Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.
Security Vulnerabilities of Wearable Fitness Devices
Though wearable fitness devices can be an extremely useful way of tracking and improving athletic performance, they also come with risks. As a fitness professional, you should recognize that collecting and storing health data means that you have legal and ethical responsibilities to your clients.
Taking these seriously not only limits your vulnerability to cybercrime: it also ensures legal protection should you become a victim. After educating yourself about the risks that wearable fitness devices pose, make sure you pass on this information to your clients.
This article outlines the cybersecurity risks posed by wearable fitness devices and explains how fitness professionals can protect themselves and their clients.
- For most users, the complexity of what wearable fitness devices do is hidden. It appears as if the data collected by these devices is instantly passed to apps on our phones, and automatically added to our fitness tracking software. In reality, the process is much more complex.
- Collecting data from your clients via a wearable fitness device might seem like a fairly straightforward, uncomplicated process. What a lot of health professionals don’t realize, though, is that collecting this data and storing it (even on a home PC) raises significant data compliance issues.
- You should ensure that every client you work with is aware of these risks, and uses the relevant privacy tools to protect themselves against them.
The Security Vulnerabilities of Wearable Fitness Devices
Wearable fitness devices can be an extremely useful tool for fitness professionals. They provide real-time monitoring of an athlete’s performance, and the data they produce can be used to track improvements (and other trends) in this.
They are becoming particularly popular in high-intensity interval training, and in assessing the impact of sedentary behavior. Given that, it’s not surprising that these devices are seeing rapidly increased use both by professionals and amateur fitness enthusiasts: recent research shows that the number of fitness trackers in use is expected to reach 560 million in 2021.
Whilst recognizing their benefits, it’s also worth noting that fitness trackers have raised concerns among cybersecurity professionals. Fitness devices form a part of the “Internet of Things” (the IoT), an interconnected ecosystem of devices that use the internet to send and receive data on real-world phenomena.
The IoT itself has been affected by high-profile IoT malware and several large-scale data hacks and breaches over the past few years, which has led some to call for its security to be improved. Others have pointed out that the problem is more behavioral – that we are simply not used to data on our health and wellbeing being shared across the web. When using any form of technology, including your professional Twitter or Facebook account, it’s important to be aware of the risks.
As fitness professionals, there are three major implications of this. The first is that we should be aware that the fitness trackers we use are susceptible to hackers, malware, and other forms of cyberattack. The second is that we should take steps to limit the possibility and impact of these attacks. The third is that we should recognize our responsibility to educate the athletes we work with about these dangers, and about how to avoid them.
In this article, we’ll take a look at why wearable fitness devices are vulnerable to cyberattack, and then look at how you can limit this vulnerability.
Other Security Risks Of Wearable Fitness Devices
In order to understand why wearable fitness devices are a source of security vulnerabilities, it’s first worth taking a brief look at how the average device works.
For most users, the complexity of what wearable fitness devices do is hidden. It appears as if the data collected by these devices is instantly passed to apps on our phones, and automatically added to our fitness tracking software. In reality, the process is much more complex.
All of the data that a wearable fitness device collects is, in the first instance, transmitted to a smartphone. The smartphone then uses an Internet connection to send these data on to a server. As such, there are (almost always) three devices involved in data collection and storage: the wearable fitness device itself, the smartphone, and the server.
Each of these devices is vulnerable:
- The manufacturers of wearable fitness devices have typically prioritized connectivity over security, and so many of these devices broadcast data – completely unencrypted – over a Bluetooth connection. This means that this data can be intercepted and read by anyone close to the device.
- Your smartphone is arguably the most secure part of this process, but not because smartphones are particularly secure in themselves. Rather, this is because most wearable fitness devices implement end-to-end encryption, and so the data stored on the smartphone itself is generally unreadable for hackers.
- The same cannot be said of the servers this data is stored on. Though large tech companies spend millions of dollars to protect their servers from cyberattack, major data breaches happen all the time, and these can lead to highly sensitive, personally-identifiable data being published in the public domain.
Why Does Wearable Fitness Security Matter?
As a fitness professional, it might seem like worrying about data security is not your concern. In a way, you’d be correct: wearable fitness devices made by reputable companies come with some protection against cyberattack. However, this is only effective if you use these devices correctly, and take steps to limit your exposure to security vulnerabilities.
We’ll shortly come on to how to do that. First, though, allow us to point out that the consequences of cyberattack can be severe. The problem with a wearable fitness device being hacked is not so much the risk that your (or your clients’) heart rate or O2 level is revealed– this type of information is not that much use to hackers – but hacking a fitness device can expose other kinds of personal information.
By hacking a FitBit, a hacker could get access to your bank details, since some fitness wearables allow their users to access their accounts at select financial institutions and make payments.
This is why, in August 2018, the Pentagon banned the use of fitness trackers, each of which possesses geolocation features, on military bases due to their exposure to data leaks. They had recognized that this security problem is presented not just by a fitness tracker, but by its whole ecosystem.
As announced by Michael Lynch, the Chief Security Officer for InAuth, a cybersecurity company, “even though the wearable itself may not be the primary target of an attack, its link to a mobile device creates another point of entry for cybercriminals to exploit – especially since wearables security is a relatively new frontier”.
How Protected Are You?
With all of this said, it’s worth pointing out that the manufacturers of wearable fitness devices have taken steps to improve their security over the past few years.
