First federal ‘right to repair’ legislation filed in US to help hospitals through pandemic

An opinion piece by Robert J. Kerwin

Senator Ron Wyden (D-Ore.) and Rep. Yvette Clarke (D-NY) filed today in the U.S. Senate and the U.S. House of Representatives the first federal right to repair legislation.

“There is no excuse for leaving hospitals and patients stranded without necessary equipment during the most widespread pandemic to hit the U.S. in 100 years,” Wyden said in a statement. “It is just common sense to say that qualified technicians should be allowed to make emergency repairs or do preventative maintenance, and not have their hands tied by overly restrictive contracts and copyright laws, until this crisis is over.”

Many regard this as the first formal recognition in Congress that some manufacturers are imposing undue restraints on hospital biomeds’ and independent servicers’ access to repair information, in a manner that could impede hospitals’ treatment of patients during a national health crisis.

Wyden and Clarke are seeking immediate consideration of the legislation to aid medical providers grappling with shortages of critical equipment. Titled the “Critical Medical Infrastructure Right-To-Repair Act of 2020”, the bill seeks temporary relief, for the duration of the pandemic emergency, from provisions of the copyright and patent laws that could be used to limit access to service information.

Some manufacturers have previously invoked these provisions in lawsuits, claiming copyright or patent infringement for accessing equipment maintenance information or for circumventing technological measures that control access. If adopted, the ‘Right to Repair’ legislation would not only make such circumvention lawful under the terms of the bill, but would also permit the incidental copies of service materials that are made during maintenance or repair of ‘critical medical infrastructure’.

The language of the bill is narrow and by its terms expires at the end of the declared public health emergency. By law Public Health Emergencies expire at the end of 90 days unless renewed. The current renewal of the public health emergency was declared by HHS Secretary Azar on July 23, 2020 and will expire in October if it is not renewed at that time.

IAMERS has worked with Senator Wyden, U.S. P.I.R.G. and other industry leaders in a coalition to help fashion the legislation. Supporters of the bill include the American College of Clinical Engineering (ACCE), National Rural Health Association (NRHA), National Association of Rural Health Clinics (NARHC), Alliance for Quality Medical Device Servicing (AQMDS), ISS Solutions Healthcare Technology Management, The Repair Association, Electronic Frontier Foundation (EFF), Color of Change, Public Knowledge, R Street Institute, Lincoln Network, Niskanen Center, Colorado Association of Biomedical Equipment Technicians (CABET), Maine General Medical Center, Pennsylvania Public Interest Research Group (PennPIRG) and the Center for Democracy & Technology (CDT).

“I’ve talked to over a hundred biomeds since the start of the crisis—all they want is to be able to fix broken equipment and protect the patients in their hospitals,” said U.S. P.I.R.G. Right to Repair advocate Kevin O’Reilly. “By giving these frontline workers access to service materials, Sen. Wyden’s bill helps them get their job done.”

The legislation encompasses not just biomeds but “any person engaged in the diagnosis of problems with respect to, or the service, maintenance, or repair, of critical medical infrastructure.” It provides relief from the copyright and patent laws to “covered service providers”, a term that includes an owner or a licensee of a copy of service materials, or their agent.

The bill imposes a duty to disclose service materials upon manufacturers of ‘critical medical infrastructure’ so that hospitals may readily obtain service access information for medical equipment being used for diagnosis and treatment. ‘Critical medical infrastructure’ is defined as, “a device, computer program, or other product or equipment used to provide medical services.”

Service materials, when used with respect to ‘critical medical infrastructure’, include any information or material that the manufacturer provides ‘directly, indirectly or wirelessly’ to technicians of the manufacturer or to repair facilities authorized by the manufacturer, including:

  • Schematics, wiring diagrams, mechanical layouts, and other pertinent data with respect to the critical medical infrastructure;
  • Computer programs used in diagnosing problems or in calibrating, repairing, or maintaining the critical medical infrastructure;
  • Service keys that are required to access diagnostic information or otherwise authorize repairs;
  • Access to error logs that are required to diagnose required repairs;
  • Preventative and corrective maintenance, inspection and repair manuals;
  • Safety alerts, recalls, service bulletins, specification updates and the need for adjustments to maintain efficiency, safety and convenience;
  • Any other information provided to diagnose problems with respect to service, maintain, repair, activate, certify or install; and
  • Training materials.

