Apologies for posting a pay walled article. Consider subscribing to 404. They’re a journalist-founded org, so you could do worse for supporting quality journalism.
Trained repair professionals at hospitals are regularly unable to fix medical devices because of manufacturer lockout codes or the inability to obtain repair parts. During the early days of the COVID-19 pandemic, broken ventilators sat unrepaired for weeks or months as manufacturers were overwhelmed with repair requests and independent repair professionals were locked out of them. At the time, I reported that independent repair techs had resorted to creating DIY dongles loaded with jailbroken Ukrainian firmware to fix ventilators without manufacturer permission. Medical device manufacturers also threatened iFixit because it posted ventilator repair manuals on its website. I have also written about people with sleep apnea who have hacked their CPAP machines to improve their basic functionality and to repair them.
PS: he got it repaired.
Medical devices are required to comply with 21 CFR 820 in the United States, which establishes quality management standards. This includes minimum standards for the software development lifecycle, including software verification and validation testing.
In the EU, broadly equivalent standards include ISO 13485 and IEC 62304.
If an OEM wants to do a software update, they at minimum need to perform and document a change impact analysis, verification testing, and regression testing. Bigger changes can involve a new FDA submission process.
If you go around hacking new software features into your medical device, you are almost certainly not doing all of that stuff. That doesn’t mean that your software changes are low quality–maybe, maybe not. But it would be completely unfair to hold your device to the standard that the FDA holds them to–that medical devices in the United States are safe and effective treatments for diseases.
This may be okay if you want to hack your own CPAP (usually a class II device) and never sell it to someone else. But I think we all need to acknowledge that there are some serious risks here.
Yeah, I’m a big right to repair person. But medical equipment is a different level. This isn’t just affecting yourself, if a tech screws up people die.
Sure, there are risks, but if there alternatives are pony up $100k for a new exosuit, or just don’t fucking walk again, I see why repair is an enticing option.