Right to Repair (RtR, R2R) is a movement by consumers and repair shops to have Original Equipment Manufacturers (OEMs) make available normally proprietary information about their products, as well as provide any necessary tools and spare parts. That way, product owners or such shops can make repairs or even update the products as they see fit without resorting to OEM-approved outlets. Such information can range from password access to a smartphone’s firmware to use of diagnostic computers normally used by an automaker’s technicians.

Bills for Right to Repair are overwhelmingly proposed at the state level, with the product varying per bill; e.g., tractors, restaurant ice-cream machines, medical PCs, etc. For this blog post, we’ll be covering the arguments pro and con on medical devices like ventilators, CT machines, infusion pumps, and imaging scanners.

Patient Safety Comes First

When a smartphone goes on the fritz, you’re temporarily inconvenienced by a lack of phone or access to social media. When a tractor goes down, the farmer can lose thousands of dollars of crops. The consequences, though, are quite different when a ventilator or a heart monitor machine goes down. Nader Hammoud, a biomedical engineering manager and member of the California Medical Instrumentation Association, may have summed up best the differences between medical devices and other manufactured items like the above smartphone: “If you don’t get that device up and running in an hour or two hours, that patient will die.” This was echoed by FTC Commissioner Rohit Chopra: “During the FTC’s review of this [Right to Repair] issue, we heard about hospitals worried that they would be unable to fix a ventilator because a manufacturer was seeking to deny access to repair it. Outages caused by repair restrictions like these can make the difference in times of emergencies.”

Both proponents and opponents point to patient safety in their arguments about Right to Repair. A survey conducted in 2020 by the pro-repair group United States Public Interest Research Group (USPIRG) revealed 80 percent of biomedical equipment technicians couldn’t service medical devices on-site because of OEM restrictions on even service materials like manuals. The situation was worse in rural hospitals, which have to endure waiting for hours, days, or even weeks for service.

OEMs have a different take. They stress the complexity of their products and the importance of having them repaired by authorized technicians. As for evidence, they simply point to what happens when healthcare groups turn to Independent Service Organizations (ISO) like Tenacore and Avante Health Solutions. Apparently both medical device manufacturers had made changes to one or more devices without the OEMs’ authorization. This led to major issues with the devices, resulting in at least one death.

Government Regulation (and Lack of)

Medical devices are highly regulated by the government. This is not surprising, given the life-and-death nature of many devices. But here’s an interesting fact. Unlike medical device manufacturers, ISOs are not regulated by any federal body. In fact, the FDA doesn’t really know how many ISOs can be found in the US. In reply, ISOs say they don’t need such regulation. Instead, they point to their relevance based on a 2018 FDA report that opines the “continued availability of third-party entities to service and repair medical devices is critical to the functioning of the U.S. healthcare system.” Also, Right to Repair advocates claim the FDA’s only “real” form of regulation is licensing the production of medical devices. Afterwards, it’s the buyer who determines how they’re used. This includes repairs. As Gay Gordon-Byrne, Executive Director of the Digital Right to Repair Coalition, countered: “The common arguments made by these planted pieces start with the premise that the FDA regulates repair — which it does not. … The FDA regulates the production of products and CMS (Center for Medicaid and Medicare Services) and TJC (The Joint Commission) regulates care facilities. Hospitals are in charge of how they maintain and repair their equipment — and not the OEM. Independent technicians are hired for their skills and expertise, and not off the street in the manner of a paving crew.”

Medical device OEMs, as you can imagine, take exception to the RtR arguments. Their compliance with FDA regulations goes way beyond the production of their devices. The Advanced Medical Technology Association, which represents device makers in the medical group industry, says OEMs are required to service their devices. Moreover, they have to meet specific requirements ranging from the training of service technicians to the maintenance of service records. Issues with their devices must be reported to the FDA, with corrective actions including recalls when necessary. Finally, the FDA can inspect OEMs to ensure they comply with these regulations. ISOs face no such FDA scrutiny.

(As an aside, at the time of this writing, there have been no available articles showing ISOs willing to support any form of regulation, especially at the federal level.)

Cybersecurity Spotlights Legacy

Cybersecurity in the healthcare field is a big issue. And, unfortunately, it looks like it’ll be getting worse before it gets better. One major reason is healthcare’s continued use of legacy systems: outdated software, hardware, or both that are no longer supported by their OEMs. According to cybersecurity firm Sensato, more than 40 percent of medical devices can be considered legacy. Issues ranging from costs and regulation to the importance of legacy equipment make it difficult to upgrade to more secure devices. And even medical equipment like medical box PCs, which can provide many modern security features like RFID scanners and Imprivata Single Sign On (SSO) to verify authorized users, have limits against hackers.

Proponents of Right to Repair, when accused of contributing to the lack of cybersecurity via lack of (admittedly) proprietary knowledge, point to the recent “Nixing the Fix” report by the Federal Trade Commission. In it, the agency writes, “The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.”

OEMs, again, counter that they are held to FDA standards while ISOs are not. And new public discussions on upcoming cybersecurity measures emphasize this even further: “FDA defines service to be the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use.” In other words, who would know better how to repair a device to its original state than its manufacturer?

Closing Thoughts

Proponents of Right to Repair look to give buyers not only the right to repair their purchases, but also to have the manufacturers provide the information and tools to do so. The issue escalates with medical devices due to the risks and regulations. Contact an expert at Cybernet to see how medical equipment plays a part in this ongoing debate. Or follow Cybernet on Facebook, Twitter, and LinkedIn to stay up to date.