Manufacturers would be required to provide on fair and reasonable terms, access to information and tools used to diagnose problems and service. Under the legislation, the information available to a “covered service provider” would include schematics, service keys, error logs, manuals, safety alerts, recalls, specification updates and other information to diagnose problems with respect to repairing critical medical infrastructure.

There are other key provisions in the legislation designed to facilitate equipment repair. Provisions in existing contracts with manufacturers are deemed null and void during the emergency if they prohibit or restrict the healthcare provider’s repair or maintenance options. There is even a provision which permits a covered healthcare provider to fabricate a part, on a non-commercial basis and as needed, for the repair or maintenance of critical medical infrastructure. The legislation is silent as to whether other regulatory authorities, such as the FDA, would have to be notified; presumably the FDA could perceive such actions as some form of adulteration of the device and would need to weigh in on safety issues.

The legislation also states that it is not a violation of the copyright law for a covered healthcare provider to manufacture, import, or otherwise traffic in technological means to circumvent a technological measure that effectively controls access to a work protected under the copyright laws, if that action by the covered healthcare provider enables a repair or maintenance permitted under the legislation.

The U.S. Federal Trade Commission is charged under the proposed legislation with promulgating regulations and with enforcement. Violations of the act and of any rules made under it would be treated as unfair or deceptive acts or practices under existing FTC laws and regulations. Manufacturers would presumably be monitored by the FTC for compliance, or would at least be wary that conduct violating the legislation could be reported by hospitals or their agents. The legislation also calls for the FTC to conduct a study within one year on the impact and effectiveness of the act with respect to innovation, anticompetitive practices in the market, and enforcement.

Some industry thought leaders, while applauding this legislation, have noted that this legislation, if adopted, would be in effect for a limited period of time.

“This legislation is a good first step during the pandemic,” said Marc Schaefer, president of Alabama-based Medical Imaging Systems. “We do feel that this level of access needs to be granted permanently and not just for a crisis. In many ways you add to the crisis by limiting supporting information.” Schaefer added: “all discussions on healthcare should start with one focus: will this affect the patient? Greater cooperation [on access] means more resources for better patient outcomes.”

As Jimmy Kallam, president of East Coast Medical, observes, “it should always just be about helping the patient.”

“We need to do more to help the rural communities and we are hoping that there will be other steps taken to ensure that rural communities have better access,” said Jason Kitchell, president of Missouri-based Universal Medical Resources.

Some detractors have said that the bill offers no answers for what happens to the service access information when the national emergency ends. However, IAMERS president Diana Upton observed that, “the hospital accrediting organization, The Joint Commission, already requires this information to be provided anyway.”

Joint Commission Standard EC.01.01.01 requires that a hospital maintain a library of information regarding the inspection, testing and maintenance of equipment. There are sound compliance and risk reasons for the Joint Commission’s requirement, among them the need for the hospital to plan for natural disasters. As many have recently experienced power outages with seasonal storms and bad weather, equipment maintenance information should be on hand when an emergency arises. As FEMA has noted, when there is a disruption of power, hospitals should have an emergency plan for restoration (see FEMA info at p.9). Manufacturers are not always available during a disaster or emergency, as they may be geographically unable to assist. In any event, hospitals should also have the choice of using either in-house biomeds or independent servicers.

This legislation addresses the elephant that is often in the room: the claim by manufacturers that they are permitted to withhold service access information because equipment maintenance information is a trade secret. The legislation provides that a manufacturer of critical medical infrastructure may not withhold information on the ground that disclosing it would divulge methods or processes entitled to protection as trade secrets, if that information is provided directly or indirectly to authorized dealers or service providers. Tools, including software, must likewise be made available on fair and reasonable terms.

