The major health care and cybersecurity risk of ‘Right-to-Repair’ laws

The major health care and cybersecurity risk of ‘Right-to-Repair’ laws

Just like other devices we rely on, medical devices can improve our quality of life — so long as they are maintained to work properly. When they are not — or not maintained or serviced in line with FDA approval — there can be huge health care and cybersecurity risks.

In the brief on a just-released FDA discussion paper, William Maisel, notes, “Many medical devices are reusable and need preventative maintenance and repair during their useful life; therefore, proper servicing is critical to their continued safe and effective use.” Maisel, M.D., is the director of the Office of Product Evaluation and Quality in FDA’s Center for Devices and Radiological Health. Who could possibly disagree with such a statement? Lawyers.

That’s right, the tort bar is prioritizing profit over patient safety. For shame. (No, I’m not surprised either.)

Quality is the glue that holds together our health care technology ecosystem. Whether it’s a medicine for high blood pressure, a COVID-19 vaccine or a medical device such as an implantable stent or a room-size MRI machine, the FDA’s mission rests upon a triad of trust — safety, effectiveness and quality. And the bedrock upon which quality rests is Good Manufacturing Practices. Who could be against that? Lawyers.

Consider the recent spate of suggested state and federal legislation on what is called “Right-to-Repair.” At first glance, it seems like a good idea. Why not make it easier for consumers to fix their broken electronics, without having to pay a costly sum to the original manufacturer? But, as HL Mencken reminds us, “for every complex problem there is an answer that is clear, simple, and wrong.” The reality is that Right-to-Repair presents many dangerous unintended consequences. The No.1 problem is that it compromises patient safety.

The core of Right-to-Repair laws is to require innovative technology companies to make product repair information, replacement parts and tools readily available to consumers and third-party repair shops. Should that be the case for devices such as Automated External Defibrillators and hospital ventilators? What about electrocardiograph (ECG) machines? Can physicians and patients be confident in non-FDA compliant vendors without the advanced training and technical ability to properly repair and recalibrate life-saving machines? Who could argue that “anyone can do it?” Lawyers.

Why? Because when things go wrong, when medical devices fail, when patients and their families suffer the consequences, when associated health care costs skyrocket — it seems lawyers see opportunity. And they aim their lightening lances of litigation at the deepest pockets — the original manufacturers. 

It seems the tort bar is creating a problem they can exploit for profit.

But wait, it gets worse. By allowing third parties without any FDA competence to repair regulated, complicated medical devices, Right-to-Repair also opens the door to breaches in cybersecurity. 

According to the FDA, “cybersecurity is a widespread issue affecting medical devices connected to the Internet, networks, and other devices. Cybersecurity is the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”

In the just-released FDA discussion paper that I referenced above, “Strengthening Cybersecurity Practices Associated with Servicing Medical Devices: Challenges and Opportunities,” the agency asks, “How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?”

According to the discussion paper, “FDA defines service to be the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use.”

In other words, the first step in advancing medical device cybersecurity is to limit and ensure that those who control repairs and maintenance of these highly sophisticated pieces of health care technology are regulated FDA manufacturers.

On July 27, the FDA is holding a public meeting on this topic. It couldn’t be timelier. The proper servicing and security of medical devices and other health care technologies mustn’t be subsumed for profit.

Peter J. Pitts, a former FDA Associate Commissioner, is president of the Center for Medicine in the Public Interest and a visiting professor at the University of Paris School of Medicine.