The recently proposed U.S. Cyber Trust Mark is a voluntary cybersecurity labeling program to be operated by the FCC. It will initially give IoT manufacturers a certification label that signifies compliance with a defined set of cybersecurity guidelines and best practices, while giving consumers more confidence when they buy internet-connected devices. The program won't be implemented until the end of 2024 at the earliest and, as currently proposed, covers only consumer-grade IoT devices. Even so, the government taking an active stance in establishing IoT security standards is significant. It also makes up for some of the disappointment that proponents of medical device security standards felt a year ago, when IoMT cybersecurity requirements were stripped out of the FDA appropriations bill.
Enforcing recognized benchmarks in the relative Wild West of IoMT devices is a major positive for the industry that will pay dividends down the road. Starting with consumer healthcare devices that people use in their own homes will make the Cyber Trust Mark a competitive differentiator among device manufacturers, one that should quickly bring better cybersecurity features to market. With these standards will come greater market trust and confidence in IoMT devices, stronger safeguards, and clearer expectations about what is acceptable and what isn't. I expect that as the details of the Cyber Trust Mark program take shape, the need to extend the certification program to the IoMT will become clear, and new government action will follow.
The IoMT remains rife with vulnerabilities, even as telehealth blurs the line between consumer and professional devices
Another trend comes into play here: healthcare delivery organizations (HDOs) increasingly deliver care to patients at home, outside a traditional hospital or medical facility. HDOs are also unusual among IoT technology users in that they run massive fleets of heterogeneous IoMT devices from many manufacturers, because that is what modern care with specialized clinical functions requires. Patients value telehealth services, which are often enabled by connected IoMT devices that provide health monitoring and more.
That said, attackers know that IoMT devices have been among the most lucrative and easiest-to-exploit targets; the average IoMT device carries 6.2 known vulnerabilities. Overwhelmed IoMT manufacturers patch only a fraction of these flaws. Meanwhile, attackers targeting the IoMT can breach highly sensitive personal data and conduct ransomware attacks, with the added threat that disrupted systems could put patients in peril.
This is why such government initiatives are so welcome. In a future where HDOs can vet new IoMT devices in part by looking for the Cyber Trust Mark, procurement will move faster and cybersecurity teams will have a clearer baseline of confidence in those devices, with benefits that cascade through the organization. The label will complement, not replace, an HDO's own responsibility for securing the environment those devices operate in.
Sooner or later, IoMT certification or regulation is coming
Medical device manufacturers should anticipate more government mandates designed to enforce uniform and effective cybersecurity standards across both consumer and hospital-grade IoMT solutions. HDOs, too many of which operate under the false notion that they bear no responsibility for security vulnerabilities they aren't aware of, also need to refine their understanding of IoMT devices and their specific cybersecurity needs.
Even though IoMT devices have become a backbone of modern healthcare, HDOs in general have yet to develop a deep, working understanding of what using these devices safely means for their organizations. This has to change: the consequences of not changing are too severe, and they will force HDOs' hands. Government action to enforce IoMT device security standards will help HDOs recognize the importance of their own cybersecurity posture and the measures they should take to protect their environments. Government goalposts and certifications will also add structure to conversations among HDOs, IoMT device manufacturers, and device suppliers, making cybersecurity responsibilities and expectations that much clearer.
IoMT manufacturers and HDOs should be active in the government process
The U.S. Cyber Trust Mark proposal will be open to public comment on its path to implementation, as will other potential and evolving government requirements. IoMT manufacturers and HDOs should follow those developments closely and make their voices heard in those processes. Going forward, certification criteria will need to cover the full spectrum of IoMT devices, from low-complexity devices with only simple firmware to high-end devices that run a full operating system and hold their own data storage, since the security controls appropriate to each end of that range differ considerably.
Being part of the process will help ensure that future certification or regulatory rules are workable and effective; for example, the certification process must let manufacturers bring secure devices to market without undue obstacles or delays. Communication and collaboration will be essential as the government, manufacturers, and HDOs work together to shape a more secure IoMT.