Journalists should distinguish between “Internet of Bodies” medical devices that are regulated by the Food and Drug Administration, and consumer devices that are mostly unregulated – and may pose privacy, cybersecurity and equity risks, Mary Lee of the RAND Corporation told NPF data privacy fellows.
4 takeaways:
➀ Connected devices that collect data on the human body are evolving into an ecosystem. The “Internet of Bodies” is a subset of the Internet of Things that collects a person’s health or biometric data (like an Apple Watch or Fitbit) or alters the human body’s function (like a smart insulin pump), explained Mary Lee, a mathematician at the RAND Corporation. They include watches, rings and smartphone apps that track steps, heart rate and maybe how much alcohol you drank last night. There are also attention monitors – glasses that use brain activity and eye movements that might vibrate if they think you’ve spaced out. “I’ve heard of them being used in schools in China to make sure that students are paying attention,” Lee said.
➁ Implantable and ingestible devices are (usually) regulated by the FDA but consumer devices are not. These include pacemakers that upload data to a cardiologist and pills that contain sensors that record whether medication was taken. So far, pills that transmit to a mobile app for patient compliance have been approved for schizophrenia and chemotherapy. These medical devices are regulated by the FDA and must adhere to guidelines that cover privacy and cybersecurity.
Lee is concerned that they may improve health outcomes but widen inequality in healthcare treatment. Moreover, she noted the recent spate of ransomware attacks on hospitals that have exposed patient data. Finally, the FDA has begun to regulate some software.
“There’s FDA-approved apps on your watch, which is the consumer device but has some medical angles to it. To me, the landscape is a little bit murky and confusing right now,” Lee said.
➂ There are plenty of fascinating angles for journalists to explore. Lee flagged a number of unanswered questions, including: Can we be free from the Internet of Bodies, as devices can be used to track people without their consent? What are the rules governing employer use of devices to track their employees, or authorities using ankle monitors to track incarcerated people or immigrants awaiting a hearing under the ICE “alternative to detention” program?
“Then there’s the question of body autonomy and integrity,” Lee said. “Once a device is implanted inside of you, for example, are you free to modify it as you like once it’s inside your body? What does that mean in terms of software end-user license agreements?… Will the device still be under warranty, for example, if you mess with it but it’s a part of you?”
The courts have yet to weigh in, Lee noted. In Ohio, police issued a warrant for the pacemaker records of a man named Ross Compton, who was charged with arson when his alibi did not match his heart data. Compton’s lawyers objected, but a judge ruled the pacemaker data was admissible at trial. Compton died before the appeals court could rule on the matter, so there is no legal precedent now, Lee said.
➃ Are we ready for this? There is a patchwork of regulations and state laws, including efforts to regulate data brokers, and some voluntary security standards, but Internet of Bodies technology is moving faster than policy can keep up. “In my mind, the question is, the Internet of Bodies is already here, but are we ready for its implications?” Lee said.
This program was sponsored by Arnold Ventures and Medtronic. NPF is solely responsible for the content.





