What You Need To Know About Medical Tech Wearable Security

By Harry Guinness

Wearable devices—like smartwatches and fitness trackers—increasingly are being used to monitor health and inform medical care. While they’re undeniably useful, this does bring with it a range of valid security and privacy concerns. Let’s explore some of the big issues with medical wearable technology.

The benefits of medical wearables

Consumer medical wearable devices show a lot of promise. Because they are able to constantly monitor vital signs like your heart rate and activity levels, they can paint a more complete picture of your lifestyle for your physician—and even spot warning signs of some conditions before you become symptomatic.

For example, a number of studies have found that heart rate measurements taken by smartwatches can predict the onset of Covid-19 symptoms before you feel them. And then, of course, you have anecdotes from real people about how the various features of their Apple Watches saved their lives. It’s clear using a medical wearable can genuinely help you lead a healthier life.

And these are just current consumer wearables. The devices coming out over the next few years look set to be able to non-invasively and continuously monitor even more health measures, like blood pressure, blood glucose levels and skin temperature. With more information and better biosensors to work with, they’re going to get even more popular with doctors and patients alike.

Given the acceptance by both the consumer and medical communities that medical wearable technology is pretty cool and has a lot of potentially life-improving benefits, it’s a good time to dig into the thornier issues around privacy and security.

How is data from my medical wearable protected?

In general, when you set up a wearable device, you link it to an online account. Any data the device collects will sync to your account, so you can view and access it from your smartphone or computer. It also means your data is backed up in case you lose or break your wearable.

There are no universal cybersecurity standards or privacy requirements for handling medical data from wearables. Fitbit, Apple and Garmin, for example, each has its own system.

Unfortunately, this means your medical data is only as secure as these online accounts. Just last year, Fitbit suffered a major data breach and Garmin paid a ransom to hackers (although it doesn’t seem like they were looking for customer data).

Also, it means that the companies can use your data in any way allowed by the privacy policy you agree to when you sign up. For example, you can see from Whoop’s privacy principles here that they don’t sell your personal data, but they do strip it of identifying information, aggregate it and then use it to research and develop their products.

As far as the internet is concerned, this is all totally normal. If you’re okay having personal information in your Gmail account, then you shouldn’t be too worried about your Apple Watch data in your iCloud account.

Does HIPAA apply to medical wearables?

The Health Insurance Portability and Accountability Act (HIPAA) is the main regulation that protects your medical data’s privacy. It puts in place strict requirements for how healthcare providers must handle and access your medical information. Your doctor has to follow certain procedures to ensure that your case files can’t be accessed by anyone else—or leak on the internet.

HIPAA, however, only applies to data “created, received or maintained” by healthcare providers and health insurance companies. It typically doesn’t apply to tech companies or medical data you collect yourself with consumer devices.

This means data from different devices are covered differently depending on how they’re used. Let’s say your physician takes an EKG in person. The data from it is completely covered by HIPAA. If your doctor prescribes you or provides you with a medical wearable device to monitor an ongoing health condition using an EKG, then the data from that would also be covered by HIPAA. However, if you use the wearable EKG monitor in your Apple Watch, the data from that is not automatically covered by HIPAA. (Although any EKG information you submit to your physician from it may well be.)

Can medical wearables be hacked?

For medical wearables, the risk of the device you carry on a day-to-day basis being hacked is incredibly small. Unlike your computer, wearables aren’t connected to the open internet and there are much harder limits on what sort of apps and software can be installed on them. An Apple Watch can’t really get a virus. For hackers, the online servers where the data is stored are a much bigger and easier target.

However, this isn’t to say the risk isn’t there. Most devices can be hacked—it’s just a question of how expensive and feasible it is to do. Pacemakers have been recalled in the past over security vulnerabilities and researchers continue to demonstrate ways it could be done.

How can I secure my medical data?

Your wearable accounts are basically the same as any other online account, so protecting your medical data is much the same as securing your Facebook, Netflix or Amazon account. First, though, you need to consider if you’re comfortable with how your data is handled.

Think about what data is being collected and where it’s being stored by your wearable. Your Garmin watch, for example, is recording things like your heart rate, location and sleep schedule and storing it on Garmin’s servers. If this is something you’re uncomfortable with, then you may decide to reconsider wearing your watch.

Also, understand what the company is doing with your data. This will mean reading either their privacy policy or at least taking a look at the reader-friendly summary on the website. Here’s Garmin’s summary, for example.

If you decide you trust the wearable company with your data, then it’s up to you to make sure it’s as securely protected as possible:

• Use a strong, unique password for your account. If it’s long and complicated, consider using a password manager.
• Enable “two factor authentication” (2FA) if it’s available.
• Use a second, private email account, one that you don’t share online, to create your account.
• If your device can have a PIN or password, make sure to set one.

While these steps don’t guarantee your data will be completely secure, they do maximize the chances of it staying private.

Are medical wearables worth using?

As I write this article, my Apple Watch is monitoring my heart rate, activity and other metrics about my daily life. I’m able to use the information it gives me to track my health and sports performance. It’s pretty exciting to see how things like my resting heart rate and cardiovascular fitness levels change in response to what I do.

And medical wearables are only going to get better and more useful. As long as you’re aware of the privacy and security risks—and ask your doctor about those specially prescribed devices—there’s no reason you can’t safely use them to improve your health, fitness and life.