As remote patient monitoring gains prevalence across healthcare, there are both benefits and challenges for clinical and IT leaders to grapple with. Cybersecurity has long been a challenge to be managed for implantable devices and remote monitoring systems, of course. But one under-appreciated risk with RPM wearables is that cyber bad actors could exploit an underprotected entry point to alter a device's output.

Without a mechanism to prove who is actually wearing a device, healthcare providers cannot verify the user, the context or the authenticity of a wearable device's signal.

Were an attack to manipulate remote device data or threaten to expose patient health information, it could also reduce confidence in a remote patient monitoring program, said Ricardo Amper, founder and CEO of Incode Technologies, a biometric authentication company.

We caught up with Amper to discuss wearable device security challenges, data-hoarding trends, tips to help prevent RPM security breaches, and why baseline requirements in the industry must change.

Q. Why are wearables, compared with other connected devices, higher cybersecurity risks for provider organizations?

A. Most connected devices sit at the edge of a network. Wearables sit on a person's body, and that changes the entire risk profile. These devices are always on, continuously collecting and feeding data into portals and care workflows. The attack surface is not just a laptop, phone or network endpoint. It's an intimate, persistent data stream tied directly to someone's physical health, and that data is already among the most valuable targets in the cybercrime economy. Last year, one study, Privacy in Consumer Wearable Technologies, found that stolen healthcare records could be worth up to $250 each, compared with a few dollars for a payment card, because they contain far more comprehensive personal information.

What makes this especially dangerous for providers is that wearable sensors are inherently dual-use. An accelerometer designed to track a patient's gait can also reveal their daily routines. A bio-acoustic sensor meant to detect a tap can localize interactions far beyond its intended function. And the threat isn't only what is collected today, but what can be inferred later. Researchers describe this as "data hoarding" – companies gather biometric signals now and, in the future, apply more powerful AI models to extract insights patients never consented to share.

Unlike a compromised laptop, you can't simply wipe a wearable and start over. The data has already been collected, transmitted and, in many cases, analyzed. This is also why trust has moved to the center of the conversation. Patients are increasingly asking their providers harder questions about who sees it, where it goes and how it's protected. For providers, that means a wearable security issue can quickly become a privacy issue, a clinical trust issue and a patient safety issue, all at the same time.

Q. What are the key challenges to wearable device security for providers that might allow them to connect to their portals?

A. The fundamental problem is that most wearable manufacturers build for consumer convenience, not clinical trust, and those two postures have very different security standards. In the Privacy in Consumer Wearable Technologies study, a systematic review of 17 leading wearable manufacturers found that 65% have no formal vulnerability disclosure program, while 76% received high-risk ratings for transparency reporting. In plain terms, many of the devices providers are inviting into their environments do not yet meet the governance expectations that healthcare organizations would normally apply to systems that touch sensitive patient data.

When a provider connects a wearable to their portal, they inherit whatever security the manufacturer built, which can be compromised through attacks. They also inherit data collection that often exceeds clinical need, along with a consent framework that is, in practice, fictional. The deeper challenge is that providers can't simply audit their way out of this. The missing layer in most wearable architectures isn't encryption or breach notification. It's identity. There's typically no strong verification of who is actually wearing the device, no authentication before sensitive data is transmitted and no attestation of context. Without that foundation, providers are making clinical decisions on a data stream they can't fully trust.

Q. You have used the term "ransomware for the body." How would such a scenario actually play out, and what are the security risks for providers and other healthcare organizations?

A. The term comes from peer-reviewed academic work, and it's worth taking seriously because it captures something traditional cybersecurity framing misses. With conventional ransomware, an attacker locks your files and demands payment. With wearables, the leverage can shift from files to bodily signals, behavioral patterns and sensitive inferences. Those pathways matter because they could allow an attacker to manipulate device outputs, expose sensitive information or undermine confidence in the data stream itself.

For provider organizations, the downstream risk is significant. Manipulated wearable data can corrupt clinical decision-making at scale. Exposed biometric inferences damage the relationship between patients and the care teams they rely on, and weaken confidence in remote monitoring programs that healthcare systems have spent years building. Healthcare already operates under intense attack pressure, and wearables represent a new, underprotected entry point into environments that adversaries have spent years learning to exploit. The prudent framing is not whether this risk is theoretically possible, but whether healthcare organizations are prepared before it becomes operationally real.

Q. How can regulators and the health tech developer industry protect patients and providers from wearable security breaches?

A. Current regulatory frameworks like HIPAA and Europe's General Data Protection Regulation were not designed for continuous, always-on biometric streams from devices that can both observe and influence the body. They focus heavily on what data is collected and stored, and not enough on what can be inferred from it over time, which is where most of the real risk lives. Regulators need sector-specific standards for body-level data: stricter rules on biometric and health-adjacent signals, clear limits on secondary use, mandatory vulnerability disclosure programs and accountability for inference, not just collection.

On the industry side, the default has to change. Privacy by design – meaning minimizing what's collected, processing locally on-device wherever possible, enforcing strict purpose limitation and making consent genuinely understandable – needs to become a baseline requirement rather than a competitive differentiator. And the conversation has to expand beyond encryption and breach notification to identity. Verifying the right person, on the right device, in the right context is the structural intervention that closes the gap between data collection and data exploitation.

Providers shouldn't wait for regulation to catch up, and patients are no longer willing to wait either. The most important step healthcare organizations can take today is to treat every wearable integration the way they'd treat any third-party system connecting to a sensitive clinical environment, with rigorous security review, defined data governance, clear policies on what data flows where and an explicit identity layer governing access. The standard has to be higher because this isn't app data. It's data from the body, and earning the right to handle it well is becoming one of the most important responsibilities a provider has.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
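As an added illustration (the editor's, not code from Incode or anything Amper describes) of the "right person, on the right device, in the right context" gate the interview calls for: a portal-side check that accepts a wearable reading only if its device signature verifies, it carries an unexpired wearer-verification token bound to that same device, and it is fresh and not a replay. Device ids, keys, the token and envelope formats and the sample reading are all constructed for the example; a real deployment would hold the device key in a secure element rather than a shared HMAC secret.

```python
import hmac
import hashlib
import json

# Constructed example material, not a real enrollment registry.
PORTAL_KEY = b"portal-signing-key-example"
DEVICE_KEYS = {"wearable-123": b"device-key-example"}  # device_id -> key set at enrollment
FRESHNESS_SEC = 60                                      # reject readings outside this window
last_seq = {}                                           # device_id -> highest sequence accepted

def canon(obj):
    """Deterministic JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key, obj):
    return hmac.new(key, canon(obj), hashlib.sha256).hexdigest()

def issue_wearer_token(wearer_id, device_id, now, ttl=3600):
    """Portal issues this after verifying the wearer; it binds person <-> device <-> time."""
    body = {"wearer": wearer_id, "device": device_id, "exp": now + ttl}
    return {"body": body, "sig": mac(PORTAL_KEY, body)}

def sign_reading(device_id, token, seq, payload, now):
    """Device side: MAC the whole envelope, token included, so nothing can be swapped in transit."""
    body = {"device": device_id, "token": token, "ts": now, "seq": seq, "payload": payload}
    return {"body": body, "sig": mac(DEVICE_KEYS[device_id], body)}

def verify_reading(env, now):
    """Portal-side gate: right device, right person, right context (fresh, not replayed).
    Returns (True, wearer_id) on acceptance or (False, reason) on rejection."""
    body = env["body"]
    dev = body.get("device")
    if dev not in DEVICE_KEYS:
        return False, "unknown device"
    if not hmac.compare_digest(env["sig"], mac(DEVICE_KEYS[dev], body)):
        return False, "bad device signature"        # tampered payload or forged device
    tok = body["token"]
    if not hmac.compare_digest(tok["sig"], mac(PORTAL_KEY, tok["body"])):
        return False, "bad wearer token"             # wearer was never verified by the portal
    if tok["body"]["device"] != dev or tok["body"]["exp"] < now:
        return False, "token not bound to this device or expired"
    if abs(now - body["ts"]) > FRESHNESS_SEC:
        return False, "stale timestamp"              # wrong context: not a live reading
    if body["seq"] <= last_seq.get(dev, 0):
        return False, "replayed sequence number"
    last_seq[dev] = body["seq"]
    return True, tok["body"]["wearer"]
```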
Wearables data pose a vulnerability that could undermine RPM programs
By manipulating biometric data-collection streams, cyber bad actors could corrupt the clinical decision-making of remote care teams. Identity-verification tools can help close the gap between data collection and potential exploitation.