‘Right To Repair’ Legislation Compromises Medical Device Cybersecurity
The COVID-19 pandemic has intensified various political and economic flashpoints. From health care to housing, drug pricing to food pricing, the societal strain of the pandemic has renewed the urgency and raised the stakes for long-standing issues.
The increasingly heated debate about the rules and regulations governing medical device servicing is an exemplar of this new reality. Although the dispute between independent aftermarket repair businesses and original equipment manufacturers (OEMs) isn’t new, it has shifted from auto repair, farm equipment, and consumer electronics to high-tech medical devices.
In the early days of the pandemic, aftermarket repair advocates and the businesses they represent leveraged the public health emergency to create a perceived political opening when they accused OEMs of withholding the resources and information necessary to properly repair ventilators and other medical devices used to treat COVID-19 patients. These baseless accusations were an opportunistic attempt to advance a false narrative that patients were endangered by a shortage of qualified personnel to maintain and repair medical devices.
Now, months later, aftermarket servicers have successfully pressured federal lawmakers to introduce legislation that would make manufacturer-developed medical equipment and software more vulnerable, putting patients and hospitals at greater risk. The Critical Medical Infrastructure Right-to-Repair Act of 2020 (House Resolution 7956) would shatter a number of long-standing norms and precedents, including the rights of innovators to protect their intellectual property. Even beyond the bill’s myriad defects, what’s most telling is the disingenuous rhetoric of the legislation’s most vocal advocates. Supporters of HR 7956 have repeatedly downplayed the negative implications of the bill, both for patient safety and for the security of medical devices.
Independent medical product repair businesses claim that broader access to manuals and service tools reduces maintenance and repair costs for the device owner, but fail to acknowledge the importance of full and proper training. Many newer medical devices are highly complex, contain a wide variety of unique hardware and software that must work seamlessly to provide safe functioning, and are highly regulated.
Nowhere is this oversight by independent servicers more evident than their misrepresentation of the cybersecurity challenges in the hospital environment. A recent example of this public misdirection comes from an article, “The Fight Heats Up,” published in 24×7. The piece, which provides a comprehensive recap of the OEM vs. aftermarket repair service business conflict, features a number of unsubstantiated, ill-informed, and self-serving claims about medical device cybersecurity from Gay Gordon-Byrne, executive director of The Repair Association. To the assertion from OEMs that HR 7956 fails to recognize or appreciate the potentially serious cybersecurity implications of allowing unregulated entities to operate on complex medical device software, Gordon-Byrne remonstrated that “either [a device] is cyber-secure or it isn’t. Repairing it is not the way risks are introduced.”
This statement underscores the problem with so many arguments presented by these aftermarket servicing businesses: the oversimplification of a complex and consequential issue.
The claim that the cybersecurity of a medical device is a strict binary, “secure” or “insecure,” is simply wrong. The security of any medical device, from large MRI machines to portable point-of-care ultrasound devices, is achieved through ongoing risk mitigation and prevention. It has been well established that cybersecurity is a shared responsibility among manufacturers, providers, servicers, regulators, and others who work in concert to mitigate risk. In this world, “security” is not a permanent state of being. It is an ongoing process.
Over the last few decades, as medical devices became increasingly reliant on a harmonized interaction between their hardware and software components, the cybersecurity consequences of even a slightly imprecise or careless maintenance job have become increasingly stark. It’s exactly for this reason that the Food and Drug Administration holds OEMs to mandatory Quality System/Current Good Manufacturing Practices, to ensure that device software updates, patches, and more comprehensive repair jobs are done correctly. Third-party servicers are held to no such standards, and by allowing these unregulated entities inappropriate access to device software, HR 7956 creates unnecessary risks that may undermine the security and functionality of a medical device. Moreover, the risks are multiplied by the fact that complex devices are frequently connected to other devices, databases, and hospital networks.
The life cycle of a medical device can last years, in some cases, more than a decade. That’s a long period of time in which cybersecurity threats could be introduced. Mitigating risk is a constant effort – and by oversimplifying and framing this issue as akin to a mobile phone or an aftermarket auto repair, advocates of HR 7956 are doing a disservice to providers and, more important, to patients.
Henry I. Miller, a physician and molecular biologist, was a 15-year veteran of the FDA and the founding director of its Office of Biotechnology.