Enterprise Mobility Management / BYOD , Governance & Risk Management , HIPAA/HITECH

Fitbit, Google Health Data Collaboration: What Are Risks?

Experts Question Whether Partnership Could Pose Privacy, Security and Safety Concerns
Fitbit, Google Health Data Collaboration: What Are Risks?

Fitbit and Google say they are collaborating to accelerate innovation and "transform the future" of digital health and wearables, leveraging cloud computing. Some observers, however, say the partnership also raises privacy, security and patient safety questions.

See Also: How Enterprise Browsers Enhance Security and Efficiency

In a joint statement, consumer wearable health device maker Fitbit and Google announced that they are exploring the development of consumer and enterprise health solutions.

"Fitbit intends to use Google's new Cloud Healthcare API to help the company integrate further into the healthcare system, such as by connecting user data with electronic medical records," the companies said.

Combining Fitbit data with EMRs could provide a more comprehensive view of a patient's profile, enabling more personalized care, the companies claim. The collaboration could also help patients and clinicians manage chronic conditions, such as diabetes and hypertension, by using services such as Twine Health, a health coaching platform that Fitbit acquired earlier this year, the two companies say.

Google says its health application programming interface provides "a robust, scalable infrastructure solution to ingest and manage key healthcare data types - including HL7, FHIR and DICOM - and lets our customers use that data for analytics and machine learning in the cloud."

What About the Risks?

Some privacy and security experts, however, say that while details of the collaboration haven't been fully disclosed, the partnership between Fitbit and Google appears to raise a number of potential security, privacy and perhaps even patient safety questions.

For instance, will the advancement of Fitbit devices combined with Google's cloud services - and the addition of potential new data feeds into patient EMRs - transform Fitbit into becoming a provider of what the Food and Drug Administration classifies as a software as a medical device product that clinicians use to treat, mitigate, cure or diagnose patients?

That's a question that will need to be scrutinized by regulators, says technology attorney Steven Teppler of Abbott Law Group. And if some future Fitbit health applications fall under the umbrella of what the FDA deems SaMD products, Teppler worries about potential patient safety concerns.

"FDA does not review [software] code for quality" as part of their product premarket approval process, he notes. That potentially creates some questions about accuracy of data that's generated for making clinical decisions, he says.

In addition, the Google cloud-based platform could also make the Fitbit applications and data a target for ransomware and other cyberattacks that could disrupt clinicians' ability to access patient data and provide care, he says.

"We saw what happened with Allscripts," Teppler says, referring to a ransomware attack earlier this year on the cloud-based vendor that disrupted about 1,500 healthcare providers that use the company's Electronic Prescriptions for Controlled Substances and Professional EHR applications.

Teppler says the collection of Fitbit-generated consumer health data on the Google cloud platform, combined with other data Google collects about consumers through its other services, also presents potential privacy concerns.

"What will Fitbit and Google do with this data? Look at what happened with Facebook and Cambridge Analytica," he says.

Where Does HIPAA Fit In?

Privacy attorney Stephen Wu of Silicon Valley Law Group says the arrangement between Fitbit and Google, and how consumer data will be shared with patient EMRs for use by healthcare providers, also creates the potential for Fitbit to become a "business associate" liable for HIPAA compliance.

For instance, if Fitbit and Google provide data services to HIPAA covered entities, such as hospitals and clinics, then the arrangement likely would create a business associate relationship, Wu says. But if consumers direct Fitbit and Google to send their data to their healthcare providers - and the covered entities aren't overseeing the collection of the data - there might not be a business associate relationship involving the vendors, he adds.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says that even if they are enabling interfacing with EMRs, "there's a good chance that Fitbit and Google's collaboration will fall outside of HIPAA."

While Fitbit and Google may connect to EMRs, "they likely are doing so on behalf of the consumer, rather than on behalf of the healthcare provider as a covered entity," he says. In that case, HIPAA may not apply, but they will be subject to other laws, such as the FTC Act, he adds.

Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says the question of if - or when - Fitbit is a business associate also can change when examined against any number of scenarios.

"If the Fitbit is offered by the healthcare provider or health plan to the individual in order to provide information that will be used by these HIPAA covered entities, then Fitbit would be their business associate," Holtzman says.

Also, entities and patients should be aware of potential security threats - such as man-in-the-middle attacks - when a consumer wearable - whether a Fitbit device or other application - connects directly with a healthcare organization's records system, he notes.

In a 2015 security incident, hackers gained access to the accounts of dozens of Fitbit wearable fitness device users through leaked email addresses and passwords from third-party sites. Once inside the accounts, the attackers changed details and attempted to defraud the company by ordering replacement items under the user's warrant. The attackers also reportedly had access to customer data, including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep (see Fitbit Hack: What are the Lessons?).

Due Dilligence

Covered entities also need to do their due diligence before getting involved with relationships that could involve the use of patients' Fitbit-generated health data, Wu stresses. If the CEs are working with the vendors, the healthcare providers should inquire about the kinds of security and privacy precautions the vendors have implemented, he says.

Greater patient engagement and receipt of day-to-day fitness and health data into the EMR offers great potential, Greene says. "But healthcare providers should be sure to consider in their HIPAA Security Rule risk analysis this potentially new area of protected health information coming into electronic systems," he says. "If the flow of information is bi-directional, with EMR data going to Fitbit or Google, then they should ensure that they have fully complied with the HIPAA Privacy Rule, such as documenting that the patient has requested the disclosure or that it is for treatment purposes."

Meeting Regulatory Requirements

The companies in their joint statement note that Google Cloud will provide Fitbit with "next-generation cloud services and engineering support," allowing Fitbit to scale faster.

"Google Cloud is also committed to meeting the requirements for security and privacy in the healthcare industry, with the majority of Google Cloud products supporting HIPAA compliance, including Cloud IoT Core," the statement says.

"The move will allow Fitbit to leverage Google Cloud's infrastructure and advanced security capabilities to help accelerate the Fitbit Health Solutions business and expand deeper into population health analysis, while maintaining Fitbit's commitment to protecting consumer data," the companies say.

Google's artificial intelligence and machine learning capabilities and new predictive analytic algorithms will further Fitbit's efforts to bring more meaningful data and insights to consumers to help them achieve positive health outcomes, according to the companies' statement.

Additionally, Google Cloud states on its website that customers have control over their data, and that data is processed only as instructed by customers. The company also asserts that in many cases, its cloud platform can help customers be "better protected" against ransomware, phishing, and other types of cyber threats than they might be with their own infrastructure.

Fitbit Responds

In a May 2 statement provided to Information Security Media Group, Fitbit says the company's collaboration with Google "will not change" how Fitbit manages and protects its users' data.

"We have a longstanding commitment to privacy and data, and our data practices will continue to be governed by the Fitbit Privacy Policy," the company says. "We are not sharing our user data with Google; we are partnering with Google to host Fitbit user data, similar to other cloud/hosting service providers. We take our obligation to safeguard users' personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices."

Fitbit adds that it will give its users control over their information by providing them with account settings and tools to access and manage the personal information associated with their accounts. "We will continue to give Fitbit users choices regarding how their information is shared, including when it comes to EMRs or other integrations. We never sell personal data, and we do not share customer personal information except in the limited circumstances described in our privacy policy."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.