Summer 2024 Issue
Data Security: Safety and Security for Wearables
By Dava Stewart
For The Record
Vol. 36 No. 3 P. 30
How Protected Is the Data They Gather?
Wearable devices, such as the Apple Watch, Fitbit, Garmin watches, and many others, provide useful and sometimes crucial information to consumers, but they pose a security risk when it comes to the data they collect because they are not protected by HIPAA. For health information managers, the risk can cause deep and warranted concerns about protecting patients’ health data as well as raise questions about what should and should not be included in a patient’s medical record. Although experts are calling for changes to address gaps in regulations and improve standardization in cybersecurity across industries, the immediate need from an HIM perspective is to take a proactive stance regarding risk management and compliance.
Unregulated and Unprotected
One misconception many consumers have is that their data is in some way protected, regardless of where or how it’s collected. If a woman chooses to track her cycle using a smart watch, that data is no more protected than if she posted it in a public forum. The information is owned by the entity that collects it and is not subject to the same legal protections as information collected by medical devices that are subject to HIPAA regulations. This misconception can lead patients to be less cautious.
“The problem is with those devices that are not considered medical devices and can only be marketed as a technology for improving lifestyle or wellness,” says Bertalan Meskó, MD, PhD, director of The Medical Futurist Institute. “Those technologies are in a no-man’s land from a regulatory perspective.” They aren’t considered medical devices, and the data they collect isn’t protected by HIPAA or any other laws, even though it does directly relate to the wearer’s health.
Personal data such as that collected by wearables is sold, often at a premium cost, to companies that then use it to target their advertising efforts more precisely. “A patient who uses a health app or wearable might be unaware of their symptoms or the diagnosis based on those symptoms. The device, however, can document the symptoms, or even make a diagnosis, and then transmit all of that information to a third party,” according to a report in the Hastings Science and Technology Law Journal.1
The increase in the collection of data pertaining to individuals, such as heart rate, sleeping patterns, exercise habits, calorie consumption, and similar data by wearable devices means that more accurate profiles of a person’s health can be created, automatically and without that person’s knowledge.
Aside from those known issues, Meskó says there’s an additional and as-yet unrecognized danger. “In no way I’d diminish the importance of cybersecurity and privacy in the digital health world, but when it comes to discussions around privacy, people should be more worried about artificial intelligence (AI) algorithms fine-tuning social media content and ads for them based on their online habits, preferences, and personal details, rather than worrying about their blood pressure measurements or step counts being leaked.”
Physicians End Up Educating
In the age of patients-as-consumers who take a much larger part in the decisions regarding their treatments, security and privacy become part of conversations in doctors’ offices in new ways. The issue of what data can and cannot be included in a medical record and patients using do-it-yourself devices are just two problems care providers and patients wrangle with that didn’t exist a few decades ago.
Along with the common misunderstanding about what is and is not protected health information or how to implement basic security for their accounts and devices, patients also don’t always understand why the information collected from their wearable devices should not become part of their medical records. Patients are encouraged to be active participants in their own care and want to share the information they track with their health care providers.2 Yet, adding data from wearables to a person’s medical record changes who is responsible for protecting it and creates risk for the health care organization. Often, physicians who are not IT experts are left to explain to patients why the data they track on personal wearable devices cannot be part of their medical records.
People working in information security are also opposed to data from wearables being included in patient records, but for an additional reason. “It really opens you up from a liability perspective. You’re taking data from a system that’s not approved by the FDA and that isn’t regulated at the level of a true medical device,” according to Samantha Jacques, PhD, FACHE, AAMIF, vice president of clinical engineering at McLaren Health Care.
