Medical wearables under the microscope: U.S. regulatory, data privacy and cybersecurity perspectives

Related people: Anna Rudawski, Partner, New York; Erica Cook, Associate, Chicago

Wearable tech is everywhere: smart rings that track our every move, medical devices that can time and dose meds, luxury smartwatches… But as we obsess over our step counts and sleep scores, bigger questions arise. Are unseen eyes—doctors, developers, data brokers—also watching? Who’s protecting our data, and what boundaries—if any—exist at this rapidly expanding digital frontier?

Here, we clarify the complex and evolving U.S. regulatory framework around medical devices and wearables. We also explore their associated privacy and cyber risks—and explain the responsibilities of developers and end-users. 

The default assumption in the U.S. is that all health data is regulated by the Health Insurance Portability and Accountability Act (HIPAA). However, in reality, health data privacy is regulated by a patchwork of federal laws, agency rules, and a maze of state regulations. HIPAA is just one piece of a much bigger, messier puzzle.  

Nonetheless, when considering the privacy of health data, HIPAA is a good place to begin. HIPAA applies to three kinds of “covered entities”—healthcare providers, health plans, and healthcare clearinghouses (effectively middlemen that help collect payments and check claims from healthcare providers for errors before forwarding them to health plans for processing). It also picks up third parties and vendors, known as “business associates”, that access protected health information (PHI) as part of the services they provide to covered entities. Organizations that fall outside those categories (i.e., neither a covered entity nor a business associate) are not subject to HIPAA.

Why much of the life sciences and wellness industry is beyond HIPAA’s reach

This leaves a broad swath of the life sciences and health and wellness space beyond HIPAA’s reach: pharmaceutical companies, health tracking apps, and certain providers that exist outside of the insurance market. In fact, it’s often more accurate to think of HIPAA as regulating participants in the U.S. health insurance system, rather than the entire healthcare ecosystem. As a result, despite consumer expectations, HIPAA may not apply to the wearable, device, or the company that develops it—even if it does apply to the entity using it. 

Moreover, the U.S. Department of Health and Human Services (HHS) has clarified this point. In a 2005 FAQ, HHS states that “a medical device company is not providing ‘health care’ if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals”. It also notes that in those cases, the device manufacturer is governed by the Food and Drug Administration (FDA). This means that a healthcare provider may be subject to HIPAA but the manufacturer of the device or wearable may be wholly exempt.

For example, a doctor may be able to access device-level data from a continuous glucose monitoring system or a direct-to-consumer sleep tracker. The healthcare provider then feeds that data into an individual’s health record and treatment plan, thus creating PHI. However, the device manufacturer may never access that data or provide treatment advice. 

Even if it does access that data, it still does so outside of the scope of HIPAA. There is no covered entity or business associate relationship; it is simply the maker. And the user is just that—a consumer, not a patient. However, this does not mean the device maker is off the hook as far as health data privacy is concerned. For the purposes of that activity, the device manufacturer is subject to the FDA’s jurisdiction, while the loss of any personal data may be covered by other healthcare privacy laws, like the Federal Trade Commission’s (FTC) health breach notification rule and state breach notification laws.

At the same time, there remain circumstances where a device manufacturer may be subject to HIPAA. More often than not, this relates to how the device or a connected app is serviced. For example, in the above scenario, if the device manufacturer creates a connected app for its glucose monitor and that app is designed to allow a healthcare provider to directly access the app and manage patient care, the manufacturer and app are now within HIPAA’s scope because the app is in the care chain. 

FDA relatively quiet on privacy and cyber—until now

While the FDA is the primary regulator of medical devices, it has been less prolific when it comes to privacy and cybersecurity rules. This is despite the agency repeatedly stating that cyber is a top concern. 

That may be starting to change. The Consolidated Appropriations Act of 2023 established mandatory cybersecurity requirements applicable to the marketing of new “cyber devices” (i.e., medical devices). The act empowered the FDA to enforce compliance with these requirements through warning letters, mandatory recall and remediation, withdrawal or denial of market approval, civil penalties, and in certain cases, criminal sanctions. 

In June 2025, the FDA published guidance with cybersecurity recommendations for premarket approval of medical devices, including use of a Secure Product Development Framework (SPDF), a set of processes to identify and reduce vulnerabilities through the device lifecycle (design, development, release, support, and decommissioning). The guidance also sets forth special requirements for developers and manufacturers of “cyber devices” with software, internet connectivity, and technology features that could be vulnerable to cybersecurity threats. Cyber device developers and manufacturers must include the following information with their premarket submissions:

  • a cybersecurity management plan;
  • documentation of processes and procedures to ensure reasonable assurance of cybersecurity (e.g., implementation and documentation of security controls and cybersecurity testing); and
  • a software bill of materials (SBOM) that identifies all proprietary, commercial, open-source, and off-the-shelf software components along with their support status and end-of-support dates.
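As an added illustration of the SBOM item above (example code written for this article, not from the FDA or any manufacturer), the following Python script scans a constructed CycloneDX-style SBOM and flags components that are unsupported, past their end-of-support date, or missing that metadata altogether. The `fda:supportStatus` and `fda:endOfSupport` property names are assumptions chosen for the example, not fields defined by CycloneDX or the FDA guidance.

```python
# Added example: flag SBOM components that are unsupported or lack an
# end-of-support date. `fda:supportStatus` / `fda:endOfSupport` are assumed
# property names chosen for this illustration, not a standard field.
import json
from datetime import date

# Constructed sample SBOM; component names and dates are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "tls-stack", "version": "2.4.1",
         "properties": [{"name": "fda:supportStatus", "value": "supported"},
                        {"name": "fda:endOfSupport", "value": "2028-06-30"}]},
        {"type": "operating-system", "name": "rtos-kernel", "version": "1.9",
         "properties": [{"name": "fda:supportStatus", "value": "end-of-life"},
                        {"name": "fda:endOfSupport", "value": "2023-01-31"}]},
        {"type": "library", "name": "ble-driver", "version": "0.7",
         "properties": []},
    ],
})

def _prop(component, key):
    """Return the value of a named CycloneDX property, or None if absent."""
    for p in component.get("properties", []):
        if p.get("name") == key:
            return p.get("value")
    return None

def find_support_gaps(sbom_json, today_iso):
    """Return [(name, version, reason)] for components needing attention; today_iso is YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    gaps = []
    for c in json.loads(sbom_json).get("components", []):
        name, version = c.get("name", "?"), c.get("version", "?")
        status, eos = _prop(c, "fda:supportStatus"), _prop(c, "fda:endOfSupport")
        try:
            expired = eos is not None and date.fromisoformat(eos) < today
        except ValueError:          # malformed date: treat as not provided
            eos, expired = None, False
        if status is None or eos is None:
            gaps.append((name, version, "missing or invalid support metadata"))
        elif status != "supported" or expired:
            gaps.append((name, version, f"unsupported since {eos}"))
    return gaps

if __name__ == "__main__":
    for name, version, reason in find_support_gaps(SAMPLE_SBOM, "2026-01-01"):
        print(f"{name} {version}: {reason}")
```

Run against a real SBOM, the same check belongs in the release pipeline, so a component reaching end of support after approval is caught rather than discovered in a warning letter.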

Enforcement, however, has been spotty. Since 2023, the FDA has issued several warnings in relation to medical devices where cybersecurity vulnerabilities could cause the device to malfunction, enable remote access, or allow the alteration of sensitive data. In July 2023, it also issued a mandatory recall of DNA sequencing systems for remediation of a known vulnerability. In that case, the manufacturer’s compliance with the FDA’s conditions was not the end of the story.

The DOJ brought claims alleging the manufacturer violated the False Claims Act by knowingly selling the systems to federal agencies without an adequate cybersecurity program to sufficiently identify and address such vulnerabilities. In 2025, the manufacturer entered into a settlement of USD9.8 million with the DOJ to resolve the allegations. 

To avoid the risk of FDA and other agency enforcement, developers and manufacturers should consider, and many already are, voluntarily recalling their cyber devices or pushing out patches for identified or potential weaknesses.

FTC is primary regulator for consumer healthtech companies beyond scope of HIPAA

The FTC has become the primary regulator for the rapidly growing sector of consumer-facing health technology companies that fall outside the scope of HIPAA.  

As of early 2010, the FTC Health Breach Notification Rule (HBNR) covered businesses that offer products and services (e.g., online services, mobile apps, and connected devices) directly or indirectly related to personal health records (PHR). 

Initially, PHR referred to electronic individually identifiable health information collected from multiple sources and managed by or for individuals. However, since 2021, the FTC has clarified that the HBNR applies to PHR regardless of whether it is collected from multiple sources, broadening the landscape of companies that must comply with the HBNR’s breach notification obligations.  

Notably, a failure to comply constitutes an unfair and deceptive trade practice under Section 5 of the Federal Trade Commission Act. Here, the FTC has been successful in obtaining significant monetary and structural remedies against businesses with consumer-facing health apps, wearables, telehealth platforms, and ancillary services. 

When does a healthcare or wellness app, or wearable, become a medical device? 

Is the mobile app that sends you wellness tips or the smart watch that tracks your heart rate considered an FDA-regulated medical device? The answer is that it depends on its intended use and the functions it performs. 

A healthcare app or wearable becomes an FDA-regulated medical device when (i) it performs (or transforms a device to perform) functions that are intended to diagnose, cure, mitigate, treat, or prevent disease or otherwise affect the structure or function of the body; or (ii) is marketed with claims that it may perform such functions. 

The FDA also regulates apps that are accessories to regulated medical devices. For example, a healthcare app that provides insulin dose calculations based on user-entered glucose readings would be considered an FDA-regulated medical device because it performs diagnostic functions and provides treatment recommendations for a specific disease and/or person. Conversely, an app or wearable that merely collects, stores, and transmits health information without interpreting it, like a running watch or calorie intake tracker intended to encourage a healthy lifestyle, is not considered an FDA-regulated medical device. However, such apps and devices remain subject to other federal and state consumer protection and privacy regulators and laws. And the line between the two can be blurry for developers and consumers.

Unique risks to wearables and medical devices 

Medical devices and the systems that support them are susceptible to the same cyber attacks as other technologies. These include ransomware strikes, distributed denial of service (DDoS) attacks, which are intended to disrupt the availability of an app or device, and even surveillance operations that use devices or wearables to collect sensitive data. 

However, because a medical device is a piece of operational technology, some specific risks are worth addressing. The first is jailbreaking.

Jailbreaking is the unauthorized modification of a device’s software or firmware to bypass manufacturer settings and restrictions, usually to enable features or functions not added by the manufacturer. Jailbreaking is not necessarily malicious and indeed is often done by users or patients. For example, medical devices from different manufacturers often cannot directly communicate with each other, meaning that hardware such as glucose monitors and insulin pumps may be controlled by separate apps. However, it may be possible for a configuration modification to enable users to control both devices from the same app; the benefit to the user is increased functionality, but the additional egress channel to an unvetted app introduces risk to the system. Jailbreaking circumvents manufacturer-installed security controls, firmware integrity checks, and encryption protocols that may be integral to safeguard the functions performed and personal data processed by medical devices. 

Following an alteration, the reliability of the device’s authentication mechanisms, audit logs, and transmission safeguards can no longer be assured. Moreover, the altered firmware often disables automatic security updates and patches, which can create opportunities for “zero-day exploits” (whereby threat actors leverage vulnerabilities unknown to the manufacturer to gain entry to systems) and the deployment of malware to access, manipulate, or delete patient data.

‘Jailbreaking’ poses threat to interconnected healthcare ecosystems

Equally troubling is the broader security cascade that jailbroken devices can precipitate within interconnected healthcare ecosystems. Compromised wearables frequently interface with mobile applications, cloud dashboards, and electronic health record platforms through unsecured APIs or peer-to-peer protocols. 

This enables attackers to move into more robust clinical networks and facilitates cybersecurity events that can have far-reaching effects. Falsified or corrupted data streamed from a jailbroken device could induce erroneous clinical interventions or cause a device to stop functioning properly, posing direct threats to patient safety and exposing healthcare providers and device manufacturers to substantial tort liabilities. 

Further, insurers, regulators, and litigants may consequently view the continued use of jailbroken hardware as negligence per se, emphasizing the importance of comprehensive security policies, device procurement standards, and ongoing monitoring frameworks to mitigate this multifaceted risk.

Malicious actors could disable medical devices’ life-sustaining functions or interfere with them to deliver incorrect dosages, potentially resulting in injury or death. Moreover, attacks that focus on making small changes on the device can be difficult to detect. 

Then there is the added challenge presented by the fact that medical devices are often expensive, with users reasonably expecting them to remain functional and supported for many years. 

Unlike consumer electronics, where an unsupported laptop or smartphone may be inconvenient, the consequences of a medical device becoming an unsupported “legacy” system can be dangerous. 

When manufacturers discontinue updates or support, patients may be left using devices with known vulnerabilities and no path to remediation. Additionally, expecting users, who may be elderly, ill, or lack technical expertise, to consistently install software updates is unrealistic, even though those updates may be critical to address cybersecurity flaws. This gap between device longevity, user capability, and ongoing security support creates a persistent risk that is unique to the medical device ecosystem.

Solutions require collaboration between stakeholders

Wearables and connected medical devices are reshaping how we live our lives, but are evolving in a legal landscape that remains, at best, fragmented. In the U.S., a single data point captured on a device can migrate through a series of regulatory regimes: it falls under HIPAA once ingested by a provider’s electronic health record system; it may then be subject to FDA oversight if the underlying functionality crosses the line into diagnosis or treatment; and it may also fall within the scope of the FTC’s HBNR.

To add further complexity, overlaying those statutory touchpoints is a growing body of cybersecurity expectations and risks, all anchored by the FDA’s cyber requirements and enforced through recalls, warning letters, and even False Claims Act liability. 

As we become more tethered to our devices, the questions will only get harder. Finding the solutions will require lawmakers, developers, and consumers to understand the regulatory framework’s shortcomings and strengths, as well as the cyber risks associated with our increasingly connected selves.