Sponsored By

Your Medical Device Data is Not Safe From NSA's Prism

The scandal surrounding NSA's data gathering program means the government could also be looking at your medical device data.

June 11, 2013

5 Min Read
Your Medical Device Data is Not Safe From NSA's Prism

Edward Snowden is a name you'll be hearing a lot in the coming weeks. The 29-year-old former contract employee for the NSA has blown the whistle on NSA's top-secret Prism program, which aims to tap and blanket collect consumer data including emails, phone calls, chat logs, photos, videos, and more from some of the world's largest Internet companies – including Google, Apple, Microsoft,Yahoo, AOL, and Facebook. In short, the NSA, in it's counterterrorism efforts, has decided that, rather than working to specifically target data from terrorists and suspects, it's easier to just collect everyone's data and filter through it later.

Snowden's story was first broken by UK-based The Guardian, who revealed that the NSA had been given access to Verizon call data for all of Verizon's 98.9 million customers over a three-month period.


How is the NSA allowed to do this? While all of the details are not entirely clear, it all seems to fall under provisions outlined in the controversial Section 215 of the Patriot Act, which allows government to compel businesses to hand over user records if such information is deemed relevant to a foreign intelligence investigation. This includes medical records and medical data. And further, the Patriot Act prohibits doctors from informing patients when their records have been disclosed:


‘‘(d) No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section.” 


 Several tech giants are listed as "current providers" to Prism in an NSA document

So for all the quantified selfers and big data enthusiasts this means that all of your personal health data – from your AliveCor ECG readings, to your Fitbit vitals, all the way to your patient records and data from your implantable devices - is subject to government search and seizure if it rests inside the servers of any of the aforementioned companies. Any iPhone owners out there? How about Gmail users?


This is probably not a huge concern for those of us who are only keeping track of our heartrate or overall fitness level or even some device users. "When it comes to my health data, I don't consider privacy to be as important as access, transparency and control, which are much more vital to me," patient rights advocate Hugo Campos says, “I don't think data from an implanted defibrillator or pacemaker would be of much use to the NSA. These devices are not equipped with GPS and cannot geotag their readings (at least not for now). But I suppose it could be possible to look at a time-stamped heart rate or accelerometer data to show that a potential suspect was excited or physically active at the time a crime was being committed. Still, it doesn't worry me much.”


However, as the so-called Internet of Things continues to expand you'll be seeing more and more of your personal medical data transmitted wirelessly and over the Internet, and being made available to government without your prior knowledge. Add in the growing fears of medical device hacking and related patient safety and something out of an episode of Homeland starts to seem less and less like fiction.


“It's frustrating because it shows that we have very little access or control over the large amounts of data we generate,” Campos says. “When it comes to our health data, the consequences of this trend can be disastrous.” He cites the remote monitoring of cardiac devices as an example wherein data from a patient's implant is periodically collected, stored, and made available to physicians, but not patients.


“Patient data is extremely valuable to the corporation that manufactures these devices,” Campos says. “It is used for post-market surveillance of their products and for the surveillance of a competitor's product when a generator is paired up with leads from a different manufacturer. It has been referred to as "the currency of the future" by Ken Riff, a Medtronic executive. Still, patients continue to be denied access to it.”


Tech giants have denied having any involvement with Prism. Facebook CEO Mark Zuckerberg has called the allegations “outrageous.” And Steve Dowling, an Apple spokesman told The Washington Post, “We have never heard of Prism...We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.” Companies like Google share the same line, saying that they only divulge user data with specific law enforcement requests and only do so within the requirements of the law.


Yet a 41-page slide presentation detailing Prism that was acquired by The Washington Post (and has since been removed from its site) lists all of these companies as “Current Providers.”


The damage control will likely continue as more information about Prism is revealed and it will be interesting to see how device manufacturers will respond (if they choose to at all) once more patients realize their personal data could be at risk.



-Chris Wiltz, Associate Editor, MD+DI
[email protected] 

View Edward Snowden's full interview with The Guardian:



Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like