The Internet of Things, Security, and the Law

The Internet of Things (IoT) is finding its way into every aspect of our lives. From our smartphones to personal fitness devices, and thermostats to home appliances, the IoT is becoming more connected to our bodies and our homes. These devices are generating a lot of data, and governments are putting legal frameworks and regulations in place around how IoT data can be managed, used, and stored.

This isn’t just driven by consumer technology. IoT devices are finding their way into every aspect of industry and commerce around the world, from smart sensors in factories to water monitors in a farmer’s crops. One area that’s seeing heavy use of IoT technology is the healthcare industry. Connected medical devices capture a great deal of sensitive information and its concern about access to this healthcare data that’s behind the need for legal action to regulate IoT information.

A 2017 bill, “The Internet of Things Cybersecurity Improvement Act of 2017” aims to introduce strict security standards about how IoT device manufacturers handle all the data their devices are producing. The bill only targets vendors selling devices to the federal government including the Defense Department and Veterans Affairs healthcare facilities, but this will then filter out into the rest of the healthcare industry.

The main regulations the bill introduces are as follows:

Allow maintenance patches and security updates for IoT devices — most IoT devices run on installed “firmware.” This firmware must be updatable so it can be patched if any security or other vulnerabilities are identified.

Remove hardcoding of username and password and allow them to be changed — default credentials on IoT devices provide a very easy attack vector for hackers and criminals. The legislation requires vendors to allow IoT devices to have their login, password, and authentication information changed.

Ensure devices are free of known security vulnerabilities — although this should really be best practice, the legislation also requires new devices to be updated to remove any previously identified security issues or vulnerabilities.

There are several other areas that the legislation also covers. Here’s a quote from Senator Mark Warner’s website, a co-sponsor of the bill:

 

  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

 

As IoT device use becomes more widespread, we can expect to see more legislation introduced to keep user data safe. IoT manufacturers will need to stay up-to-date with changing compliance and legal requirements to ensure they can provide reliable, resilient, secure devices.

The IoT Healthcare experts at Panoptex strive to provide a unique, tailored big data storage, processing, and complex analysis solution that delivers optimum value as well as unrivaled security to customers. If you want to learn more about IoT healthcare and how we can help protect your organization, contact us today at (407) 777-2555.

Leave a Reply

Your email address will not be published. Required fields are marked *