IoT report reveals FTC’s worst fears of what insurers, third parties would do with health data

It’s been a few weeks since the Federal Trade Commission gave Consumer Electronics Show attendees a preview of an upcoming report on the Internet of Things. The published report is the product of a workshop held just over one year ago looking at different aspects of cybersecurity and data privacy, including how consumers’ health data from devices connected to the Internet of Things is used and could be used. It takes a strikingly defensive posture on data transmission and ardently recommends increased privacy legislation, backed up by any number of worst-case scenarios.

I highlighted some of the recommendations in my last post on the report. This one draws attention to the commission’s arguments justifying them.

The report has been chewed up by critics, particularly because its recommendations rely more on assertions and isolated violations than on a series of events.

The insurance industry is eyed with suspicion. For example, the report expresses concern that a program by car insurer Progressive, which allows members to opt in to a plan that tracks their driving and rewards them for safer driving habits, could be applied to health insurance. That’s despite the fact that current laws, particularly the Fair Credit Employment Act, limit the use of consumer data to make determinations about credit, insurance, or employment, as the report itself points out.

One researcher has hypothesized that although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user’s suitability for credit or employment.

Digital health companies like Ginger.io, which has developed a way to track smartphone users’ mood based on how they use their phone, also come under scrutiny as a group, though they are not mentioned by name.

Another participant referred to the IoT as enabling the collection of “sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals.” Some panelists cited to general privacy risks associated with these granular information-collection practices, including the concern that the trend towards abundant collection of data creates a “non-targeted dragnet collection from devices in the environment.”

It also argues for an expanded version of HIPAA that would extend to consumer-facing products that capture healthcare data. The report makes clear that plenty of participants in the workshop discussion from which it draws its conclusions object to the level of work that would be asked of small and large companies, particularly the opt-in component.

if patients have “to consent to everything” for a health monitoring app, “patients will throw the bloody thing away.” Yet another participant noted that any requirement to obtain consent could be “a barrier to socially beneficial uses of information.”

There’s also reason to be concerned that this could undermine innovation, especially in the healthcare industry, where digital health is gathering momentum.

The point at which the FTC report really jumps the shark is when it cites Facebook as an example of helping users protect their data with its video tutorial to guide consumers through its privacy settings page. High praise for a social media network that offers a case study in how these networks make money from the sale of personal information.
