Scott Trevino, Senior Vice President of Cybersecurity, TRIMEDX
06.28.22
The push for a medical device “Right to repair” law will not disappear — because it shouldn’t. A marketplace free of uncompetitive restrictions encourages healthcare organizations, service providers, and original equipment manufacturers to work openly and collaboratively for patient benefit while decreasing costs and improving cybersecurity.
The pandemic underscored how beneficial such a collaborative relationship can be. A New York health system, for instance, relied on independent service organizations to service medical equipment because, in many cases, the OEMs lacked enough personnel available to perform testing.
Although a legal measure that would have removed manufacturer-imposed barriers to fixing medical equipment during the pandemic failed to advance in Congress, the momentum behind the Critical Medical Infrastructure Right-to-Repair Act of 2020 and similar efforts continues.
“Right to repair” advocates remain persistent because they know that many of the criticisms are anecdotes or myths that mask the benefits of lifting restrictions. By restricting access to service manuals, software key codes, cybersecurity patches, and other servicing materials, manufacturers limit the scope of what healthcare providers, in-house biomed service teams and third-party clinical asset management providers can do. Such constraints negatively impact the patient, increase repair costs, delay repair completion, reduce device lifespans and limit hospital choice in selecting service providers.
Myth No. 1: OEMs Need to Protect Their Intellectual Property
Manufacturers say that disclosing their proprietary technologies would erode the incentive for innovation because they would be unable to recoup much of their time, energy, and financial investment.
But OEMs themselves now hire individual service organizations to help test and service equipment. The “trade secrets” argument grows faint in the background during times of convenience. And as the pandemic showed, collaboration better serves the needs of patients, which should stand out as the number one priority for all of those concerned. Additionally, access to service materials should come at a “reasonable” cost.
Myth No. 2: ISOs Threaten Device Safety
Some OEMs point out that, as equipment manufacturers, they are regulated by the Food and Drug Administration to follow federal guidelines regarding software updates, patches, and comprehensive repairs. Independent Service Organizations (ISOs), OEMs say, are held to less stringent standards because the FDA requirement applies only to manufacturers, not end-users such as hospitals.
But many ISOs, because they are providing services for hospitals on site, are governed by the same regulatory framework and accrediting conditions as end-users. The degree of regulatory accountability that applies to hospitals applies to ISOs. More simply, ISOs are not unregulated.
Also, and more directly to the point, there is no evidence that the absence of the FDA oversight that applies to manufacturers compromises medical device safety. There is no data to support such a claim of inferior competency.
In fact, quite the opposite:
- The FDA has noted that objective evidence indicates that third parties provide high-quality, safe, and effective servicing of medical devices.
- A 2018 study by the nonprofit ECRI Institute found that of 2.1 million device failure reports submitted to the FDA over a 10-year period, only 0.005% could be attributed to service or maintenance issues across both OEMs and ISOs.
Myth No. 3: ISOs Compromise Device Cybersecurity
Some OEMs say making software key codes and other proprietary technology available to what they argue are less qualified third parties will put the devices at risk. “Opening up” the devices, they say, renders them more susceptible to cyberattacks.
But accessibility to service materials by ISOs improves cybersecurity. They are able to ensure devices have the most up-to-date patches, compensating controls and configurations in the timeliest manner.
Time and speed are critical when fending off a cyberattack. Federal cybersecurity experts have urged organizations to establish “a more aggressive turnaround time” to protect themselves from urgent, active threats.
ISOs make medical devices safe.
What ‘Right to Repair’ is Really About
The medical device “Right to repair” movement is about providing freedom of choice for healthcare providers, keeping costs in check, and improving device and patient safety. Arguments against “Right to repair” fail the credibility test and compromise care.
Scott Trevino is senior vice president of cybersecurity at TRIMEDX, and in this capacity he leads efforts to define the strategy to deliver value, growth, and evolution of TRIMEDX’s cybersecurity solutions. He is responsible for identifying trends in cybersecurity technology, as well as recognizing and anticipating the evolution of clients, market, and industry needs to translate them into market-leading solutions that meet the needs of and bring value to clients.