The biggest risks of using fitness trackers for health monitoring

Fitness trackers that help monitor sleep quality, heart rate and other vital signs are a popular way to help Americans improve their health and well-being.

There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin and Oura. While these devices are becoming more popular, and have legitimate uses, consumers don’t always understand the extent to which their information can be accessed or intercepted by third parties. This is particularly important because people cannot simply change their DNA sequence or heart rate the way they can change a credit card or bank account number.

“Once the toothpaste is out of the tube, you can’t put it back,” said Steve Grobman, senior vice president and chief technology officer of computer security company McAfee.

The holiday season is a popular time to buy consumer health devices. Here’s what you need to know about the security risks associated with fitness trackers and personal health data.

Stick to a name brand, even though they have been hacked

Fitness equipment can be expensive, even without accounting for inflation, but don’t be tempted to skimp on safety to save a few bucks. While a lesser-known company may offer more features at a better price, an established vendor is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, Sr. CTO at cybersecurity company Gen Digital.

Of course, data compromise issues, from criminal hacks to the inadvertent sharing of sensitive user information, can — and have — affected well-known players, including Fitbit, which Google bought in 2021, and Strava. But even so, security experts say it’s better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to uphold.

“A smaller company might just go bankrupt,” Roundy said.

Fitness app data is not protected like health information

There may be other concerns besides an individual’s sensitive information being exposed in a data breach. For example, fitness trackers typically connect to a user’s phone via Bluetooth, leaving personal data vulnerable to hacking.

What’s more, the information that fitness trackers collect is not considered “health information” under the federal HIPAA standard or state laws such as California’s Medical Information Privacy Act. This means that personally identifiable data can potentially be used in ways that the user may never expect. For example, personal information may be shared or sold to third parties, such as data brokers or law enforcement agencies, said Emory Roan, policy adviser at the Privacy Rights Clearinghouse, a privacy, advocacy and consumer education organization.

Some fitness trackers may use data about users’ health and well-being to generate ad revenue, so if that’s a concern, you should make sure there’s a way to opt out. Review the provider’s terms of service to understand its policies before buying the fitness tracker, Roundy said.

You may need to change your default social network settings

A fitness tracker’s default settings may not offer the strictest security controls. To increase protection, see what settings can be adjusted, such as those related to social networks, location and other shareable information, said Dan Demeter, a security researcher at cybersecurity provider Kaspersky Lab.

Depending on the state, users can also opt out of having their personal information sold or shared with third parties, and in some cases those rights are expanded, according to Roan.

Of course, device users should be careful what they post publicly about their location and activities, or what they allow to become public by default. This data can be searched online and used by bad actors. Even if they are not acting maliciously, third parties such as insurers and employers can gain access to this type of public information.

“Consumers expect their data to be their data and to use it the way they want it to be used,” Roan said, but that’s not necessarily the case.

“It’s not just about current data, it’s about past data,” Demeter said. For example, a bad actor can see when the person runs—which days and times—and where, and use it to their advantage.

There are also a number of digital scams where criminals can use information about your location to make the opportunity seem more believable. They may claim things like, “I know you lost your wallet in the same place,” which lends credibility to the scammer’s story, Grobman said.

Location data can be problematic in other ways as well. Roan gives the example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled can collect information that can be subpoenaed by law enforcement or bought by data brokers and sold to law enforcement, he said.

Use a strong password, two-factor authentication, and never share credentials

Be sure to protect your account by using a strong password that you don’t use with another account and by enabling two-factor authentication for the associated app. And don’t share credentials. This is never a good idea, but it can have particularly detrimental consequences in certain circumstances. For example, a victim of domestic violence can be tracked by her abuser, assuming he has access to her account credentials, Roan said.

Also, remember to keep your device and app up to date with security patches.

While nothing is foolproof, the goal is to be as secure as possible. “If someone tries to profit from our personal information, we just make their life more difficult, so it’s not as easy for them to hack us,” Demeter said.
