Privacy and security concerns are mounting as wearable health technology explodes. Fitbits and Jawbone fitness trackers, smartwatches, glucose monitors, heart sensors and other health technology can improve patient engagement and ultimately outcomes—a win for patients, providers and payers—sensitive data can be put at risk if the technology isn’t properly developed.
Most fitness and medical hardware syncs with a mobile app rather than a traditional website so that data can be collected on a continuous basis. Mobile apps also can continue to run in the background, still gathering data, even when the app or wearable device isn’t actively in use.
These apps gather as much information as possible, and not just steps, heart rate, and weigh-in information. Some of these apps are also gathering location information or may store credit information and other more sensitive data, should consumers choose to store it in the app. Plus, it’s possible that consumers who use these health and wellness devices intending to catch a break on health insurance premiums wind up with the opposite effect should their health decline.
Privacy and Security Risks of mHealth Technology
USA Today shared a report showing that 1 in 5 hardware-based trackers submit consumer information without encryption, making sensitive data vulnerable.
Plus, ComputerWorld reported last year that medical devices have been hacked, which creates a backdoor into hospital networks. “By the end of 2015, there will be an estimated 200 million wearable devices on the market according to ABI Research,” ComputerWorld wrote. “By the end of 2018, there will be 780 million wearable devices on the market. This gives hackers plenty of opportunities to steal sensitive data and benefit financially from it.”
Medical information is at a much higher premium than credit information, so it’s paramount for mHealth developers to make security a top concern. Here are some additional points that make privacy and security problematic in the mHealth industry:
- Lack of federal regulation and oversight. Only certain medical technology is deemed a medical device so that it falls under FDA review. General health and wellness devices are outside their purview, so the industry is left to its own devices to set and enforce a set of standards, meaning there is wide variation.
- Ambiguous privacy policies set by manufacturers. It’s not always clear to consumers exactly how public they’re making their private information, or whether the company is free to sell their data to third parties. Many manufacturers and developers of health technology leave their privacy policies intentionally vague, potentially to protect themselves in the event of a breach. Some are even investing in data breach insurance to protect themselves.
- Market fluctuations. Because mHealth is such a hot market, devices are constantly being introduced. But because consumers have been known to pick up a device and only use it for a short time before abandoning it, many of the companies developing these apps and devices go out of business quickly. That leaves a huge store of data that the company may then try to sell to third parties, and consumers may be unaware of that potential outcome.
In order to protect data and secure sensitive information, developers need to incorporate privacy and security requirements into the process from the beginning. In January last year, the Federal Trade Commission released a report urging companies to adopt best practices to that effect.
An excellent approach to accomplish this goal is to integrate BA and QA into one role. This process not only ensures that the same person is involved in setting development requirements but is also present throughout the process to ensure nothing falls through the cracks along the way. Along with minimizing risks that could introduce privacy or security weaknesses, this also speeds time-to-market.
Other FTC guidelines included training employees on the importance of security; vetting outside service providers thoroughly; deploying a “defense-in-depth” approach when security risks are identified, which includes multiple layers of security to defend against specific risks; incorporating measures to prevent unauthorized users from accessing devices and data; and monitoring connecting devices throughout their expected lifecycles.