Modern field guide to security and privacy

What new DMCA rules mean for medical device research

This week the Library of Congress issued exemptions to the Digital Millennium Copyright Act that pave the way for independent researchers to begin examining medical devices for software flaws.

The Library of Congress in Washington issued copyright exemptions this week that pave the way for independent researchers to examine software in some medical devices.

Expectant mothers often have health concerns, but Brooklynite Karen Sandler's are different than most. Doctors had outfitted Ms. Sandler with an implantable defibrillator several years before her pregnancy due to a heart condition.

But defibrillator makers aren't exactly focused on how their devices might affect pregnancies – and it has already shocked her twice reacting to an elevated heart rate, something fairly normal for pregnant women. 

For years, Sandler has campaigned to see the source code of her defibrillator. An engineering graduate from Cooper Union, she always said she would have more peace of mind if third-party researchers could examine the functionality of medical devices.

But that kind of independent research has been banned under a nearly 20-year-old law known as the Digital Millennium Copyright Act (DMCA). One provision bars anyone from bypassing systems designed to protect copyrights for any reason, whether they were pirating a movie or making sure their insulin pump wasn’t malfunctioning. 

Now, however, because of sweeping copyright reforms passed by the Library of Congress, which updates the DMCA every three years, independent researchers will be legally allowed to investigate most medical devices as well as perform other sorts of good faith research on automobile software and other consumer devices.

In recent years, consumer and tech groups have pushed for changes to the law across a variety of, especially in light of independent research revealing software vulnerabilities in carstraffic signals, and baby monitors. After the DMCA was updated, exempting security research from copyright laws received most of the fanfare, followed by the right to modify cell phones and smart TVs.

But Sandler, who heads up the open source software advocacy group Software Freedom Conservancy that has advocated for copyright reform, and other advocates believe the medical devices will be just as important - even life saving. The FDA calculated that around 15% of all device recalls are spurred by errors in software.

"It’s a big win," she said. "It was only a little less than everything we had been suggesting. This is definitely a win."

As Sandler noted, the Library of Congress granted the exemption with caveats. The rule will not take effect for a full year, and won't permit all forms of research. Investigators will have free reign to study devices that are not implanted inside the body. But for devices that had been or would be implanted, researchers will be allowed to "passively" study those in ways that don't affect functionality.

Sandler had hoped researchers would be allowed unlimited access to implanted devices as long as they obtain patient permission. Instead, the Library of Congress sided with medical device manufacturers that argued that batteries – and therefore functionality – would be negatively affected if researchers regularly access their devices. When implant batteries fail, patients require additional surgeries to replace them. 

Still, said Sandler, the changes in copyright law will allow a tremendous amount of research to take place that is currently forbidden under current laws.

Andy Sellars, a Harvard University Cyberlaw Clinic staff lawyer, worked with Sandler to prepare her comments to the Library of Congress in favor of the changes. While he agreed the limits to the copyright exemptions wouldn't stymie current research, he said the Library of Congress decision making on the matter does raise concerns about the DMCA review process.

"Battery life isn’t an issue of protecting copyright – none of the arguments against research were about protecting copyright,” said Mr. Sellars.

Since the Library of Congress lacks the subject matter expertise of an agency such as the FDA, which regulates medical devices, it may be unqualified to make decisions about how copyright issues could affect technical performance, said Sellars. "They can only rely on their intuition about the effects to batteries," he said. "And intuition is not a good standard to evaluate the safety of devices."

The FDA addressed some of these concerns in a letter it submitted to the Library of Congress during the DMCA deliberation. While it supported an exemption for devices that were not currently and never would be implanted, it also made clear its concern that "third parties that modify medical devices may become regulated manufacturers under the [law]. As such, it may be useful for those who might circumvent [copyright protections] to understand that other federal laws may apply and that the circumvention exemption is not an exemption from other applicable regulations."

As for device makers, one of their chief complaints is that allowing third parties to audit software will invite copyright infringement.

"Intellectual property is the lifeblood of the industry," said Genevieve Plumadore, vice president of government relations for the Minnesota industry group LifeScience Alley, which lobbied against an exemption. "Without intellectual property, businesses will dry up."

But she does align with Sellars’s sentiments that the copyright office is not the place to make decisions with real medical consequences – something she agrees is best left to the experts at the FDA.

Ms. Plumadore says that while the industry is comfortable being regulated by multiple agencies, the DMCA ruling makes it seem like agencies are not on the same page about regulation. She said the FDA has extreme trepidation even letting the manufacturers tinker with their own software, and that this decision sends the exact opposite message.

"It’s frustrating to see agencies are not communicating with each other. The FDA is trying to address some of the security concerns with software, as is the Department of Homeland Security. We would like to see more of a coordinated effort," she said.

The FDA will have a chance to take back some of the reigns when it comes to regulating the independent research of medical devices. The Library of Congress has instated a one-year buffer period before the exemption will take place, giving all interested federal agencies a chance to raise new concerns and suggest further restrictions.

Both sides of the debate have criticized the one-year waiting period.

For Plumadore, it’s a further sign that the agencies did not coordinate in advance of the rule change.

To advocates of independent medical device research, it means another year will go by before work can begin. And, since DMCA exemptions need to be renewed every three years, it cuts off valuable time before the future becomes uncertain.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to What new DMCA rules mean for medical device research
Read this article in
QR Code to Subscription page
Start your subscription today