Rules for Medical Devices Emerge as Issue in Smart Device Label Comments

Products regulated by other U.S. government agencies like the Food and Drug Administration don’t require a new assessment of their level of security, said Philips Healthcare. “Cybersecurity per-se is an ever-evolving field and a product that is compliant to a standard today might not be compliant tomorrow,” Philips warned: “A labeling program can potentially be misleading to consumers, defeating the noble purpose of the intent to inform consumers and differentiate developers/manufacturers that take cybersecurity seriously.”

The FDA’s Center for Devices and Radiological Health urged caution concerning devices it regulates. “FDA is concerned that this proposed program, particularly as it applies to medical devices regulated by FDA, lacks tailored controls/minimum criteria that are necessary for some types of IoT products, may cause confusion among consumers where existing labeling schemes exist, and potentially creates conflict where product manufacturers attempt to both qualify for the U.S. Cyber Trust Mark and comply with existing statutory and regulatory cybersecurity requirements under other federal laws, such as the Federal Food, Drug, and Cosmetic Act,” the agency said.

The IoT M2M Council (IMC) backed a phased approach, noting the scope of the proposed program “is extremely broad.” IMC said the definitions for IoT devices and products appear vague. The group wants more focus on firmware: “Access to firmware is a well-documented problem when IoT Device/Product vendors go out of business and there are firms that provide … escrow service. Perhaps needless to say, expiration and renewal are extremely important topics that need much evaluation.”

Wireless technology company Widelity supported the launch of a voluntary program with information “presented on all devices in a clear and concise manner, using language that is easily understood by consumers.” Widelity also supported the FCC’s proposed IoT registry of devices that voluntarily comply with the program listing their cybersecurity features: “This would allow consumers and enterprises to easily access information on a product's security features, vulnerabilities, and updates, as well as provide a central location for manufacturers to update information on their devices.”

“To bring trust, consistency, and a level playing field to this label -- and to support its ultimate success as a trusted and helpful mark for consumers -- the program must involve independent third parties who can verify that labeled products meet the required standards,” said the TIC Council Americas, which represents testing, inspection and certification companies. “The services provided by independent third-party TIC providers support consistency, efficiency, an impartial level playing field, and critically, trust, in any label that rests on consistent, uniform adherence to technical requirements,” the council said.

But AIM Global, representing the automatic identification and data capture industry, said the program should allow companies to assess their own products.” Granting the manufacturers the authority to do self-assessments can facilitate the extensive acceptance of the labeling program, and the ability to do new assessments in a time-efficient manner to help maintain security on the device from new threats, AIM said. With new cybersecurity emerging daily, “an accredited device could become vulnerable within minutes of being accredited,” the group said.

The New York City Office of Technology and Innovation supported launching a voluntary program as laid out by the FCC. “A voluntary program will help offer assurances to consumers who wish to select an IoT product or solution that adheres to Cybersecurity practices and principles,” the city said.