Internet of Things Cybersecurity Improvement Act of 2020

Blog Post by Nick Keys, ITRM Manager at Meditology Services

Congress passed the Internet of Things Cybersecurity Improvement Act of 2019 on November 17, 2020. The new law is several years in the making and provides a welcome and much needed step forward for securing the growing network of unmanaged endpoint devices employed by healthcare and other industries.

Congress passed the new bill, and it promptly cleared the Senate by unanimous consent. The President signed the bill into law on December 4, 2020. The bipartisan support for this initiative demonstrates the consensus across the industry that IoT devices have become one of the most vulnerable assets and entry points for malware and other malicious activity on enterprise networks.

IoT is the extension of Internet connectivity into physical devices and everyday objects. IoT devices such as security cameras, temperature sensors, and similar equipment have long introduced security weaknesses into personal and corporate networks. The evolution of the Internet of Medical Things (IoMT) has raised the stakes by transmitting and storing sensitive patient information and exposing regulated healthcare networks to vulnerabilities that can lead to ransomware and other malicious attacks. Vulnerable IoMT devices include some of the most sensitive patient-facing systems, such as infusion pumps, wearables, EKG machines, defibrillators, in-home monitoring solutions, and more.

This groundbreaking IoT legislation is not a new idea. The bill was originally introduced in August of 2017 and has been in the works for over three years. The law requires that the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) take specified steps to increase cybersecurity for Internet of Things devices.

NIST is tasked with creating IoT security standards by March of 2021 and has already gotten a head start on the process, developing security standards and vulnerability reporting frameworks for IoT devices to address the requirements of the new law.

The act is enforceable only against IoT manufacturers and devices that are purchased, used, and deployed by the federal government, which means the regulation is not enforceable in the private sector. However, it holds manufacturers of IoT devices accountable for building security into their products up front if they want the opportunity to sell those devices for use in any government function.

The federal government is essentially leveraging its massive purchasing power to drive change in the security of devices that are used across both public and private industry sectors, including healthcare. Major brands of IoT and IoMT devices will need to bake in security and align with NIST cybersecurity standards, which is a win for everyone.

Our team here at Meditology will continue to keep the industry apprised of the efficacy of the law and its downstream implications for healthcare entities in the months ahead. We welcome this step in the right direction and hope that it will lead to further laws and standards for securing our vulnerable IoT and medical device assets going forward.

Meditology is a top-ranked healthcare security and privacy firm serving healthcare entities of all shapes and sizes. We were designated the #1 Best in KLAS firm for 2019 and 2020 for healthcare cybersecurity advisory services.

We have extensive experience building and implementing IoT and medical device security programs at leading health systems across the country. We have also advised the federal government on medical device security and ethical hacking matters.

Contact us to learn more about how we can help you with your IoT and medical device security program needs.
