Data practices of internet of medical things: A look from privacy policy perspectives

Abstract

The Internet of Medical Things (IoMT) is an important enabler for improving healthcare through collecting, processing, and analyzing sensitive medical data of unprecedented volume. While the data collection on the body, in the home, or in hospital settings helps revolutionize healthcare, it endangers privacy and exposes users to network vulnerabilities. Furthermore, there is a lack of transparency in the data practices of the IoMT devices. We seek to explore the data practices of IoMT devices found in smart homes and identify trends and potential outliers. We leveraged legal frameworks (i.e., HIPAA, CalOPPA, COPPA) and expert opinions to develop a Privacy Policy Assessment Questionnaire (PPAQ) to evaluate the privacy posture of IoMT devices (i.e., weight scales, blood pressure monitors, continuous glucose monitors). We evaluated 20 IoMT privacy policies according to the PPAQ's seven privacy factors: General Data Collection, Data Sharing, Data Retention, Data Protection, User Choice, and Children's Personal Information. The results show the presence of the privacy factors, but the statements are general and do not provide specificity to describe relevant privacy concerns. For example, more than 85% (17/20) of the privacy policies mention children, but more than half of those policies do not explain how they handle the unintentional collection of children's personal information. Additionally, most privacy policies indicate data retention, but only three privacy policies provided time frames for the retention periods. This study underscores that privacy policies fail to inform and support users and demonstrates a need to investigate the prevalence of device identifiers as a tracking technology among IoMT devices. • Most policies cover privacy-related factors, however the coverage lacks specificity. • Health information is the fourth most discussed data type in IoMT privacy policies. • Data protection responsibility is disproportionately placed on users. • IoMT devices use device identifiers for tracking.