There’s been a lot of news lately in the health and fitness wearables space. Apple just announced they’re releasing an app, called “Health,” as well as a cloud-based platform “Health Kit”. Somewhat related, Nike recently pulled the plug on its activity tracking Fuelband. The conventional wisdom is that fitness trackers are on the decline, while the wearables market in general (think Google Glass and the upcoming iWatch) is still waiting for its defining moment.
And on the privacy front? In fact, there’s been a lot of movement there as well, and the FTC is all over it! They recently hosted a “Consumer Generated and Controlled Health Data” event and all the speakers – the FTC Commissioner, technologists, attorneys, privacy experts – agree that the potential of health-based wearables is huge, but since health data is so sensitive, it needs special protection.
I’ve distilled their privacy wisdom into 5 key things privacy experts want you to know about health data, the data generated from your wearables, your privacy and why it’s so hard to create one law that protects all.
1. Transparency and trust are essential
If health and fitness wearable makers create privacy policies that are ambiguous and don’t require consumer consent for data sharing, it may limit the benefits of these services for many people, especially those who are privacy conscious. Why upload your health data when there’s no guarantee it will be kept private?
Some experts suggest short, clear-cut notices about the safety and protection of your data—something akin to a data nutrition label.
2. Your health data gets around
Latanya Sweeney, the FTC Chief Technologist and Professor of Government and Technology at Harvard University, attempted to document and map all flows of data between patients, hospitals, insurance companies, etc. She learned that it’s not really clear where data is going and it’s difficult to know all the places it might wind up.
Inspired by Sweeney, I checked whether some healthcare data may find its way outside the medical ecosystem. It does! The recent FTC report on the data broker industry (see appendix B) proves the brokers collect some sensitive patient data points.
Source: DataMap
3. Discharge data in disarray
Information about your hospital visit is also known as discharge data. State law requires that this data be sent to whoever that law designates to receive it.
What do states do with your discharge data? Turns out 33 states sell or share your discharge data. Of the 33 states, there are only 3 that are HIPAA compliant.
Source: DataMap
4. Geolocation is not to be overlooked
One very important privacy matter mentioned at the FTC event was geolocation. Many health and fitness apps and wearables mine data about your running routes or when you’re at the gym. Some apps may also be able to predict where you’re going to be at a certain time or predict when you’re not home.
5. There’s no free lunch
In exchange for a freemium health and fitness app, you are sharing A LOT of data. That’s not unusual in the free app world, but medical data is not the same as sharing your list of favorite movies.
Some users might put trust in the maker of their healthcare app or device, say, Nike, but not realize that by using the product they’re consenting to having their health information sold and resold to third parties that may not be as trustworthy.
Jared Ho, an attorney in the FTC’s Mobile Technology Unit, tested 12 health and fitness apps and found that his data was sent to the developer’s website as well as 76 third parties, mostly advertising and analytics organizations.
Here’s what he found:
- 18 of the 76 third parties collected device identifiers such as unique device ID.
- 14 of the 76 third parties collected consumer-specific identifiers, such as user name, name and email address.
- 22 of the 76 third parties received information about the consumers such as exercise information, meal and diet information, medical symptoms, zip code, gender and geo-location.
No one can predict what will happen in the wearables market, but emerging business practices and technologies will inform and impact consumer privacy regulations, as consumer privacy remains a very hot topic. Questions about who will, and who should, have access to one’s personal health data will no doubt remain a part of the discussion.