Fitness trackers, which help monitor sleep quality, heart rate, and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands like Apple, Fitbit, Garmin, and Oura. While these devices are becoming more popular and have legitimate uses, consumers don’t always understand the extent to which their information might be made available to or intercepted by third parties. This is especially important because people can’t just change their DNA sequence or heart rates like they can with a credit card or bank account number.
“Once the toothpaste comes out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer at computer security company McAfee.
The holiday season is a popular time to purchase consumer health devices. Here’s what you need to know about security risks related to fitness trackers and personal health data.
Stick to a well-known brand, even if it has been hacked
Fitness devices can be expensive, even without accounting for inflation, but don’t be tempted to skimp on safety to save a few bucks. While a lesser-known company may offer more accessories at a better price, a well-established supplier that suffers a breach is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director for the cybersecurity company Digital Generation.
Undoubtedly, data compromise issues, from criminal hacks to the unintentional sharing of sensitive user information, can and have affected well-known players, including Fitbit, which Google bought in 2021, and Strava. But still, security professionals say it’s best to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to uphold.
“A smaller company could go bankrupt,” Roundy said.
Fitness app data is not protected like health information
There may be other concerns beyond having someone’s confidential information exposed in a data breach. For example, fitness trackers typically connect to a user’s phone via Bluetooth, leaving personal data susceptible to hacking.
Additionally, information collected by fitness trackers is not considered “health information” under the federal HIPAA standard or state laws such as the California Health Information Privacy Act. This means that personally revealing data can potentially be used in ways a consumer would never expect. For example, personal information could be shared or sold to third parties, such as data brokers or law enforcement, said Emory Roane, policy adviser at the Privacy Rights Clearinghouse, a consumer privacy, advocacy and education organization.
Some fitness trackers may use consumers’ health and wellness data to earn revenue from ads, so if you’re concerned about that, you’ll want to make sure there’s a way to opt out. Review the provider’s terms of service to understand their policies before purchasing the fitness tracker, Roundy said.
Default social and location settings may need to be changed
The default settings of a fitness tracker may not offer the most stringent security controls. To increase protection, look at what settings can be adjusted, such as those related to social networks, location and other information that can be shared, said Dan Demeter, a security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers can also opt out of the sale or sharing of their personal information with third parties, and in some cases, these rights are being expanded, according to Roane.
Device users certainly need to be careful about what they post about their location and activities, or what they allow to be made public by default. This data could be searched online and used by bad actors. Even if they are not acting maliciously, third parties such as insurers and employers may have access to this type of public information.
“Users expect their data to be their data and use it how they want it to be used,” Roane said, but that’s not necessarily the case.
“This is not just current data, but also past data,” Demeter said. For example, a bad actor could see all the times the person runs, what days and times, and where, and use it to his advantage.
There are also a number of digital scams where criminals can use information about your location to make an opportunity seem more plausible. They may state things like “I know you lost your wallet in such a place,” which lends credence to the scammer’s story, Grobman said.
Location data can be problematic in other ways, too. Roane offers the example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled could collect information that could be subpoenaed by law enforcement or bought by data brokers and sold to law enforcement, she said.
Use a strong password, two-factor authentication, and never share credentials
Be sure to protect your account by using a strong password that you don’t use with another account, and enable two-factor authentication for the associated app. And don’t share credentials. That’s never a good idea, but it can have especially devastating consequences in certain circumstances. For example, an abuser could track down a victim of domestic violence, assuming the abuser had access to the victim’s account credentials, Roane said.
Also make sure to keep your device and app up to date with security fixes.
While nothing is foolproof, the goal is to be as secure as possible. “If someone tries to take advantage of our personal information, we just make their life more difficult, so it’s not as easy to get hacked,” Demeter said.