Security Awareness Blog

You are for Sale: Wellness Apps, Wearable Devices, and Data Privacy

Editor's Note: This is a guest Blog Post from Kelli Tarala. This is the second in a series of blog posts from her about wearable devices and healthcare.

Introduction: In a recent post we discussed health wearables, a class of devices that measures and reports statistical health information such as number of steps taken, heart rate, sleep patterns, etc. This collection of data is part of a movement known as the Quantified Self, an ecosystem of applications, cloud services, smart phones, medical devices and wearables that assist the user in self-tracking. The purpose of this self-tracking is improved self-knowledge, perhaps improved athletic performance or better health through weight loss, lower blood pressure, or more activity throughout the day. Through an application on a smart device, this quantified-self data is organized and uploaded to a cloud service for analysis and record keeping.

Health wearables and wellness apps not only gather health data, they also gather a fair amount of supporting information such as the friends you exercise with, the location data of your favorite walking routes and when you are walking, the location of your favorite gym, or even how often you check in at the local pizza parlor on Facebook. There are companies interested in your Quantified Self, but their goals may not be health related. Their goal may be to make money by selling your information to third parties such as clothing companies, shoe companies, and other retailers.

My Quantified Self May Not be Private
When you sign up for a wellness app, you may or may not see a privacy notice on the website. A privacy policy is a public statement or legal document that details some or all of the ways an organization gathers, uses, and manages your data. Wellness apps and wearables should have a privacy policy on their website, and the privacy policy should address the information collected, location data, the use of personal data, and the disclosure of data to third parties. Sharing user data with third parties is a big and profitable business. In July 2013, a California-based consumer privacy advocacy group known as The Privacy Clearinghouse conducted a study of 43 popular fitness and health apps and found that "Of the free apps [they] reviewed, just under half (43%) provided a link to a website privacy policy. Of the sites that posted a privacy policy, only about half were accurate in describing the app's technical processes." [1] Not only were a number of these wellness apps missing a privacy policy detailing the collection and disclosure of personal data, those that had one were often not even accurately describing how the data was gathered.

In a fairly innocuous example, a running app may share your mileage with a running shoe company, and in turn you may receive advertisements for a new pair of running shoes. In a more nefarious example, a food diary app may sell your food diary to health insurance companies, and the analysis of that data could result in a higher insurance premium. In another study conducted by Evidon in 2013, "We scanned 20 of the top health, wellness, and fitness apps and looked for the presence of third-party data collection technologies. The results varied, but they indicated in many cases an active practice of sharing user data with third parties. Among the top 20 apps, as many as 70 third parties were present, collecting data about the app users." [2] If you use wellness apps or wearable health devices, your data may not be as private as you assume. Look to see whether the organization publishes a privacy policy. Despite collecting vast amounts of health-related data, wellness apps and wearable devices are not covered under HIPAA.

My Quantified Self is NOT Protected by HIPAA?
Wellness apps and wearables create and transmit the Quantified Self, but this type of data may not have the same level of security and privacy protections as data generated at the doctor's office. The Health Insurance Portability and Accountability Act of 1996 was designed to protect personally identifiable health information collected, stored, and transmitted by covered entities and their business associates. 18 years ago, we did not have smart devices and wearable health technology like we do now, and it is difficult to determine which apps and wearable devices must be HIPAA-compliant and which are exempt. The US Department of Health and Human Services has not issued a definitive statement on PII on smart devices and wearables to date. It is highly likely that HIPAA-driven privacy and security protections do not apply to casual wellness apps or the data collected from wearable devices. What can I do about protecting myself?

  1. Read and understand the privacy policy for the apps and services.
  2. If the app does not publish a privacy policy, consider using a similar app that does publish one.
  3. Avoid apps that ask for excessive and unnecessary information.
  4. If you decide to use the app, use a strong password of at least twelve characters that mixes letters, numbers, and special symbols.
  5. Use a separate email address for health and fitness apps.
  6. Don't reuse the same user name and passwords on different sites.
  7. If you decide to link to social media sites for encouragement, use with caution. Do not allow a social media app to post on your behalf. It may disclose your location or even worse, your private health details.
  8. Use a password or screen lock to prevent unauthorized access to your device.
  9. Periodically review the rights and permissions granted to the app on your mobile device.
  10. Turn off Bluetooth when not required.

[1]: https://www.privacyrights.org/mobile-medical-apps-privacy-alert
[2]: http://www.evidon.com/blog/healthy-data-set

Guest Editor Bio: Kelli K Tarala is a principal consultant and co-owner of Enclave Security. Her career began in 1994 as a system administrator and technical editor at a pharmaceutical research organization. As a security architect and project manager, she specializes in IT audit, governance, and information assurance strategies. She is a SANS Institute courseware co-author for MGT415 A Practical Introduction to Risk Management and SEC566 Implementing and Auditing the Critical Security Controls - In-Depth. In her spare time, she contributes to the Council on CyberSecurity Critical Security Controls project and enjoys running and kayaking.