If you don’t yet wear a smartwatch or smart ring to monitor your health and fitness, you may soon be encouraged to do so by some of the highest-ranking members of the government.

During a House Energy and Commerce Health Subcommittee hearing, Health Secretary Robert F. Kennedy Jr. said he’d like all Americans to use wearable health products, such as Fitbits, Apple Watches, Oura Rings, WHOOP and glucose monitors, to “control” their health and “take responsibility” for it.

According to Politico, Kennedy said people can use wearables to track “what food is doing to their glucose levels, their heart rates and a number of other metrics as they eat it, and they can begin to make good judgments about their diet, about their physical activity, about the way that they live their lives.”

While this remains just a suggestion and not a mandate, it’s been announced that the Department of Health and Human Services will launch a campaign to encourage Americans to wear these devices.

Wearables can track your heart rate, menstrual cycle, fitness regimen, blood sugar levels, sleep patterns, location and more. They’re a great way to understand your health (for example, the Oura Ring lets you know when it thinks you’re getting sick) and to stick to a workout regimen (the Apple Watch is both loved and hated for its “close your rings” reminders).

While they can be helpful for the average person, these devices store lots and lots of our data — is it safe for all of this information to be out there? And what happens if this data ends up in the wrong hands — including the government’s? Experts weigh in.

First, know that no one has said the government will actually collect this health data.

There is a major difference between the government having access to health data and the government simply encouraging folks to use wearables for their own health tracking, said Alex Hamerstone, the advisory solutions director for TrustedSec, an ethical hacking company.

“Those are obviously two very different questions, and there’s no indication at this point that they’re looking to have the government have access to that data,” he noted.

The government does, though, already have access to lots of health data. “If you look at the percent of people who receive health care through Medicare and Medicaid and state programs, and so on and so forth, they already have a lot of very detailed information,” Hamerstone noted.

“I know there are guardrails around it and things like that, but not to get into any kind of political thing, but a lot of those guardrails seem to be falling down,” he noted.

You should also understand that no matter who is privy to it, health data is very valuable.

You’ve probably heard the phrase “data is the new currency,” meaning your personal data has inherent value to companies. It’s how they sell you ads and understand your needs.

But “health data is just kind of a different category of data,” said Hamerstone.

Having your credit card hacked is temporarily annoying, but you’re not liable, and typically, after some phone calls and logistics, your life will go back to normal.

“But if someone gets access to your private health care data, that’s much different. It’s a different kind of data,” Hamerstone said.

“So, somebody knowing how many steps you take is one thing, but if you start to get into things like glucose levels or very detailed medical information, those things could start to affect other parts of your life,” he added.

This could impact insurance rates and insurance options, Hamerstone said.

Some experts are worried about the government’s ability to protect health data because of past breaches.

Kevin Johnson, the CEO of Secure Ideas, a security testing and consulting company, has concerns about the government’s ability to protect any data that is gathered through the use of wearables.

For instance, in 2018, there was a major security breach involving the Strava fitness app and the U.S. government in which soldiers’ locations at military bases were shared via Strava.

“So, the idea that the government is saying we’re going to encourage … wearing of these when the government had a significant security problem due to this, that’s one of the concerns that I just don’t understand how we forgot that happened,” said Johnson.

Overall, Johnson said, there are “significant security issues with wearable devices.”

“My company and other companies have tested these devices. We’ve found vulnerabilities. We have found ways that the wearable technology gives an attacker access to your data because of security lapses in the hardware and software. We’ve seen multiple cases where attackers are able to gain access to things that are unrelated to the health care data because of security problems,” Johnson said.

There have also been privacy violations when data brokers get access to this data, whether they gain access illegitimately or legitimately, Johnson said.

(And the companies collecting the data from wearables do often sell your data to data brokers, Johnson noted.)

You may not care if someone has your heart rate data from your smartwatch, but it’s so much more than “just” that.

“There are always security concerns when it comes to connected technology,” said Dave Chronister, the CEO of Parameter Security.

And your wearable device is most likely connected to your smartphone — meaning it has access to lots of your personal data, according to Johnson.

“No device or platform is completely secure,” Chronister noted. “Attackers often target the backend systems, such as cloud servers, via compromised employee credentials or software vulnerabilities.”

“Devices that rely on Bluetooth or Wi-Fi can also be exploited, and if the device supports messaging or sync features, phishing or spoofing attacks are possible,” noted Chronister.

These devices can also get stolen or lost, which also puts your data at risk, Chronister added.

Johnson said he’s often heard people say things like, “Oh, it’s just my heart rate data, that’s not a big deal,” but it’s actually so much more than that.

“The issue is, we’re not just talking about heartbeat. We’re not just talking about your sleep schedule. We’re talking about your location. We’re talking about most of these apps tie into your contacts so that you can invite friends,” said Johnson.

Moreover, it may also include your reproductive health data, glucose levels or heart irregularities, Chronister said.

“These can paint a sensitive, personal portrait of someone’s health and behavior,” Chronister added.

Health data from wearables isn’t protected like your medical records.

“It’s important to understand that data from wearables is not protected under HIPAA like your medical records are,” said Chronister. HIPAA protects patient health records from things like doctor’s appointments.

“Instead, it is governed by the company’s terms of service … which often include loopholes that allow for data sharing or sale, especially in the event of a merger or acquisition,” Chronister explained.

This is true even if the company says they’ll never sell your data. “That promise can be overridden by fine print or future policy changes,” he added.

“Consumers should be aware that once their data is out there, they may lose control over how it is used,” Chronister said.

What can you do to protect your security if you use wearables?

“Almost all of these types of devices have some level of privacy controls in them that you’re able to select what data you give,” said Johnson.

If you decide to get a wearable, make sure you check your privacy settings and adjust them accordingly, he noted.

“And this is very important — regularly go in and validate that the privacy settings are still set the way you want them to be,” Johnson added.

This is really the most you can do to protect your data, and it certainly won’t totally protect you from data breaches or data brokers.

“Unfortunately, individual users have very limited control. You are largely at the mercy of the device manufacturer and app provider,” Chronister noted.

While you can follow privacy precautions, such as by “turning off unnecessary Bluetooth connections, using strong account passwords, and checking app permissions … those measures only go so far,” Chronister said.

“The real issue is how companies store, share and protect your data behind the scenes,” Chronister noted.

Chronister stressed that “it’s critical to understand the long-term implications of voluntarily handing over personal health data to private companies. This information can be sold to marketers, shared with third parties, or exposed in a breach.”

He voiced specific concern about how this data can be combined via different apps and companies over time to build “incredibly detailed personal health profiles.”

So while it may not be a big deal if one company has your sleep data and another has your activity levels, these companies can be acquired, or data can be combined to create a fuller picture of your private health information.

“And AI is really a wild card. Going forward, it will increasingly be able to draw conclusions and make predictions about your current and future health. This raises serious questions about how such insights could affect things like insurance eligibility, premium rates, or even creditworthiness,” Chronister said.

When it comes to health data (and data of any sort), “the risks are inherent even with the government not involved,” Hamerstone said.

Once that data exists, it’s at risk of being lost or stolen by bad actors, he added.

Keep that in mind before you start using wearable health technology, and if you’re already a user, it’s important to be aware of the risks so you can make informed decisions and do what you can to protect your privacy.
