The biggest risks when using fitness trackers to monitor health
Fitness trackers, which help track sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands like Apple, Fitbit, Garmin, and Oura. While these devices are increasingly common — and have legitimate uses — consumers do not always understand the extent to which their information may be made available to or disclosed to third parties. This is especially important because people cannot simply change their DNA sequence or heart rate like they can change their credit card or bank account numbers.
“Once the toothpaste is out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer of computer security firm McAfee.
The holiday season is a popular time to buy consumer medical devices. Here’s what you should know about the security risks associated with fitness trackers and personal health data.
Stick with a well-known brand, even though they get hacked
Fitness equipment can be expensive, even without accounting for inflation, but don't skimp on security to save a few dollars. While a lesser-known company can offer more bells and whistles at a better price, an established supplier that is breached is more likely to care about its reputation and do whatever it takes to help consumers, said Kevin Roundy, senior technical director at the cybersecurity firm Gen Digital.
To be sure, data breach issues, from criminal hacking to unintended sharing of users' sensitive information, can — and have — hit prominent players, including Fitbit, which Google bought in 2021, and Strava. But even so, security experts say that you're better off buying from a reputable manufacturer that knows how to design safe devices and has a reputation to maintain.
“A smaller company could go bankrupt,” Roundy said.
Fitness app data is not protected like health information
There may be other concerns beyond having a person’s sensitive information exposed in a data breach. For example, fitness trackers often connect to users’ phones via Bluetooth, making personal data vulnerable to hacking.
Furthermore, the information that fitness trackers collect is not considered “health information” under federal HIPAA standards or state laws such as the California Health Information Privacy Act. This means that personal data could potentially be used in ways that consumers may never expect. For example, personal information may be shared with or sold to third parties, such as data brokers or law enforcement agencies, said Emory Roane, policy advisor at Privacy Rights Clearinghouse, a consumer privacy education and advocacy organization.
Some fitness trackers can use consumer health and wellness data to generate ad revenue, so if that's a concern, you'll want to make sure there is a way to opt out. Review your provider's terms of service to understand their policies before you buy a fitness tracker, says Roundy.
Default social and location settings may need to be changed
The default settings of a fitness tracker may not provide the strictest security controls. To increase protection, see what settings can be tweaked, such as those related to social networks, locations, and other sharable information, says Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers may also be able to opt out of the sale or sharing of their personal information with third parties, and in some cases, these rights are being expanded, according to Roane.
Certainly, device users should be careful about what they publicly post about their location and activity, or what they allow to be made public by default. This data can be searched online and used by the bad guys. Even if they are not acting maliciously, third parties such as insurance companies and employers can still access this kind of public information.
“Users expect their data to be their data and use it however they want,” says Roane, but that's not necessarily the case.
“It's not just about current data but also about past data,” Demeter said. For example, a bad guy could see all the times a person has gone running, including the date, time and place, and use that to their advantage.
There are also a number of digital scams where criminals can use information about your location to make the scam seem more plausible. They may say things like, “I know you've lost your wallet here and there,” which adds credibility to the scammer's story, says Grobman.
Location data can also cause problems in other ways. Roane gives the example of a woman seeking reproductive health care in a state where abortion is illegal. A geolocation-enabled fitness tracker, he said, could collect information that law enforcement could subpoena, or that could be purchased by data brokers and sold to law enforcement agencies.
Use strong passwords, two-factor authentication, and never share logins
Make sure your account is secure by using a strong password that you don't use with another account, and enable two-factor authentication for the linked app. And don't share credentials. It's never a good idea, but it can have particularly serious consequences in certain circumstances. For example, a domestic violence victim could be tracked by her abuser, assuming he has access to her account credentials, Roane said.
Also, make sure to keep your device and apps up to date with security fixes.
While nothing is completely foolproof, the goal is to be as safe as possible. “If someone tries to profit from our personal information, we make their life more difficult so it's not easy to hack us,” Demeter said.