The Price of the Wearable Craze: Less Data Security

On the black market, your personal health information is about 10 times more valuable than a stolen credit card number.

Technology pioneer isn't a role people associate with former vice president Dick Cheney, but technology security experts today give his medical advisory team props for a move made back in 2007 — disabling the wireless capability on Cheney's pacemaker. The act was, of course, a cautionary effort against any entity that might have tried to hack it to cause Cheney harm.

Photo: Activity tracker. Ethan Miller / Getty Images, file

This is old news — Cheney revealed the story in 2013 during an interview on 60 Minutes — but in a year when the world's largest technology, medical device and health care firms are betting big and fast on wearable technology's role in delivering patients a more precise and cost-effective way to manage their health, experts are worried that the pace of updating data privacy laws and building infrastructures with optimal levels of security doesn't match the speed of the market's technological rollout.

The risks to consumers depend on what type of device they're wielding. In rare instances, weak links or endpoints in a cloud-based network powering something like a wearable insulin pump could be life-threatening, as they open the door to hackers tampering with the device. On the privacy side, personal data culled from all types of wearables — namely fitness trackers — are finding their way to employers, insurance companies and the black market, resulting in a range of grievances, from higher insurance premiums to identity theft.

"It's a consumer-driven movement; consumers are demanding medical-grade products that are coming from companies that are well-versed in consumer electronics," said David Niewolny, health care segment manager for Freescale Semiconductor. "These folks aren't familiar with the security type requirements that are needed for a health care market versus a consumer market."

Niewolny is referring to the firms that make up more than 80 percent of the health-related wearable technology market, the activity tracker upstarts like Fitbit and technology giants like Apple that are helping drive a new digital health conscious movement into a $2.8 trillion health care industry. Research firm Gartner estimates that more than 1.4 billion health and fitness units will ship by 2020, up from roughly 300 million today.

The segment that includes certified medical devices like continuous glucose monitors is also growing, but more slowly given the regulatory approval process they pass through. Since 1997, the FDA has cleared 115 digital health devices, at a rate of roughly 20 per year. This year, approximately 40 digital health devices have been cleared, but that includes updated/revised versions of existing products.

The first-ever digital health device approved by the FDA, in 1997, was a heart tracker named Rhythmstat XL, which allowed patients to record an electrocardiogram (ECG) and transmit it directly to their doctor, who could review it on a Psion 3C palmtop computer. Which kinds of technology the FDA considers a "device" — including apps — is complicated.

Both device camps will help propel the personalized medicine movement.

While the National Institutes of Health is researching ways to use wireless consumer and certified devices to collect massive amounts of health data for its Precision Medicine Initiative Cohort Program, firms like Samsung, Apple and IBM are working on platforms that enable wearables to give health care staffers a more comprehensive and immediate picture of a patient's health.

To that end, medical technology firm Medtronic recently enabled real-time streaming from its continuous glucose monitor to an iPhone app, which allows diabetics to know blood sugar levels at all times. The system alerts patients when levels move too low or too high. The next iteration, which just completed a pilot test of 100 patients, will leverage the data analytics ability of IBM's Watson Health unit to alert diabetics as to when they're likely to experience a hypoglycemic event — hours in advance.

"That's the holy grail — the ability of sensors to continuously track you so if there looks like there's been a change in your health, you're notified before the event," said cardiologist Leslie Saxon, a professor of clinical medicine at the University of Southern California. Saxon also heads up USC's Center for Body Computing, which is studying how to engage people in sharing health-related information via social networks.

As this technology evolves and becomes more sophisticated in the way it harnesses and transmits tiny bits of data about an individual's health and behavior, so must the security protocols that preserve confidentiality and protect the device from being attacked directly.

While devices powered by legacy tech firms like Medtronic and IBM have robust security practices in place, upstarts may have more trouble balancing the risk-reward ratio of spending the time and money it takes to build a strong security backbone into their device with the speed at which they want to roll things out.

"When you're looking at the brain of one of these devices, if the software isn't designed to protect itself and it's not designed without design flaws and without vulnerabilities and implementation bugs in it — which we've seen — then it will be attacked," said Gary McGraw, CTO of software firm Cigital.

A big problem, say experts, is that most wearables aren't standalone devices — many work with smartphones. They also interact with a host of other endpoints including the device maker, health care firms, hosting providers — places that likely have varying levels of security.

Where a device connects to the cloud is probably the weakest link of all. "[These devices] are not as secure as your smartphone or your PC — it's not that hard for someone with malicious intent to tunnel back into the device and do some harm," said Gary Davis, chief consumer security evangelist at Intel Security.

There's another reason why hackers could be exploiting flaws in medical devices: They want the information contained in your health records, which, according to Dell SecureWorks, is about 10 times as valuable as a stolen credit card number on the black market.

"These devices contain your address, date of birth, group number — that's stuff hackers can use for a long time and get a lot of benefit out of," said Davis, who dubbed 2015 "the year of the health care breach," given the number of big insurance companies and hospitals targeted by hackers.

"While the credit card companies have gotten so good at detecting fraud, managing mileage out of [a stolen card number] is pretty limited."

A story in the Washington Post earlier this year noted that, "Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009," based on a review by the paper of Department of Health and Human Services data.

Anthem revealed that hackers got into a database containing nearly 80 million records of consumers' personal information.

Other major insurers, including Aetna and UnitedHealth, have been citing the risk of hacks in annual reports since 2013.

And these are the organizations designated to protect health data and with the most experience doing that.

Probably the most contentious issue about health wearables is how and with whom data is shared. While devices prescribed by physicians are covered under the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule, the process has many weak links.

Perhaps the darkest side of the data privacy issue involves consumer wearables like fitness trackers, where any personal data emitted is up for grabs. Users essentially give up the right to keep any personal information private when they accept a wearable's terms of service.

One of the dangers of sharing such information is that it's potentially being collected by data brokers, firms that seek personal information about individuals from a host of online and offline sources and then sell it to companies who use the data in various ways.

According to an FTC report, much of the information being brokered is used for marketing purposes. But there are also worries that insurance firms are using it to classify individuals, which might impact premiums.

And potential employers could be mining it in an effort to steer clear of hiring someone — say, a diabetic — who might end up costing more in terms of health benefits.

Until regulations catch up to the loopholes associated with the technology — Goodnow predicts that we'll see cases popping up in the next several months to the next several years that will help sort out such issues — experts say it's essential for consumers to become better versed in what they're giving away when signing on to use a new device, medically certified or not.

After all, "there's no way to make [a device or system] 100 percent secure," said Cigital's McGraw.