Wearables Security: Taking the Risks in Stride

Wearable technology is the future. Projected to be a $50 billion industry globally by 2022, wearables will play a critical role in how people communicate, track their fitness goals, and even how much they pay for health insurance.

Evolved from their primitive pedometer roots, smart devices, like Fitbits and Apple Watches, have broken new technological ground and raised many questions about the security and confidentiality of the personal information they receive, store, and transmit.

Recently, the Federal Trade Commission (FTC) released a report on the security of these Internet of Things (IoT) devices and determined that potential security risks could be exploited to harm consumers by:

  1. Enabling unauthorized access and misuse of personal information
  2. Facilitating attacks on other systems
  3. Creating risks to personal safety

For those of us who just want to take a more active role in our wellness, this sounds like more than we signed up for. Should we be concerned that hackers can determine our habits, when we’re home or away, or that we’re sleeping based on our heart rate? The truth is, devices that operate via close-proximity protocols, such as Bluetooth, pose a nominal risk when compared to IoT devices that are actively connected to the Internet. That being said, it is always in a consumer’s best interest to investigate whether the manufacturer pushes regular fixes and updates to keep their technology secure, and if the data collected is appropriately anonymized. If the data is not identity-scrubbed, that manufacturer has effectively acquired electronic protected health information (ePHI) and must now abide by Health Insurance Portability and Accountability Act (HIPAA) regulations.
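The "appropriately anonymized" requirement above is concrete enough to show in code: before telemetry from a wearable reaches analytics storage, direct identifiers are dropped, the user identifier is replaced by a keyed pseudonym, and timestamps and GPS coordinates are coarsened so that sleep, commute and home-address patterns cannot be read back out. The following Python is an added example, not code from the original post or from any wearable manufacturer; the record layout, the field names, the sample records and the secret key are constructed assumptions.

```python
"""
Added example: de-identifying wearable telemetry at ingestion.
All field names, sample records and the key are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime

# Direct identifiers that must never reach analytics storage (constructed list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "device_serial"}

# Constructed secret; in practice this lives in a key store, not in source.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the same user links across records, but the
    pseudonym cannot be rebuilt from a known user id without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def coarsen_timestamp(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour. Minute-level readings
    reveal when a wearer falls asleep, wakes, or leaves the house."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def coarsen_location(lat: float, lon: float, decimals: int = 1) -> tuple:
    """Reduce GPS precision. One decimal place is roughly an 11 km cell in
    latitude, enough for regional trends but not for a street address."""
    return (round(lat, decimals), round(lon, decimals))


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of the record that is safe to hand to analytics."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # drop outright; nothing downstream needs it
        if field == "user_id":
            out["subject"] = pseudonymize(str(value), key)
        elif field == "timestamp":
            out["timestamp"] = coarsen_timestamp(value)
        elif field == "location":
            out["location"] = coarsen_location(*value)
        else:
            out[field] = value  # heart rate, step count, etc. stay as-is
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Guard for the storage boundary: refuse records that still carry PII."""
    return any(field in record for field in DIRECT_IDENTIFIERS) or "user_id" in record


# Constructed sample telemetry, as a manufacturer's ingestion service might see it.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "name": "Example Wearer", "email": "wearer@example.invalid",
     "device_serial": "SN-CONSTRUCTED-01", "timestamp": "2024-03-02T06:47:13Z",
     "location": (47.6205, -122.3493), "heart_rate": 58, "steps": 0},
    {"user_id": "u-1001", "name": "Example Wearer", "email": "wearer@example.invalid",
     "device_serial": "SN-CONSTRUCTED-01", "timestamp": "2024-03-02T07:12:40Z",
     "location": (47.6211, -122.3388), "heart_rate": 94, "steps": 812},
    {"user_id": "u-2002", "name": "Other Wearer", "email": "other@example.invalid",
     "device_serial": "SN-CONSTRUCTED-02", "timestamp": "2024-03-02T06:05:02Z",
     "location": (40.7128, -74.0060), "heart_rate": 61, "steps": 14},
]


def deidentify_batch(records: list, key: bytes = PSEUDONYM_KEY) -> list:
    cleaned = [deidentify(r, key) for r in records]
    assert not any(contains_direct_identifiers(r) for r in cleaned)
    return cleaned


if __name__ == "__main__":
    for row in deidentify_batch(SAMPLE_RECORDS):
        print(row)
```

Two design points worth noting: the pseudonym is keyed rather than a plain hash, because user ids and e-mail addresses are low-entropy and a plain SHA-256 of them can be reversed by enumeration; and the guard in `deidentify_batch` sits at the storage boundary so that a new field added upstream cannot silently leak an identifier past the cleaning step.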

For companies that provide wearables to employees, a best practice is to segregate the devices onto their own network rather than connecting them directly to the Internet. Enterprises should also vet potential wearable providers by determining whether their application programming interface (API) is open and whether wearable users can revoke data access at any given time.

Currently, no Federal legislation exists regarding data privacy in the United States. Individual states, however, continue to debate and update their own laws as IoT technology, and the associated threats, evolve. For now, consumers should do their due diligence when selecting wearables and keep manufacturers on their toes by demanding that adequate security measures are implemented and updated routinely. In turn, manufacturers should conduct regular privacy and security risk assessments of their devices to ensure consumer data is appropriately anonymized and secure.