Among the bill’s detractors is the Medical Imaging Technology Alliance (MITA), which represents the interests of medical equipment manufacturers and argued that patient safety could be compromised by the legislation.

“While the intention of the bill’s sponsors is to protect patients, the unintended consequences of this legislation would increase the risk to patient safety,” said Patrick Hope, executive director of MITA. “Especially during the pandemic, we should want the most qualified, trained experts servicing essential medical equipment, not third-party servicers unknown to the FDA who are not held to any requirements.”

A 2018 FDA report determined there was insufficient evidence of a safety issue with non-OEM service entities to warrant increased oversight.

About the author: Robert Kerwin is general counsel to IAMERS and has served in that capacity for over twenty-five years.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/52106

Reviewing some of the key considerations for cyber insurance

June 24, 2020
By Robert J. Kerwin 

The 2020 global increase in malicious cyber activity against companies has been well reported. As of March 30, 2020, the FBI’s Internet Crime Complaint Center (IC3) reported it had received and reviewed more than 1,200 complaints related to COVID-19 scams.

In a previously published report, the global cyber education company Cybint noted that 64% of companies experience web-based attacks, and that 43% of cyber attacks target small businesses. Despite those threats, only a relatively small percentage of firms carry cybersecurity insurance to cover all risks.

Many companies don’t fully realize the scope and breadth of their cyber policies until a cyberattack occurs, which is not the time to determine how good your policies are. Companies need to review their cyber policies now. Moreover, a company’s future business may, in part, depend upon whether it carries cyber insurance. Recognizing the perilous nature of these cyber threats, more and more hospitals and manufacturers are requiring their vendors to carry cyber insurance.

Wading into the confusing world of cyber insurance is not easy. Policies are full of complicated coverage terms, including: incident response costs, legal and regulatory costs, IT security and forensic costs, crisis communication costs, privacy breach management costs, third party breach management costs, post breach remediation costs, theft of funds in escrow, theft of personal funds, extortion, corporate identity theft, push payment fraud and unauthorized use of computer resources, system damage and rectification costs, income loss, business interruption, reputational harm, claim preparation, hardware replacement costs, fines, and intellectual property infringement.

Navigating all of the above is no walk in the park — especially after completing an extensive application form which requires disclosure of all controls and policies currently in place. The questions will vary from insurer to insurer, but they will all want to know if you had an independent third party cybersecurity audit and an account of any remediation that was performed. Candor is important, especially with respect to the training being given to employees in cybersecurity and whether your policies and procedures are being followed. Will an insurer pay claims submitted if they come to learn that the application disclosed policies and procedures that were never followed? 

So where do you begin? Cyber insurance is not like any other insurance. Several acknowledged authorities encourage simplifying the coverage inquiry to a few questions. Why do you need it? Are your biggest vulnerability concerns privacy obligations (PII or PHI)? Is your concern loss of data? One must begin with data mapping: where does your data sit? If it’s in the cloud with a third party, you will want to have third-party coverage. If your company uses a social media platform, you may want to look into media liability coverage. Can you obtain coverage retroactively? You want to have a vulnerability assessment conducted and, of course, remediation undertaken. At that point you can assess which coverages are needed. You should have a solid data governance program. What are your document retention and destruction policies? Most states have long required that you maintain a written information security plan (WISP), so when incidents occur you can use your WISP to respond in real time to the threats. Most importantly, you need an “owner” within the company.

Tip: don’t base the owner of the data governance policy on the “org” chart. Appoint someone whose real job it is to manage the data privacy and governance concerns. She or he should have good data from inside the company to establish continuity plans and to modify plans as times and threats change. While many will want to use outside consultants to quickly get up to speed, don’t forget your insurance libraries. I use the Insurance Library Association of Boston. Yearly membership costs are relatively modest, and they respond to my emails on various insurance topics. 

