In the last week, both the Dept. of Homeland Security and the Food and Drug Administration have issued a consumer alert about the potential hacking risk regarding cardiac devices, specifically because those devices have no encryption on their software. The devices in question are implantable cardiac devices, clinic programmers and home monitors which are used to regulate one’s heartbeat rate – to speed it up or slow it down, as needed. The focus this time is on the Medtronic Conexus Radio Frequency Telemetry Protocol. Given this latest notice, one has to wonder what will be the impact of the California IoT law.
What both federal agencies had to say is short range access allows interference with, generation, modification or interception of communications. There is also the ability to read/write any valid memory location on the implanted device and, therefore, impact its intended functionality.
Between them, the agencies recommended the following mitigation steps:
- Maintain good physical control over home monitors and programmers;
- Use only home monitors, programmers and implantable devices obtained directly from your healthcare provider or a Medtronic representative;
- Do not connect unapproved devices to home monitors and programmers through USB ports or otherwise;
- Only use programmers to connect and interact with implanted devices in physically controlled hospital and office environments;
- Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment;
- Report any concerning behavior;
- Restrict access to authorized personnel only and follow at least privilege approach;
- Apply defense-in-depth strategies; and
- Disable unnecessary accounts and services.
Last October, the FDA itself issued updated cybersecurity recommendations to makers of medical devices, such as pacemakers. Specifically, those companies should look at: “FDA In Brief: FDA proposes updated cybersecurity recommendations to help ensure device manufacturers are adequately addressing evolving cybersecurity threats” which can be found here. Medical device manufacturers should also consult the FDA’s Premarket notification or 510k filing recommendations.
The CA IoT law takes effect on January 1, 2020 and requires a manufacturer of a “connected device” to equip that device with reasonable security features. Exactly what the CA IoT law requires is set out at Civil Code 1798.91.04:
- A) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
- 1) Appropriate to the nature and function of the device.
- 2) Appropriate to the information it may collect, contain, or transmit.
- 3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
- B) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
- 1) The pre-programmed password is unique to each device manufactured.
- 2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The relevant definitions are found at Civil Code 1798.91.05:
- A) “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system.
- B) “Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.
- C) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.
- D) “Security feature” means a feature of a device designed to provide security for that device.
- E) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
There is no duty of compliance on the manufacturer if the user chooses to install third party software or applications; or on any party which provides an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications. The user must be given full control over the device, including the ability to modify the software or firmware running on the device at the user’s discretion. Similarly excluded are any devices subject to the law, regulations or guidance of any federal regulatory agency. No private right of action is created, law enforcement remains able to obtain related data pursuant to appropriate request, and any entity subject to HIPAA is not subject to this law to the extent the relevant activity is regulated under HIPAA or the Confidentiality of Medical Information Act (CA HIPAA).
While medical devices come to mind quickly as covered devices given the very recent notice to consumers by DHS and FDA, these requirements will also apply to Amazon’s Echo©, Google’s Home©, and Ring© doorbell. One can quickly see how any device which can be connected to the Internet is covered, such as your refrigerator, coffee pot and any other connected device a consumer would want shielded from disclosure. What about the security system on your home?
For consumers, the question is: how many such devices do you have at home? When was the last time you changed any of their passwords? Do any of these devices even have passwords? All too often, a major hack which results in data being stolen occurs because cyber criminals are able to get into their target’s computer system piggybacking off of third party access. Do you want your office coffee pot being the weak link that lets the bad guys get access to your company’s trade secrets? Do you want your home router or computer to become one of a string of such devices that cyber criminals use to launch a Distributed-Denial-of-Service attack? How about if someone could hack into your home webcam or digital video recorder and start saying “bad” things to your children or pets, or spy on you or your guests! Do you really want everyone to know who you date/see or where you worship? These are all too real possibilities without strong password and encryption protection.
As with the California Consumer Privacy Act, the CA IoT is the first of its kind at the state level. It seems reasonable to think that manufacturers will find it more convenient and cost-effective to make all of their devices with these means of security, which would result in both laws setting a national standard without there being any federal law on the books!