Fitness trackers, which help keep track of sleep quality, heart rate, and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands like Apple, Fitbit, Garmin, and Oura. While these devices are growing in popularity – and have legitimate uses – consumers don’t always understand the extent to which their information could be available to, or intercepted by, third parties. This matters because people can’t easily change their DNA sequence or heart rhythm the way they could change a credit card or bank account number.
“Once the toothpaste is out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer of computer security company McAfee.
The holiday season is a popular time to shop for consumer healthcare equipment. Here’s what you should know about the security risks associated with fitness trackers and personal health data.
Stick with a well-known brand even if it’s been hacked
Gym equipment can be expensive, even without accounting for inflation, but don’t be tempted to skimp on security to save a few bucks. While a lesser-known company may offer more bells and whistles at a better price, an incumbent that gets hurt is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.
Certainly, data breach issues, from criminal hacks to the inadvertent disclosure of sensitive user information, can – and have – hit well-known players, including Fitbit, which Google bought in 2021, and Strava. Despite this, security experts say it’s better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to uphold.
“A smaller company might just go bankrupt,” Roundy said.
Fitness app data is not protected like health information
Aside from exposing an individual’s confidential information in a data breach, there may be other concerns. For example, fitness trackers generally connect to a user’s phone via Bluetooth, leaving personal information vulnerable to hacking.
Additionally, the information collected by fitness trackers is not considered “health information” under the federal HIPAA standard or state laws such as the California Medical Information Confidentiality Act. This means that personal information could potentially be used in ways that a consumer would never expect. For example, the personally identifiable information could be shared or sold to third parties such as data brokers or law enforcement agencies, said Emory Roane, policy counsel at Privacy Rights Clearinghouse, a consumer protection, advocacy and education organization.
Some fitness trackers may use consumer health and wellness data to generate revenue from ads. So if you have concerns, you should make sure there is a way to opt out. Read the provider’s terms of service to understand the policies before purchasing the fitness tracker, Roundy said.
Default social and location settings may need to be changed
A fitness tracker’s default settings may not offer the strictest security controls. To increase protection, see which settings can be adjusted, for example those for social networks, location and other shareable information, said Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers can also opt out of the sale or disclosure of their personal information to third parties, and in some cases, Roane said, those rights are expanded.
Certainly, device users should be careful about what they post publicly about their location and activities, or what they choose to make public by default. This data could be searched online and used by bad actors. Even if they are not acting maliciously, third parties such as insurers and employers could gain access to this type of public information.
“Users expect their data to be their own data and use it how they want to,” Roane said, but that’s not necessarily the case.
“It’s not just about current data, it’s also about past data,” Demeter said. For example, a bad actor could see when a person goes running – which days and at what time – and where, and use this to their advantage.
There are also a number of digital scams in which criminals use information about your location to make a pitch appear more plausible. They can claim things like, “I know you lost your wallet in such-and-such a place,” which lends credence to the scammer’s story, Grobman said.
Location data can also prove problematic in other ways. Roane provides the example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled could collect information that could be subpoenaed by law enforcement or bought by data brokers and sold to law enforcement, he said.
Use strong passwords, two-factor authentication, and never share credentials
Be sure to secure your account by using a strong password that you don’t use for any other account, and enable two-factor authentication for the associated app. And don’t share credentials. This is never a good idea, but it can be particularly devastating in certain circumstances. For example, a domestic abuse victim could be tracked by her abuser if he had access to her account information, Roane said.
Also, make sure the device and app are up to date with security fixes.
Nothing is absolutely secure, but the goal is to be as secure as possible. “If someone tries to profit from our personal data, we’re just making their life more difficult, so it’s not that easy to hack us,” Demeter said.