Cybersecurity

Withings urinalysis product is latest health app to send sensitive data online, raising leakage concerns

The laws governing the use of and security parameters around health data are less clear than you’d expect, one expert says.
article cover

Francis Scialabba

· 3 min read

French health IT firm Withings made a splash at CES ’23 in January with their U-Scan urine analyzer—but the product, which transfers personal medical information to the cloud, has raised questions about health data security.

U-Scan is a small, flat, circular device that sits in your toilet bowl. It analyzes your urine and sends that information to a medical cloud run by a third-party partner in Europe, ASIP Santé.

It’s that transfer of information—sensitive health information that could reveal private information about the patient’s personal well-being—that puts the data into a digital space where it could, potentially, be hacked.

Julius Dewavrin, a product manager at Withings, told IT Brew at CES that the company takes security seriously—not just for U-Scan but for its other medical products, like its scales and blood pressure monitors, as well. In 14 years of operations, Dewarvin claimed, Withings has never been shut down by a hack, attributing this to the work of the company’s IT department.

“We are audited on a regular basis to check if all data is safe and secure,” Dewavrin said. The data is also encrypted, he added, and not tied to a user’s name or identity.

You’re in luck. While it’s possible that a hacker could penetrate Withings, Dewarvin believes that’s unlikely.

“Many global companies are attacked on a daily basis,” Dewavrin said. “The team is prepared for the better or worse attack.”

Hip-HIPAA hooray. Questions surrounding health data come from a real uncertainty on the part of consumers and providers alike with respect to protections, according to Jon Moore, senior VP and chief risk officer at health IT security firm Clearwater.

“You’ve wandered into a bit of a gray area in terms of data privacy and regulation in the US,” Moore told IT Brew. “Most people in the US assume that their data is going to be secured, in particular data associated with their health.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The central issue is that the Health Insurance Portability and Accountability Act (HIPAA) is supposed to protect your health data and provide privacy protections. According to Moore, however, there’s a fundamental lack of understanding over what the law actually applies to. He said the law is intended for “organizations that are involved in the transmission of electronic protected health information for purposes of, typically, transactions like billing, coding, that kind of thing.”

“If you’re a doctor in the US, but you don’t take insurance, so you’re not sending electronic payment information, you don’t fall under HIPAA,” Moore said. “HIPAA is a lot narrower than most people understand,” he said.

Withings, not being a healthcare provider, likely doesn’t fall under HIPAA, but Dewavrin told IT Brew that Withings abides by HIPAA regulations in the same way it abides by GDPR regulations in the EU.

One thing’s for sure, Moore said: We probably shouldn’t expect too many changes at the regulatory level when it comes to healthcare data.

“It’s really difficult for me to envision us completely flipping the US position on personal data on its head, and moving completely to more of a European model,” Moore told IT Brew. “That would probably be too much of a leap. The impact of businesses would be dramatic.”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected].

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.