The #WeAreNotWaiting movement illustrates a remarkable issue that wouldn’t have been imaginable even 20 years ago. People involved in the movement use do-it-yourself artificial pancreas systems to monitor and automate insulin delivery.3 Patients were frustrated with the lack of innovation in diabetes management and treatment and, starting in 2013, began cobbling together systems using websites, continuous glucose monitors, and devices like mobile phones to track glucose and automate insulin delivery through open source software and easily available hardware. Today, the #WeAreNotWaiting community is large, thriving, and a force for innovation in diabetes care. These systems haven’t been subject to regulatory processes in any form, yet researchers are finding “initial outcomes from this self-selected community (including adult and pediatric populations globally) have been positive. Several studies have documented improvements in A1c, time in range, and other outcomes such as quality-of-life benefits.”4 Without clear regulations for data protection, how should the information collected through do-it-yourself systems be treated by HIM professionals and health care providers?
Such do-it-yourself systems raise complex questions when it comes to regulatory processes, liability, and health care delivery, among other factors. However, since the people using them are experiencing improvements in their health and in their quality of life, addressing those questions is well worth the effort.
A Very Large Unknown
One of the biggest issues for IT in general and health care specifically is how AI will affect all of the issues related to regulation, data security, and privacy of information. As Jacques notes, most bad actors are looking for quick, easy revenue, so phishing schemes and ransomware are generally reserved for large organizations. Still, an individual’s personal data is valuable in other ways.
For example, a company developing a drug to treat a specific condition could be very interested in the day-to-day lives of their target customers. AI has the capability of collecting all of the information about a person scattered across the web, including social media platforms, discussion groups, forums, and even seemingly unrelated things like shopping lists. Since the data collected by wearables falls into the same category, it’s also at risk of being bought, sold, traded, or stolen. Putting all of that information together creates what could be an alarmingly accurate profile.
Who might profit from that sort of very detailed information? “I’m sure we haven’t even thought of ways that [data] can be used, especially now that AI is coming out and we can correlate all this data and we can do all this weird stuff we’ve never done. As AI develops it’s just going to get worse,” Jacques says.
According to Meskó, consumers can understand the problems related to data privacy and security but are not in a position to solve them. “Ideally,” he says, “regulators and policy makers should be knowledgeable enough to come up with regulations and guidelines that would clearly set the path for researchers and developers about what they can and cannot do while developing technologies.”
Some efforts to address the regulatory gaps in cybersecurity are underway. The Cybersecurity and Infrastructure Security Agency, or CISA, is the arm of the government responsible for coordinating infrastructure security and resilience. Following an executive order5 issued on May 12, 2021, about improving the nation’s cybersecurity, CISA announced6 efforts to implement a standardized approach to cybersecurity. Jacques says this is movement in the right direction but believes “it’s going to be a long slog before we get to what I would call minimum security standards for everything that’s out there in the environment.” Additionally, HIPAA was updated in 2023, but those updates still did not address wearable data.
Jacques recommends that HIM professionals and health care providers work closely with their risk management and compliance teams, take a proactive risk management stance, and carefully monitor compliance with federal and institutional regulations across their organizations.
— Dava Stewart is a professional writer and content strategist interested in health care, technology, and climate change.
References
1. Guiterrez K. Privacy in wearables: innovation, regulation, or neither. Hastings Science and Technology Law Journal. 2022;13(1). https://repository.uclawsf.edu/cgi/viewcontent.cgi?article=1109&context=hastings_science_technology_law_journal/
2. Morris L. Do personal health trackers belong in the doctor’s office? Patients say yes. Software Advice website. https://www.softwareadvice.com/resources/consumer-wearables-in-healthcare/. Published October 24, 2023. Accessed December 5, 2023.
3. Dickson R, Bell J, Dar A, Downey L, Moore V, Quigley M. #WeAreNotWaiting DIY artificial pancreas systems and challenges for the law. Diabet Med. 2022;39(5):e14715.
4. Lewis D. History and perspective on DIY closed looping. J Diabetes Sci Technol. 2019;13(4):790-793.
5. Executive order on improving the nation’s cybersecurity. The White House website. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. Published May 12, 2021. Accessed November 13, 2023.
6. Executive order on improving the nation’s cybersecurity. Cybersecurity & Infrastructure Security Agency website. https://www.cisa.gov/topics/cybersecurity-best-practices/executive-order-improving-nations-cybersecurity. Accessed November 13, 2023.