As my grandmother used to say, “A half-truth is a whole lie.”
At first glance, “Right-to-Repair” seems like a good idea. Why not make it easier for consumers to fix their broken electronics, without having to pay a costly sum to the original manufacturer? But, as H.L. Mencken reminds us, “For every complex problem there is an answer that is clear, simple, and wrong.” The reality is that Right-to-Repair presents many dangerous unintended consequences. The Number One problem is that it compromises patient safety.
The core of Right-to-Repair laws is to require innovative technology companies to make product repair information, replacement parts, and tools readily available to consumers and third-party repair shops. Should that be the case for devices such as Automated External Defibrillators and hospital ventilators? What about electrocardiograph (ECG) machines? Can physicians and patients be confident in non-FDA-compliant vendors without the advanced training and technical ability to properly repair and recalibrate life-saving machines? Who could argue that “anyone can do it”?
Well – U.S. PIRG for one.
By allowing third parties without any FDA competence to repair regulated, complicated medical devices, Right-to-Repair also opens the door to breaches in cybersecurity. According to the FDA, “Cybersecurity is a widespread issue affecting medical devices connected to the Internet, networks, and other devices. Cybersecurity is the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
In a recent FDA discussion paper, “Strengthening Cybersecurity Practices Associated with Servicing Medical Devices: Challenges and Opportunities,” the agency asks, “How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?” According to the discussion paper, “FDA defines service to be the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use.” In other words, the first step in advancing medical device cybersecurity is to ensure that control over the repair and maintenance of these highly sophisticated pieces of healthcare technology is limited to regulated FDA manufacturers.
On July 27th, the FDA is holding a public meeting on this topic. It couldn’t be timelier. The proper servicing and security of medical devices and other healthcare technologies is too important for uninformed posturing. U.S. PIRG should know better.