Security and Privacy Risks Linked to Wearable Healthcare Devices
While wearable technology can provide substantial patient benefit, these devices carry significant privacy and security risks.
Wearable technology, including electronic devices to help control pain, can provide substantial benefit to patients. However, these devices are associated with significant privacy and security concerns as many require the disclosure of sensitive information, according to an article published in the Health Informatics Journal.
Many of these new technologies can provide improvements in the treatment of chronic health conditions. In patients with chronic pain, devices can provide individualized, accessible pain management. However, the devices often collect sensitive data — for example, glucose levels in patients with diabetes — as well as personal information. Most of the devices require the use of a smartphone, which may provide another avenue for a security breach.
Stephen Cory Robinson, PhD, of the Department of Science and Technology at Linkoping University in Norrkoping, Sweden, noted that users of wearable devices do not own their own data; the data are owned by the manufacturer. Individuals may not be aware of this caveat, until or if a company decides to share that data. Furthermore, some wearable devices, such as glucose pumps and wireless digital pacemakers, are easily hacked because of the communication technologies they use.
Dr Robinson used the communication privacy management (CPM) theory to examine the policy issues and ethical ramifications of patients disclosing health information in exchange for chronic pain relief. He examined 5 wearable devices for chronic pain: 1 infrared treatment (LumiWave®, BioCare Systems, Inc), 3 transcutaneous electrical stimulation devices (iTENS, iTENS LLC; ENSO, and Quell®, Neurometrix), and 1 transcranial direct current stimulator (Thync, Thync Global, Inc.).
Dr Robinson wrote that it is essential that users be aware of the risks involved in using a wearable device and that companies employ reliable security to protect user data. Moreover, in some cases privacy violations can occur when companies try to access information unrelated to the treatment of the condition or disease, such as personal information for marketing purposes or for sale to a third party. Companies may try to access the user's smartphone applications, gain access to the camera and the user's photos or videos and to the user's contacts and GPS location tracking. Companies may also ask for a user's social network accounts.
Such intrusions into an individual's privacy can have adverse effects on their social health, while health information can be misused in employment decisions. Information can also be used for identity theft.
Dr Robinson argued that wearable device manufacturers should be required to give clear, succinct information about their data collection practices and only require information relevant to the delivery of treatment. They should state what is being collected, with whom it is being shared, and how users may opt-out. Particular attention should be paid to who owns the data should the company go bankrupt, as such information is sometimes sold following the liquidation of a company.
He concluded that both consumer technology companies and patients with chronic pain must seek a balance in which disclosing personal data provides better health outcomes while privacy and the security of personal health data are ensured.
Robinson SC. No exchange, same pain, no gain: Risk-reward of wearable healthcare disclosure of health personally identifiable information for enhanced pain treatment [published online September 11, 2018]. Health Informatics J. doi:10.1177/1460458218796634.