10 Data Privacy Tips for Wellness Providers | VerSprite GRC Advisories

10 Data Privacy Recommendations for Wellness Providers

Alex Williams


Wellness Industry & Growing Data Privacy Concerns

Growing nearly twice as fast as the global economy, the wellness market has quickly become a $4.2 trillion industry, and wellness providers will need to consider data privacy measures in the future.

According to the Global Wellness Institute, the wellness industry is developing at a historically rapid rate. The industry grew 12.8% from 2015 to 2017. Employers also express an interest in using wellness products in their workplaces.

While the services wellness providers offer are exciting, some ramifications of how wellness providers use data are not transparent. In an industry where, “data is shared with and passes through many partners,” as the executive director at the Center for Genetics and Society put it, wellness providers should consider privacy concerns and market proactive data security measures.

23andMe, for example, allows clients to provide genetic information to discover potential health problems or family members. To provide more services, 23andMe allows consumers to send their genetic data to a partnering biotech company, Genentech. Genentech experienced a breach in 2011. There are also reports that some Genentech employees present insider threats.

Let’s review our top ten recommendations to boost market sales, earn consumer trust, and gain a competitive advantage by addressing these three critical data privacy concerns:

Currently, there are no federal regulations to stop law enforcement agencies from using genetic data from companies such as GEDMatch, Ancestry, or 23andMe. These companies collect genetic data to find potential health problems or family members of consumers.

Law enforcement agencies use genetic data to identify familial relations of suspected criminals. In fact, police used data from the open source platform GEDMatch to identify the notorious Golden State Killer.

Companies such as 23andMe attempt to protect consumer data by only providing law enforcement agencies data when required, such as by a subpoena. 23andMe also provides law enforcement agencies data when consumers agree to share their data. View the 23andMe Guide to Law Enforcement here.

Opportunity #1:
Cater to your consumers’ interest by protecting their data. Surveys by Blue Fountain Media, a digital marketing agency, found consumers in the United States do not believe businesses handle their data with care. Companies may be able to attract consumers by advertising the steps they take to protect client data. Learn more →
Opportunity #2:
Utilize the opportunity to incorporate data security into your brand’s identity. A poll led by Cary, a software analytics company, found consumers desire technology rights. Aside from law enforcement agencies seeking data from DNA genomes, a lack of federal regulation allows wellness providers to change their terms of service at any point in time. No laws stipulate how wellness providers can change their terms of service. Learn more →

This means the rules a consumer agreed to with a wellness provider at one point may change at a later date. Since a wellness provider can send data to other organizations, which can use the data for numerous purposes, some of the conditions consumers sign can also pose irreparable data privacy concerns.

Opportunity #3:
Provide your consumers with assurances not offered by competitors. Consumers and leading technology companies who work with health data claim many companies are not transparent about the data management practices they follow. Consumers may take an interest in companies which claim their data regulations are not subject to change without notification. Learn more →

Finally, the wellness industry is a relatively new aspect of healthcare that hasn’t had the same scrutiny regarding the storage and processing of customer data. Whereas health insurers, medical practitioners, and hospitals understand the importance of securely maintaining patients’ medical information, the majority of wellness apps don’t fall under the purview of HIPAA. Wellness providers are therefore free to use their consumers’ data as they please, so long as it is anonymized.

Moreover, unlike network-capable medical devices, wellness devices and apps are not regulated by the FDA, leaving security implementation solely to manufacturers. This has inevitably led to security considerations being marginalized.

In 2018 it emerged that FitMetrix, a fitness technology company, had failed to password-protect several of its servers, exposing 113 million data records. Each record included the user’s name, gender, email address, profile picture, emergency contacts, and other personally identifiable information.

Opportunity #4:
Stay ahead of the curve by anticipating and expecting future compliance requirements. Leading technology firms including Google, Apple, Microsoft, and Facebook voiced an interest in the United States adopting privacy and data laws similar to those practiced in Europe. Learn more →

Companies may be able to establish a forward-thinking persona by managing data in a manner that consumers appreciate before federal or state mandates require businesses to protect consumer interests.

Opportunity #5:
Inspire consumer confidence and establish trust. Cybersecurity is meant to reduce both the risk of a cybersecurity breach and damages associated with a breach. Organizations that claim they adhere to policies recommended by cybersecurity experts may attract the attention of consumers who wish to minimize the potential data risk. Learn more →

Information Technology Weaknesses

The wellness industry is experiencing a significant increase in wearable devices equipped with network capable technology. These devices can range from simple step and heartbeat counters to advanced appliances that can monitor patients with cardiovascular diseases and more serious conditions.

As with all IoT devices, there is a general lack of suitably robust security measures, with most lacking basic authentication or data encryption.

Opportunity #6:
Determine how effectively your organization’s data is being protected, encrypted, access-controlled, and authenticated. Discover the potential threats that can cross technologies, people, and processes. Assess the strength of the countermeasures to resist attacks. Learn more →

Cloud-centric risks are also a concern for wellness device providers. Many pieces of wellness technology are synced to a cloud application to aid in the retrieval of user information from multiple devices. The poor security measures inherent in wellness devices mean that they can potentially be used as a launch point, or attack vector, by cybercriminals infiltrating a network to steal or corrupt sensitive information.

Opportunity #7:
Conduct a cloud security audit that factors in your organization’s security priorities and risk appetite. VerSprite runs checks against all your Cloud infrastructure (AWS, Azure, etc.), and provides an integrated control audit of security gaps alongside prioritized recommendations. Learn more →
Opportunity #8:
Identify security risks that may go undiscovered if not properly tested in client software, mainframe, web applications, fat clients, embedded software, and more. VerSprite’s penetration testing methodology is based on emulating realistic attacks by a malicious actor through the use of PASTA (Process for Attack Simulation and Threat Analysis). Learn more →

Employer Misuse of Data

In an attempt to lower health insurance costs, increase productivity, and boost employee morale, many organizations are starting to offer business-sponsored wellness plans as a part of their employee benefits.

Wellness plans raise data privacy concerns. How are businesses expected to use the data gathered from these wellness devices? Will it be to solely encourage a healthier workforce? Or will corporations sell employee data to increase profits?

In addition, although it is against US law to discriminate against employees based on physical attributes, there is a possibility employers could use the data to influence personnel advancement. Those seen to be healthier, and therefore less of a health insurance risk, could be given preferential treatment in promotion scenarios, which in turn, if proven, could result in discrimination charges against the business.

Opportunity #9:
There are key takeaways to learn from the California Consumer Privacy Act (CCPA) and its effect on data privacy. The key principle is that privacy is becoming a much bigger concern for legislators. With these benchmarks now firmly in place, the way is paved for more and more privacy regulations and a broader range of regulators and industry bodies to impose privacy standards. Learn more →

Wellness apps, which can be used in conjunction with wellness devices or as a standalone tool, similarly pose risks to user privacy. The information collected is often extensive and when not stored properly could be used to identify users and their habits.

Consider Ovia apps. They are designed to monitor menstrual and ovulation cycles for women trying to conceive or track the pregnancy of expectant mothers.

Employers can pay to access aggregated data to identify, for instance, when new or expectant mothers are projected to return to work. These types of issues rarely receive widespread attention in the public domain. There is clearly a disconnect between consumers’ use of wellness apps and their understanding of how their information is used.

Most consumers remain unaware of what information is collected, how that information is stored, and most importantly who it is sold to or how it is ultimately used. Advertising agencies, analytics companies, and social network organizations are all potential buyers. While the storage of personal information is supposed to be anonymized, an organization could potentially combine two sets of separately sourced data and compare device IDs, usernames, or email addresses to identify users.
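As an added illustration of the linkage risk just described (example code, not part of the original post), the constructed Python below joins two separately sourced “anonymized” exports on a shared device ID, shows that an unkeyed hash of the ID still lets the two sets be joined, and shows that a per-recipient keyed pseudonym breaks the join. All records, device IDs, emails and secret names are made up.

```python
import hashlib
import hmac

# Constructed sample data: names were stripped from both exports, but each still
# carries the raw device ID, so a buyer holding both can re-identify users.
WELLNESS_EXPORT = [
    {"device_id": "dev-1001", "cycle_phase": "ovulation", "week": 14},
    {"device_id": "dev-1002", "cycle_phase": "none", "week": 14},
]
AD_NETWORK_EXPORT = [
    {"device_id": "dev-1001", "email": "alice@example.com"},
    {"device_id": "dev-1003", "email": "carol@example.com"},
]


def link_records(left, right, key):
    """Join two datasets on a shared identifier; returns the re-identified rows."""
    index = {row[key]: row for row in right}
    return [{**row, **index[row[key]]} for row in left if row[key] in index]


def naive_hash(rows, key):
    """Replace the identifier with an unkeyed SHA-256 hash. This is NOT anonymization:
    anyone who hashes the same way gets the same token, so datasets still join."""
    return [{**row, key: hashlib.sha256(row[key].encode()).hexdigest()} for row in rows]


def pseudonymize(rows, key, secret):
    """Replace the identifier with an HMAC under a secret that is unique per
    recipient. Two recipients with different secrets cannot join their copies."""
    return [
        {**row, key: hmac.new(secret, row[key].encode(), hashlib.sha256).hexdigest()}
        for row in rows
    ]


def linked_after_naive_hash():
    return link_records(naive_hash(WELLNESS_EXPORT, "device_id"),
                        naive_hash(AD_NETWORK_EXPORT, "device_id"), "device_id")


def linked_after_pseudonymization(secret_a, secret_b):
    return link_records(pseudonymize(WELLNESS_EXPORT, "device_id", secret_a),
                        pseudonymize(AD_NETWORK_EXPORT, "device_id", secret_b), "device_id")
```

Keyed pseudonyms only help if each recipient really gets a different secret and the raw identifier is never shipped alongside the token.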

Opportunity #10:
Revisit both traditional governance best practices that are still invaluable to proper data management and governance efforts, as well as practical technological controls that can support the management of data. Learn more →

Next Steps for Wellness Providers Interested in Data Security

VerSprite offers two kinds of services to assist wellness providers with handling data in a secure manner.

For businesses concerned with their own data privacy practices, VerSprite’s Governance, Risk, and Compliance (GRC) team offers consultations for complying with state, federal, and international regulations.

Additionally, VerSprite’s Geopolitical Risk (GPR) team provides a variety of specialized services to help businesses conduct thorough due diligence, vet vendors and partners, prepare for expansion, and assess the effectiveness of current or planned strategies. Businesses working with partnering companies should also consider merger and acquisition and joint business services.
