“Continuing to grant section 1201 exemptions for medical device repair continues an open season on patient safety, provider confidence and healthcare cybersecurity.”
The contentious issues surrounding Right to Repair are getting super-heated as the U.S. Copyright Office concludes its triennial rulemaking review of exemptions to section 1201 of the Digital Millennium Copyright Act (DMCA). Exemptions granted would be in force for three years beginning October 2024.
When is an exemption not an exemption? When it’s an exemption from common sense.
According to the Washington Legal Foundation, Section 1201 was intended to limit access to proprietary software embedded in medical equipment. In a final rule adopted in the eighth triennial rulemaking in 2021, the Library exempted companies that repair medical devices, allowing them to bypass Section 1201’s robust copyright protections. During the current review, Independent Service Organizations (ISOs) are again petitioning to renew the exemptions for medical device repair. Bad idea then, bad idea now. It’s nonsense. Why? Cybersecurity concerns, to be sure – but most importantly, public health and patient safety.
Here’s why the Library of Congress should deny the ISOs’ request for continuing ill-considered exemptions for medical device repair:
- ISOs exist outside the Food and Drug Administration (FDA)-mandated quality control ecosystem. They aren’t required to adhere to the same mandated FDA safety protocols as original equipment manufacturers (OEMs).
- ISOs are seeking the cover of legal authority for repair shops unregulated by the FDA to bypass Technological Protection Measures (TPMs) and hack into life-saving medical devices and data-rich hospital systems for the purposes of gaining access to sensitive repair information.
- ISOs are couching their request as “budget-friendly” ways for hospitals and provider groups to choose cheaper, unregulated repair options (compared with repairs done by the OEMs, which are strictly regulated by the FDA). In common parlance, this is known as “penny wise and pound foolish.” For patients, it may also be known as “deadly.” Cost-cutting by side-stepping quality is a fatal attraction.
- ISOs are not so subtly omitting the unintended (but not unpredictable) consequences to patient safety and growing cybersecurity threats. By hiding the unintended consequences of unregulated repair, ISOs are downplaying the long-term potential liability costs to hospitals and diagnostic accuracy to doctors and patients.
- As I’ve previously written, one person’s hack for high-quality repair is a less scrupulous person’s hack for more nefarious purposes, or even just to cut corners to save time (that increases risks of harm to patients). For example, consider a poorly calibrated MRI or CT machine with radiation dose controls out of whack.
- With an exemption, it’s impossible to know when “repair” turns into installing new software or changing delicate (and regulated) systems configurations, raising real and relevant patient safety and cybersecurity concerns for FDA-regulated medical devices.
ISOs will decry as “scare tactics” accusations that nefarious hackers would do anything other than their intended repair job. But courts have disagreed. In fact, several district courts have noted that such conduct violates federal and state laws, including claims under the federal Computer Fraud and Abuse Act.
According to one judgment, enabling unlicensed software required one defendant “to hack into the systems and circumvent technological measures.” The court determined this was “clearly motivated by an interest in profiting from…copyrighted works without paying for expensive licenses….” (Order Regarding Motion for Default Judgment, Dkt. 180 at 14, Philips North America LLC et al. v. KPI Healthcare, Inc. et al., No. 8:19-cv-01765-JVS-JDE (C.D. Cal., Sept. 1, 2021).)
And according to another, “Defendants intentionally accessed a protected computer and exceeded their authorized level of access.” These acts weren’t undertaken by cyber terrorists, but rather by competing companies for profit. (Final Amended Order, Dkt. 641 at 32, Philips Medical Systems Nederland B.V. et al. v. TEC Holdings, Inc. et al., No. 3:20-cv-00021-MOC-DCK (W.D.N.C. Feb. 16, 2023).)
As the judge in the Philips v. KPI case put it, “This constitutes willful and unreasonable conduct that the Court believes it is appropriate to deter.”
Contrary to the ISO spin machine, hacking for repair isn’t limited to hacking for repair. Since there are over 22,000 ISOs that aren’t regulated or even known by the FDA, it’s impossible for the agency to fully understand the scope of patient safety risks until something goes catastrophically wrong.
And there’s no line of sight for innovator manufacturers to see who is accessing their devices or for what purpose. As the FDA puts it, “Designing devices to limit access only to privileged device users (“privileged access”) is a key component of ensuring a secure medical device.”
Let’s face it: continuing to grant section 1201 exemptions for medical device repair continues an open season on patient safety, provider confidence and healthcare cybersecurity. The U.S. Copyright Office must address the facts and do the right thing about this triennial trifecta.