In-brief: new guidance from the Future of Privacy Forum urges connected health device makers to address security and privacy issues to prevent sensitive data from falling into the wrong hands.
The market for connected health products and wearables is exploding. The analyst group IDC estimates that the worldwide wearable device market will reach 111.1 million units shipped in 2016, up more than 40% from the 80 million units shipped in 2015. By 2019, IDC estimates that total shipments will reach 214.6 million units, with a compound annual growth rate of 28% between 2015 and 2019.
But the good news for device makers could be bad news for consumers if lax security and privacy risks posed by wearable computing and connected health products aren’t properly addressed in the design of new devices. In February, for example, the IEEE issued a report (PDF) that warned flaws in wearable devices could leave the devices and their owners susceptible to crimes such as identity theft, malware infections and denial of service attacks.
To help designers navigate the tricky waters of information security and privacy, the Future of Privacy Forum (FPF) last week published a guide to securing wearable devices and connected health products. The guide (PDF) is designed to provide specific guidance where general privacy statutes such as HIPAA (covering health data) or COPPA (which addresses protections for minors). The guidance applies to health and wellness applications and devices.
The U.S. Department of Health and Human Services (HHS) has warned repeatedly about gaps in regulating health information privacy and security, especially when it comes to a new generation of connected health devices.
Further, users consent should be obtained expressly, including for “secondary” use of the data collected when that use is incompatible with the purpose for which the data was collected (i.e.: reselling data from a connected health device).
In fact, the guidelines take a strong position in opposition to the resale to advertisers of collected data from wearables and health and wellness devices. “Covered data may not be sold to advertising platforms, data brokers, or information resellers, even with express consent,” the guidelines say. Sharing with other third parties (example: business partners) is allowed, providing privacy and data security contractual provisions are in place and in line with general data transfer trends, such as the Privacy Shield Framework, which require that entities include in contracts with third parties express provisions addressing privacy and data security prior to engaging in certain data transfers.
On the issue of security, FPF’s guidelines require connected health device and application firms to establish and maintain a comprehensive security program that is “reasonably designed to protect the security, privacy, confidentiality, and integrity of covered data.” Devices must be secure from both internal and external risks, such as unauthorized access, or unintended or inappropriate disclosure, the guidelines say, with “administrative, technical, and physical safeguards commensurate to the nature, context, and scope of its activities and the sensitivity of the covered data.
For example: protected data (like protected health information) should be encrypted and/or anonymized. Further, device makers need to be able to ensure ongoing confidentiality, integrity, availability and resilience of systems and services used to process data. Device makers need to be able to continually assess and evaluate the effectiveness of security measures and restore data in a timely fashion, FPF says.