As we discussed in our last post, the U.S. Copyright Office recently published its sixth set of exemptions to the Digital Millennium Copyright Act (“DMCA”). In Part 1 of our multi-part analysis we discussed the DMCA’s statutory privacy exception. Today we begin with the new exemptions – specifically two exemptions related to medical devices.
The Medical Device Research Coalition (“MDRC”) filed a petition for an exemption for computer programs on implanted medical devices – such as pacemakers, implantable cardioverter defibrillators (“ICDs”), insulin pumps, and continuous glucose monitors – and their corresponding personal monitoring systems. MDRC’s proposed exemption would allow research on software security flaws and also allow patients access to the data generated by their own medical devices. The Register of Copyrights decided to split the class into two subclasses – 27A concerning security research and 27B concerning access to patient data – in order to better address the issues. USCO Recommendation (Oct. 2015); Final Rule, 80 Fed. Reg. 65944.
Class 27A: Security research on software on medical devices
According to some experts, it is possible for hackers to remotely and (relatively) anonymously commandeer devices, including pacemakers and implanted drug pumps, and cause serious harm to the patients implanted with them. For example, see FDA Medical Device Safety Notice (July 31, 2015). Fans of the Showtime series Homeland may remember that fictional VP William Walden met such a demise when Brody gave Abu Nazir the serial number to the Veep’s pacemaker.
Accordingly, proponents of the exemption for research on security flaws in the software controlling medical devices asserted that this research is crucial because security flaws can potentially lead to serious consequences, including physical injury or even death. Opponents expressed similar concerns for public health and safety, arguing however that information obtained through security research could be used by bad actors, a point with which several government agencies, including FDA, agreed.
Nevertheless, the Copyright Office adopted an exemption that allows for good-faith security research on medical devices, but delayed it for 12 months in order to allow government agencies sufficient opportunity to respond. The narrow exemption limits research to medical devices that are not and will not be used by patients, and mandates that the research be carried out in a controlled environment so as to avoid harm to individuals and the public.
The exemption does not, however, include specific language about disclosure of research findings. Opponents relayed their concerns about disclosure, including the possibility that if security flaws were made public, consumers might lose faith in their medical devices. Opponents also argued that researchers should be required to inform the software developer or product manufacturer before the software flaws are made public, so that the developer/manufacturer has an opportunity to correct them and thus prevent bad actors from exploiting the flaw. The exemption only states that any research activity be used “primarily to promote the security or safety of the class of devices or machines on which the computer program operates.” It remains to be seen how that caveat affects the behavior of researchers in practice.
The 12-month delay in implementation will give government agencies and industry actors a chance to assess their positions and make any pre-emptive changes. For medical device manufacturers, it may be beneficial to expand their own security research initiatives over the next year. If manufacturers are able to show that their own research is sufficiently robust, opponents of the exemption may push back more strongly and argue to further limit the exemption.
Class 27B: Patient data from networked medical devices
Many implanted medical devices today measure and record data and wirelessly send them to personal monitoring systems or to a physician’s office. The MDRC requested an exemption that would allow patients to access the data generated by their own devices and personal monitoring systems so that they can monitor their health in real-time without having to visit their doctor. Opponents expressed concerns over the strain that repeated requests for data could place on the battery life of medical devices and contended that research on the software could affect the devices’ performance or lead to malfunctions.
Considering the opponents’ concerns, the Copyright Office adopted an exemption that allows for circumvention “undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system” and limits circumvention to passive monitoring of wireless transmissions that the devices would be producing anyway, so as not to reduce their battery life. Unlike the exemption for Class 27A, there will not be a delay in implementation of this exemption.
An issue that the Register wrestled with in making the recommendation is that most of the data outputs of medical devices are not copyrightable at all. However, proponents asserted – and some opponents admitted – that there are certain outputs in the form of compilations of data that would qualify as protectable literary works, to which the exemption is limited.
The ability of patients to access their own health data has been a hotly contested issue for some time now. In a world where people now have resources to take control over monitoring their health through fitness apps on cell phones and wearable health monitoring devices like the Fitbit, some consumers want to take a more active role in managing their serious health concerns. Allowing people to access the data from their implanted devices directly would allow them to identify fluctuations and patterns, which can be an important aspect of managing health conditions such as arrhythmias.
If medical device manufacturers hope to avoid having consumers intercept wireless data communications from their medical devices through third-party means, they may wish to develop accessible, understandable reports and mechanisms for delivering them directly to patients. Health care providers who currently receive the data from patients’ medical devices could also develop their own patient reporting processes, which would obviate the need for patients to find other ways to access their data themselves. While there may be issues with patients becoming overwhelmed by complicated data, it will be interesting to see whether, as proponents of the exemption suggested, giving patients access to their own medical data will help them better monitor and treat long-term medical conditions.
This article was prepared by Mayura Noordyke under the supervision of Sue Ross.
Section 1201 Rulemaking: Sixth Triennial Proceeding to Determine Exemptions to the Prohibition on Circumvention, Recommendation of the Register of Copyrights (U.S. Copyright Office, Oct. 2015)
Final Rule, 80 Fed. Reg. 65944
Jeremy Kirk, “Pacemaker hack can deliver deadly 830-volt jolt,” Computerworld, IDG News Service (Oct. 17, 2012)
“Citing hacking risk, FDA says Hospira pump shouldn’t be used,” CNBC online (Aug. 3, 2015)
FDA Medical Device Safety Notice (July 31, 2015)
Hugo Campos, “The Heart of the Matter: I can’t access the data generated by my implanted defibrillator. That’s absurd,” Slate, New America and ASU (March 24, 2015)