Always ask to see the cyber policy ahead of time. Don’t rely on summaries or websites. You will need to read the fine print. The old adage “don’t judge a book by its cover” is so applicable to the cyber insurance policies. 

Recently, I reviewed the proposed 30-page Policy Document for Cyber Insurance for a small company. The Declarations page displayed cyber incident response limits of liability which, at first blush, looked ample. The document offered “Limit of Liability: $1,000,000 for each and every claim; legal and regulatory costs: $1,000,000,” and so on.

The definitions told the real story. You likely don’t need a $1,000,000 coverage limit if it only pertains to the financial cost of contacting the insurer’s 24/7 cyber incident response line. The same goes for legal and regulatory costs if all that means is that you are able to use the insurer for drafting data breach notifications to governmental entities and customers. Wading through the 8-point font, it seemed that real losses were capped at $50,000. I guess I should have been tipped off when the premium quote for 12 months of coverage was so low.

Good cyber insurance is expensive compared to other policies. In part, the higher premium costs reflect the reality that cyber claims are now routine. Consider whether it makes sense to seek longer-term coverage if possible. Some insurers are contemplating exiting the market because of the high number of claims, and the sad reality is that cyber threats are now a permanent business threat.

About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers Inc. and a member of the HSCC Legacy Medical Device Task Force.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51640

New IMDRF Cybersecurity Guidance: Crystal Ball on Regulator Expectations

June 4, 2020
By Robert J. Kerwin


In the wake of the enormous increase in cybersecurity incidents, medical device regulators world-wide have been engaged in the development of pre-market and post-market guidance outlining cybersecurity expectations. In March, the International Medical Device Regulators Forum (“IMDRF”) released the guidance, “Principles and Practices for Medical Device Cybersecurity”.

It is the first IMDRF guidance document that focuses exclusively on medical device cybersecurity. Because it is a consensus document produced by an IMDRF Working Group, it is expected to contribute greatly to much of the ongoing industry cyber standards work.

In 2011, following the cessation of the Global Harmonization Task Force, the IMDRF was conceived as a forum to discuss future directions of regulatory harmonization and convergence. It is a voluntary group composed of regulators. The regulators are committed to accelerating strategically the international harmonization of medical device regulations. The IMDRF members include the United States, Europe, China, Japan, Russia, Canada, Brazil, and Australia. Official Observers include the World Health Organization.

The March IMDRF Guidance now provides recommendations to stakeholders on the general principles and best practices for medical device cybersecurity. The IMDRF Working Group chairs for the project were Suzanne Schwartz of the FDA and Marc Lamoureux of Health Canada. The Guidance includes recommendations to minimize cybersecurity risks and to ensure maintenance and continuity of device safety and performance. Note: with respect to safe and effective design/manufacture of medical devices, the March IMDRF Guidance acknowledges that this Guidance should be considered in conjunction with the IMDRF Essential Principles Guidance.

The March IMDRF Guidance addresses cybersecurity in the context of devices that either contain software or exist as software only. The scope of the Guidance is expressly limited to consideration of the “potential for patient harm.” While recognizing the importance of cybersecurity for a manufacturer’s enterprise and for harms associated with breaches of data privacy, these are not considered in the scope of this Guidance. Among the key takeaways:

• Total product lifecycle risks. Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases in the TPLC (initial conception to end of support);
• Shared responsibility. Device cybersecurity is a shared responsibility between the manufacturer, healthcare provider, users, regulator, and vulnerability finders. All stakeholders are expected to “understand their responsibilities to work with other stakeholders to continuously monitor, assess, mitigate, communicate and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.”
• Information sharing. The Guidance notes: “[c]ybersecurity information sharing is a foundational principle in the TPLC approach to safe and secure medical devices”. The Guidance specifically encourages stakeholders to participate in Information Sharing Analysis Organizations to foster collaboration and communication as to cybersecurity incidents and threats.

