How Medical Device Manufacturers Inject Copyright Into Treatments

Copyright seems an odd topic for a blog devoted to health IT, and I assure readers that I would not subject them to copyright's intricacies, had not a set of conniving device manufacturers exploited it for business methods of dubious ethics.

I remember when, during the cresting peer-to-peer file-sharing crisis in 2001 or so, a judge ruled that college students found sharing files would have to take a 90-minute course on copyright law. I assailed that as a violation of the Eighth Amendment to the Constitution. Despite the complexity of the issue I am addressing today, therefore, I will keep your attention for far less than 90 minutes.

The sinister evolution from MPEG files to medical data

The most recent major change to copyright law in the U.S. is the Digital Millennium Copyright Act (DMCA) of 1996. Lawmakers were struggling with the emerging realization that digitization and the Internet were disrupting content production and distribution in ways at least as profound as the invention of the printing press.

In particular, music and movie producers were adding encryption and certificates to their content in order to control who could have access. Theoretically, one could watch a movie one paid for but not give it to a friend to watch. But the "technical protection" measures they used were weak and buggy, so they looked for a legal work-around: an "anti-circumvention" clause in the DMCA that would criminalize attempts to break the encryption. Similar clauses were being added to international copyright agreements.

Computer experts leaped on this clause immediately, arguing that it would be anti-competitive and would hold back both research and innovation. Had the DMCA come to a vote in 2016 instead of 1996, these experts might well have prevailed, because the computer industry and Internet companies are much better organized and represented in Washington than they were 20 years ago. But at the time, Hollywood and other content producers reigned within the Beltway, so section 1201 became part of the DMCA and standard computing practices suddenly threatened jail time.

The omens uttered by computer experts were soon vindicated. In 2001, a Russian security expert who had discovered flaws in the universal Adobe PDF format was arrested as he attended a conference in Las Vegas to discuss his findings. Although Adobe triggered the arrest, the company soon repented of its hard-line stance and withdrew its complaint. Still, the US prosecutor insisted on pursuing it. Many computer conferences and researchers subsequently refused to meet on US soil because participants' safety could not be guaranteed.

In 2002, a manufacturer of computer printers named Lexmark sued another company for selling cartridges that worked with its printers. The purpose of Lexmark's lawsuit was directly anti-competitive. But they invoked the anti-circumvention clause as their justification. They won a preliminary injunction, and although their lawsuit was subsequently defeated, it had a chilling effect. In particular, it created a model followed by several manufacturers of medical devices.

Manufacturers like to claim that technical measures preserve security, prevent competitors from stealing their code, and prevent patients from hurting themselves through the use of data. But these are thin excuses. Encryption does not have to be a barrier to patients, because they could be granted access rights. Open source code is a totally different issue from open patient data. And the patients asking for access have solid reasons for requesting the data. Essentially, hoarding patient data is part of a strategy to keep treatment and innovative uses under the control of the manufacturer.

Hugo Campos wants to be able to access the data in his medical device

Putting the law on our side

The DMCA leaves open a provision to forbear from prosecuting users who break technical protection measures. This is like granting corporations the right to dump toxic waste on your lawn, and then granting a strictly limited right under certain conditions for you to shovel away the waste. Nevertheless, it provides a recourse for device users to get their data lawfully.

Last November, a law professor submitted a petition and a long set of comments in keeping with the DMCA, to create an exemption for device owners or researchers who break the encryption on medical devices. A hearing was held on the request on May 29.

Hugo Campos, who was outfitted years ago with an Implantable Cardioverter Defibrillator, stated that patients can significantly improve their health and chances of living by combining device data with other knowledge of their bodies and lifestyles. Appendix C, paragraphs 8 and 9 of the comments summarize his findings. Health hacker Dana Lewis filled in some context for the empowered patient movement.

At the hearing, open source programmer and medical device user Benjamin West estimated that six to eight manufacturers of medical devices now use technical measures to keep data out of the hands of users. But the field has pulled together around a defense of their practice.

As for the opposition, their statements are replete with cynically twisted arguments and general chutzpa. Having gussied up their devices to add technical protection measures, the manufacturers now thunder that the devices might fail if the owners try to circumvent the measures (pp. 1-2 of the Advanced Medical Technology Association comment). LifeScience Alley's comment takes this argument to an even more convoluted level, saying "Any circumvention activities would be outside of the manufacturer’s design, potentially voiding any warranty associated with the device." Several opponents of the petition complain about its breadth, although it merely matches the breadth of the restrictions that technical protection measures impose.

The Advanced Medical Technology Association invokes the hackneyed "security by obscurity" argument, suggesting that keeping flaws secret is safer than revealing them (p. 7). They claim that the health care provider has all the information relevant to patient needs and can provide it, but experiences in the field suggest otherwise. Anyway, data from devices is important to researchers searching for errors or adverse effects of devices, not just to individual patients. Whether or not it's hysteria (pp. 4-5 of the comment) or speculative (p. 1 of the comment by the Intellectual Property Owners Association) to worry about such things, independent researchers have both the right and the responsibility to check up on commercial companies.

Benjamin West singing the Blues as he can't get his medical data

Where is HIPAA when we need it?

Although much maligned in health care circles, HIPAA sets down admirable principles about giving patients access to their medical records, as well as using proper security to protect them from leaking. If HIPAA applies to medical device data, patients clearly have a right to their medical record, which would translate to their data held in the device.

Device manufacturers are not health care providers, so HIPAA does not a priori apply to them. However, many doctors request device data, and in providing that data, the device manufacturers have to become business associates under HIPAA. Naively, then, one would believe that they are covered by HIPAA and have to give patients their data. So the Advanced Medical Technology Association took a big risk in asserting that they need technical protection measures to enforce HIPAA protections (p. 5 of their comment).

How do they sidestep this legal mandate, then? According to Campos, they claim that HIPAA applies to the doctor rather than the manufacturer, and that the patient can acquire the necessary information from the doctor. (A funny defense considering that they argue elsewhere that the patient would be harmed by getting the data.) Campos then skewers them with the truth of the matter: all they provide to doctors is summary reports, often in hard-to-handle PDF formats. The raw data that patients like him need is never revealed.

Summing up

Arguments for proprietary data hoarding have been aired in the computer movement for decades, and have been decisively overturned by open source advocates and security experts. The real question is why any patient should be denied access to data that can improve his quality of life and chances of survival. In an age where "patient activation" and "Quantified Self" are buzzwords uttered throughout the medical industry, it is inconceivable that it could tolerate the present situation.

That copyright law should be the vehicle for denying patient rights lends an even more bizarre cast to the question. In the stately hallways and chambers of government, such obvious points tend to get lost. The Copyright Office should obviously grant the exemption for circumventing measures on medical devices. But it's really up to the institutions that order these devices and keep their manufacturers in business to put an end to this nonsense.


It's all about the money

Wow. Andy Oram with an unvarnished point of view. I love it, especially since you're on the side of the angels.

Sending patients to doctors for device data is a cynical ploy that in the present fee-for-service world will add to the practitioners' revenue and in the coming payment for value world will add the inconvenience and cost of an office visit or other physician-patient interaction for no marginal benefit.

I'm also wondering about what the TransPacific Partnership Treaty (TPP) will do to buttress the DMCA. Nothing good for patients and end users, I'd wager.