Health and Fitness E-Gear Come With Security Risks | Innovation Enterprise
The holidays are a time of great gains… around waistlines everywhere. Perhaps it’s no coincidence that many people pledge to lose weight, get in shape, and take control of their health in the new year. Many of them will rely on technology to help them in the effort. Wearable fitness gear, like that from industry leaders FitBit or Garmin, and smartphone apps meant to track exercise and food intake, are excellent tools for helping you stay on track, keep to your diet, and lose those extra pounds.

But they are also vulnerable to data breaches.
In early 2018, the online fitness app MyFitnessPal, owned by sports apparel giant Under Armour, suffered a data breach that exposed the data of as many as 150 million users. According to Forbes, the data was offered for sale on the dark web a year later. The asking price: $20,000 in bitcoin. A class-action lawsuit related to the data breach was referred to arbitration in May 2019.
In February 2019, fitness app 8Fit announced a security breach that affected approximately 20 million users. Though the company claimed that no credit card numbers, Social Security numbers, or private message contents were taken, it encouraged users to change their passwords and avoid opening attachments from or responding to any suspicious emails. More troubling about the breach: it had occurred a full six months before 8Fit became aware of it.
These are just two examples of a problem that grows with the spread of mobile apps and wearable technology. Security measures have not always kept up with the data that app users and fitness tracker wearers hand over to their providers, most of the time without thinking of the consequences.
HIPAA Standards
Fortunately, no medically sensitive data was exposed in the breaches above. But as more health care applications become available for a variety of common illnesses — such as diabetes, insomnia, and substance abuse — the information collected and transmitted by the apps and wearables could implicate HIPAA (Health Insurance Portability and Accountability Act). Developers must be aware of, and prepared for, the security requirements demanded by the federal law.
The key, under Health and Human Services guidelines, is whether the patient voluntarily and independently chooses to use the app or wearable to transmit electronic protected health information (ePHI) to a HIPAA-covered health care entity. If that is the case, then the entity bears no liability under the law.
“If, on the other hand,” HHS tells us, “the app was developed for, or provided by or on behalf of the covered entity — and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity — the covered entity could be liable under the HIPAA rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer.”
App Developer Impact
So, if a health care provider directs the patient to use an app or wearable to transmit ePHI to the provider, the responsibility to keep the data secure belongs to the provider. And if the app developer worked in concert with the provider to create the app, it can also bear liability as a covered business associate if it has access to ePHI.
This is an important consideration for software, firmware, app, and wearable developers focusing on health care. If access to the patient data is not necessary to the project, it should be avoided.
On the other hand, if it is necessary for whatever reason to access ePHI, the entire project should undergo a thorough HIPAA compliance review.
Any developer not completely familiar with HIPAA requirements should seek qualified advice from security consultants fully trained in the latest HIPAA standards for data protection. The cost of that expertise and guidance, and of any additional security development and engineering it calls for, is a small but important investment that protects the company, its partners, and patients down the road.