Beware the security flaws of health tracking technology

The number of people engaging in personal health tracking is on the rise, as are the number of devices available for that purpose. By some estimates, around 15% of Americans use technology to track a health indicator for themselves or a loved one.

The availability of technology like Bluetooth LE and smartphones have made tracking an ever increasing number of health parameters possible. As we recommend these tools to patients, its important for clinicians to not only be familiar with the potential benefits but also the costs and risks our patients will be incurring. And with risk in particular, we may be lulled into thinking that risk does not exist; these tools are, after all, very different than a medication or invasive procedure.

In a new report, data security firm Symantec reminds us that nothing is risk free by exposing significant privacy flaws among popular tracking tools.

Researchers from Symantec evaluated personal health tracking technology in two ways. First, they went out into public areas to see what kind of data they could scoop up using less than $100 in equipment. Next, they evaluated the privacy and data security of popular health tracking apps currently in the market.

In their cyber snooping experiment, they constructed Bluetooth-scanning devices using Raspberry Pi mini computers. They then placed these devices at set points along the route of a marathon as well as in highly-trafficked public places like city squares and transport hubs in Dublin and Zurich.

The Symantec researchers found that they could readily track devices based on a unique identifier they transmit; in fact, they were able to track specific runners along the race route based on this piece of data alone. In addition, they found that several devices would allow further data to be readily extracted with just a few more keystrokes.

In their evaluation of currently-available devices and apps, they revealed a number of other concerning findings as well. For example, they reported that 20% of apps examined transmitted sensitive data like username and passwords in clear text; other apps used very low level and easily crackable types of security. Several apps also exposed other personal information like email addresses. And while it may not seem all that concerning if hackers gain access to a user’s step count history, Symantec’s researchers point out that many people reuse the same usernames and passwords across multiple sites.

Another theme they identified was the number of third parties with which these apps are sharing information. Among the apps they evaluated, as many as fourteen third-party domains were contacted during regular operation of the app. In many instances, user information is being shared with these third parties. As an example, they highlight an app that tracks sexual activity, yet shares data with an ad network and analytics service; due to the type of data being shared, it would be possible for anyone at the ad network and the analytics service to infer quite a bit about users’ activities.

Personal health tracking will almost certainly continue to grow both in the number of people engaged as well as the range of health metrics being captured. Somewhere in that ever-growing haystack, we will start to find the ways we can systematically use that data to improve health. As we continue to move towards that goal, it’s important for clinicians to remember that there are still kinks and risks that need to be addressed as these technologies become part of our clinical toolkit.

As a start, Symantec offers several tips that we should share with patients using personal health tracking apps and device:

  • Use a screen lock or password to prevent unauthorized access to your device
  • Do not reuse the same username and password between different sites
  • Use strong passwords
  • Turn off Bluetooth when not required
  • Be wary of sites and services asking for unnecessary or excessive information
  • Be careful when using social sharing features
  • Avoid sharing location details on social media
  • Avoid apps and services that do not prominently display a privacy policy
  • Read and understand the privacy policy
  • Install app and OS updates when available
  • Use a device-based security solution
  • Use full device encryption if available

Satish Misra is a cardiology fellow and a founding partner and managing editor, iMedicalApps, where this article originally appeared.

Leave a Comment

Most Popular