Kaspersky introduces cyber policy for bionic devices

Cyber firm Kaspersky has become one of the first organisations in the world to develop and implement a security policy covering the use of bionic devices and other forms of human augmentation

Cyber technology supplier Kaspersky has become one of the first organisations in the world to try to address the security challenges of so-called human augmentation, developing and implementing a comprehensive policy designed to protect users of bionic devices in the workplace.

Bionic devices are defined in practice as something that replaces or augments a part of the human body with an artificial device or implant. This includes medical technology such as pacemakers, artificial sensory organs – visual prostheses or hearing aids – or bionic limb prostheses, but also devices such as chip implants and near-field communication (NFC) devices, which some organisations have introduced for identity and access management (IAM).

Kaspersky took action based on legitimate fears in the cyber security community that as more devices become electronically enhanced or are connected to the internet, too little attention is being paid to their security, leading to uncertainty and risk both for users and their employers, and for the future development of such tech. It consulted widely with user groups and other concerned parties in the design of the policy, and conducted real-world testing with employees who have had bionic chips implanted.

“Human augmentation is a burgeoning area of technology which in fact remains underexplored. That’s why making a first step towards clarifying issues related to its use, as well as strengthening security, will help us to ensure its potential is used in a positive way,” said Marco Preuss, director of Kaspersky’s European Global Research and Analysis Team (GReAT).

“We believe that to build a safer digital world for tomorrow, we need to digitally secure the future of human augmentation today.”

The proposed document, a copy of which has been shared with Computer Weekly, will be applied to Kaspersky’s entire corporate infrastructure and various units, including all staffers and employees of third-parties providing contract services. It covers aspects of the organisation’s security including access control, administration and maintenance processes, and the use of automated systems.

Some of the policies include:

  • The introduction of colour-coded security zones at Kaspersky sites, and how NFC chips can be used to access each level, from visitor parking through to lobbies and communal areas, and sensitive zones such as server rooms.
  • Security specifications to be applied to NFC chips, including device ID, and whether or not the device supports strong cryptographic encryption standards.
  • Patch management procedures for bionic devices, with a sliding scale of prioritisation based on the CVSS scores of disclosed vulnerabilities.
  • Guidance for employees with bionic prostheses, internal organs or sensory organs, covering situations such as passing through metal detectors where used.
  • Guidance for employees who may have a bionic device, such as a hearing aid, that is able to gather information, by recording audio or video files, or using built-in interfaces such as GPS or Wi-Fi.
  • Guidance for employees with bionic implants who may need to access locations with elevated electromagnetic radiation.

Kaspersky hopes its new policies will both enhance its cyber security posture, and improve inclusion within the firm, as many users of bionic devices will identify as disabled.

It also hopes that it can be used as a jumping off point to further engage the wider IT and human augmentation community around security issues relating to bionic technology, starting conversations around digital privacy and access rights, and mitigating threats relating to health.

Read more about medical tech

Read more on Security policy and user awareness