How to Reduce the Security Risks of Wearable Technology for Your Organization
Driven by the increased use of connected devices among employee populations, wearable technology has rapidly entered the workforce in recent years. While this technology presents innovative opportunities for employers to improve the delivery of healthcare, it also comes with associated risk. Because there is no true solution for these security concerns, risk mitigation is the key to ensuring your organization’s privacy and safety. Before incorporating connected devices into your benefits strategy, it’s important to make sure your employees understand the risks at hand and how they can be responsible users.
Wearable technology security concerns fall into four major categories: device security, network security, data integrity, and personal health information (PHI) vulnerability.
Wearable technology is expanding into the workplace at a staggering rate, but from a security perspective not all devices are created equal. Some devices are extremely simplistic and singular in purpose, while others are powerful and more complex. This means the elements to consider from a security and data privacy perspective can also vary widely based on the device type, manufacturer, and type of services it’s running. Even when a device’s purpose is singular (e.g. monitoring glucose levels), the hardware on the device may have more capabilities and be running additional services in the background.
So, what can your employees do to protect themselves? Here are a couple of ideas:
Ways to mitigate device security risk: Users should always go to the company’s website and download the user manual. Manuals can help employees easily understand which security settings they need to configure. The manual will often suggest things like:
- Changing the default username and password. This is the single most effective step you can take. Attackers may look up a device’s owner’s manual, check the default login credentials, and attempt to compromise the device based solely on that information. Changing these credentials is enough to thwart most attacks.
- Running software, hardware, or firmware updates. From the date a device is built and shipped to when the consumer buys it, much time has passed and developers will have likely made improvements. Users should update devices to ensure they’re using the latest and greatest version.
- Identifying where the device stores and sends data. Some devices may store data locally on a storage drive, some may only store data temporarily while the device is running, and others may send data from the device over the internet to store in a cloud server. Understanding how your device stores and sends your personal data is crucial to keeping your information safe.
When dealing with wearable technology, each user is responsible for understanding and monitoring the security of their device. Specifically, when dealing with devices that can connect to Wi-Fi through Bluetooth or a smartphone, employees are responsible for ensuring they’re not accidentally giving the device access to corporate networks or technology. Users are also responsible for understanding how their wearable devices connect and transmit data, and the associated security of those connections.
Ways to mitigate network security risk: Ensure your information technology (IT) security team has developed best practices to educate and train employees about the risks of wearable devices before allowing them in your workplace.
- Ask employees to connect all personal devices to a dedicated guest network to eliminate the risk of malware attacks on the corporate network.
- Require your workforce to enable passcodes and multi-factor authentication whenever devices allow.
- Encourage your employees to understand where data is sent from their connected devices. A wearable device collecting personal health information (PHI) could be storing that data on the device’s cloud server in a foreign country, where data privacy and access laws may differ.
When integrating wearable technology with healthcare delivery, it is critical that devices are collecting data accurately so providers can diagnose and treat patients correctly. When these devices go unregulated or users fail to keep them updated, data integrity can be a large concern.
Ways to mitigate data integrity risk: Educate your employees on the importance of regular updates and send out reminders to help keep this issue top of mind.
- Inform your employees about the risks of sharing wearable devices. Connected devices should only be worn by their owner to ensure the data being collected and relayed to providers is accurate. Before sharing a device, ensure it is reset to factory default to clear all data, user, and network authentication credentials. Users should also ensure any automated connections to cloud servers or medical applications are cleared out.
- Encourage employees to consult their user manual to determine if routine device calibration is recommended and how to perform it.
Personal Health Information (PHI) Vulnerability
Users must understand wearable devices are not always held to the same privacy standards as traditional medical devices. If a patient wears a fitness tracker and connects the device with their health portal, the information in the health portal will likely be protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as PHI. However, if a patient wears that same fitness tracker and connects it to a fitness app on their phone, that collected information is not considered PHI and is not protected by the same regulations. That data may ultimately be stored by the app developer on a cloud server in a region where different regulations exist.
Ways to mitigate PHI vulnerability risk: Training and educating employees about the importance of keeping their personal health information protected is the best way to keep them safe and mitigate employer risk.
- Create a list of IT-approved or secure applications and share it across your organization. Employees will be more likely to opt for a secure application if your approval and research are shared with them.
- Encourage employees to always read the terms and conditions for their device. These often go unread and can contain crucial information, such as whether or not a developer has the right to re-sell your collected data.
IT teams are responsible for reducing security concerns across a multitude of platforms and devices, so it’s understandable that some organizations have been hesitant to adopt wearable technology. However, these devices are only gaining momentum and an increasing number of organizations are starting to see the benefits of offering these devices to their workforces.
At Premise Health, our secure member portal – My Premise Health – connects with thousands of wearable devices and apps to provide powerful insights to our members and their providers. Instead of waiting for an incident to unfold, connected devices remotely monitor and track members’ health so that our providers can stay on top of developing conditions, modify treatment plans, or intervene in a health emergency. By being proactive and taking these steps to safely integrate connected devices at your organization, your employees can be more informed and educated about their risks and take steps to keep their information safe.
Premise works with organizations in a wide array of industries across the U.S. to ensure health data, billing information, and electronic health records are safe. We are among the elite few direct healthcare companies to have earned HITRUST CSF certification for our electronic health record and have maintained that status since 2017. At Premise, the security of our members is of the highest importance.
Premise can help your organization seamlessly integrate connected devices while protecting your employees’ personal data and keeping your information secure. Contact us today to learn more.