"Startups Often Focus On Data Security Too Late, If At All"

STEVE INSKEEP, HOST:

This year's Consumer Electronics Show in Las Vegas includes companies that promise to revolutionize medicine as we know it. They're using sensors and systems like Wi-Fi Internet connections and Bluetooth to monitor the human body on a constant, real-time basis. Critics say this high-tech medicine is leaving security concerns behind.

Aarti Shahani reports from member station KQED.

AARTI SHAHANI, BYLINE: Teddy the Guardian is a little brown bear with a blinking red heart. Founder Ana Burica says the toy can record your child's heart rate, body temperature and blood oxygen levels and upload all that to a mobile app.

ANA BURICA: All the child has to do is take Teddy by the paw, hold him for three to five seconds, and this is the time definitely enough for the sensors to track the values.

SHAHANI: BodyCap is a little red and white pill that looks like Tylenol, but inside there's a chip. Marketing director Isabelle Lauret says a patient recovering from chemotherapy can swallow it and the pill will shoot off a temperature reading every 30 seconds.

ISABELLE LAURET: And the doctor can get on his iPad. So if there is a rise of temperature, he can call his patient and ask him to return to the hospital immediately to do all checks.

SHAHANI: And over at Beddit, founder Lasse Leppakorpi shows me sensors you can put under your bed sheet.

LASSE LEPPAKORPI: It automatically during the night analyzes your sleep quality, your heart rate, your breathing. And then it sends the information using Bluetooth to your mobile device.

SHAHANI: This all feels very, very intimate. So I ask: How do you handle security?

LEPPAKORPI: For the data?

SHAHANI: Yes.

LEPPAKORPI: So what kind of security you will need with your own sleep and wellness data, which is stored in your own mobile device?

MARK ORLANDO: I think we've all seen how secure mobile devices can be, which is to say not very secure.

SHAHANI: Mark Orlando is a cyber-expert with Foreground Security. And he's seeing a lot of startups jump into health and fitness, hire all the right engineers and coders. But he says these companies are not hiring a single data security expert or outside auditor.

ORLANDO: It's their product that's collecting and aggregating this data. So, you know, I think that they need to take responsibility, as opposed to kind of shifting the risk onto, say, a mobile phone manufacturer or, you know, an e-mail provider.

SHAHANI: There's a real spread in what companies can do and are doing to protect health data. Some encrypt it before it leaves the device and re-encrypt on the cloud. So even if it's stolen, it's useless. Others don't ever encrypt. And many investors don't ask.

Listen to this candid confession from a leading venture capitalist, Ping Li, who was talking at a Silicon Valley conference last October. He says that he pushes his startups to make a great product first; security comes later.

PING LI: I think you should push it earlier. But it's so hard to know when a startup becomes interesting enough to get attacked. And sometimes it's a weird thing. You get attacked and we made it - we finally are, you know, we finally are worthy of getting hacked.

(LAUGHTER)

SHAHANI: Experts say that with cybercrime on the rise, and lots of health data out there, many more startups are going to find themselves worthy of getting hacked.

For NPR News, I'm Aarti Shahani in Las Vegas.