Insights from BCC Research

Protecting Health Data Acquired on the Run

Posted by Laurie L. Sullivan on Jan 6, 2016 6:00:00 AM

In today’s brave new world of mobile, cybersecurity is an overriding concern. We’re living in an era where health data is, well, wearable. According to an analysis by BCC Research, the global market for wearable devices is currently estimated at $1.023 billion, and is expected to grow at a compound annual growth rate (CAGR) of 22.9% to reach $2.874 billion by 2020. (See BCC Research’s report, The Internet of Things.) As of 2015, smart watches and fitness tracking bracelets are the two most popular wearables.

NBC News recently covered the issue. Simply put, wearable data is less secure data. Less simple is how to protect it. Personal data culled from consumer wearables are ending up in the hands of employers, insurance companies, and the black market. Activity tracker upstarts like Fitbit and technology giants like Apple are helping to drive a new digital health-conscious movement into a $2.8 trillion healthcare industry. BCC Research estimates that total shipments for wearables will increase from 14 million in 2015 to 65 million in 2020, a CAGR of 35.9%.

As the NBC article points out, upstarts may have more trouble balancing the risk-reward ratio of spending the time and money it takes to build a strong security backbone into their device with the speed at which they want to roll things out. According to Dell SecureWorks, health data is about 10 times more valuable on the black market than a stolen credit card number. Insurance firms could use brokered health data to classify individuals, which might impact premiums. And potential employers could be mining it to avoid hiring someone (for example, a diabetic) who might end up costing more in terms of health benefits.

FROM THE GYM TO THE CLINIC

As wearables that detect and monitor serious diseases move from the laboratory to the market, they create business opportunities estimated to be worth tens of billions of dollars. Unlike devices such as Fitbit and Jawbone fitness trackers, medical-grade wearables require FDA approval. Also, devices must be FDA approved to be covered by insurance. Alphabet Inc.'s healthcare unit Verily has said that it plans to work closely with the FDA as it develops medical-grade devices.

Empatica is a small startup developing a wristband designed to alert patients with epilepsy and their caregivers of seizures. This could potentially avert a dangerous post-seizure condition that can cause sudden, unexpected death. For its first FDA application, Empatica wants to show that its device can reliably detect some types of epileptic seizures and send an alert to caregivers to check on the patient. (See details in Reuters story, December 18.)

Such alerts might help prevent sudden unexpected death in epilepsy (SUDEP), which kills 1 out of every 1,000 patients with epilepsy. If seizures are uncontrolled, the risk of SUDEP jumps to more than 1 in 150, according to the Epilepsy Foundation. Death is typically preceded by seizure and most deaths occur when people are unattended.

In addition to collecting data, medical wearables companies will have to develop analytical capabilities to prove the data can improve patient health. Analytics could isolate clinical signs, e.g., fluctuations in glucose levels or abnormal heart rhythms such as atrial fibrillation.

FORGING NEW LEGAL AND REGULATORY FRONTIERS

As illustrated by NY-headquartered Law.com, companies must navigate a legal labyrinth to realize the enormous potential to be gained from wearable devices. Federal and state regulators in the Federal Trade Commission, FDA, the Office of Civil Rights, and state attorneys general have taken notice of wearable technology and have provided some limited feedback for companies wishing to enter the wearable technology space.

A recent FDA advisory demonstrates the agency’s increased interest in cybersecurity issues. In a privacy alert, the FDA recommended hospitals stop using a particular Hospira Inc. infusion pump because it had weak cybersecurity protections. In theory, hackers could commandeer the pumps and tamper with patient dosing. This marked the first time the FDA has recommended hospitals discontinue use of a specific medical device because of its poor digital security. Though directed to hospitals, the FDA alert extends to any provider or developer whose wearable technology may be accessed remotely through a network. As cyberattacks become increasingly common, the FDA is likely to provide additional guidance and oversight.

Wearable devices that collect health data could be subject to the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule sets standards for protecting electronically shared personal health information (PHI). However, companies developing hardware and software applications that collect, store, and analyze medical data are not expressly subject to HIPAA. This means that many wearable developers can share a user’s sensitive data without express user consent. However, state laws or company policies may restrict PHI use or disclosure; if the state law is more stringent than HIPAA, both laws apply.

PROTECTING PERSONAL HEALTH DATA IN THE EUROPEAN UNION

By 2018, a new personal health law in Europe could restrict the use of data collected by non-medical health, wellbeing, and fitness technology. The European General Data Protection Regulation could treat health data from wearables the same as sensitive medical records. The issue is due to be discussed in the European Parliament in 2016. Osborne Clarke, a UK tech and innovation law firm, is asking the European Union to rethink the plans, saying that proposals to categorize health data from wearables within the same regulations as medical records is too restrictive and will stifle innovation in health tech. (See story by Wareable.)

The NHS is already planning to introduce wearables, such as skin sensors for diabetics, into its services. Similar to the United States, the question is whether tech firms can build health and wellbeing tracking devices, market them with claims to improve health, and then deal with the data as they see fit. As proposed by Wareable, an EU compromise could be made up of practical measures that focus on making data anonymous together with user consent and control with simple terms, conditions, and privacy policies.

Geographically, BCC Research shows that in 2015, North America is the dominant market for wearables, constituting 39% of the total market. However, this is expected to change by 2020, as the Asia region grows from $327 million in 2015 to nearly $1.2 billion in 2020. At that point, the North American region will be the second largest, with $920 million. Europe is currently the third largest market ($246 million; 24% of the global market), projected to reach $488 million by 2020 at a CAGR of 14.7%.

STEPS CONSUMERS CAN TAKE TO PROTECT THEIR WEARABLE DATA

Perhaps you received the gift of wearable technology this holiday season. If so, here’s how you can help protect your data. Some recommendations from experts include the following. 1) Avoid the first generation of new platforms. Allow time for the bugs to be worked out. 2) Think it through. Assume your data could get hacked and consider the consequences of that. 3) Research the device’s creator and security history, perhaps sticking with established manufacturers. 4) Be cautious of malicious apps and suspicious emails or links.

With that said, saddle up…no wait. Buckle up? Nope, that’s not it either. How about, strap on your device and enjoy the ride!

Topics: Life Sciences, Healthcare, Information Technology