What are the security and privacy challenges when data resides in and emanates from our own bodies?
As the Internet of Bodies moves from the realm of science fiction to reality, questions of privacy, security, and legality will multiply.
But first, what is the Internet of Bodies? Essentially, it’s the Internet of Things except that instead of “things” like your thermostat, refrigerator, or car, you are the “thing.” Data about your body can be connected to the Internet in multiple ways:
If you’re a pet owner, you probably have your pet microchipped. Basically, a small chip is inserted just under the skin of the neck. The pet’s information is entered into a database. If your pet is ever lost, a scan of the chip will reveal ownership details so you and your wandering pooch can be reunited.
How would you like to be microchipped? 32M, a manufacturer of various microchips, had a “chip party” in 2017. Fifty employees had a company RFID microchip implanted between thumb and forefinger. This allowed employees to open doors, pay for snacks at vending machines, and unlock computers.
Exciting for some, terrifying for others.
If you fall into the former group, consider the pet example and think about an aging population and the increase in dementia and Alzheimer’s. While the idea of placing a microchip in your grandmother sounds odd, wouldn’t you like authorities to be able to return her home should she wander the streets with no memory of where she lives?
And these are two of the simplest examples. There’s much more coming for the Internet of Bodies (IoB, sometimes referred to as the Internet of People).
Consider this extreme hacking concern: Dick Cheney had his wireless-connected defibrillator replaced when he became vice president out of concern that the device could be hacked and an electronic shock could be used to assassinate him.
While our concerns aren’t as extreme, data security is going to be of paramount importance as the Internet of Bodies penetrates society.
Here are a few real-world uses of the Internet of Bodies today:
Each of these uses introduces its own level of privacy and security concern. For an insulin pump, the same concern that applied to Dick Cheney’s defibrillator exists if the device connects via Wi-Fi or Bluetooth: a remotely reachable device that delivers a therapy can be made to deliver it wrongly.
Regarding information recorded from a pacemaker, an ingestible pill, or other means, how do we ensure the privacy of that data from a health or life insurance company that could use it to raise or adjust premiums?
There’s also the intersection of privacy and law enforcement. The following is from an article in the Washington Post:
“. . . precedents are, however, being set for Internet of Bodies data to be used in criminal investigations. Medical data from a cardiac pacemaker was used to bring arson and insurance fraud charges against a man who allegedly burned down his house in 2016. The man claimed the fire started of its own accord and that he had packed his things, thrown them out his bedroom window and brought them to his car to save himself. But a cardiologist concluded that the pacemaker readings, including heart rate and cardiac rhythms, made the timing of the man’s account unlikely, given his heart condition. Citing violation of his client’s privacy, the man’s lawyer moved for the evidence to be tossed out, but the judge ruled to permit the data to be used at trial.”
Or what if poor health habits revealed by IoB devices are used to deny insurance coverage?
These privacy issues are still to be decided, and there is no clear answer to the question, “Do you own your health data?”
As of yet, there are no regulations specific to wearables or IoB-type technology.
Until regulations catch up to reality, we must rely on the security measures already available.
The first step is to have a data security plan in place.
Second, ensure that data is encrypted, preferably both at rest and in transit.
Third, be aware that patient information is not PHI outside of HIPAA-covered entities. That means that the health data your Fitbit or Apple Watch shares to the associated app is not protected by HIPAA data privacy rules (unless the app is developed by a HIPAA-covered entity).
While a breach of a manufacturer’s app data would be embarrassing and as damaging as any data breach, it would not be a HIPAA violation.
Of course, HIPAA-covered entities that currently use IoT or Internet-of-Bodies technology must comply with the HIPAA privacy rules. Any data that is considered PHI, regardless of its origin, must be secured and transmitted according to HIPAA.
So while there aren’t any specific regulations governing IoB technology, any IoB-related technology that would seek to work with a HIPAA-covered entity would have to comply with HIPAA and HITECH regulations.
As wearables are used more frequently to track activity, and as embedded IoB devices become more capable of monitoring and transmitting health information, we will have more information available to help us live healthier lives. That information is going to have to be protected.
As consumers, we need to play an active role in maintaining our privacy until laws are in place. As businesses, especially as HIPAA-covered entities, the Internet of Bodies makes compliance more complicated, but doesn’t really change anything. Protected health information must be protected. It’s as simple as that.