Editor's Note: This is a guest Blog Post from Kelli Tarala. This is the second in a series of blog posts from her about wearable devices and healthcare.
Introduction: In a recent post we discussed health wearables, a class of devices that measures and reports statistical health information such as the number of steps taken, heart rate, sleep patterns, etc. This collection of data is part of a movement known as the Quantified Self, an ecosystem of applications, cloud services, smart phones, medical devices and wearables that assist the user in self-tracking. The purpose of this self-tracking is improved self-knowledge, perhaps improved athletic performance or better health through weight loss, lower blood pressure, or more activity throughout the day. Through an application on a smart device, this Quantified Self data is organized and uploaded to a cloud service for analysis and record keeping.
Health wearables and wellness apps not only gather health data, they also gather a fair amount of supporting information, such as the friends you exercise with, the location data of your favorite walking routes and when you walk them, the location of your favorite gym, or even how often you check in at the local pizza parlor on Facebook. There are companies interested in your Quantified Self, but their goals may not be health related. Their goal may be to make money by selling your information to third parties such as clothing companies, shoe companies, and other retailers.
My Quantified Self May Not be Private
My Quantified Self is NOT Protected by HIPAA?
Wellness apps and wearables create and transmit the Quantified Self, but this type of data may not have the same level of security and privacy protections as data generated at the doctor's office. The Health Insurance Portability and Accountability Act of 1996 was designed to protect personally identifiable health information collected, stored, and transmitted by covered entities and their business associates. 18 years ago, we did not have smart devices and wearable health technology like we do now, and it is difficult to determine which apps and wearable devices must be HIPAA-compliant and which are exempt. The US Department of Health and Human Services has not issued a definitive statement on PII on smart devices and wearables to date. It is highly likely that HIPAA-driven privacy and security protections do not apply to casual wellness apps or the data collected from wearable devices. What can I do about protecting myself?
- Avoid apps that ask for excessive and unnecessary information.
- If you decide to use the app, use a strong password of at least twelve characters that includes numbers or special symbols.
- Use a separate email address for health and fitness apps.
- Don't reuse the same user name and passwords on different sites.
- If you decide to link to social media sites for encouragement, use with caution. Do not allow a social media app to post on your behalf. It may disclose your location or even worse, your private health details.
- Use a password or screen lock to prevent unnecessary access to your device.
- Periodically review the rights and permissions granted to the app on your mobile device.
- Turn off Bluetooth when not required.
Guest Editor Bio: Kelli K Tarala is a principal consultant and co-owner of Enclave Security. Her career began in 1994 as a system administrator and technical editor at a pharmaceutical research organization. As a security architect and project manager, she specializes in IT audit, governance, and information assurance strategies. She is a SANS Institute courseware co-author for MGT415: A Practical Introduction to Risk Management and SEC566: Implementing and Auditing the Critical Security Controls - In-Depth. In her spare time, she contributes to the Council on CyberSecurity Critical Security Controls project and enjoys running and kayaking.