The Internet of Bodies

Opportunities, Risks, and Governance

by Mary Lee, Benjamin Boudreaux, Ritika Chaturvedi, Sasha Romanosky, Bryce Downing

Related Topics: Cybersecurity, Health Information Privacy

Internet-connected “smart” devices are increasingly available in the marketplace, promising consumers and businesses improved convenience and efficiency. Within this broader Internet of Things (IoT) lies a growing industry of devices that monitor the human body and transmit the data collected via the internet. This development, which some have called the Internet of Bodies (IoB), includes an expanding array of devices that combine software, hardware, and communication capabilities to track personal health data, provide vital medical treatment, or enhance bodily comfort, function, health, or well-being. However, these devices also complicate a field already fraught with legal, regulatory, and ethical risks. The authors of this report examine this emerging collection of human body–centric and internet-connected technologies; explore benefits, security and privacy risks, and ethical implications; survey the nascent regulatory landscape for these devices and the data they collect; and make recommendations to balance IoB risks and rewards.

Key Findings

Governance of IoB devices is managed through a patchwork of state and federal agencies, nonprofit organizations, and consumer advocacy groups

The primary entities responsible for governance of IoB devices are the FDA and the U.S. Department of Commerce.
Although the FDA is making strides in cybersecurity of medical devices, many IoB devices, especially those available for consumer use, do not fall under FDA jurisdiction.
Federal and state officials have begun to address cybersecurity risks associated with IoB that are beyond FDA oversight, but there are few laws that mandate cybersecurity best practices.

As with IoB devices, there is no single entity that provides oversight to IoB data

Protection of medical information is regulated at the federal level, in part, by HIPAA.
The Federal Trade Commission (FTC) helps ensure data security and consumer privacy through legal actions brought by the Bureau of Consumer Protection.
Data brokers are largely unregulated, but some legal experts are calling for policies to protect consumers.
As the United States has no federal data privacy law, states have introduced a patchwork of laws and regulations that apply to residents’ personal data, some of which includes IoB-related information.
The lack of consistency in IoB laws among states and between the state and federal level potentially enables regulatory gaps and enforcement challenges.

Recommendations

The U.S. Commerce Department can put foreign IoB companies on its “Entity List,” preventing them from doing business with Americans, if those foreign companies are implicated in human rights violations.
As 5G, Wi-Fi 6, and satellite internet standards are rolled out, the federal government should be prepared for issues by funding studies and working with experts to develop security regulations.
It will be important to consider how to incentivize quicker phase-out of the legacy medical devices with poor cybersecurity that are already in wide use.
IoB developers must be more attentive to cybersecurity by integrating cybersecurity and privacy considerations from the beginning of product development.
Device makers should test software for vulnerabilities often and devise methods for users to patch software.
Congress should consider establishing federal data transparency and protection standards for data that are collected from the IoB.
The FTC could play a larger role to ensure that marketing claims about improved well-being or specific health treatment are backed by appropriate evidence.