Fitness trackers, which help keep tabs on sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin, and Oura. While these devices grow in popularity and have legitimate uses, consumers don’t always understand the extent to which their information could be accessed or intercepted by third parties. This is especially important because people can’t simply change their DNA sequence or heartbeat the way they could replace a credit card or bank account number.
“Once the toothpaste comes out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer at computer security firm McAfee.
The holiday season is a popular time to shop for consumer health devices. Here’s what you need to know about the security risks of fitness trackers and personal health data.
Stick to a known brand, even if it has been hacked
Fitness equipment can get expensive, even without accounting for inflation, but don’t be tempted to skimp on safety to save a few bucks. While a lesser-known company may offer more bells and whistles at a better price, a well-established supplier that is breached is more likely to care about its reputation and take steps to help affected consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.
Certainly, data compromise issues, from criminal hacks to unwitting sharing of sensitive user information, can — and have — affected well-known players, including Fitbit, which Google bought in 2021, and Strava. But even so, security professionals say it’s best to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to uphold.
“A small business could just go bankrupt,” Roundy said.
Fitness app data is not protected like health information
There may be other concerns beyond the exposure of someone’s sensitive information during a data breach. For example, fitness trackers typically connect to a user’s phone via Bluetooth, leaving personal data open to hacking.
Additionally, information collected by fitness trackers is not considered “health information” under federal HIPAA or state laws such as the California Confidentiality of Medical Information Act. This means that personally revealing data can potentially be used in ways that a consumer would not expect. For example, personal information could be shared or sold to third parties such as data brokers or law enforcement, said Emory Roane, policy adviser at Privacy Rights Clearinghouse, a consumer privacy advocacy and education organization.
Some fitness trackers may use consumer health and wellness data to earn revenue from advertisements, so if this concerns you, you’ll want to make sure there’s a way to opt out. Review the provider’s terms of service to understand its policies before purchasing the fitness tracker, Roundy said.
Social by default, location settings may need to be changed
A fitness tracker’s default settings may not offer the strictest security controls. To boost protection, look at what settings can be adjusted, such as those related to social media, location and other shareable information, said Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers can also opt out of the sale or sharing of their personal information to third parties, and in some cases those rights are expanded, according to Roane.
Certainly, device users should be careful about what they post publicly about their location and activities, or what they allow to become public by default. This data could be viewed online and used by bad actors. Even if they are not acting maliciously, third parties such as insurers and employers could have access to this type of public information.
“Users expect their data to be their data and use it how they want it to be used,” Roane said, but that’s not necessarily the case.
“It’s not just present data, it’s also past data,” Demeter said. For example, a bad actor could see all the times the person goes running – what days and times – and where, and use that to their advantage.
There are also a number of digital scams where criminals can use information about your location to make an opportunity more plausible. They may claim things like, “I know you lost your wallet at such and such a place, which lends credence to the scammer’s story,” Grobman said.
Location data can also be problematic in other ways. Roane gives the example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with location-based services enabled could collect information that could be subpoenaed by law enforcement or bought by data brokers and sold to law enforcement, he said.
Use a strong password, two-factor authentication, and never share credentials
Make sure to secure your account by using a strong password that you don’t use with another account and enabling two-factor authentication for the associated app. And don’t share credentials. It’s never a good idea, but it can have particularly devastating consequences in certain circumstances. For example, a victim of domestic violence could be tracked by her abuser, assuming he has access to her account credentials, Roane said.
Also, make sure to keep the device and app updated with security patches.
While nothing is completely foolproof, the goal is to be as secure as possible. “If someone tries to take advantage of our personal information, we make their life more difficult, so it’s not that easy to hack us,” Demeter said.