Smart Health Devices Need Privacy Protection
With all the electronic devices available to monitor, coach, track, and remind us to stretch or take medicine, Americans should be the healthiest people on earth! It’s true that connected medical devices, including smartphones, smart watches, and fitness trackers, can help motivate us to be the healthiest versions of ourselves (although genetics, willpower, and the realities of daily life prevent many of us from achieving perfect wellness). However, if you’re using technology to improve your health, it’s important to understand how those helpful devices could be misused to put your privacy and/or identity at risk, and how you can protect yourself.
Connected medical devices are made to share your information over the internet, with applications, medical providers, and/or with you.
Wherever that information is transmitted or stored, there’s the potential for it to be stolen or misused. Here are some examples of what could happen:
- Medical ID theft: Devices like Apple’s iPhone are being used to store the user’s medical records in Apple’s Health app on the phone. If hackers were to install spyware on a device and steal those medical records, they could sell the owners’ medical identity to someone who didn’t have health insurance. Medical identity theft can run up fraudulent medical bills, use up the victim’s insurance benefits, or even put their life at risk if an imposter’s health information goes into their medical record.
- Tampering: Hackers could cause physical harm by tampering with medical devices. A recent CNET article humorously described hacking risks with Nike self-tying sneakers. (To our knowledge, there are no documented deaths from shoelaces being tied too tight.) However, researchers and the FDA have identified security problems that could allow devices such as pacemakers and infusion pumps to be hacked, interfering with their function and putting lives at risk.
- Privacy risks: Even if a connected medical device doesn’t put you at risk of bodily harm, the information it gathers can risk your privacy if it falls into the wrong hands. The Wall Street Journal reported that smartphone apps had been gathering personal health information such as weight, blood pressure, or menstrual cycles and sending the information to Facebook. At a minimum, that violation of trust could lead to unwanted advertising, but if that data were exposed (and Facebook has had its share of breaches), embarrassing medical information could be used to extort money or information from a breach victim.
- Discrimination: There’s also the possibility of information being improperly shared, say, with an employer or insurance company. What if medical data captured by a device could be interpreted to indicate a pre-existing medical condition? If changes to the Affordable Care Act remove its protections for pre-existing conditions, a person could be denied medical coverage for such a condition. Or what if temperature records indicated a possible coronavirus infection or an underlying medical condition that would make an employee vulnerable? If the employer deemed them high risk, that person could lose weeks of wages or be restricted in their job opportunities.
Unfortunately, you can’t just download security software for most connected medical devices (although you can, and should, for your smartphone).
But you can take some steps to protect yourself. Here’s how:
- Ask questions: If you subscribe to a medical app, find out how the app maker protects your data and how they use it. Is the data encrypted on your device, during transport, and in their databases? What’s their privacy policy? Are they going to share your data with advertisers or their business partners?
- Use privacy settings: If the device has privacy settings (and smartphones most certainly do), then use those settings to protect your data as much as possible.
- Install security updates: In general, software updates equal security updates. When a software update comes out for your device, install it as quickly as possible.
From the rapid growth of telehealth to hospital rooms managed by Alexa, connected devices are the future of healthcare. You can help protect that future by pushing for higher standards in device security and medical privacy. Before you buy or accept a device or load a medical app on your phone, tablet, or computer, ask the vendor or your medical providers what’s being done to protect your privacy. Let your congressional representatives know there should be legal consequences for companies that sell customers’ medical data to a social media company such as Facebook. As a recent report by the eHealth Initiative said, “The medical device ecosystem is at a critical moment where strong leadership across industry, government, and the public is needed to prepare for a secure connected future.” It’s your health, your privacy, and your future, so take the lead!
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.