What California’s iOT Security Law Means for Medical Devices

In September 2018, California’s governor signed Senate Bill 327, the Security of Connected Devices, into law, which went into effect on January 1, 2020. Its purpose was to extend already existing privacy laws to connected devices and the information they collect, store and transmit. Unlike the California Consumer Privacy Act (CCPA), this is not an extensively written piece of legislation (only 725 words in length); however, SB-327 does contain an important clause that is relevant to companies producing medical devices that communicate with cloud-based storage (such as the Galen Cloud).

Reasonable Security Standard

SB-327 stipulates that reasonable security features should be appropriate to the nature of the device and the information it collects. It also states that the device should be designed to protect that information from unauthorized access, destruction, use, modification, or disclosure. This is very straightforward, and from the perspective of medical device manufacturers, these are core security principles that are already adhered to.

Secure Device Authentication

Where the California law becomes relevant is its stipulation on device authentication. The law specifically states that any device that authenticates outside of a local area network must meet either of these conditions to be considered “reasonably secure”:

  1. The preprogrammed password is unique to each device manufactured.
  2. The device requires a user to generate a new means of authentication before access is granted to the device for the first time.

These two authentication methods support different access models for sending the device data into the cloud. A preprogrammed password, usually referred to as a device access token, is used primarily by devices that stream their data whenever they have connectivity and must operate in a way that is independent of human intervention. In the second model, the device is dependent on a user creating an account and setting their own password for access, which is useful for devices that transmit their data asynchronously. This user authentication model is primarily used on devices that rely on an application running on an internet connected device. 

Device Authentication Implementation

Of these two methods, the user authentication methodology is the easiest to implement since it does not require any specialized programming during the device manufacturing process. In contrast, the preprogrammed password method requires the access token to be generated, registered in the cloud, and then programmed into the device during the manufacturing process. Since manufacturing facilities usually isolate computers that are involved in the actual production process as a preventative security measure, it is not unusual for a single access token to be generated and then programmed into multiple devices. The risk of having a computer connected to the internet on the manufacturing line has been shown to be very high, as there have been a number of incidents in which a virus or malware was introduced into a product during the manufacturing process. The solution has been to either have a single access token or to create a keystore, where several access tokens are stored in the device and rotated on a periodic basis. In either case, neither solution meets the requirements of the California law. 

There are several benefits of each device having its own unique access token besides being in compliance with California law. The greatest benefit is the ability to revoke the access token if the device is reported as compromised safeguarding the data it has already transmitted. It also has the potential to ensure that if the access token were compromised, the hacker would only be able to see the data from that single device, which would drastically reduce the liability and risk that a medical device manufacturer has under HIPAA and GDPR. It is still incumbent upon the cloud component to enforce data access rules based on the access token (which works in the same manner as a user interactively logging into the system, with the same controls and access limits).

SB-327 and Trends in Global Privacy and Cybersecurity Laws

Cybersecurity has been a large focus of the FDA’s regulatory efforts over the past 6+ years, and it will continue to be so as more and more devices are brought online and connected. This California law is a first of its kind to specify a requirement on the uniqueness of device access tokens, and. The law is targeted at all connected devices, ( not just medical)., and portends to what the global standard will likely become. Although SB-327 is specific to the state of California, manufacturers across the globe will quickly begin implementing these authentication methods into their devices. Maintaining flexible software in your device will help ease potential security issues down the road, as this new bill portends what the global standard will likely become.