Issues & Insights

‘Right To Repair’ Legislation Compromises Medical Device Cybersecurity


The COVID-19 pandemic has intensified various political and economic flashpoints. From health care to housing, drug pricing to food pricing, the societal strain of the pandemic has renewed the urgency and raised the stakes for long-standing issues. 

The increasingly heated debate about the rules and regulations governing medical device servicing is an exemplar of this new reality. Although the dispute between independent aftermarket repair businesses and original equipment manufacturers (OEMs) isn’t new, it has shifted from auto repair, farm equipment, and consumer electronics to high-tech medical devices. 

In the early days of the pandemic, aftermarket repair advocates and the businesses they represent leveraged the public health emergency to create a perceived political opening when they accused OEMs of withholding the resources and information necessary to properly repair ventilators and other medical devices used to treat COVID-19 patients. These baseless accusations were an opportunistic attempt to advance a false narrative that patients were endangered by a shortage of qualified personnel to maintain and repair medical devices.  

Now, months later, aftermarket servicers have successfully pressured federal lawmakers to introduce legislation that would make manufacturer-developed medical equipment and software more vulnerable, putting patients and hospitals at greater risk. The Critical Medical Infrastructure Right-to-Repair Act of 2020 (House Resolution 7956) would shatter a number of long-standing norms and precedents, including the rights of innovators to protect their intellectual property. Even beyond the bill’s myriad defects, what’s most telling is the disingenuous rhetoric of the legislation’s most vocal advocates. Supporters of HR 7956 have repeatedly downplayed the negative implications of the bill, both for patient safety and for the security of medical devices. 

Independent medical product repair businesses claim that broader access to manuals and service tools reduces maintenance and repair costs for the device owner, but fail to acknowledge the importance of full and proper training. Many newer medical devices are highly complex, contain a wide variety of unique hardware and software that must work seamlessly to provide safe functioning, and are highly regulated. 

Nowhere is this oversight by independent servicers more evident than in their misrepresentation of the cybersecurity challenges in the hospital environment. A recent example of this public misdirection comes from an article, “The Fight Heats Up,” published in 24×7. The piece, which provides a comprehensive recap of the OEM vs. aftermarket repair service business conflict, features a number of unsubstantiated, ill-informed, and self-serving claims about medical device cybersecurity from Gay Gordon-Byrne, executive director of The Repair Association. To the assertion from OEMs that HR 7956 fails to recognize or appreciate the potentially serious cybersecurity implications of allowing unregulated entities to operate on complex medical device software, Gordon-Byrne remonstrated that “either [a device] is cyber-secure or it isn’t. Repairing it is not the way risks are introduced.”

This statement underscores the problem with so many arguments presented by these aftermarket servicing businesses: the oversimplification of a complex and consequential issue. 

The claim that the cybersecurity of a medical device is a strict binary, “secure” or “insecure,” is simply wrong. The security of any medical device, from large MRI machines to portable point-of-care ultrasound devices, is achieved through ongoing risk mitigation and prevention. It has been well established that cybersecurity is a shared responsibility among manufacturers, providers, servicers, regulators, and others who work in concert to mitigate risk. In this world, “security” is not a permanent state of being. It is an ongoing process. 

Over the last few decades, as medical devices became increasingly reliant on a harmonized interaction between their hardware and software components, the cybersecurity consequences of even a slightly imprecise or careless maintenance job have become increasingly stark. It’s exactly for this reason that the Food and Drug Administration holds OEMs to mandatory Quality System/Current Good Manufacturing Practices, to ensure that device software updates, patches, and more comprehensive repair jobs are done correctly. Third-party servicers are held to no such standards, and by allowing these unregulated entities inappropriate access to device software, HR 7956 creates unnecessary risks that may undermine the security and functionality of a medical device. Moreover, the risks are multiplied by the fact that complex devices are frequently connected to other devices, databases, and hospital networks.

The life cycle of a medical device can last years, in some cases, more than a decade. That’s a long period of time in which cybersecurity threats could be introduced. Mitigating risk is a constant effort – and by oversimplifying and framing this issue as akin to a mobile phone or an aftermarket auto repair, advocates of HR 7956 are doing a disservice to providers and, more important, to patients.

Henry I. Miller, a physician and molecular biologist, was a 15-year veteran of the FDA and the founding director of its Office of Biotechnology. 


3 comments


  • There is nothing magical about a person employed by an OEM to warrant monopoly protections. Rather than grant them special rights in perpetuity, why not simply require them to provide technical repair manuals that specify what training is necessary to repair the device? If a unit requires a PhD to fix, it isn’t a product – it’s a prototype.

  • “In the early days of the pandemic, aftermarket repair advocates and the businesses they represent leveraged the public health emergency to create a perceived political opening when they accused OEMs of withholding the resources and information necessary to properly repair ventilators and other medical devices used to treat COVID-19 patients.”
    As a Biomedical Equipment Technician who worked at a Health Care facility for over 30 years with a focus on ventilators, I can attest to the fact that OEMs sometimes do, indeed, limit the ability of in-house repair staff to repair equipment that they own. The charge is not baseless. Furthermore, the health care facility is ultimately liable for any errors that harm patients, including those caused by equipment issues. Their interest is in hiring the best 3rd-party parts and repair companies for their needs and to responsibly effect repairs and maintenance to their equipment.

  • I’d be interested in a more nuanced analysis of the specific legislation. Right to repair is an important individual freedom to balance against intellectual property rights.
