The price of wearable craze: Personal health data hacks

Your personal health information is about 10 times more valuable than a stolen credit card number on the black market.

Technology pioneer isn't a role people associate with former vice president Dick Cheney, but technology security experts today give his medical advisory team props for a move made back in 2007 — disabling the wireless capability on Cheney's pacemaker. The act was, of course, a cautionary effort against any entity that might have tried to hack it to cause Cheney harm.

This is old news — Cheney revealed the story in 2013 during an interview on 60 Minutes — but in a year when the world's largest technology, medical device and health-care firms are betting big and fast on wearable technology's role in delivering patients a more precise and cost-effective way to manage their health, experts are worried that the pace of updating data-privacy laws and building infrastructures with optimal levels of security doesn't match the speed of the market's technological rollout.

The risks to consumers depend on what type of device they're wielding. In rare instances, weak links or endpoints in a cloud-based network powering something like a wearable insulin pump could be life threatening, as it opens the door to hackers tampering with them. On the privacy side, personal data culled from all types of wearables — namely, fitness trackers — are finding their way to employers, insurance companies and the black market, resulting in a range of grievances, from higher insurance premiums to identity theft.

"It's a consumer-driven movement; consumers are demanding medical-grade products that are coming from companies that are well versed in consumer electronics," said David Niewolny, health-care segment manager for Freescale Semiconductor. "These folks aren't familiar with the security type requirements that are needed for a health-care market vs. a consumer market."

Niewolny is referring to the firms that make up more than 80 percent of the health-related wearable technology market, the activity tracker upstarts like Fitbit and technology giants like Apple that are helping drive a new digital health-conscious movement into a $2.8 trillion health-care industry. Research firm Gartner estimates that more than 1.4 billion health and fitness units will ship by 2020, up from roughly 300 million today.

The segment that includes certified medical devices like continuous glucose monitors is also growing — but more slowly, given the regulatory approval process they pass through. Since 1997, the FDA has cleared 115 digital health devices, at a rate of roughly 20 per year. This year approximately 40 digital health devices have been cleared, but that includes updated/revised versions of existing products.

The FDA approved the first-ever digital health device in 1997: a heart tracker named Rhythmstat XL, which allowed patients to record an electrocardiogram (ECG) and transmit it directly to their doctor, who could review it on a Psion 3C palmtop computer. Which kinds of technology the FDA considers a "device" — including apps — is complicated.

Both device camps will help propel the personalized medicine movement.

While the National Institutes of Health is researching ways to use wireless consumer and certified devices to collect massive amounts of health data for its Precision Medicine Initiative Cohort Program, firms like Samsung, Apple and IBM are working on platforms to enable wearables to provide to health-care staffers a more comprehensive and immediate picture of a patient's health.

To that end, medical technology firm Medtronic recently enabled real-time streaming from its continuous glucose monitor to an iPhone app, which allows diabetics to know blood sugar levels at all times. The system alerts patients when levels move too low or too high. The next iteration, which just completed a pilot test of 100 patients, will leverage the data analytics ability of IBM's Watson Health unit to alert diabetics as to when they're likely to experience a hypoglycemic event — hours in advance.

"That's the Holy Grail — the ability of sensors to continuously track you so if there looks like there's been a change in your health, you're notified before the event," said cardiologist Leslie Saxon, a professor of clinical medicine at the University of Southern California. Saxon also heads up USC's Center for Body Computing, which is studying how to engage people in sharing health-related information via social networks.

As this technology evolves and becomes more sophisticated in the way it harnesses and transmits tiny bits of data about an individual's health and behavior, so must the security protocols that preserve confidentiality and protect the device from being attacked directly.

While devices powered by legacy tech firms like Medtronic and IBM have robust security practices in place, upstarts may have more trouble balancing the risk-reward ratio of spending the time and money it takes to build a strong security backbone into their device with the speed at which they want to roll things out.

"When you're looking at the brain of one of these devices, if the software isn't designed to protect itself and it's not designed without design flaws and without vulnerabilities and implementation bugs in it — which we've seen — then it will be attacked," said Gary McGraw, CTO of software firm Cigital.

A big problem, say experts, is that most wearables aren't standalone devices — many work with smartphones. They also interact with a host of other endpoints, including the device maker, health-care firms, hosting providers — places that likely have varying levels of security.

