Wearable devices are not new, healthcare professionals have been using heart rate monitors and other hardware as a method of monitoring vital statistics, among other things, for years. What is new though, is the rate of dispersion and the variety of devices coming into the commercial market, available to both healthcare providers and, increasingly, the public.
The wearable device market, also known as the quantified self, has amassed popularity in recent years. In 2015, global retail in this market was expected to reach US$4.5 Billion, and was estimated to triple by 2019 to a whopping US$53 Billion1.Rapid innovations in technology, falling costs in the unit price of devices, and a general social trend toward health by tech savvy consumers, are largely held to be the drivers of the increased demand for health- related wearables.
With increased demand comes a highly competitive market with new and old entrants battling it out to produce better, more accurate and more useful wearables. The pace of innovation and demand in this space is increasingly leading to concerns over privacy and inadequate security safeguards as development outstrips legislative and regulatory requirements.
Wearables present multiple attack vectors, in that they often require data to be transmitted to a processing application typically housed on a smart device such as phones, tablets or computers. Furthermore, applications may store the data online.
Reviews by various security firms have found multiple vulnerabilities in wearable devices and related applications, these range from exposed login credentials, network sniffing (wherein data transmitted from the device is visible to potential attackers), to being able to monitor a user’s location through their device’s tracking mechanism and public networking capability.
It is worth considering the security risks of wearables when linked to smart devices. Careless users may leave their wearable or smart phone unattended, where any person may pick it up and peruse the data stored thereon. Wearables themselves are not typically password protected or secured, and smartphones and other devices are only as secure as their lock screen password, if enabled.
Privacy of the user is closely linked to the security considerations and concerns that are inherent to wearables. Wearables that process health-related information - which may be anything from vital statistics to sleeping patterns - and track user locations, require additional safeguards to be in place to ensure the protection and lawful processing of such information in accordance with various legislation and regulations in place worldwide.
Wearables are often used with a number of applications which may be free, paid for or come with the wearable or your smart device. What is not evident, though, is who has access to the data once you have loaded it from the wearable onto the application.
Another emerging phenomenon regarding the theft of health information is medical identity theft, which is the use of stolen medical details to obtain medical care, buy drugs or submit fraudulent billing to medical aid8. Medical records are worth up to US$50 per record on the black market9, which when compared to US$1 per stolen credit card record, indicates why medical identity theft is so lucrative.
While data coming from your fitness band or glucose meter may not be as valuable as your electronic health record on the black market, users of wearables and their related applications need to be aware of the pervasive nature of thehealth information being collected and stored about them, and what a breach of that information might mean.
South Africans have also been swept up in the wearable fever. Fitness bands, for example, are common features in public and in the workplace. Several medical aid schemes offer incentives to members who buy and use wearables and share the related health information with the scheme.South African privacy awareness is still in its infancy.
However, there are currently several pieces of legislation that provide a framework to understand the rights and obligations of the user, service provider and other parties, where personal information is concerned.The Protection of Personal Information Act (POPI) is currently the most comprehensive privacy framework within the South African legislative landscape.
It provides eight conditions under which personal information may be fairly and lawfully collected, used, stored, transmitted, and destroyed by both public and private organisations.
© 2020 KPMG Services Proprietary Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.