According to IDC, Fitbit is by far the top maker of activity trackers, though it has lost some market share recently. The company is also the one that has gone furthest when it comes to protecting its users from cybercrime, and it has done this through a variety of means. It offers a “bug bounty” for researchers who can find security holes in its devices, marking important security updates for users, and limiting the ability of third-party developers to see the data it collects.
Nevertheless, these technical measures can only go so far when it comes to protecting you (and your clients) from data breaches and hacks. It is still imperative to use these devices in a responsible, secure way. So let’s look at how to do that.
How To Keep Wearable Security Devices Secure
As a fitness professional, there are two major aspects of wearable device security you should be concerned with. The first of these is that you limit the ability of malicious actors to gain access to the data collected by these devices.
The second is that, if you are working with this data in order to track and improve athletic outcomes, you should store it in a secure way. This second aspect also implies that you comply with the relevant data privacy legislation in the territory you work in.
Let’s take a closer look at how to do this.
1. Anonymize Your Data
Collecting data from your clients via a wearable fitness device might seem like a fairly straightforward, uncomplicated process. What a lot of health professionals don’t realize, though, is that collecting this data and storing it (even on a home PC) raises significant data compliance issues.
In the US, the relevant legislation is the HIPAA, which delimits the ways in which individuals and companies can work with electronic Protected Health Information (ePHI). Even data as simple as a heart rate read-out falls under this definition. Consequently, according to Eric Hodge, director of consulting at CyberScout, a data risk management, and identity protection firm, you must “worry about complying with all kinds of HIPAA requirements just as a hospital would.”
In practice, this means anonymizing all of the data you store. No piece of information should be associated with a specific individual you are working with.
If you do not do this, you run the risk of huge fines. Hospitals in the US have recently been fined up to $6 million for failing to comply with the HIPAA. In addition, if a hacker breaks into your systems and steals this information, and you have not anonymized it, you are not able to claim damages from your insurer.
2. Segregate Your Devices and Data
“Segregation” is an old term among cybersecurity professionals attempting to secure IoT networks, and can be one that is difficult to understand for those new to cybersecurity. Essentially, it means keeping pieces of data as separate as possible, so that one system getting hacked doesn’t mean all the data you hold is leaked.
In practice, there are two ways that fitness professionals should segregate their systems.
The first is that you should avoid connecting the computers (and any other systems) you use for collecting fitness data to those you use for your business, and especially to your personal computer. Instead, use a dedicated laptop to store all of the data that you collect from your wearable fitness devices, and encrypt it.
Secondly, avoid the temptation to link the account you use for your wearable fitness devices to your other online accounts. Though it might seem easier to link your FitBit to your Google account, do not do this. It means that if your FitBit account is compromised, your Google account is easier to hack. That could lead to catastrophic consequences, such as the personal details of your clients being stolen and leaked.
Related: How Google & Facebook use your data
3. Due Diligence
Performing due diligence of the way you collect and store data is particularly important in the context of the legislation mentioned above. You should make sure that your business is HIPAA compliant, and this means looking carefully at the way that you store and use data. Not only does this process help to protect your data from theft, but it also limits your liability should it be stolen.
Due diligence is also important when you sign up for third-party software. Many fitness professionals use these services to track the performance of their clients, but not all of them are as secure as they should be. To make matters worse, some of these third-party platforms sell the data you provide to them. As a result, you should always check the terms and conditions of any software you want to use in a professional capacity.
4. User Education
Beyond improving your own and your kids’ security, you should also take all reasonable steps necessary to protect your clients from having their data stolen, leaked, or sold. As Jeff Pollard, a principal analyst focused on security and risk at Forrester Research, told CIO recently, “It might seem like the data I share with a (wearable) app stays on my smartphone or wearable.
In reality, it goes to the cloud and might be shared with a number of third parties. Less sophisticated users may never know what happens, or that they could opt-out of it when or if given the choice.”
You should ensure that every client you work with is aware of these risks, and uses the relevant privacy tools to protect themselves against them. It is also recommended that you check and pass on the information that has been made available via your government and device manufacturer, such as that accessible via OnGuardOnline.gov or Microsoft’s Safety & Security Center.
5. Prepare For The Worst
Even with the best security protocols and systems available, hacks and breaches continue to occur. As a fitness professional, this means that you should recognize that, at some point, you are likely to be the victim of cybercrime and prepare for this.
In many ways, if you’ve already taken all the steps above, you are well covered against the consequences of a hack. As long as you have done your due diligence, and are working with data in the way that you are supposed to, you should avoid the legal ramifications of a hack.
Unfortunately, limiting the reputational damage that a hack can have is more difficult. If you leak sensitive information on a client, they are unlikely to take this well. Still, as long as you have taken the reasonable steps you can to limit this possibility, you can limit the fallout.
- Wearable fitness devices are great but are also vulnerable to hacking.
- Make sure that you store client data in a secure and compliant way.
- Store this information on a separate computer to limit the possibility it can be stolen.
- Make sure your clients are aware of good cybersecurity practices.
In closing, you should recognize that though wearable fitness devices can be an extremely useful way of tracking and improving athletic performance, they also come with risks. As a fitness professional, you should take steps to ensure that you are using reputable wearable fitness devices that don’t share the data they collect with anyone else.
Beyond this, you should recognize that collecting and storing health data means that you have legal and ethical responsibilities to your clients. Taking these seriously not only limits your vulnerability to cybercrime: it also ensures legal protection should you become a victim. Lastly, after educating yourself about the risks that wearable fitness devices pose, make sure you pass on this information to your clients.
Though working with technology can be a major source of stress in itself, trust us: having your data stolen is more stressful than taking these simple steps.