News Feature | February 6, 2015

Consumer Privacy, Security At Risk From Internet-Connected Health Devices

By Christine Kern, contributing writer

Medical devices and health and fitness wearables offer benefits to consumers, but also pose risks.

While the growth of Internet-connected medical devices and wearable fitness products can potentially improve health outcomes, there are also some serious challenges to consumer privacy and security that must be addressed. That is the conclusion of a new Federal Trade Commission staff report on the “Internet of Things.”

The Internet of Things (IoT) refers to the explosion of everyday devices or sensors (aside from computers, laptops, or smartphones) that connect, communicate or transmit information with or between each other through the Internet. Among the possible security risks exacerbated by the IoT are unauthorized access to and misuse of personal information, the facilitation of attacks on other systems, and risks to personal safety.

“Connected health devices will allow consumers with serious health conditions to work with their physicians to manage their diseases,” the FTC report states. “However, these connected devices also will collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal.”

To help reduce the risks, the FTC recommends data minimization – limiting the collection of consumer data and retaining that information only for a set period of time and not indefinitely. Engaging in data minimization addresses two key privacy risks, the FTC report states: the risk that larger data stores present lucrative targets for both internal and external data thieves as well as the risk that consumer data will be used in ways contrary to consumers’ expectations.

The FTC report makes flexible recommendations for data minimization, suggesting that companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data, or choose to de-identify the data collected and maintained.

The FTC report also discusses the role of legislating the IoT, acknowledging the ongoing debate over its appropriateness. While there is merit to possible legislation, the report states that IoT-specific legislation at this stage would be premature and instead supports the development of self-regulatory programs to encourage the adoption of privacy- and security-sensitive practices.

The report does state, “In light of the ongoing threats to data security and the risk that emerging IoT technologies might amplify these threats, staff reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach. General data security legislation should protect against unauthorized access to both personal information and device functionality itself. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed.”

Further, the pervasiveness of information collection and use that the IoT makes possible requires the reinforcement of baseline privacy standards, which should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.