate that they “protect your personal information from unauthorized access, use, or disclosure,” but what does that really mean? Do they encrypt the information? Do they periodically review who has access to it? What about monitoring?
3. Public-by-default
These companies also have a social networking aspect, and subscribers can choose to publicize and share their information with others. Unfortunately, it’s not unusual for the default privacy to be set to public, allowing profiles to be found in search results. In 2011, one vendor was criticized when sexual activity it tracked– yes, you can learn lot from accelerometers –showed up in Google search results. If you don’t want your unPHI data searchable online, make sure you triple-check all of the default privacy settings and turn off anything you’re not comfortable sharing publicly.
4. HIPAA can’t help
With the number of heartbeats, steps, and sleep history tracked, these types of “health data” are not formally considered PHI unless it’s shared with a doctor, hospital, 3rd party vendors and therefore not subject to HIPAA regulations. But should wearable device companies be subject to them? So far, I’ve only seen one such company, a sleep device tracking organization, which at least acknowledges HIPAA and California’s own data security laws, which by the way explicitly covers personal medical data. For this particular wearable startup, you need to give them explicit consent about giving them access to your sleep data. However, it’s unclear whether Health and Human Services (HHS) is going to focus their attention on wearables any time soon, so it’s up to you to protect yourself.
5. Who owns your data?
Who owns the personal data you generate with the wearable device — you or the business that’s compiling your vitals? As the owner and creator of your very own health data, I was alarmed by one company’s privacy policy regarding accessing your own data:
That begs the question, “How can we get more control over our own data?”
Despite the privacy issues, I wore a sports band for one week to see if the potential benefits outweighed the risks. I thought the device was accurate until the log reported that I lost more calories during my 30 minute leisurely walk to work than in 1.5 hours of swimming, which normally takes everything out of me. Perhaps, as we wait for wearable technologies to mature and collect better data, it would also be a good time to figure out how to keep that data private and protected.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.