Fitbit says the recent hack conducted by researchers, manipulating its tracker accelerometers via sound waves, “is not a compromise of Fitbit user data and users should not be concerned that any data has been accessed or disclosed.” Fitbit, in an official statement, added that “we carefully design security measures for new products, continuously monitor for new threats, and rapidly respond to identified issues.”
3. It’s important to anonymize data
Companies that collect but don’t carefully anonymize health-related data have effectively acquired what’s known as electronic Protected Health Information (ePHI), “which puts you squarely in the HIPAA world,” warns Eric Hodge, director of consulting at CyberScout, a data risk management and identity protection firm. And then, you must “worry about complying with all kinds of HIPAA requirements just as a hospital would,” he says. Plus, you’re exposed to the same fines, which lately have been between $150,000 and $6 million, if you don’t comply with HIPAA requirements. As a precaution, be sure to dissociate information about health and fitness from the individual, he adds.
4. Segregate wearables on a different network
IT should treat wearables like any other computing device on their network, Manzuik says. “When possible, consider segregating IoT devices to their own network and don’t connect them directly to the internet.”
Because some IoT devices have “a history of poor security,” organizations should keep these devices on a dedicated network that doesn’t provide any access to internal resources, such as a guest Wi-Fi network, adds Matias Woloski, CTO and co-founder of Auth0, a universal identity platform.
5. Do your due diligence
Is the IoT company HIPAA-compliant? Does it adhere to standards? How does it manage credentials and identity? Is there an easy revocation strategy in case a device is lost or stolen? These are a few questions CISOs should ask wearable/group health platform providers, says Woloski.
Corporate fitness and wellness programs are typically tied to third-party software platforms that request permission to access the data generated by trackers or other devices, Woloski adds. CISOs should look for wearable providers that expose their API using authorization protocols such as OAuth 2, so that users can stay in control and revoke access whenever they want, he says.
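As an added illustration of the revocation property Woloski describes (this is constructed example code, not the article's or any wearable vendor's API), the toy OAuth 2 authorization server and tracker-data endpoint below issue a scoped token to a third-party wellness platform, check it on every read, and let the user cut that platform off; the class and function names, the scope string `activity:read` and the sample step count are assumptions.

```python
import secrets


class AuthorizationServer:
    """Toy OAuth 2 authorization server (constructed example, not any vendor's API).

    It issues scoped bearer tokens to a third-party wellness platform and lets the
    user revoke that platform's access, in the spirit of RFC 7009 (token revocation)
    and RFC 7662 (token introspection)."""

    def __init__(self):
        # token -> (user, client_id, set of granted scopes)
        self._tokens = {}

    def issue(self, user, client_id, scopes):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, client_id, frozenset(scopes))
        return token

    def revoke(self, token):
        # RFC 7009 section 2.2: respond 200 whether or not the token was known,
        # so the endpoint cannot be used to test which tokens exist.
        self._tokens.pop(token, None)
        return 200

    def revoke_client(self, user, client_id):
        # The user's "remove this app" action: drop every token that client holds for them.
        doomed = [t for t, (u, c, _) in self._tokens.items() if u == user and c == client_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def introspect(self, token):
        # RFC 7662 shape: a revoked or unknown token is simply reported as inactive.
        entry = self._tokens.get(token)
        if entry is None:
            return {"active": False}
        user, client_id, scopes = entry
        return {"active": True, "sub": user, "client_id": client_id,
                "scope": " ".join(sorted(scopes))}


def read_activity(auth, token, required_scope="activity:read"):
    """Resource server endpoint for tracker data: it checks the token on every call,
    so a revocation takes effect immediately. Returns (status, body)."""
    info = auth.introspect(token)
    if not info["active"] or required_scope not in info["scope"].split():
        return 401, None
    return 200, {"user": info["sub"], "steps": 8432}  # constructed sample reading
```

The point for a CISO is the last function: because the data endpoint consults the authorization server rather than trusting a long-lived credential, removing the platform's grant stops its access without touching the user's own account.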
6. Educate users
It’s important to educate users about the type of data wearables collect, where it goes, and how it might be used, notes Pollard. “It might seem like the data I share with a (wearable) app stays on my smartphone or wearable. In reality, it goes to the cloud and might be shared with a number of third parties. Less sophisticated users may never know that happens, or that they could opt-out of it when or if given the choice.”