A recent recommendation by the U.S. Copyright Office allowing for the bypassing of technological protection measures (TPMs) in medical devices for purposes of repair, maintenance and service has been adopted and immediately put into effect. This is bad news for patient safety.
At a time when we’re loudly and publicly debating the relative merits of the Build Back Better Act, the U.S. Copyright Office’s announcement, buried deep inside the Federal Register and written in dense, user-unfriendly government jargon, landed not with a bang, but with a whimper. On purpose. Hiding in plain sight. This terrible ruling, offered without a comment period or any other appeals mechanism, will have a profoundly negative impact on America’s public health.
What it boils down to is an exemption to the Digital Millennium Copyright Act (DMCA) regarding medical devices. In keeping with the traditional bureaucratic trick of obfuscation by omission, the ruling allows for “bypassing” cybersecurity measures so that anyone can hack into secure medical devices for only “repair” purposes. Alas, the obvious problem is that one person’s hack for repair is a less scrupulous person’s hack for more nefarious purposes. There are no special ways to “hack for repair.” This absurd and ill-considered rule basically allows anyone to hack for any reason and claim it was for repair.
Why shouldn’t anyone be allowed to repair anything? Well, for starters, medical devices are highly sophisticated and precise technologies. Consider the medical devices that determine whether or not you’re COVID-19 positive. Scheduled repair and recalibration to ensure accuracy are routine and crucial. Expert knowledge is required. Do you really want hackers (such as those in the aggressive employ of terrorist groups) to have access to these devices?
“Facts,” as John Adams reminds us, “are pesky things.” Hacking is a covert activity, meaning our theoretically empowered watchdog regulators (such as those at the under-funded and under-staffed Food and Drug Administration) will have no advance knowledge or awareness of these activities until something goes catastrophically wrong. Similarly, manufacturers won’t have any visibility into who is accessing their devices or for what purposes. As per the FDA, “Designing devices to limit access only to privileged device users (‘privileged access’) is a key component of ensuring a secure medical device.”
Danger, Will Robinson. Danger.
Previously, if a “hacker” sought to bypass the cybersecurity measures built into a medical device to access servicing materials, the manufacturer would have had recourse under the DMCA. The new Copyright Office ruling eliminates this fail-safe mechanism, in essence declaring “open season” for medical device hacking.
There is no such thing as a small breach of the Hoover Dam, a small malfunction in airplane landing gear, or a slight miscalibration in an MRI machine. Will independent servicing organizations stay within the limits of this new exemption? How will highly qualified (and strictly regulated) manufacturers know when their security mechanisms are breached? Straying beyond the limits of “repair” could very well result in installing new software, changing system configurations, etc. These activities raise real and relevant patient safety and cybersecurity concerns for FDA-regulated medical devices.
The unintended consequence of the Copyright Office’s ruling is that what was once an illegal activity that was hard to track is now a legal activity that is hard to track, and one that increases threats not only to patient safety but to patient privacy. When you hack into a device – legally or not – you can also access (theoretically protected and private) patient information. Now it’s all accessible to any hacker – responsible or otherwise – and legal.
Enhancing “right-to-repair” may sound good to some, but the practical reality is that it facilitates a very real risk to the public health. And that’s unacceptable.