The rising cybersecurity threats in the most populous US state gave birth to a new law that aims to address issues regarding medical devices. The Connected Device Security Law officially took effect on January 1, which mandates manufacturers to produce connected devices that protect users from cyber-attack with “reasonable security” to prevent hackers from gaining remote access to concerned devices.
According to California law, medical devices are explicitly defined, which causes a broad range of connected devices to become affected by the law. While the law encompasses electronics prone to cyber-attack like security cameras and computers, some unconventional tools affected by the law include wearables like smartwatches and smart bands.
What Does the Law Say?
Connected devices refer to “any device, or other physical objects that are capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address” as described by the law. The Connected Device Security Law ensures strict regulations on the manufacture of such products to protect the device from any unauthorized access. Since these devices record, store, and transfer information, any cyber attack would compromise the security and privacy of any concerned individual.
There is a level of uncertainty with the law as it loosely defines the “reasonable security feature,” all connected medical devices are required to have. Daniel Pepper, a partner at BakerHostetler law firm, the law added details for the security requirement of connected devices like preprogrammed passwords or a unique authentication process. He also advised manufacturers to perform a holistic and complete data security diagnostic to determine if their devices pass the security standards set by the National Institute of Standards and Technology.
Pepper also pointed out that medical equipment manufacturers under the Health Insurance Portability and Accountability Act can ignore the new law’s strict specifications. There is a section in the law that explicitly states that any person, business, or organization under HIPAA or Confidentiality of Medical Information Act, are not legally bound to follow the new changes.
The FDA is on the Move
The FDA issues numerous guidelines to help increase medical device cybersecurity. The latest one was published last October 2018, which talked about concerns in premarket submissions. One of the proposed structure is to characterize devices according to “standard” or “higher” cybersecurity risks to which many manufacturers protested. There is also a proposal called the software bill of material, which can promote transparency in software components when a security patch is required. With the protest from manufacturers, FDA spokesperson Kristen Pluchino said the agency would provide a revised guideline that will incorporate the concerns of medical device manufacturers.
Personal Health Devices Concerns
Since the law regulates medical technology in personal devices as well, connected home health devices that collect health data are also affected. But, Susan Kohn Ross, a partner of Mitchell Silberberg & Knupp aw firm, expressed her concerns about the loosely defined description of medical devices. Since medical devices are generally considered as a medical device only if the FDA approves it, smartwatches do not qualify since the FDA does not recognize them as a medical device.
Browse through our site for more of the latest health industry news.