Of particular interest and concern, the Guidance sets out a conceptual framework under which legacy medical devices that cannot be protected are decommissioned and phased out. The Guidance provides that no cyber support should be expected for a medical device past its established cybersecurity ‘End of Support’ date.

Importantly, the Guidance does acknowledge that “compensating controls may be able to provide some level of protection. In the presence of available and successfully deployed compensating controls the medical device would not be considered legacy per this framework.” This is an important clarification, as there are reportedly nano-segmentation and other solutions available which may mitigate health data security risks.

Several other important takeaways are provided in the Guidance including the recommendation to establish clear points of contact with device manufacturers on vulnerabilities. This 46-page IMDRF guidance is an important read for those searching for a crystal ball to better understand regulator cybersecurity expectations.

About the author: Robert J. Kerwin is the general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51420

Draft Standard on Refurbishing Equipment Could Lead to Greater Manufacturer Control

May 27, 2020
By Robert J. Kerwin 

With the gradual reopening nationwide of the economy, we are understandably focused on getting back to business, while ensuring the health and safety of our families. Raising a discussion of new ‘refurbishing standards’ for certain non-imaging medical equipment may provoke the question: how could this be relevant to my business? 

Standards are essential tools for technology and business. One day the draft standard may become the industry standard or… a regulatory requirement. Standards offer important opportunities for consensus. Standards may provide key rules and metrics for technology and trade. The American National Standards Institute requires in its ‘Essential Requirements’ that the standards development process not be dominated by any single interest, category, or organization. It requires a balancing of interests and good faith efforts to harmonize. There should be no undue barriers to participation. 

The International Electrotechnical Commission (IEC) is another highly respected standards organization. Many consider the IEC to be the leading organization that prepares international standards for electrical, electronic, and related technologies. The IEC provides a platform for discussion and development of international standards. During its prestigious history, the IEC technical committees have considered devices ranging from instruments used in connection with ionizing radiation to MP3 players. 

One draft IEC standard, IEC 63120, which was prepared by an IEC Working Group and circulated for comment is titled ‘Refurbishment of medical electrical equipment, medical electrical systems and sub-assemblies and reuse of components as part of the extended life-cycle’. The standard does not cover medical imaging equipment which is addressed by a separate IEC standard. Many aspects of the IEC 63120 refurbishment process are very carefully considered and specify necessary risk management steps. The sections covered range from safety to the establishment of a refurbishment plan. Under the standard, refurbishment must be conducted under a certified quality management system such as ISO 13485:2016 or the equivalent. The refurbishment process of sub-assemblies is also addressed. 

The IEC draft reviewed includes language that, if ultimately adopted, may change who may refurbish, and the requirements that apply when the refurbishment is not performed by the manufacturer. Section 4.1 of the General Requirements for Refurbishment provides that the refurbisher:

• should be qualified by the Manufacturer prior to authorization; 

• should be authorized by the Manufacturer; 

• should be controlled by the manufacturer in an appropriate way; 

• should be accountable to provide feedback to the manufacturer; and 

• there should be a quality assurance agreement regarding post market information between the refurbisher and the manufacturer. 

While other requirements in the standard appropriately address important knowledge areas such as sterilization, disinfection and testing, the standard does not identify why those who refurbish must be qualified, approved and accountable to a manufacturer. Parenthetically, I am not aware of manufacturers who would voluntarily approve refurbishers who are not otherwise involved in a manufacturer joint venture or parent/subsidiary business arrangement. Such standard requirements seem inconsistent with appropriate balancing of interests and other requirements for adoption of a national or international standard. We hope that the highly respected IEC would not issue final approval on a standard which apparently requires manufacturers to vet, approve and control the refurbishing process. Perhaps there is another draft in the offing which omits this requirement. Compliance with QMS and safety requirements does not always necessitate that only those approved by the manufacturer may refurbish. 

About the author: Robert J. Kerwin is the general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51349 
