Protecting patient privacy and security while exploiting the utility of next generation digital health wearables

The announcement that the US Food and Drug Administration (FDA) has given clearance to the irregular rhythm notification feature in the latest Apple Watch has been met with great enthusiasm by some and with cynicism and concern by others. As Silicon Valley and the tech sector rejoice and press forward at full velocity, medical professionals have engaged in cautiously optimistic dialogue. These new tools clearly have the potential to help users monitor their health much more actively. However, these devices do not yet have clinical grade accuracy or precision. The FDA response letter identifies a number of risks with the device, such as false negatives, false positives, misinterpretation, and potential over-reliance on the device. [1] Further, the use of such devices to monitor people’s health calls into question the privacy and security of healthcare data.

Privacy and security are complex and entangled concepts. Privacy refers to an individual’s right to control their information and its use. Security refers to how that information is protected. The two are not necessarily congruent. For example, a business may keep data safe from cyber attack but also sell that data without permission or consent. In that case, security is intact, but privacy has likely been violated. In terms of privacy, the current protections in the US under the Health Insurance Portability and Accountability Act (HIPAA) are limited, complex, and outmoded for the volume, velocity, and variety of new digital data. [2] Specifically, HIPAA does not cover data generated by entities such as commercial technology vendors, and it is limited to direct identifiers such as date of birth, address, and social security number.

Looking more closely at the biometric parameters collected by these devices, could they not be used as new types of direct identifiers? Modern biometrics, such as facial recognition, fingerprints, gait, iris and retinal scanning, touch typing, voice recognition, heart rate/rhythm and others, serve as the basis of next-generation identity management technologies. In short, most digital health sensors are also biometric measurement and transmission devices. Just as a DNA sequence can be used to provide important medical insights, that same sequence can also be used to uniquely identify an individual. Biometric identifiers such as facial recognition are especially difficult to secure and protect: they can be captured without notice, are easy to tamper with, are easily compared to faces scraped from the web and social media sites, and can therefore be easily weaponized. None of these data streams is explicitly covered under HIPAA, but they are likely protected under the General Data Protection Regulation (GDPR) in Europe. The question is whether any of these regulations will be able to keep up with the speed of development and implementation of these technologies. [3]

GDPR is more modern and comprehensive than HIPAA and closes some of the HIPAA loopholes. Under GDPR, biometric data is explicitly covered under “special categories of personal data” and can only be processed and used under explicit consent or other clearly described circumstances. [4] Interestingly, the new Apple Watch with the irregular rhythm notification feature is not being marketed, or even advertised, outside of the US, and one must wonder whether differences in privacy regulation are a contributing factor.

In terms of security, it is now clear that the healthcare industry is a high value cyber target and will continue to face persistent threats. [5] Devices are at risk of being hacked, and modern smartphones have the potential to be highly advanced surveillance devices in the hands of determined adversaries. According to a recent report from the US Department of Homeland Security (DHS) on mobile device security, mobile devices and connected accessories are easy to lose or steal, are often connected to unsecured public wireless networks, and are subject to an extensive range of cyberattacks that include geolocation disclosure, tampering, denial of service, identity and data disclosure, phishing, and device hijacking. [6] Geolocation disclosure is especially troubling, as the threats here go beyond the financial and reputational attacks we have witnessed to date. We must understand that, by mixing health and location data, we open up an entirely new domain of privacy and physical threats. Location data is currently unregulated and enables deep surveillance of individuals’ activity, location, and habits without their notice. [7]

While progress has been made, especially in awareness and in increased cyber assurance funding by healthcare institutions, policy progress has been too slow to be of practical use. In a world where regulations take years but new cyber threats appear at a rate of tens of thousands per day, we need to think differently about regulation. Even when regulations and guidelines exist, they are poorly utilized. For example, while the FDA letter on the Apple Watch specifies the requirements for compliance with a significant list of federal regulations, it contains no explicit cybersecurity or user privacy requirements.

The good news is that, as risks are identified, mitigations and remediations can be implemented if action is proactive and swift. We cannot allow ourselves to be caught off guard by cyber threats again. We must be proactive in ensuring privacy protections and cyber resilience now, at the beginning of this digital transformation.

This is truly an exciting time to be in healthcare. The possibilities of digital tools to improve patient wellness and healthcare are extraordinary. We should not let the promise go unfulfilled, but we must also take care.

Eric D Perakslis, Department of Biomedical Informatics, Harvard Medical School.

Competing Interests: None declared.

References:

  1. US Food and Drug Administration. Response to De Novo request for classification of the Irregular Rhythm Notification Feature. Angela C. Krueger, Deputy Director, Engineering and Science Review, Office of Device Evaluation, Center for Devices and Radiological Health. September 11, 2018.
  2. Cohen IG, Mello MM. HIPAA and Protecting Health Information in the 21st Century. JAMA. 2018; 320(3): 231-232.
  3. Owen D. Should We Be Worried About Computerized Facial Recognition? The New Yorker. 2018. December 17.
  4. https://gdpr-info.eu/art-9-gdpr/
  5. Jarrett MP. Cybersecurity – A Serious Patient Care Concern. JAMA. 2017;318(14):1319-1320.
  6. US Department of Homeland Security. Study on Mobile Device Security. https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Devic
  7. Harris R. Your Apps Know Where You Were Last Night and Are Not Keeping It a Secret. New York Times. 2018. December 10.