Wearables Are Not Personal Devices: They Are Vulnerable Points Inside Critical Systems

Wearables are often treated as personal technology. In reality, they are connected vulnerable points embedded within critical systems. This ISI paper examines how smartwatches, trackers, and connected devices create hidden governance exposures across healthcare and enterprise environments.


By the Institute for Systems Integrity (ISI)
Co-authors: 

Kishore Madhusudanan, B.Tech, CISM, EMBA (Melbourne Business School)

Security Architect | Zero Trust & Cloud Security Resilience Architecture | Executive MBA | Certified Information Security Manager

Dr Alwin Tan, MBBS, FRACS, EMBA (Melbourne Business School)

Senior Surgeon | Governance Leader | HealthTech Co-founder
Harvard Medical School — AI in Healthcare
Australian Institute of Company Directors — GAICD candidate
University of Oxford — Sustainable Enterprise

(Disclaimer: The views and opinions expressed in this post are strictly those of the authors in their personal capacity. They do not necessarily reflect the official policy or position of any current or former employer, organisation, or affiliate.)


Healthcare organisations do not consider wearable devices part of their critical infrastructure.

That assumption is no longer defensible.

Smartwatches, fitness trackers, smart glasses, and biometric sensors are now always-on, continuously connected, and embedded in human workflows. They move with clinicians, administrators, executives, and patients across physical, digital, and organisational boundaries.

They are not external to the system. They are inside it as vulnerable points that organisations often fail to see or manage.

This is Not a Device Problem; It is a System-Integrity Problem

Most discussions about wearable risk focus on technical specifics:

  • Bluetooth vulnerabilities
  • Weak encryption
  • App permissions
  • Privacy controls

While these are valid concerns, they are not the primary issue. The deeper problem is structural. Wearables are human-attached vulnerable points embedded in tightly connected systems without corresponding governance, oversight, or accountability. This is where system integrity begins to erode.

The System-Stress Lens: Why This Matters Now

When viewed through a system perspective, wearable technologies sit within environments characterised by high connectivity, dependence on real-time data, and increasing digital integration. These conditions are well described in recent literature on wearable health monitoring systems, which highlights their reliance on continuous sensing, wireless communication, and cloud integration (Zhang and Chen, 2025).

Wearables amplify these conditions by introducing:

  • Continuous behavioural and physiological data generation.
  • Large-scale deployment across diverse populations.
  • Limited visibility into device behaviour and autonomous data flows.

At the same time, governance has not kept pace. Many organisations do not classify wearables as part of their system architecture or assign ownership of wearable-related risk. They assume a rigid boundary between "personal" and "organisational" technology that effectively no longer exists. This creates predictable outcomes: silent data leakage, undetected reconnaissance, and indirect pathways into organisational systems.

The Evidence: Systemic Breaches, Not Isolated Events

Recent history illustrates how modern healthcare systems fail through connected dependencies rather than isolated compromise.

  • New Zealand (2023–2024): A breach involving the ManageMyHealth patient portal exposed sensitive clinical records, affecting multiple general practices. This demonstrated how a single "trusted" node can compromise a national network (RNZ, 2024).
  • United States (2024): The Change Healthcare ransomware attack disrupted claims processing nationwide, proving that system-wide failure can occur even when local hospital systems remain intact (American Hospital Association, 2024).

These incidents demonstrate a consistent pattern: systems fail because connected vulnerable points exist across the system without sufficient oversight. Wearables sit directly within this pattern.

Where Wearables Fit Into This Risk Landscape

The literature shows that wearables create three critical exposure pathways (Zhang and Chen, 2025; Peker et al., 2022):

  1. Behaviour Becomes Intelligence: Wearables generate data on movement, location, and physiological activity. Research shows this data can be used to infer behavioural patterns and routines (Kounoudes et al., 2023). What appears to be personal data becomes operational intelligence.
  2. Wireless Exposure Enables Passive Observation: Bluetooth Low Energy (BLE) communications can expose identifiers when implementations are weak (Peker et al., 2022). Passive observation can enable device identification and traffic analysis without triggering traditional security alerts (Silva-Trujillo et al., 2023).
  3. Ecosystems Amplify Risk: Vulnerabilities often arise from interactions across smartphones, applications, and cloud platforms (Timofte et al., 2025). Each integration creates a new vulnerable point.
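The second pathway above turns on whether a wearable broadcasts a persistent identifier. The following is an added example (not part of the ISI paper and not the authors' code) showing how an organisation could audit its own Bluetooth environment from a defender's side: it classifies the address type carried in each BLE advertisement according to the Bluetooth Core Specification rules (public vs. random; for random addresses the top two bits distinguish static, resolvable-private and non-resolvable-private) and reports which devices remain linkable across the capture, either because the address never changes or because a static local name undoes the privacy benefit of a rotating address. The capture lines, device names and addresses are constructed for illustration; a real audit would feed it records from an HCI trace of the organisation's own premises.

```python
"""Audit BLE advertisements for persistent identifiers (added example, not ISI code)."""
from collections import defaultdict

# Constructed sample capture: (seconds, tx_add, address, local_name).
# tx_add is the advertising PDU flag: 0 = public address, 1 = random address.
# All addresses and names are hypothetical.
SAMPLE_ADVERTISEMENTS = [
    (0,   0, "00:1A:7D:DA:71:13", "WARD-TRACKER-07"),  # public address: never changes
    (900, 0, "00:1A:7D:DA:71:13", "WARD-TRACKER-07"),
    (0,   1, "C4:5B:2A:11:90:EE", "FitBand"),          # static random (top bits 11)
    (900, 1, "C4:5B:2A:11:90:EE", "FitBand"),
    (0,   1, "5E:13:A0:44:0C:21", None),               # resolvable private (top bits 01)
    (900, 1, "7B:9F:01:3C:D2:08", None),               # another RPA, not linkable here
    (0,   1, "4A:77:E1:20:B5:9D", "Dr-Smith-Watch"),   # RPA rotates, but the name is static
    (900, 1, "6D:02:C9:8E:14:AF", "Dr-Smith-Watch"),
]

PERSISTENT_KINDS = ("public", "random_static")


def classify_address(tx_add, addr):
    """Return the BLE address kind per Core Spec Vol 6 Part B 1.3.

    tx_add == 0 means a public (IEEE-assigned) address. For random addresses the
    two most significant bits of the 48-bit value select the sub-type:
    11 = static, 01 = resolvable private, 00 = non-resolvable private.
    """
    if tx_add == 0:
        return "public"
    top_byte = int(addr.split(":")[0], 16)
    top_bits = top_byte >> 6
    return {
        0b11: "random_static",
        0b01: "random_resolvable",
        0b00: "random_nonresolvable",
    }.get(top_bits, "random_reserved")


def assess_capture(advs):
    """Return {identifier: finding} for every device that stays linkable across
    the capture, with the reason and the set of addresses it was seen under."""
    findings = {}
    seen_by_name = defaultdict(set)   # local name -> addresses for private-address devices
    sightings_by_name = defaultdict(int)

    for _, tx_add, addr, name in advs:
        kind = classify_address(tx_add, addr)
        if kind in PERSISTENT_KINDS:
            entry = findings.setdefault(
                addr, {"reason": f"{kind} address", "sightings": 0, "addresses": set()}
            )
            entry["sightings"] += 1
            entry["addresses"].add(addr)
        elif name:
            # Rotating address, but a name that may link sightings anyway.
            seen_by_name[name].add(addr)
            sightings_by_name[name] += 1

    for name, addrs in seen_by_name.items():
        if len(addrs) > 1:
            findings[name] = {
                "reason": "static local name links rotating private addresses",
                "sightings": sightings_by_name[name],
                "addresses": addrs,
            }
    return findings


def main():
    # Governance-oriented summary: which devices on our premises remain identifiable.
    for ident, f in assess_capture(SAMPLE_ADVERTISEMENTS).items():
        print(f"{ident}: {f['reason']} ({f['sightings']} sightings, "
              f"{len(f['addresses'])} address(es))")


if __name__ == "__main__":
    main()
```

Devices that appear in the report are the ones a governance process should register as system assets: a public or static random address identifies the device on every sighting, and a fixed local name identifies the person wearing it even when the stack rotates the address correctly. Devices using resolvable private addresses with no static advertising content do not appear, which is the behaviour a procurement standard can require.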

The Critical Shift

The most important insight is this: Wearables convert human behaviour into system exposure.

  • A clinician’s movements can reveal workflow structure.
  • A staff member’s routine can expose timing and access patterns.
  • Aggregated data can reveal organisational behaviour.

This is reconnaissance without intrusion, and it remains largely outside governance visibility.

Why Governance Has Not Caught Up

The gap persists due to misclassification (treating them as personal), diffuse ownership (unclear responsibility between IT and clinical leads), and a lack of visible failure.

Risks emerge gradually through data aggregation and delayed exploitation, making them easy to underestimate.

The ISI Position

The Institute for Systems Integrity does not argue against wearable technologies. Their benefits in chronic disease monitoring and patient engagement are well established (Jafleh et al., 2024). However, adoption without governance introduces system stress, which leads to failure.

What Boards Should Be Asking

Boards should move beyond technical checklists and ask:

  1. Are wearable devices recognised as part of our system architecture?
  2. Where are the vulnerable points created by human-attached devices?
  3. Who owns this risk?
  4. How would silent exposure be detected?

If these questions cannot be answered clearly, the system is already exposed. Wearables do not break systems; they reveal where systems were never designed to account for human-attached, always-on vulnerable points.


Harvard References

American Hospital Association (2024) Change Healthcare cyberattack impact and response. Available at: https://www.aha.org (Accessed: 10 April 2026).

Jafleh, E.A. et al. (2024) ‘The role of wearable devices in chronic disease monitoring and patient care’, Cureus, 16(2). Available at: https://pmc.ncbi.nlm.nih.gov (Accessed: 12 April 2026).

Kounoudes, A.D. et al. (2023) ‘Enhancing user awareness of inferences from fitness trackers’, Sensors, 23(1). Available at: https://pmc.ncbi.nlm.nih.gov (Accessed: 12 April 2026).

Peker, Y.K. et al. (2022) ‘On the security of Bluetooth Low Energy in wearable devices’, Sensors, 22(14).

RNZ (2024) ‘ManageMyHealth data breach exposes patient information in New Zealand’, Radio New Zealand, 15 July. Available at: https://www.rnz.co.nz (Accessed: 14 April 2026).

Silva-Trujillo, A.G. et al. (2023) ‘Cybersecurity analysis of wearable devices: Smartwatch passive attack’, Sensors, 23(11).

Timofte, E.M. et al. (2025) ‘Security assessment in mHealth environments across wearable, mobile and cloud layers’, Applied Sciences, 15(1).

Zhang, B. and Chen, C. (2025) ‘Security and privacy issues in wearable health monitoring devices’, Computers & Security, 148.
