Consumer Privacy, Security at Risk from Internet-Connected Health Devices

While the growth of Internet-connected medical devices and wearable fitness products can potentially improve health outcomes, the technology also raises serious privacy and security concerns that could undermine consumer confidence.  

That is among the findings of a new Federal Trade Commission staff report on the “Internet of Things,” referring to the explosion of devices or sensors—other than computers, smartphones, or tablets—that connect, communicate or transmit information with or between each other through the Internet.

“Connected health devices will allow consumers with serious health conditions to work with their physicians to manage their diseases,” states the report. “However, these connected devices also will collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal.”

For example, the FTC report points out that “researchers are beginning to show that existing smartphone sensors can be used to infer a user’s mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson’s disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.”

The FTC recommends data minimization—limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. According to the commission, data minimization addresses two key privacy risks: the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and that consumer data will be used in ways contrary to consumers’ expectations.

As an example of how data minimization might work in practice, the FTC argues that a wearable device such as a patch that assesses a consumer's skin condition does not need to collect precise geo-location information in order to work. If the device's manufacturer believes that this kind of information might be useful for a future product feature that would let users find treatment options in their area, the report recommends that, as part of a data minimization approach, the company consider waiting to collect geo-location until it begins to offer the new feature, at which point it could disclose the new collection and seek consent.

Companies should also consider whether they could offer the same feature while collecting less information, such as a zip code rather than precise geo-location. If a company decides it needs precise geo-location, it should provide a prominent disclosure about the collection and use of that information and obtain consumers' affirmative consent.

The report takes a flexible approach to data minimization. Under its recommendations, the FTC says companies can choose to collect no data; to collect only data in the categories required to provide the service the device offers; to collect less sensitive data; or to de-identify the data they collect.

Companies that collect and maintain data for business purposes should also consider whether they can do so while maintaining data in de-identified form.

As an example, FTC mentions that one university hospital offers a website and an associated smartphone app that collect information from consumers, including geo-location information, to enable users to find and report flu activity in their area. The hospital can maintain and post information in anonymous and aggregate form, which can benefit public health authorities and the public, while at the same time maintaining consumer privacy.

Nonetheless, the FTC acknowledges that as technology improves, de-identified data may become re-identifiable, which is why it is also important for companies to have accountability mechanisms in place. When a company states that it maintains de-identified or anonymous data, the commission says it should take reasonable steps to de-identify the data (including by keeping up with technological developments), publicly commit not to re-identify the data, and have enforceable contracts in place with any third parties with whom it shares the data, requiring those third parties to commit not to re-identify it.
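As an added example, not code from the FTC report or from any device maker or hospital it describes, the pipeline below sketches how the recommendations in the preceding paragraphs could be implemented together: each feature is bound to an allowlist of the fields it actually needs, precise coordinates are never stored (a coarse grid cell stands in for the zip-code-level coarsening the report suggests), location is collected only for a feature the user has consented to, records older than a retention period are purged, and the counts released for public-health use are aggregated per area and week with small groups withheld so that no single user can be singled out. Every field name, threshold, grid size and sample event is an assumption constructed for illustration.

```python
"""Data minimization, retention limits and aggregate reporting for a
connected-health data flow (illustrative example; all names, thresholds
and sample events are assumed, not taken from the FTC report)."""
import math
from datetime import datetime, timedelta, timezone

# Assumed allowlist: each feature may retain only the fields it needs.
# The skin-assessment feature never needs location; the treatment-finder
# feature needs only a coarse area, and only after affirmative consent.
FIELD_ALLOWLIST = {
    "skin_assessment": {"device_id", "timestamp", "skin_reading"},
    "treatment_finder": {"device_id", "timestamp", "area"},
}
RETENTION = timedelta(days=90)  # assumed retention period, not "indefinitely"
MIN_GROUP_SIZE = 5              # assumed suppression threshold for published counts
GRID_DEG = 0.1                  # ~11 km cells; stands in for zip-code coarsening


def coarsen_location(lat, lon, grid=GRID_DEG):
    """Generalize a precise coordinate to an integer grid-cell label."""
    return f"{math.floor(lat / grid)},{math.floor(lon / grid)}"


def minimize(raw, feature, consented):
    """Keep only the fields `feature` needs and never retain precise coordinates.

    `raw` is the full event as the device could report it; `consented` is the
    set of features the user has affirmatively opted into. Returns None when
    the feature needs location but the user has not consented to it.
    """
    if feature not in FIELD_ALLOWLIST:
        raise ValueError(f"unknown feature {feature!r}")
    wanted = FIELD_ALLOWLIST[feature]
    record = {k: v for k, v in raw.items() if k in wanted}  # drops lat/lon/extras
    if "area" in wanted:
        if feature not in consented:
            return None
        record["area"] = coarsen_location(raw["lat"], raw["lon"])
    return record


def purge_expired(records, now, retention=RETENTION):
    """Retention limit: keep only records younger than `retention`."""
    return [r for r in records if now - r["timestamp"] < retention]


def aggregate_for_publication(records, min_group=MIN_GROUP_SIZE):
    """Anonymous counts of distinct devices per (area, ISO year/week).

    The output carries no device identifiers, and any cell with fewer than
    `min_group` distinct devices is withheld rather than published.
    """
    devices = {}
    for r in records:
        key = (r["area"], tuple(r["timestamp"].isocalendar()[:2]))
        devices.setdefault(key, set()).add(r["device_id"])
    return {key: len(ids) for key, ids in devices.items() if len(ids) >= min_group}


NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)


def build_sample_events():
    """Constructed sample: 7 devices in one area this week, 2 in another, 1 stale."""
    events = []
    for i in range(7):
        events.append({"device_id": f"dev-{i}", "timestamp": NOW - timedelta(days=i % 3),
                       "lat": 37.7749 + i * 0.001, "lon": -122.4194,
                       "skin_reading": 0.4, "heart_rate": 70})
    for i in range(2):
        events.append({"device_id": f"dev-x{i}", "timestamp": NOW - timedelta(days=1),
                       "lat": 34.0522, "lon": -118.2437,
                       "skin_reading": 0.5, "heart_rate": 80})
    events.append({"device_id": "dev-old", "timestamp": NOW - timedelta(days=120),
                   "lat": 37.7749, "lon": -122.4194,
                   "skin_reading": 0.3, "heart_rate": 65})
    return events


def run_pipeline(events, now=NOW):
    """Minimize, enforce retention, then aggregate; returns (stored, published)."""
    consented = {"skin_assessment", "treatment_finder"}
    stored = [minimize(e, "treatment_finder", consented) for e in events]
    stored = purge_expired([r for r in stored if r is not None], now)
    return stored, aggregate_for_publication(stored)


if __name__ == "__main__":
    kept, published = run_pipeline(build_sample_events())
    print(len(kept), "records retained;", "published:", published)
```

Note that the grid-cell label is a stand-in for whatever coarse area key a real service would use; the point is that the precise coordinate never reaches storage, and that the suppression threshold is applied to distinct devices, not raw event counts, since one chatty device could otherwise make a single-user cell look populous.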

In addition to its report, the FTC also released a new publication for industry with advice on how to build security into Internet-connected products using best practices developed by security experts, such as strong encryption and proper authentication.
