What new DMCA rules mean for medical device research
This week the Library of Congress issued exemptions to the Digital Millennium Copyright Act that pave the way for independent researchers to begin examining medical devices for software flaws.
Expectant mothers often have health concerns, but Brooklynite Karen Sandler's are different than most. Doctors had outfitted Ms. Sandler with an implantable defibrillator several years before her pregnancy due to a heart condition.
But defibrillator makers aren't exactly focused on how their devices might affect pregnancies – and it has already shocked her twice reacting to an elevated heart rate, something fairly normal for pregnant women.
For years, Sandler has campaigned to see the source code of her defibrillator. An engineering graduate from Cooper Union, she always said she would have more peace of mind if third-party researchers could examine the functionality of medical devices.
But that kind of independent research has been banned under a nearly 20-year-old law known as the Digital Millennium Copyright Act (DMCA). One provision bars anyone from bypassing systems designed to protect copyrights for any reason, whether they were pirating a movie or making sure their insulin pump wasn’t malfunctioning.
Now, however, because of sweeping copyright reforms passed by the Library of Congress, which updates the DMCA every three years, independent researchers will be legally allowed to investigate most medical devices as well as perform other sorts of good faith research on automobile software and other consumer devices.
In recent years, consumer and tech groups have pushed for changes to the law across a variety of, especially in light of independent research revealing software vulnerabilities in cars, traffic signals, and baby monitors. After the DMCA was updated, exempting security research from copyright laws received most of the fanfare, followed by the right to modify cell phones and smart TVs.
But Sandler, who heads up the open source software advocacy group Software Freedom Conservancy that has advocated for copyright reform, and other advocates believe the medical devices will be just as important - even life saving. The FDA calculated that around 15% of all device recalls are spurred by errors in software.
"It’s a big win," she said. "It was only a little less than everything we had been suggesting. This is definitely a win."
As Sandler noted, the Library of Congress granted the exemption with caveats. The rule will not take effect for a full year, and won't permit all forms of research. Investigators will have free reign to study devices that are not implanted inside the body. But for devices that had been or would be implanted, researchers will be allowed to "passively" study those in ways that don't affect functionality.
Sandler had hoped researchers would be allowed unlimited access to implanted devices as long as they obtain patient permission. Instead, the Library of Congress sided with medical device manufacturers that argued that batteries – and therefore functionality – would be negatively affected if researchers regularly access their devices. When implant batteries fail, patients require additional surgeries to replace them.
Still, said Sandler, the changes in copyright law will allow a tremendous amount of research to take place that is currently forbidden under current laws.
Andy Sellars, a Harvard University Cyberlaw Clinic staff lawyer, worked with Sandler to prepare her comments to the Library of Congress in favor of the changes. While he agreed the limits to the copyright exemptions wouldn't stymie current research, he said the Library of Congress decision making on the matter does raise concerns about the DMCA review process.
"Battery life isn’t an issue of protecting copyright – none of the arguments against research were about protecting copyright,” said Mr. Sellars.
Since the Library of Congress lacks the subject matter expertise of an agency such as the FDA, which regulates medical devices, it may be unqualified to make decisions about how copyright issues could affect technical performance, said Sellars. "They can only rely on their intuition about the effects to batteries," he said. "And intuition is not a good standard to evaluate the safety of devices."
The FDA addressed some of these concerns in a letter it submitted to the Library of Congress during the DMCA deliberation. While it supported an exemption for devices that were not currently and never would be implanted, it also made clear its concern that "third parties that modify medical devices may become regulated manufacturers under the [law]. As such, it may be useful for those who might circumvent [copyright protections] to understand that other federal laws may apply and that the circumvention exemption is not an exemption from other applicable regulations."
As for device makers, one of their chief complaints is that allowing third parties to audit software will invite copyright infringement.
"Intellectual property is the lifeblood of the industry," said Genevieve Plumadore, vice president of government relations for the Minnesota industry group LifeScience Alley, which lobbied against an exemption. "Without intellectual property, businesses will dry up."
But she does align with Sellars’s sentiments that the copyright office is not the place to make decisions with real medical consequences – something she agrees is best left to the experts at the FDA.
Ms. Plumadore says that while the industry is comfortable being regulated by multiple agencies, the DMCA ruling makes it seem like agencies are not on the same page about regulation. She said the FDA has extreme trepidation even letting the manufacturers tinker with their own software, and that this decision sends the exact opposite message.
"It’s frustrating to see agencies are not communicating with each other. The FDA is trying to address some of the security concerns with software, as is the Department of Homeland Security. We would like to see more of a coordinated effort," she said.
The FDA will have a chance to take back some of the reigns when it comes to regulating the independent research of medical devices. The Library of Congress has instated a one-year buffer period before the exemption will take place, giving all interested federal agencies a chance to raise new concerns and suggest further restrictions.
Both sides of the debate have criticized the one-year waiting period.
For Plumadore, it’s a further sign that the agencies did not coordinate in advance of the rule change.
To advocates of independent medical device research, it means another year will go by before work can begin. And, since DMCA exemptions need to be renewed every three years, it cuts off valuable time before the future becomes uncertain.