‘Right to Repair’ Policies Could Exacerbate Cybersecurity Threats To Critical Infrastructure

By Roslyn Layton, PhD, regulatory and security policy scholar | Issues & Insights

Despite the best of intentions, laws and regulations often have unintended consequences. So, it makes sense to have narrowly tailored solutions – often with a sunset date – to help mitigate the challenges of sweeping policy changes.  

Take, for example, the policy debate at a House Judiciary Committee hearing last month on the intersection of intellectual property rights and consumer “right to repair.” For many business sectors, like farming equipment and personal communications devices, it might make sense to have easy access to information, tools, and spare parts from manufacturers.

But the requirement to “open” the tech and intellectual property on some types of devices could exacerbate critical infrastructure challenges we are facing, most notably the cyber vulnerabilities of hospitals and health care facilities, which according to reports are growing in frequency.

But even so, some believe sweeping so-called ‘right to repair’ bills are a good idea. However, giving unregulated access to the diagnostic software and IP that cyber-criminals already use to exploit our interconnected hospital infrastructures increases patient safety risk. If the appropriate steps are not followed, a hospital cannot ensure the device works as designed, resulting in both a cybersecurity and patient safety risk. Problems like bypassing safety mechanisms, failure to perform preventive maintenance at the proper intervals, and the use of improper or unqualified knock-off replacement parts are real threats hospitals can face when going with unregulated businesses.

The risks to patient safety and hospital networks are already at an all-time high. Do we really want to add to the proliferation of problems that hospitals and their operations technology are experiencing?
