As the agency finalizes guidance for approving the sale of devices such as those used to monitor and control glucose levels, the comments highlight competition and consumer protection issues associated with a grassroots movement for the “right-to-repair.”
The Food and Drug Administration received more than a thousand comments—mainly from diabetes patients and their family members—in response to draft cybersecurity guidance for staff to use when processing submissions from medical-device manufacturers seeking the approval to market their products.
“Please do not let medical device manufacturers use cybersecurity as a pretense to prevent me from accessing my OWN devices,” reads one entry from a sample of the comments FDA posted to the docket on the guidance. The emphasis is from the commenter.
With a 90-day public comment period ending Thursday, the FDA will now begin the process of finalizing cybersecurity guidance for its pre-market submissions, according to a notice in the Federal Register.
The FDA is under pressure from Congress to improve the cybersecurity of medical devices through its pre-market approval process, with some scholars saying what the agency does next could serve as a model for a sector-specific approach to regulating and enforcing reasonable measures to secure an increasingly connected world from malicious actors.
The vast majority of the comments the FDA received followed a template, with individuals tailoring their entries to reflect personal circumstances surrounding their management of diabetes in themselves or others, but they all stressed its life-threatening nature and a need to have more control over their fates.
“I live with insulin-requiring diabetes, an incurable chronic disease requiring continuous monitoring of blood glucose values and administration of insulin,” reads one comment using only the boiler-plate language. “It is imperative that access to my own devices remain possible. The ability to receive glucose values from my continuous glucose monitor and the ability to command my insulin pump to deliver insulin are already permitted and expected of me. In fact, if I don’t do [this], I will die. So please do not let medical device manufacturers use cybersecurity as a pretense to prevent me from accessing my own devices.”
The management of Type 1 diabetes, in particular, involves two devices: one to monitor glucose levels, and another to deliver the insulin used to regulate it in the body. The process typically requires patients or their caretakers to vigilantly read the levels off the first device and then manually perform a series of complicated calculations—based on factors like what they’ve eaten recently or whether they’ve exercised that day—to determine the correct amount of insulin they should instruct the second device to pump into their bloodstream.
The process is draining, and miscalculations can lead to fatal overdoses, Howard Look told Nextgov. In 2011, after his daughter was diagnosed with the disease and prescribed the two devices, Look, a computer engineer, devised a way to automate her treatment by connecting the two devices. It was clunky, involving a single-board computer called a Raspberry Pi, a battery pack and a bunch of cables, but made a huge difference in her quality of life.
“I used to pack it up every morning and put it in a camera bag that was the size of a small football and stick it in my daughter’s backpack and send her off to school,” he said. “It meant that she could just go about her day, she could just be a normal teenage kid and go to school and not have to worry about her glucose levels all day and not have to worry that she was going to go low while she was taking a test or go high [at other times], and she didn’t have to worry that the alarms would keep going off at school.”
Look went on to found Tidepool, a nonprofit where he is now president and CEO. Along with others from the diabetes community, the organization provides software that allows patients to see their data and better manage the disease. And supporters are working to make Tidepool Loop the first FDA approved app for more convenient automated insulin delivery.
The comments are a materialization of “the passion of the diabetes community,” Look said, noting that the opportunity for their voices to be heard on the issue first came to his attention through diabetes forums with tens of thousands of members.
It’s a “recognition that diabetes is a really hard disease to manage, and that people feel really, really strongly that they should be able to make their own individual choice,” he said, adding, “The energy that you’re seeing is the fear that that right and that desire would somehow be restricted.”
Tidepool’s own comments to the FDA express support for the agency’s cybersecurity efforts, but echo those concerns. They ask the FDA to clarify that the cybersecurity guidance is intended to prevent access that is unauthorized and that patients trying to access their data should not fall into that category.
“Following best practices for cybersecurity does not need to imply blocking patient users from accessing their own data or controlling their own devices,” the comments read. “Tidepool asserts there is a risk that the FDA guidance will be interpreted or misinterpreted to suggest restriction of access by the patient user is appropriate or encouraged. The FDA can mitigate this risk by clearly stating a patient user’s access to and use of their own device can be considered authorized access, and should not be considered a cybersecurity threat.”
Asked why he suspects device makers might try to prevent patients from accessing their own devices, Look said it’s because, “we’ve seen it happen in other industries.” He went on to describe campaigns for the right to repair, an issue that has been garnering momentum with recent enforcement actions from the Federal Trade Commission.
“The inkjet printer industry decided to use software encryption mechanisms to lock down the ability for people to use their own ink cartridges, John Deere tractor locked down software and went after people that tried to modify software for their own tractors or tried to repair their own tractors,” he said.
Look said: “The cybersecurity guidance rightfully is saying, ‘Hey, device makers, you should use strong encryption and strong authentication to keep the bad actors out.’ What we’re saying is that doesn’t preclude a device maker from allowing the individual to have secure access to their own device. What we don’t want to see is device makers locking out individuals from their own devices and saying, ‘you can’t have access to your own data,’ where you can’t control your own device the way you feel is best for your own individual therapy.”
There is a strong case for device makers locking patients out, Look said, noting the potential for new apps to disrupt and compete with their business model.
“We haven’t seen that happen yet in the medical device world, at least I’m not aware of it, but you could imagine it happening,” he said.