Regulations for Securing Devices
Sometimes, dealing with the repercussions of cyber attacks can give you a heart attack. In this case, a cyber attack caused literal heart attacks. In 2017, St. Jude Medical’s implantable cardiac devices were discovered to be hackable. Vulnerabilities could be exploited to gain access to the devices’ transmitters, allowing hackers to deplete batteries or administer incorrect pacing or shocks.
Cases like this are why the government regulates device security. With the Internet of Things growing rapidly and the market expected to hit $1.5 trillion by 2025, ensuring device security is crucial.
Both mobile devices and devices that are part of the Internet of Things can carry severe security risks. The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 defines the Internet of Things as the “Extension of internet connectivity into physical devices and everyday objects.” It includes devices, often labeled as “smart devices,” that “have a network interface, function independently, and interact directly with the physical world.”
While most of the regulations pertain to government IoT devices, the private sector is also affected by both the guidelines and the possible consequences of not adhering to them.
In the most recent case, the FDA released a cybersecurity alert for vulnerabilities identified in medical device software components. PTC Axeda agent and Axeda Desktop server, both of which are used in numerous medical devices from several manufacturers, could be exploited by hackers wanting to take full control of the host operating system. Mitigation for the issue includes upgrading the systems to newer versions and creating unique passwords for each device.
According to a study done by the Ponemon Institute, only about 50% of manufacturers test their products before deploying them. Without proper testing, it can be impossible to detect security vulnerabilities in devices before they are exploited by criminals. This creates the opportunity for events such as the Log4J hack to occur.
So, what do these regulations entail?
Devices must meet security standards developed by the National Institute of Standards and Technology (NIST). These include minimum information security requirements. Managing cybersecurity risks will include referencing “relevant standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships.”
Creating and adhering to security guidelines for devices, especially those in the IoT, will keep everything from smart TVs to medical devices secure. Cybersecurity practices for such devices should not be overlooked.