When you use a wearable device to track your health or fitness, do you control your sensitive information? Or is technology actually using you?
Although I am a Certified Information Privacy Professional, I wear two health trackers almost all the time: an Oura ring and a Garmin watch. Both are considered Internet of Things (IoT) devices, meaning anything with an internet connection other than traditional gadgets like computers and phones. In addition to wearables, IoT devices range from washing machines and refrigerators to military surveillance robots. In 2020, 445 million wearable devices were shipped to consumers, and in 2021, the wearables industry reported revenue of $41.94 billion. Researchers believe that 41.6 billion IoT devices will exist by 2025, reflecting a growing global appetite for connectivity.
Fitness wearables come in various forms, from stylish jewelry like smart watches, smart rings and smart bands to high-tech continuous glucose monitors. Some people, like me, wear one or more devices for “biohacking” or “DIY biology”, which is the process of monitoring one’s inputs (e.g. energy in kcal, sleep and meditation) and corresponding outcomes (e.g. well-being, steps and variable heart rate) to improve sleep, health, lifespan and/or sports performance. Others wear them to record workouts, listen to music, or simply tell the time.
But exactly what data do these IoT wearable devices track and what do they do with it?
A review of Oura’s Terms of Use, Health Privacy Policy, and Team Privacy Policy shows that:
- Oura collects sensitive health information, including heart rate, body temperature, BMI, women’s reproductive health information, fitness activities, and user “tags” (for example, if the user wore a sleeping mask, drank caffeine, or was caring for a baby late at night).
- Oura collects personally identifiable information, including name, age, contact and demographic information.
- Oura stores financial information, such as my credit card number.
- Oura uses GPS when enabled to track precise geolocation data during a workout, collecting and storing it, including my home address and where I usually run.
- Oura may share data with healthcare providers, but only if I opt-in.
- Oura uses cookies to track my engagement with its website and others to analyze my behavior and target me with specific advertisements.
- Oura uses the health data it collects to provide its services, as well as for research and development and third-party integrations.
Overall, Oura collects a lot of different data beyond the scope of my fitness activity, increasing my risk in the event of a data breach.
Even though I know my data is being tracked, collected, and used for purposes other than optimizing my health and athletic performance, I still wear my health trackers and plan to continue. I value the convenience and health information, and I’m willing to accept the trade-off. However, I limit online tracking by disabling cookies and do not share my data with third-party providers.
Here are some other ways we can keep our devices secure and protect ourselves from bad actors.
Software and firmware updates: Software and firmware updates often fix vulnerabilities identified by device engineers. If an update is pushed to your device, there’s probably a good reason for it. Don’t silence or delay updates for too long, as doing so can leave your device vulnerable to bad actors or viruses.
Limit connectivity: In 2019, an ethical hacker identified cybersecurity vulnerabilities in extended continuous glucose monitor (CGM) connectivity, alerting regulators that malicious hackers could wirelessly connect to a CGM device and alter insulin delivery, with catastrophic health consequences. Always check your device settings; disable the device’s wireless connectivity, including Bluetooth, when not in use; and limit access to the minimum necessary for use.
Sellers are not subject to HIPAA: Providers of wearable fitness technology are not considered “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA), which means they can sell your data. Fitbit, acquired by Google in 2019, is an interesting example: the data collected by Fitbit can be used by Google to serve targeted advertisements. These ads may take into account any information shared with Fitbit: fitness goals, calorie tracking, sleep quality, or any other metrics inferred from usage. You can generally opt out of this type of use by reading a company’s terms of use and privacy policies.
Know before you buy: When it comes to information security, it’s often better to trust a more expensive brand than to save money with an unknown brand. All businesses are susceptible to cyber incidents, potentially making your sensitive data vulnerable to misuse. Read a company’s consumer reviews, security information, and privacy policy to understand the measures in place to protect your sensitive information.
Need help?
Concerned about a University of Utah or University of Utah Health data security incident? Contact the Campus IT Help Desk at 801-581-4000, the University of Utah Health IT Help Desk at 801-587-6000, or the University Information Security Office Security Operations Center at 801-581-4000 or SOC@utah.edu for immediate assistance.
Have you received a malicious or suspicious email? Use the Phishing alert button in UMail or forward the email as an attachment to phish@utah.edu.
Want to know more? Contact the offices below.
- Office of Legal Counsel: Contact Ogc-admin@lists.utah.edu if you are evaluating a service for your organization and receiving a contract for goods or services.
- Privacy Office: Contact baa@utah.edu if a third-party provider accesses, views, stores or uses academic protected health information (PHI). If the terms of service or contract suggest data collection, a Business Associate Agreement (BAA) or other Data Use Agreement (DUA) may be legally required. Contact privacy@utah.edu with general inquiries about information privacy and your rights and responsibilities.
- IT Governance, Risk and Compliance: Contact ISO-GRC@utah.edu if you are evaluating a software or hardware service for your organization. The University’s Office of Information Security must evaluate the security of new software or hardware.
- PIVOT: Contact PIVOT Center – Partners for Innovation, Business, Outreach and Technology (utah.edu) if you have an idea for innovative systems using apps or software.
Do you have a privacy topic you would like to learn more about? Contact Bebe Vanek, Information Privacy Administrator for University of Utah Health Compliance Services, at bebe.vanek@hsc.utah.edu.