FTC report on IoT calls for update to HIPAA standards

A Federal Trade Commission report on how to reduce the security and privacy risks for consumers posed by the Internet of Things (IoT) has drawn criticism, even from one of the FTC's own commissioners.

The report is based on the November 2013 FTC workshop, "The Internet of Things: Privacy and Security in a Connected World," which was not specific to healthcare. The report focuses on four issues: security, data minimization, notice and choice.

The FTC's backing for data minimization--the notion that companies should gather and store less information, not more--has drawn the most heat.

Data minimization, according to the report, can help guard against two privacy-related risks: that larger data stores present a more attractive target for data thieves, and that they increase the risk that the data will be used in a way that departs from consumers' reasonable expectations.

Workshop participants advocated for providing more consumer notice and choice when data would be used in ways outside what people would normally expect. The report urges Congress to enact broad privacy legislation rather than IoT-specific privacy laws.

It also calls for more updated and consistent HIPAA standards. The report points out that healthcare applications are increasingly collecting the same sensitive information from patients as doctors' offices and insurance companies, through consumer-facing products not covered by HIPAA. "Consumers should have transparency and choices over their sensitive health information, regardless of who collects it," according to the report's authors.

However, Daniel Castro, director of the Information Technology & Innovation Foundation's Center for Data Innovation, described the report as "disheartening" for trying to "shoehorn old ideas on new technology."

"In calling for companies to reduce their use of data, the FTC misses the point that data is the driving force behind innovation in today's information economy," he said in a statement.

FTC Commissioner Joshua D. Wright also issued a dissenting statement, criticizing the report for making policy recommendations without evidence to back them up.

Earlier this month, in a speech at the International Consumer Electronics Show in Las Vegas, FTC Chairwoman Edith Ramirez spoke of the privacy risks that connected devices pose for health information.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

And last May, the FTC published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.
