California’s Information Privacy for Connected Devices Law is a Good Start, But Doesn’t Apply to Healthcare

The following is a guest blog post by Mike Nelson, Vice President of IoT Security, DigiCert.

As the nation’s most populous state, California often serves as an incubator for national legislative and regulatory policy, and it is good to see the state take a leadership position in IoT cybersecurity. The announcement of California’s ‘IoT Cybersecurity Law’ is a move in the right direction. The new law will require manufacturers of connected devices sold in the state to equip them with “reasonable” security features.

However, the law carves out healthcare. It states that a covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to HIPAA or California’s Confidentiality of Medical Information Act shall not be subject to this title with respect to any activity regulated by those acts. In practice, that exemption removes connected medical devices from the law’s reach.

While HIPAA has made great strides in protecting the privacy of personal health information, it does very little to protect the many connected medical devices in use today. California lawmakers missed an opportunity to drive strong IoT security requirements that protect patients and the data they want kept confidential.

Additionally, the law will not address the majority of the security issues being found in IoT devices. For example, it requires good password practices, including the elimination of hard-coded default passwords. That is a security best practice and matters for user authentication, but it says nothing about the many back-end connections that also need to be authenticated, such as the channel that delivers over-the-air updates. Asking for “reasonable” security features simply isn’t directional enough. It misses the opportunity to set requirements around essential practices: encrypting sensitive data, performing risk assessments, authenticating every connection to a device, and digitally signing code so that its integrity can be verified before it runs.

A general rule of cybersecurity and connectivity is that whenever something becomes connected, it will eventually get hacked. The risks inherent in connected devices are real, especially in healthcare, where in many cases people rely on these devices to sustain life. The risks of connectivity are diverse: intercepting and manipulating sensitive data, or embedding malware that causes a device to malfunction and harm a patient. Those risks can reach the device manufacturers as well as the patients.

St. Jude Medical, now part of Abbott Laboratories, learned this the hard way. In 2016 a security research firm, working with an investment firm that had taken a short position in St. Jude’s stock, publicly disclosed vulnerabilities in the company’s cardiac devices. The stock dropped significantly on the disclosure, causing financial and reputational damage to St. Jude.

Considering all these risks, and the many others I haven’t mentioned, it becomes clear that simply putting good password protections in place isn’t enough. More direction is needed. While it may sound like I’m advocating for stronger regulation, I’m not. I believe industries do much better when they come together and collaboratively develop best practices that are broadly adopted. Regulators can only do so much. Real solutions require in-depth knowledge of healthcare practice and of what the market can bear, something only companies and practitioners can supply. But the private sector needs to do more.

We need to begin looking at security more broadly than hardcoded passwords. As a healthcare industry, we need to practice robust penetration testing and develop risk assessments for every connected medical device. We need to make encryption of sensitive data, both at rest and in transit, standard practice. No medical device should accept an unauthenticated message. No code or package should be executed on a device without a valid digital signature from a key the device trusts. Driving requirements around these practices would have a much greater effect on the security of connected devices than the new California law currently does.
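The signed-update rule in the paragraph above is easy to state and easy to get subtly wrong, so here is an added example of the device-side gate, written for this page and not code from the author, DigiCert, or any device vendor. It uses Go’s standard-library Ed25519 and a hypothetical package layout (a 4-byte version header, the firmware image, and a trailing 64-byte signature over both) chosen only for illustration; the firmware image and the scenarios in main are constructed sample data. The device holds only the vendor’s public key, verifies the signature before parsing anything else from the package, and refuses version rollback, so a tampered image, a package signed with a key the device does not trust, an old signed package, and an unsigned blob are all rejected before anything is flashed or executed. The same pattern applies to any command message a device accepts, not just updates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update package layout used by this example only:
//   bytes 0..3        big-endian version number
//   bytes 4..len-65   firmware image
//   last 64 bytes     Ed25519 signature over (version || image)
const headerLen = 4

var (
	ErrTooShort = errors.New("package too short to carry a header and a signature")
	ErrBadSig   = errors.New("signature does not verify against the vendor key")
	ErrRollback = errors.New("package version is older than the installed version")
)

// Device models the verifier: a vendor public key provisioned at manufacture
// time and the firmware version currently installed.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

// GenerateVendorKey creates the vendor signing key pair (vendor side, offline).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// BuildPackage is the vendor-side step: sign version||image and append the signature.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	body := make([]byte, headerLen+len(image))
	binary.BigEndian.PutUint32(body, version)
	copy(body[headerLen:], image)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyUpdate is the device-side gate. It returns the image and its version only
// when the signature verifies under the provisioned key and the version does not
// roll back. The untrusted body is parsed only after authentication, so a forged
// package never reaches the parser.
func (d *Device) VerifyUpdate(pkg []byte) ([]byte, uint32, error) {
	if len(pkg) < headerLen+ed25519.SignatureSize {
		return nil, 0, ErrTooShort
	}
	split := len(pkg) - ed25519.SignatureSize
	body, sig := pkg[:split], pkg[split:]
	if !ed25519.Verify(d.VendorKey, body, sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[:headerLen])
	if version < d.InstalledVersion {
		return nil, 0, ErrRollback
	}
	return body[headerLen:], version, nil
}

// Install applies a package. Device state changes only when VerifyUpdate passes.
func (d *Device) Install(pkg []byte) error {
	_, version, err := d.VerifyUpdate(pkg)
	if err != nil {
		return err
	}
	// A real device would flash the verified image here; this model only records the version.
	d.InstalledVersion = version
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := &Device{VendorKey: pub, InstalledVersion: 3}

	// Constructed sample image, not real device code.
	image := []byte("constructed firmware image, not real device code")
	good := BuildPackage(priv, 4, image)
	fmt.Println("genuine v4:", dev.Install(good)) // <nil>; installed version is now 4

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0xff // flip one byte of the image after signing
	fmt.Println("tampered:  ", dev.Install(tampered)) // ErrBadSig

	_, rogue := GenerateVendorKey() // attacker signs with a key the device does not trust
	fmt.Println("rogue key: ", dev.Install(BuildPackage(rogue, 5, image))) // ErrBadSig

	fmt.Println("rollback:  ", dev.Install(BuildPackage(priv, 2, image))) // ErrRollback
	fmt.Println("unsigned:  ", dev.Install(image))                        // ErrTooShort
}
```

Two design points carry over to real firmware. The signature covers the version field as well as the image, so an attacker cannot re-label an old, vulnerable image as a newer version; and the device compares the version against its installed version before accepting, so a genuinely signed but superseded package cannot be replayed. Anything that can execute on the device should pass through a gate of this shape before it runs.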

Though the IoT Cybersecurity Law is primitive in its protections and lacks the detail needed to require security measures that would move the needle, at least California is trying to do something in the absence of industry standards developed by collaborative groups. As the first of its kind at the state level, the effort should be applauded: California is recognizing that manufacturers need to address cybersecurity in the process of building connected devices. Time will tell whether manufacturers take responsibility and the initiative for security themselves before further regulation requires them to act.