UL, formerly called Underwriters Labs, soon expects to certify wearables for safety and security, including user privacy.
Founded in 1894 and more commonly known for certifying appliances for electrical safety, UL is developing draft requirements for security and privacy for data associated with Internet of Things devices, including wearables. A pilot program is underway, and UL plans to launch the program early in 2016, UL told Computerworld.
UL first announced its interest in wearable compliance services in January.
"When we think how wearables are used, there are a lot of different implications for security," said Anura Fernando, principal engineer for medical software and system interoperability at UL, in a recent interview. "It might be financially relevant data, but it also could be social engineering: If you use a medical device and happen to be addicted to drugs and are a good programmer, you may be inclined to alter data that provides information to a clinician to get the drugs you want."
Because most wearables will be wireless, UL's concerns include whether personal data that is acquired by a smartwatch or other wearable, and that is associated with a Social Security number or name, is secure over Wi-Fi or Bluetooth.
"Fraud could result if data is not properly maintained and authenticated with a proper level of assurance," Fernando added.
UL wants to "begin to raise the bar for how security should be addressed...and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago," he said. "We want to reach the point [of certifying IoT data security] without having to second-guess it."
Without offering many details, Fernando said that "the jury is still out" on how data privacy and security with wearables will be ultimately protected, or even how strictly it will be regulated by the government. Given the U.S. government's recent apparent willingness to let industry regulate itself in such matters, UL's role becomes more important.
Some wearable security history
In January, the U.S. Food & Drug Administration issued draft recommendations that say the FDA's Center for Devices does not intend to "examine low-risk general wellness products" like wearable devices and apps that monitor health and exercise under its duties outlined in the 1938 federal Food, Drug and Cosmetic Act.
After that draft appeared, President Obama's cybersecurity coordinator, Michael Daniel, went on the record in April calling for a UL-style industry certification model for security of connected devices. "We are very much interested in voluntary models," he said in an interview with Dark Reading at the time.
Without clear government regulations about wearables' data security and privacy, "a lot of manufacturers are nervous about innovating and [determining] what their liability is," Fernando said. Thus, UL's role becomes important.