
What the US Cyber Trust Mark Means for IoT Security in Healthcare

The US Cyber Trust Mark would provide consumers with cybersecurity assurances for smart devices and could have implications for healthcare in the future.


In July 2023, the Biden-Harris Administration announced the creation of the US Cyber Trust Mark, a cybersecurity labeling program for Internet of Things (IoT) devices to help consumers make informed purchases with security in mind.

Proposed by Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, the US Cyber Trust Mark aims to provide cybersecurity assurances for consumer IoT devices, from smart refrigerators to smart televisions, climate control systems, and fitness trackers.

Although the program is still in its early stages, IoT experts are already predicting how this trust mark could be expanded and applied to a variety of products, including Internet of Medical Things (IoMT) devices.

“First and foremost, the US Cyber Trust Mark shows a more active government role in enforcing cybersecurity standards for IoT devices,” Shankar Somasundaram, CEO of Asimily, told HealthITSecurity. “That's important—and it certainly bodes well for the industry going forward.”

Time will tell how the US Cyber Trust Mark program will impact consumer and enterprise purchases, and how it will inform future regulations in the IoT and IoMT space. But as of now, IoT experts in the healthcare space are hopeful that this is a step in the right direction.

“Smart devices make our lives easier and more efficient—from allowing us to check who is at the front door when we’re away to helping us keep tabs on our health, remotely adjust the thermostat to save energy, work from home more efficiently, and much more,” Rosenworcel said in a press release accompanying the proposal. “But increased interconnection also brings increased security and privacy risks.”

Unpatched vulnerabilities in IoT devices can give threat actors easy network entry points. Organizations across all sectors have seen their exposure grow as interconnectivity increases, prompting them to scale up vulnerability management programs that must track thousands of internet-connected devices at once.

On the consumer side, smart devices used at home can also be subject to cyber risk, the FCC suggested.

Just as the Energy Star label provides assurances about energy-efficient appliances, the US Cyber Trust Mark would appear on devices that have met widely accepted security standards established by the National Institute of Standards and Technology (NIST).

With a glance at the Cyber Trust Mark logo on a device, consumers would be empowered to make purchasing decisions without sacrificing security. The mark will signal to consumers that the device meets select NIST-based cybersecurity criteria surrounding strong default passwords, software updates, and incident detection capabilities.

What’s more, the FCC intends to use QR codes on the label to link to a national registry of certified devices, allowing consumers to compare the security properties of various devices.

This development arrives just a few months after the omnibus appropriations bill was signed into law, requiring medical device manufacturers to provide certain cybersecurity information to the FDA in their premarket device submissions. The requirement takes effect on October 1 and is largely seen as a win for those advocating for stronger medical device security.

Somasundaram expressed hope that the US Cyber Trust Mark would similarly contribute to greater market trust in IoT and IoMT devices as the federal government works toward streamlining security assurance processes for smart devices.

“To be clear, the Cyber Trust Mark program will initially be geared toward labeling consumer devices. It should cover home healthcare devices, with the result of allowing consumers to feel more assured in utilizing internet-connected medical devices and equipment,” Somasundaram noted.

“However, as the government hammers out the details and as the program evolves following its initial rollout, I believe that other critical devices like IoMT would see some form of certification as well.”

While the initial Cyber Trust Mark proposal is centered on consumer devices rather than medical devices used in hospitals, there is potential for the initiative to grow. Furthermore, the rising popularity of telehealth and of medical devices made for at-home use is blurring the line between consumer and commercial devices.

Jim Hyman, CEO at Ordr, was similarly positive about the US Cyber Trust Mark, especially as the definition of a medical device continues to change.

“Two years from now, our nurses and doctors will not be transcribing their notes into a software package. They will just be dictating them, and then that message will be automatically deciphered and sent to all the necessary systems. And while that's a really amazing thing from a functionality, usability, and patient experience perspective, it opens up a whole new category of what this mark can be used for,” Hyman shared in an interview with HealthITSecurity.

“The attack surface is going to grow exponentially over the next couple of years, and so I think it makes this type of program even more important.”

Even so, Hyman noted that these types of standards have their limitations.

“These actions are shining a light on the problem that exists with respect to the healthcare industry and devices,” Hyman said. “Having said that, there's only so much that the government on its own can do.”

Effectively managing risk today requires that organizations take charge of device management themselves and establish strong internal processes for addressing security vulnerabilities found in internet-connected devices.

The complexity of home healthcare devices also differs significantly from that of devices in a hospital, Hyman emphasized. A fitness tracker may be used for three to four years, while an MRI machine can remain in service for 20 years. With these considerations in mind, applying a similar cyber trust model to healthcare would be challenging.

Additionally, Hyman stated, a cyber trust mark on a healthcare device would not replace an organization’s need to validate controls, run risk assessments, and check devices against their compliance programs.

From Somasundaram’s perspective, the Cyber Trust Mark could at the very least streamline these processes. In addition, organizations could use the Cyber Trust Mark designation as an additional tool in confidently recommending secure home healthcare devices to patients.

“Hopefully in the future, HDOs [healthcare delivery organizations] will be able to look to Cyber Trust Mark certification to identify and procure IoMT devices with stronger security, and in turn expand their fleets with more speed and confidence,” Somasundaram added.

If adopted by a vote of the FCC, the US Cyber Trust Mark could be in operation as soon as late 2024. The Commission has already applied to register a national trademark for the US Cyber Trust Mark logo with the US Patent and Trademark Office.

Although the program will be voluntary, several major manufacturers and retailers have already committed to support it, including Google, Best Buy, Amazon, Logitech, LG Electronics USA, and Samsung.

Now, the FCC is seeking public input on key issues such as the scope of devices that should be eligible for inclusion in the labeling program, who should oversee the program, and how to establish and demonstrate compliance with security standards.

“Medical device manufacturers and [healthcare organizations] should also keep an ear to the ground on the specifics of government certification requirements as the US Cyber Trust Mark program and others develop,” Somasundaram suggested.

“From a practical operational perspective, certification itself needs to be a streamlined and rapid process so that more secure consumer and hospital-grade devices reach the market quickly. Manufacturers and [healthcare organizations] will no doubt voice their opinions as the government finds its footing in bringing sharper cybersecurity enforcement to the IoMT.”