What You Need to Know About Data Security and Wearable Devices in the Workplace


Now that wearables and smart technology devices are frequently used to incentivize and measure participation in workplace wellness programs, activity trackers have emerged as an important—and sometimes debated—link between employee and employer.


Concerns about personal data and activity trackers made the news (again) this week, with reports that U.S. soldiers may have inadvertently revealed the locations of remote military bases in Iraq, Afghanistan and Syria by publicly sharing their jogging routes via the Strava fitness app.


And during a series of meetings last year between Apple and Aetna, Aetna employees’ questions about the safety of the data on their employer-provided Apple Watches ended up dominating the discussion—and the news media’s coverage of that discussion. By way of background, Aetna partnered with Apple in 2016 to provide select large employers and individual customers with Apple Watches, as well as offering to reimburse all 50,000 of its own employees for the watches. Apple has stressed that health information is only shared with user consent, and Aetna is continuing to gather feedback from its employees about whether or not the watches have had an impact on their nutrition and exercise habits.


Of the Apple/Aetna meetings, CNBC reported, “One of the biggest concerns with companies like Apple and Fitbit collecting health information, like steps and heart rate, is that it could get into the wrong hands. These fears are amplified as technology companies strike deals with self-insured employers and health plans.”


So what are employers and health insurers doing with the data they collect from activity trackers? The large majority of those employers are doing nothing with it and are providing employees and/or their customers with wearable devices only to encourage health and wellness in hopes of increased productivity and engagement and decreased healthcare costs.


Though it’s now common across industries, the trend of doling out activity trackers to employees and customers was popularized by healthcare companies. Back in 2014, tech startup Oscar made headlines when it partnered with Misfit, a wearable device company, to link its customers’ biometric information straight to their health insurance, presenting Amazon gift cards to those who met their fitness goals.


Since 2016, UnitedHealthcare has awarded employees who meet fitness goals (as measured by their wearable devices) with monetary prizes and credits that can be applied to a health savings account or health reimbursement account. The company’s vice president of emerging products recently reported that its program, which it calls “Motion F.I.T.”, has yielded “very impressive” engagement and activity rates. And, as part of its Wellvolution program, Blue Shield of California leverages the Walkadoo app, which keeps track of activity and allows employee participants to earn awards such as Fitbits and Visa gift cards. It has since also invited some of its plan participants to engage with the app in exchange for awards. OptimaHealth, Cigna, Humana and other insurers additionally offer their members discounts and rewards tied to activity trackers.


Even as activity trackers have given some corporate employees an impetus to prioritize their health, the practice of using them as incentives has, in some ways, heightened the tension between personalized medicine and private information. Workplace wellness programs that a group health plan offers only to its own plan participants are covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules; wellness programs offered to all employees, by contrast, are likely not covered by HIPAA.


Just last week we reported on a new ruling from a federal district court in Washington, D.C., in which the U.S. Equal Employment Opportunity Commission (EEOC) has been ordered to alter its rules on employer-sponsored wellness programs that financially penalize employees who refuse to provide personal medical and genetic information. As wearable healthcare technology grows more sophisticated, we suspect that the number of questions it raises will continue to grow, as will the opportunities it creates.


For more on the role of smartphones and apps in personal health management, read our blog about trends in remote health monitoring.

The 3 Biggest Threats to Data Security and Privacy in Healthcare Today


by Jesse Braasch & Jason Langston


According to a new report on healthcare data breaches in 2017, the three greatest threats to data security and privacy this year have been human error, hacking/malware and insiders. To prevent breaches, all industry players need to ask themselves if they are vulnerable to these threats and ensure that their software systems are updated.


  1. Unintended Disclosure: 41 percent (the large majority) of breaches are the result of unintended disclosure, a.k.a. user mistake or human error. These incidents can come in the form of emails inadvertently sent to the wrong recipient or emails that contain protected health information (PHI). Discharge instructions may be given to the wrong patient, or a server containing PHI can be accidentally left open to the public. Workforce training and education can go a long way to diminish incidents of unintended disclosure.


  2. Hacking or Malware: Hackers have continued to disproportionately target healthcare organizations in 2017, organizing significant and sophisticated attacks that account for 15 percent of breaches so far this year. Phishing attacks on hospitals, insurance providers, medical equipment suppliers and others have resulted in the leaking of tens of millions of patient names, social security numbers, medical records, diagnoses, treatment information and other clinical data.


  3. Insiders: Continuing reports of employee snooping and of physical theft of on-site devices and data disprove the old-fashioned theory that the best way to protect data is to keep it close to home. Insider incidents account for 15 percent of breaches (physical loss can be blamed for another 8 percent). Typically this involves an employee viewing records without a work-related reason. Of note, the number of breaches attributed to employees is on the rise, but they are generally easier to mitigate than external threats.


Though the healthcare industry was slower to adopt cloud computing than other industries, most healthcare providers and employers now overwhelmingly believe that patient and employee benefits data is safer being managed by a software-as-a-service (SaaS) company than it is with on-premise software. SaaS platforms are also more likely to have data engineers and software experts dedicated to continuously monitoring and guarding accounts against the above threats.


How can a company know if a SaaS provider can be trusted to provide secure custody of data? Verify that they understand the regulatory requirements and are strictly compliant with HIPAA, SSAE 16 and PCI.



Jesse Braasch

Vice President of Infrastructure and Operations at WEX Health

Jesse Braasch is the Vice President of Infrastructure and Operations at WEX Health, the largest Software as a Service (SaaS) company in the healthcare payment market today. His favorite saying is, “The most dangerous phrase in the English language is, ‘We’ve always done it this way!’” In the ever-changing, always dynamic world of consumer directed healthcare, Jesse’s dedication to innovation and excellence will continue to keep WEX Health at the forefront of the current healthcare revolution.

As the consumer driven healthcare industry grows exponentially, Jesse will help ensure WEX Health’s technical ecosystem has best-in-breed features, stability, security, and quality of service so the company is able to scale in parallel with the industry. Jesse’s passion is delivering creative yet rock solid technologies that truly solve the needs of the customer and enable speed to market.

Regarded as a veteran of the technology industry, Jesse has over twenty years of experience working for industry leading SaaS corporations and Fortune 500 companies. Most recently Jesse was Director of Infrastructure for XRS Corporation, a SaaS company providing trucking fleet management solutions, where he led server, storage, database, and IT operations teams. Prior to working at XRS, Jesse held technical and team leadership positions at Target Corporation, Fair Isaac Corporation, and Travelers Indemnity Company.

After serving in the United States Marine Corps, Jesse earned his Bachelor’s Degree in Information Technology from Capella University, and is currently pursuing his Masters of Science degree in Security. Jesse, his wife, and two teenage sons live in Maple Grove, MN, where he is an active volunteer in the community’s youth ice hockey association.

Jason Langston

Vice President of Infrastructure and Operations at WEX Health

Jason Langston leads the Enterprise Architecture and Application Security team at WEX Health. This team works closely with the IT Security, Compliance and Fraud teams to ensure the robust security and scalability of WEX Health Cloud. They run the software security assurance program, performing various tests, scans, attack models and reviews to identify, fix and prevent security issues. Jason has worked at WEX Health for 13 years and in the tech industry for almost 20 years in various technical and leadership roles, with a strong focus on architecture and security.