If a new phone cost you as much as repairing the old one, what would you do? It’s a no-brainer - even the most sincere environmentalists would consider just throwing the old device out. But the right to repair is about to change that.
US President Joe Biden signed an executive order requesting the FTC (Federal Trade Commission) to draw up rules preventing manufacturers from imposing restrictions on independent repair shops or do-it-yourself repair. At least 27 states in the US are also considering right to repair legislation. The pressure on manufacturers to allow consumers to repair their devices themselves is growing in the EU and the UK, too.
It’s not only phones. The executive order that Biden has signed also talks about all kinds of other technology - farm vehicles, refrigerators, and even medical equipment. Meanwhile, in Europe, the right to repair concept currently covers only electrical appliances but could be expanded in the future.
The problem is that manufacturers have strict rules about who can repair their technology. It means that they restrict access to original parts and manuals. Meanwhile, people still search for cheaper repair alternatives by going to third-party repair shops. Having limited access to the original parts, they might be using some alternatives made in China, making the device less secure. Some devices can’t be repaired because of the lack of both original parts and repair manuals.
In its recent article about the right to repair, The Guardian explored how the right to repair could change daily lives. For example, if a tractor is broken on a farm, a farmer would probably have to wait weeks or even longer to get his vehicle repaired. In the middle of the harvest, this translates to huge losses. That’s why farmers are eager to try and fix their internet-connected technology themselves.
There are countless examples of industries that are looking forward to the right to repair, believing it would significantly influence their business while decreasing the amount of e-waste at the same time.
However, cybersecurity experts are urging a careful look at whether the right to repair concept will introduce any additional security loopholes.
A sustainable approach
The right to repair would empower customers and local repair shops, as well as support the secondary market, addressing e-waste and sustainability issues, Fredrik Forslund, Vice President of Cloud and Data Center Erasure for Blancco, told CyberNews.
“Consumers will benefit from having access to parts to repair their devices, with more choice in terms of repair shops that they can take their devices to. That access to parts also empowers local repair shops, and with more devices being repaired in line with industry best practices, it will be significant in supporting the secondary market. More affordable options for second-hand purchasers, a greater volume of devices that can be safely donated to organizations and communities that need IT equipment, as well as the creation of sustainable jobs in the refurbishment of electronics and components, are all positive outcomes from the right-to-repair,” he said.
He made an analogy with the right to repair in the automotive industry. When the brakes need to be repaired or tires changed, consumers don’t buy a new car. Because many devices are now priced above $1,000, the same approach should be applied.
“The legislation will be huge in inspiring a step-change in our attitudes to electronics and device repair, overhauling current approaches that are simply unsustainable,” he said.
Of course, the right to repair comes with specific challenges. For example, it is essential to ensure everyone is playing by the same rules and following industry data management best practices.
“Of course, if a device is repaired or processed by an unauthorized third party, using unofficial parts, then there will certainly be potential for data misuse. However, by ensuring local repair shops and third parties are both using authorized Original Equipment Manufacturer (OEM) parts and following best practice certifiable data sanitization, then the cybersecurity challenges are largely eliminated,” Forslund said.
He stressed that there are currently differences across geographies in what right to repair legislation covers. In Europe, for example, it now only covers electrical appliances such as refrigerators, washing machines, and TVs. But Forslund believes that the right to repair should be applied to all equipment and devices, including the ones used in healthcare institutions.
Ransomware spikes no matter what
“As far as the right-to-repair concept is concerned, we need to consider the implications of this law, especially as it pertains to medical devices,” EY Americas Life Sciences and Health Cybersecurity Leader Liz Mann told CyberNews.
According to her, considerations around data privacy, data regulation, and patient safety need to be top of mind.
“Ensuring quality and functionality are certainly concerns for everyone, but we must also think through how individuals will access these devices and whether granting access will create security loopholes that could compromise patient data and, most importantly, patient safety. There are considerations when it comes to this law around data privacy, data regulation, and patient safety that need to be top of mind,” she said.
The right to repair concept would mean that manuals would be fully obtainable, and people could access devices.
“Leaders would need to make sure certain devices are better controlled than others as patient safety is at stake here. Right to repair often comes down to intellectual property protection, but we need to prioritize the patient’s wellbeing as healthcare professionals. Additionally, we need to consider the fact that repairs could lead to an inability to patch an issue down the road, particularly if there is a need to address something by a manufacturer,” she said.
Even if the third party is granted access to repair the particular device, hospitals do not necessarily have to use their services. They should still use discretion when working with third parties for repairs, particularly with large, diagnostic, and health-sustaining equipment.
However, personal devices are harder to control once the patient has left the hospital. “This is an issue with implanted and remote medical devices – the patient moves with the device, and right to repair could threaten functionality and health of patients,” Mann said.
For years, she and her colleagues have observed the risks that third-party access can carry. Third-party risks are not specific to the repair process, but they are pervasive.
“Organizations depend on these partners and service providers, but they must prioritize access management, privileges, and durability of access first. Open access to devices leaves a path for attackers to be malicious, and often when this entry point is not managed properly, the same access is available to a large pool of devices, so one path leads to many devices,” Mann said.
Healthcare organizations have already been in the spotlight because of the rise in ransomware. One of the recent incidents in Dusseldorf involved a woman dying in hospital due to a cyberattack.
“There may not be a direct correlation with the law here, but we are seeing a continued rise in ransomware and other types of breaches in the healthcare space in general. The threat is substantial, and new examples emerge every day,” Mann said.
The recent survey by EY showed that 81% of executives were forced to bypass cybersecurity processes due to COVID-19. All the while, these respondents are experiencing an evident rise in attacks over the last 12 months.
Over 75% of respondents to this year’s Global Information Security Survey warn that they have seen an increase in the number of disruptive attacks since last year. By contrast, just 59% saw an increase in the prior 12 months. More than half (55%) of respondents say cybersecurity is coming under more scrutiny today than at any other point in their careers.