Cybersecurity standards for Internet of Things devices need to be improved in order to secure medical devices that have created the “Internet of Bodies.”
Terrell McSweeny, commissioner of the Federal Trade Commission (FTC), said that more regulation needs to be written before connected medical devices become commonplace.
“We have not fixed these problems in the Internet of Things, stuff that’s already in our homes, on our bodies, in our cars, and in our daily lives,” McSweeny said at the Atlantic Council’s Cyber Risk Panel last week.
McSweeny said that the FTC is focused on creating a safe environment for consumers, which includes securing IoT devices.
“There’s a lot of work to be done,” McSweeny said. “It’s not just an issue of security. It’s also a very big consumer protection issue.”
McSweeny said that the FTC often doesn’t know how to mitigate some of the technical issues that consumers experience.
“We don’t really know what to tell people when their IoT is delivering them a ransomware attack,” McSweeny said. “Pay it, don’t pay it, throw it out?”
Symantec, a cybersecurity firm, always tells its customers not to pay ransomware demands.
“Paying the ransom puts a notch on your gate,” Kevin Haley, director of product management and security response at Symantec, said in August 2016.
McSweeny said that one of the problems is that there is overlap between agencies on IoT jurisdiction. For example, the Food and Drug Administration approves connected medical devices, but the FTC enforces consumer protection laws. Also, the Commerce Department outlined its IoT policy goals in January.
The Commerce Department’s approach to advancing the IoT landscape, according to the agency’s report, has “the potential to benefit public safety, health care, governance, the environment and improve the daily lives of workers and consumers.”
The duplicative approaches create gaps in how IoT products are regulated and confuse businesses about which regulations they need to follow.
“We have some gaps here that we do need to address and I think it would be really unfortunate if we don’t address them ahead of time because I think we could run into problems where people are bearing too much of the risk,” McSweeny said.
McSweeny said that these potential regulations wouldn’t hurt innovation because they’d be written in a technology-neutral way.
One consideration is to task an agency with regulating connected devices and monitoring cyber issues.
“Right now we have not sufficient protections in place,” said McSweeny. “I support, for example, more comprehensive data security legislation.”