Just when we thought the BYOD movement created the greatest onslaught of enterprise worry—we now have a whole host of body-bound gadgets to increase our fears.
It’s the most recent BYO conundrum—the explosion of wearable technology, which workers recognize can make them more productive, but also provide a whole realm of new security concerns. Just when we thought the BYOD (Bring Your Own Device) movement created the greatest onslaught of enterprise worry—we now have a whole host of body-bound gadgets to increase our fears.
Add that to the increased cybersecurity threats cropping up throughout healthcare, and we could have yet another perfect storm of security-related bad weather.
Wearable Worries
A recent study by PricewaterhouseCoopers (PwC) found that
“A full 82 percent of respondents say they are worried that wearables will invade their privacy, while 86 percent said they were worried that wearables would make them more vulnerable to data security breaches…The biggest concern for consumers regarding wearable technology in the retail space is potential breaches of privacy and security. No one wants their personal data compromised and very few are interested in having it shared socially.”
However, with more than 75% of the 1,000 workers surveyed saying that they believe that wearable technology can increase work efficiency and productivity, security fears may be trumped by the need to get more done.
According to Domingo Guerra, president and cofounder of Appthority, the required connectivity to share data and optimize the benefits of wearables creates a new level of security and privacy risks.
In an interview with InformationWeek, Guerra talked about the lessons we can learn from the explosion of mobile device use:
"Being able to connect everything has advantages, but it also changes the risk parameters from what was possible before…From the perspective of security, we need to make sure we learn our lessons from what we saw with mobile...Mobile exploded really quickly, and a lot of developers started building apps into the new ecosystems, and that's kind of why it grew so fast, but security and privacy weren't always in the top of mind."
Building interoperability into such systems to optimize information exchange is the best means to enhance the use of the data within, and open APIs are typically the best path to getting there. However, many app developers aren’t as concerned with security as the IT officers in the organizations such devices may connect to, creating the potential for significant data breaches in connected systems—and in healthcare, that’s a big deal.
In a recent blog post, Guerra discusses the blame-game when it comes to security breaches and 3rd party apps, noting Snapchat’s recent breach—that leaked 200,000 not-intended-to-be-seen-by-others photos to the public—and the company’s finger-pointing at apps that “leverage Snapchat APIs (without permission from Snapchat) to store photos taken by Snapchat users, but often have weaker security and user protection than the Snapchat native app.”
The 2014 IoT Study
The PwC results mirror another recent study by Accenture Interactive’s Acquity Group: “2014 State of the Internet of Things.” Datamation’s reporting on the study notes that
“Eighty percent of the 2,000 surveyed…expressed worries that wearable devices could infringe on their privacy.” According to an Acquity statement, there is a “great deal of uncertainty [that exists] around the security of these connected devices…Companies will have to address consumers’ very real security concerns before any widespread adoption can take root.”
Results predicted that “wearable fitness devices will generate the most mass consumer adoption in the next year, with 22% of consumers already owning or planning to make a purchase by 2015”—a number that is expected to rise to 43% in the next five years. The study also noted that by 2019, 69% of consumers will own an in-home IoT device in order to ramp up convenience and efficiency.
With research firm CCS Insight predicting an annual 129% increase in the shipment of wearables in 2014—and wrist-worn devices forecasted to make up 87 percent of all 2018 shipments, accounting for 68 million smartwatches and 50 million smart bands—there will be plenty of opportunity to find out how real the privacy and security risks really are.
A Privacy Advocate’s Concerns
According to privacy advocate, Deborah Peel, M.D., there’s no question that the risks are significant. Peel is founder and chair of Patient Privacy Rights and was chosen in 2013 as a top 10 influencer in healthcare information security and privacy. In an article for Healthcare Info Security, Marianne Kolbasuk McGee writes that Peel feels
“The privacy risks posed by evolving health technologies are largely fueled by a hidden, third-party data broker industry and a regulatory landscape that hasn’t kept up with innovation…None of the sensitive health information that these technologies handle gives us either copies or control over the use and sale of that information.”
Peel goes on to address 3rd party apps—noting that just because the developer says it won’t look at consumer data in a health app, it doesn’t mean they won’t sell customer information to others who will.
“The problem is that we have an entire ecosystem where even if one app, or one system, or one electronic health information exchange doesn’t sell your information and puts you in control over your data, there are a million that are selling your data.”
She also has concerns about the activities of pervasive-invasive tech giants—such as Google. The Google X research lab is developing a nanotechnology-based pill to detect early signs of cancer and other diseases.
“It’s very mixed news that this pill has been invented by Google. Who doesn’t want cancer detected? But the problem is that Google is known for using very sensitive information in ways that one would never want or expect…It’s very hard to know what can be trusted in healthcare.”
Peel believes that healthcare must demand that such complex issues be addressed by a variety of parties, including the industry, manufacturers, and Congress—since she contends that the HIPAA privacy law has “deliberately facilitated this massive hidden data broker industry.”
My Two Cents
An interesting—and perhaps critical—decision was just made in Connecticut. The state’s Supreme Court recently ruled that plaintiffs “can sue for negligence if a healthcare provider violates HIPAA regulations for protecting patient privacy.”
There’s still a lot of legal mileage to cover in this particular instance, but the decision itself could take the privacy discussion and implications for security breaches to a whole new level.
It makes me wonder about the impact upon wearable companies that either occupy or connect to this space, and who may be defined as covered entities or business associates under the HIPAA Omnibus Rule—as well as the healthcare organizations who are interfacing with their products. According to privacy attorney Brad Rostolsky:
“HIPAA does not provide for the ‘private right of action’ or [the right of] private folks to sue under the statute…But in a handful of cases, like this Connecticut ruling, courts have allowed HIPAA as the ‘standard of care’ for negligence claims.”
Privacy attorney Elizabeth Hodge, takes it a step further to link data breaches with the privacy element:
“In data breach cases, plaintiffs could argue that a healthcare provider, insurer or other covered entity did not meet the ‘standard of care’ with the HIPAA security of privacy rule in protecting records, and that the failure to meet that standard of care was negligent.”
Personally, the more I read, the more protection I buy—as the possibility of my information falling into the wrong hands seems increasingly inevitable.
In medicine, most treatments have potential side effects—and technology does too. If we want to enjoy the benefits, we may have to accept the risks that come along for the ride. Or in the versa of that vice—opt for privacy instead of progress—something many may choose.
The potential for exposure is a cozy bedfellow with the expansion of technology—and I’m beginning to wonder if we can have our digital health cake—and eat it, too.
Sue Montgomery is nuviun’s Senior Content Editor and has been a registered nurse for 30 years. You can follow her on Twitter @suemontgomeryrn.
The nuviun blog is intended to contribute to discussion and stimulate debate on important issues in global digital health. The views are solely those of the author.