By Roslyn Layton, PhD
Despite the best of intentions, laws and regulations often have unintended consequences. So, it makes sense to have narrowly tailored solutions – often with a sunset date – to help mitigate the challenges of sweeping policy changes.
Take, for example, the policy debate at a House Judiciary Committee hearing last month on the intersection of intellectual property rights and consumer “right to repair.” For many business sectors, like farming equipment and personal communications devices, it may well make sense for owners to have easy access to information, tools, and spare parts from manufacturers.
But a requirement to “open” the technology and intellectual property on some types of devices could exacerbate critical infrastructure challenges we are already facing, most notably cyberattacks on hospitals and health care facilities, which according to reports are growing in frequency.
The number of cyberattacks on U.S. hospitals reportedly doubled between 2016 and 2021. Also, a recent report found the cost of a breach in the health care industry went up 42% since 2020, and for the 12th year in a row, health care had the highest average data breach cost of any industry.
This is a problem of life and death. Literally. One study conducted by the Ponemon Institute, which surveyed more than 600 health care facilities, found that 24% of institutions say mortality rates increased following a ransomware attack.
When a medical device is compromised, it puts the integrity of the entire hospital network at risk. Cybersecurity is not an “addition,” but “multiplication.” If you have a zero in one place, the entire outcome becomes zero. This is why health care facilities take very seriously the security integrity of their network.
The cybersecurity of hospital networks, medical devices, and health critical infrastructure has become a growing concern among stakeholders, politicians, and regulators alike. Medical device manufacturers are one group of stakeholders already taking cybersecurity seriously because they are required to under FDA law, regulation, and guidance. On the other hand, independent servicers are not subject to the same requirements.
Even so, some believe sweeping so-called ‘right to repair’ bills are a good idea. But giving unregulated access to the diagnostic software and intellectual property that cyber-criminals already use to exploit our interconnected hospital infrastructure increases patient safety risk. If the appropriate steps are not followed, a hospital cannot ensure the device works as designed, which creates both a cybersecurity risk and a patient safety risk. Bypassed safety mechanisms, preventive maintenance skipped or performed at the wrong intervals, and improper or unqualified knock-off replacement parts are real threats hospitals can face when they go with unregulated businesses.
The risks to patient safety and hospital networks are already at an all-time high. Do we really want to add to the proliferation of problems that hospitals and their operations technology are experiencing?
The right-to-repair movement is not without merits. Maybe you can fix your phone or tractor. If it malfunctions, it’s just your property that fails. But if you hack your own Tesla to change the software and then drive it, you put other lives at stake. In fact, last month the Biden administration’s National Highway Traffic Safety Administration told automakers that a Massachusetts right-to-repair law poses an “unreasonable risk to motor vehicle safety.” The risk is similarly severe with medical equipment, and a key reason why the U.S. medical establishment and its connected products are closely regulated.
In addition to not being subject to FDA quality requirements, these servicers are not required to report adverse repair events, so it is unclear how many lives they are putting in jeopardy, or what new vulnerabilities in hardware and software they are opening up to hackers. The FDA estimated in May 2018 that there could be as many as 21,000 firms performing medical device servicing in the U.S. Yet in its analysis of hundreds of thousands of adverse event reports, 98% were submitted by original manufacturers, not third parties. Bottom line: these firms comprise a significant portion of the industry about which the FDA knows very little, due to the lack of regulatory oversight.
Therefore, policymakers should include carve-outs in right-to-repair laws for categories of high-risk devices, such as life-saving medical equipment. OEM professionals and in-house biomedical engineering departments, which often go through standards-based training and partner with specific manufacturers, are the status quo that promotes accountability and patient safety. And given the cybersecurity challenges this sector is already facing, we cannot afford to open the door to firms that have no regulatory oversight or accountability to standards.
While committee members aimed to hear all sides of this important debate during this week’s hearing, it is critical that policymakers implement targeted policy solutions that get to the root of the problem, rather than make it worse by being excessively broad.
Roslyn Layton is a regulatory and security policy scholar and founder of ChinaTechThreat.com
Let me see if I can summarize: “Your government wants more regulatory power than it has. If we don’t get it, people will die. Danger, Will Robinson, Danger.”
People arguing against Right to Repair are effectively advocating for Security by Obscurity, which is a strategy that always fails.
Why are medical devices accessible from the internet? Convenience. There is no real necessity for internet access to “critical” medical devices, it is just more convenient and perhaps a little cheaper (as if anything in the medical field is cheap) than indirect access by having human intermediaries in the process.
The choice is always a tradeoff between security and convenience/cost, and that tension affects every user from the individual using his home computer to the international corporation. And WHOSE convenience is also a choice that has to be made. The CEO of a major corporation finds it inconvenient to use a randomly generated password which is impossible to remember and must be changed every thirty days, so he uses his wife’s maiden name and the IT department suffers the inconvenience of extra effort to secure his communications.