How Cybersecurity Could be at Risk With Right to Repair

Conversations about right to repair are surfacing in state houses across the country. Just last month, California finalized its version of a right to repair bill that addressed the requirement of manufacturers such as Apple to allow customers to fix their broken or damaged devices. But important caveats exist in this debate, especially when considering the level of access right to repair laws can give to some of our most critical systems.

A recent op-ed by retired Army Major General James “Spider” Marks in the Washington Times looks at the notion of right to repair and highlights how, for some classes of products, significant cybersecurity risks could result from increased (and, as many advocate, unfettered) access to highly connected and critical devices.

Proponents of right to repair laws in the medical device space ask device manufacturers to release proprietary information to Independent Service Organizations (ISOs) that are not regulated by the Food and Drug Administration (FDA), a step that poses a serious threat to patient safety. Marks points out the vulnerabilities and risks that come with mandates that open up information about device parts and operations. Turning to the healthcare industry, he emphasizes its status as a frequent target of cyberattacks and states, “medical devices require connectivity, which means they could be turned against their infrastructure, if compromised.”

These intricate medical devices often serve patients whose lives are on the line, and Marks reiterates the need to keep these devices “highly regulated by the federal government, which acts as a kind of stopgap to prevent widespread access to any vulnerabilities these critical systems may have.”
