If It Ain’t Broke …

By Peter J. Pitts, Former Associate FDA Commissioner | RealClear Health

On June 21, 2024, Suzanne Schwartz, director of the FDA Office of Strategic Partnerships and Technology Innovation, informed the Copyright Office that the FDA stands behind the proposed exemption from the Digital Millennium Copyright Act that would apply “to circumvention [of technological protections] that is conducted solely to obtain data access for the purpose of diagnosis, maintenance or repair of devices.”

Unlike much FDA correspondence, Dr. Schwartz’s language is neither arcane nor ambiguous. FDA does not support circumvention for the purpose of device modification. The agency’s view is that “an exemption from liability under 17 U.S.C. §1201 for circumvention conducted solely for [repair] purposes would not necessarily and materially jeopardize the safety and effectiveness of medical devices in the United States with respect to cybersecurity.”

The so-called “right-to-repair” must be limited when it intrudes on the FDA’s ability to protect the public health. Specifically, “The ability to conduct maintenance and repair of devices to restore them or ensure they work in accordance with their original specifications and any changes to those specifications authorized for such devices or systems is critical to the continued safe and effective use of devices postmarket.”

The Digital Millennium Copyright Act provides that the Librarian of Congress, upon the recommendation of the Register of Copyrights, may adopt temporary exemptions to the Section 1201 prohibition against circumvention of technological measures that control access to copyrighted works. As the Copyright Office notes, “[t]he ultimate goal of the proceeding is to determine whether there are particular classes of works as to which users are or are likely to be in the next three years, adversely affected in their ability to make non-infringing uses due to the prohibition on circumventing access controls”. When these classes are identified, the Librarian of Congress may promulgate regulations exempting the classes from the prohibition for the following three years.

FDA-regulated medical devices fall squarely into this definition.

In a recent FDA discussion paper, “Strengthening Cybersecurity Practices Associated With Servicing Medical Devices: Challenges and Opportunities,” the agency asks, “How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?”

The FDA “defines service to be the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use.”

In other words, the first step in advancing medical device cybersecurity is to limit and ensure that those who control repairs and maintenance of these highly sophisticated pieces of health care technology are regulated by FDA manufacturers.

Read the full piece in RealClear Health.