Thinking About Buying New IoT Devices? Better Wait ‘til Next Year for Better Security Features!

IoT Devices Vulnerable to Cybersecurity Threats  

Healthcare organizations, like other businesses, are integrating “smart technologies” into devices and facility controls that are connected to the internet. While much attention has been paid to the cybersecurity risks surrounding information systems that handle e-PHI, the security risks related to IoT devices are less well known.

Since IoT devices are connected to the internet, they can be hacked just like any other internet-enabled device. Many device manufacturers do not design security features into the IoT device leaving them vulnerable to cyberattack. This creates exposure into any connected enterprise information network or another networked device.

New State Laws Require Security by Design

New laws in California and Oregon will mandate security standards for IoT devices. FDA regulated medical devices and IoT devices that create data used by HIPAA covered entities and business associates for healthcare treatment services are exempt from the new standards.

Beginning January 1, 2020 manufacturers and some vendors of a branded internet “connected device” must equip that device with a “reasonable security feature or features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and,
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

What’s Considered a “Connected Device”?

A “connected device” is broadly defined as, “Any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol (IP) address [or] Bluetooth address.” That means that anyone making consumer, industrial, or other internet-connected devices and selling them or offering them for sale in California or Oregon is covered under this law.

Additionally, if the connected device is equipped with a means for authentication outside of a local area network, it must possess one of the following “reasonable security features”:

  • it must have a preprogrammed password unique to each device manufactured; or,
  • the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.

The IoT laws broadly define “manufacturers” to include the producers of the devices themselves and those who manufacture on behalf of such organizations, connected devices that are sold or offered for sale in California or Oregon. Manufacturers are required to allow users to have full control and/or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device.

Are IoT Devices Used in Healthcare Exempt from State Laws?

The California and Oregon IoT laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under federal law, regulations, or the guidance of federal agencies (FDA-regulated medical devices, or devices that have cellular connectivity, for example). They also do not apply to the activities of covered entities, healthcare providers, business associates, health plans, and pharmaceutical manufacturers, subject to the HIPAA privacy or security standards as well as California’s Confidentiality of Medical Information Act (CMIA).

The new IoT laws are enforceable by the respective state’s Attorney General and local consumer protection agencies. There is no private right of action created by the new laws that will allow consumers or other end users to file lawsuits against manufacturers that do not comply with the requirements.

The new IoT laws also do not mandate what security features are “reasonable,” effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test set-out in the legislation. Recommendations from agencies such as NIST and other industry best practice guidelines can help determine what will be reasonable under the circumstances (see Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”).

We’re Slowly Starting to Move in the Right Direction

While the IoT laws may address the security threats brought about by hardcoded or default passwords that are easily guessable and might force manufacturers to require consumers and other end users to change their passwords before using such devices, they do not address many other security concerns or truly enhance device security throughout its lifecycle. While arguably incomplete from a security perspective, these states represent a large segment of the marketplace for smart technology and the IoT laws may serve as an example for other jurisdictions to follow. Any manufacturer of an IoT device that intends to ship its products into California or Oregon must start baking-in security by design with features that meet the requirements of these IoT laws. Maybe these IoT laws will be the catalyst needed to nudge IoT-connected devices in the right direction of better security for all.

CynergisTek offers information security assessments and vendor security management services that can ensure your supply chain practices and technology procurement support your cybersecurity safeguards. Please contact info@cynergistek.com if we can assist you with any questions about the new IoT laws or to assist you in identifying and securing your information systems from threats posed by IoT devices.

December 4th, 2019|

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.