Federal watchdog agencies are ratcheting up efforts to counter cybersecurity threats to devices and wearables connected to the Internet of Things (IoT), according to a security expert.
In particular, the Federal Trade Commission (FTC) is looking to expand its purview as "a champion of consumer data privacy and data security," and to clamp down on wearable makers who fail to protect their customers' personal information, ESET security researcher Stephen Cobb told the Information Security Media Group, as reported by Gov Info Security.
"We saw that in the early days of privacy policies on websites, and I think we're going to see that in the case of wearables or Internet of Things devices where there's a clear-cut case of a company promising to protect information, or take privacy seriously, and then failing to follow through with that promise - [prompting] the FTC moving against them with one of their actions," Cobb said in the interview.
The FTC in August won a landmark ruling by the U.S. Circuit Court of Appeals that affirmed the commission's authority, under its long-established powers as a federal consumer protection agency, to sue companies it believes to have poor data security and privacy standards. Cobb notes in the article that the FTC lodged more than 50 cases in the last 15 years against different companies for security-related issues. The number of cases could increase as cybersecurity threats are expected to escalate in the coming years.
Earlier this year, the FTC released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it gave six recommendations for companies to ensure that their products, including medical devices, have built-in security features from the outset.
In the interview, Cobb adds that the U.S. Food and Drug Administration (FDA) is "looking at to what extent does a wearable device become a medical device. And certainly in the medical device area, there are rules and regulations about security, and the potential to challenge devices or companies if they are not taking security seriously."
The FDA last year released a cybersecurity guidance document containing non-binding recommendations to medical device manufacturers, including making cybersecurity an integral component of the design and development process. Months later, the agency had to issue its first cybersecurity-related alert for a specific medical device. Experts warn that similar warnings are forthcoming, as more devices, gadgets, and wearables become interconnected and vulnerable to cyberattacks.
The FDA's Center for Devices and Radiological Health (CDRH) has already marked cybersecurity as one of its top ten priorities for 2016, stating in a recent report that it wants to "enhance performance of digital health and medical device cybersecurity" next year. To that end, the FDA says it would seek and conduct research "to enhance performance and security of medical devices and interoperability, and to understand the impact of software modifications on device performance."
For Shahid Shah, a cybersecurity mentor and medical device hardware/software design coach, both the FDA guidance and the FTC report confirm that "cybersecurity is an emergent property of a system and not a feature or function that you can add later." He recommends that manufacturers reconsider the old notion of cybersecurity as something that can be "bolted on" late in the design cycle.
"Many device manufacturers will treat security as a compliance activity bolted on at the end — those designers will end up creating insecure devices that will get their customers’ data hacked or stolen, and land their customers on the front pages of newspapers. The progressive designers who don’t take a checklist approach to security and compliance and instead embed privacy, security, and safety into their product’s user-facing requirements will be far more trusted by their customers," Shah wrote in a recent MDO guest column.