Where a device connects to the cloud is probably the weakest link of all. "[These devices] are not as secure as your smartphone or your PC — it's not that hard for someone with malicious intent to tunnel back into the device and do some harm," said Gary Davis, chief consumer security evangelist at Intel Security.

There's another reason why hackers could be exploiting flaws in medical devices: They want the information contained in your health records, which, according to Dell SecureWorks, is about 10 times as valuable as a stolen credit card number on the black market.

"These devices contain your address, date of birth, group number — that's stuff hackers can use for a long time and get a lot of benefit out of," said Davis, who dubbed 2015 "the year of the health-care breach," given the number of big insurance companies and hospitals targeted by hackers. "While the credit card companies have gotten so good at detecting fraud, managing mileage out of [a stolen card number] is pretty limited."

A story in the Washington Post earlier this year noted that "Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009," based on a review by the Washington Post of Department of Health and Human Services data. Anthem revealed that hackers got into a database with personal information of nearly 80 million records related to consumers, which the Post noted was "one incident that more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009."

Other major insurers, including Aetna and UnitedHealth, have been citing the risk of hacks in annual reports since 2013.

And these are the organizations designated to protect health data and with the most experience doing that.

Encrypted health

Probably the most contentious issue about health wearables is how and with whom data is shared. While devices prescribed by physicians are covered under the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule — which in most consumers' minds means that their data won't be seen by entities outside of their health-care network — the process has many weak links.

"While HIPAA is a set of standards to govern the collection, storage and usage of patient data, there is no static compliance that can be achieved or certified," said Walter Paley, director of marketing for SafeLogic. "HIPAA … refers all security guidelines to the National Institute of Standards and Technology (NIST), which mandates that encryption not verified and validated by NIST is considered, bluntly, useless."

"It's very rare to find a consumer wearable, medical or otherwise, that has deployed FIPS 140-2 encryption — NIST's validation program — in their product."

James Goodnow, a partner with law firm Lamber Goodnow, said that lots of obscurities also exist when it comes to applying the law to medical health devices. "HIPAA applies to covered entities — health-care providers, health plans and health clearinghouses," he said.

Firms not on HIPAA's list that likely have accessed the data: tech makers, Internet hosting providers and any other third-party firms that service or host the information in some way.

Goodnow said it's hard to know what information is protected, a point that becomes more salient as medical devices evolve and start to mirror patients' smartphones.

"Heart rate? Probably. Steps? Maybe. But what about the text message you sent or the video you took? No way," Goodnow said, noting that it's still unknown how a court would react in these situations, because there isn't yet a set precedent. "What's happening is a bundling of information even if it's going to a covered entity — some of that information may be protected health information … but a bunch of other stuff is going to these places that aren't covered under HIPAA."

What this means for consumers, he said, is that the data they thought was protected could become discoverable in a civil litigation case where their health is an issue — say, a personal injury case or a worker's compensation case.

Perhaps the darkest side of the data-privacy issue involves consumer wearables like fitness trackers, where any personal data emitted is up for grabs. Users essentially give up the right to keep any personal information private when they accept a wearable's terms of service, which often contain vague language and notions.

"In order to get some benefit, you need to share information with various apps — say, the route you ran or cycled," said Robert Clyde, certified information security manager of ISACA, a global cybersecurity association. One of the dangers of sharing such information is that it's potentially being collected by data brokers, firms that seek personal information about individuals from a host of online and offline sources and then sell it to companies who use the data in various ways.

According to an FTC report, much of the information being brokered is used for marketing purposes. But there are also worries that insurance firms are using it to classify individuals, which might impact premiums. And potential employers could be mining it in an effort to steer clear of hiring someone — say, a diabetic — who might end up costing more in terms of health benefits.

"If you're going for a new job and have shared all kinds of information via social media — like your blood sugar levels, if you're a diabetic — if the potential employer picks up on that, he might not be that motivated to bring a diabetic on board," Clyde said.

Until regulations catch up to the loopholes associated with the technology — Goodnow predicts that we'll see cases popping up in the next several months to the next several years that will help sort out such issues — experts say it's essential for consumers to become better versed in what they're giving away when signing on to use a new device, medically certified or not.

After all, "there's no way to make [a device or system] 100 percent secure," said Cigital's McGraw.

— By Maggie Overfelt, special to CNBC.com