Diabetes Patients Flood FDA with Comments on Cybersecurity for Medical Devices


As the agency finalizes guidance for approving the sale of devices such as those used to monitor and control glucose levels, the comments highlight competition and consumer protection issues associated with a grassroots movement for the “right-to-repair.”

The Food and Drug Administration received more than a thousand comments—mainly from diabetes patients and their family members—in response to draft cybersecurity guidance for staff to use when processing submissions from medical-device manufacturers seeking approval to market their products.

“Please do not let medical device manufacturers use cybersecurity as a pretense to prevent me from accessing my OWN devices,” reads one entry from a sample of the comments FDA posted to the docket on the guidance. The emphasis is from the commenter. 

With a 90-day public comment period ending Thursday, the FDA will now begin the process of finalizing cybersecurity guidance for its pre-market submissions, according to a notice in the Federal Register.

The FDA is under pressure from Congress to improve the cybersecurity of medical devices through its pre-market approval process, with some scholars saying what the agency does next could serve as a model for a sector-specific approach to regulating and enforcing reasonable measures to secure an increasingly connected world from malicious actors. 

The vast majority of the comments the FDA received followed a template, with individuals tailoring their entries to reflect personal circumstances surrounding their management of diabetes in themselves or others, but they all stressed its life-threatening nature and a need to have more control over their fates.

“I live with insulin-requiring diabetes, an incurable chronic disease requiring continuous monitoring of blood glucose values and administration of insulin,” reads one comment using only the boiler-plate language. “It is imperative that access to my own devices remain possible. The ability to receive glucose values from my continuous glucose monitor and the ability to command my insulin pump to deliver insulin are already permitted and expected of me. In fact, if I don't do [this], I will die. So please do not let medical device manufacturers use cybersecurity as a pretense to prevent me from accessing my own devices.”

The management of Type 1 diabetes, in particular, involves two devices: one to monitor glucose levels, and another to deliver the insulin used to regulate it in the body. The process typically requires patients or their caretakers to vigilantly read the levels off the first device and then manually perform a series of complicated calculations—based on factors like what they’ve eaten recently or whether they’ve exercised that day—to determine the correct amount of insulin they should instruct the second device to pump into their bloodstream. 

The process is draining, and miscalculations can lead to fatal overdoses, Howard Look told Nextgov. In 2011, after his daughter was diagnosed with the disease and prescribed the two devices, Look, a computer engineer, connected the two devices with an open source, do-it-yourself solution developed by members of the diabetes community. It was clunky, involving a single-board computer called a Raspberry Pi, a battery pack and a bunch of cables, but made a huge difference in her quality of life.

“I used to pack it up every morning and put it in a camera bag that was the size of a small football and stick it in my daughter's backpack and send her off to school,” he said. “It meant that she could just go about her day, she could just be a normal teenage kid and go to school and not have to worry about her glucose levels all day and not have to worry that she was going to go low while she was taking a test or go high [at other times], and she didn't have to worry that the alarms would keep going off at school.” 

Look went on to found Tidepool, a nonprofit where he is now president and CEO. Along with others from the diabetes community, the organization provides software that allows patients to see their data and better manage the disease. And supporters are working to make Tidepool Loop the first FDA-approved app for more convenient automated insulin delivery.

The comments are a materialization of “the passion of the diabetes community,” Look said, noting that the opportunity for their voices to be heard on the issue first came to his attention through diabetes forums with tens of thousands of members. 

It’s a “recognition that diabetes is a really hard disease to manage, and that people feel really, really strongly that they should be able to make their own individual choice,” he said, adding, “The energy that you're seeing is the fear that that right and that desire would somehow be restricted.” 

Tidepool’s own comments to the FDA express support for the agency’s cybersecurity efforts, but echo those concerns. They ask the FDA to clarify that the cybersecurity guidance is intended to prevent access that is unauthorized and that patients trying to access their data should not fall into that category.

“Following best practices for cybersecurity does not need to imply blocking patient users from accessing their own data or controlling their own devices,” the comments read. “Tidepool asserts there is a risk that the FDA guidance will be interpreted or misinterpreted to suggest restriction of access by the patient user is appropriate or encouraged. The FDA can mitigate this risk by clearly stating a patient user’s access to and use of their own device can be considered authorized access, and should not be considered a cybersecurity threat.”

Asked why he suspects device makers might try to prevent patients from accessing their own devices, Look said it’s because, “we've seen it happen in other industries.” He went on to describe campaigns for the right to repair, an issue that has been garnering momentum with recent enforcement actions from the Federal Trade Commission.

“The inkjet printer industry decided to use software encryption mechanisms to lock down the ability for people to use their own ink cartridges, John Deere tractor locked down software and went after people that tried to modify software for their own tractors or tried to repair their own tractors,” he said. 

Look said: “The cybersecurity guidance rightfully is saying, ‘Hey, device makers, you should use strong encryption and strong authentication to keep the bad actors out.’ What we're saying is that doesn't preclude a device maker from allowing the individual to have secure access to their own device. What we don't want to see is device makers locking out individuals from their own devices and saying, ‘you can't have access to your own data,’ where you can't control your own device the way you feel is best for your own individual therapy.”

There is a strong incentive for device makers to lock patients out, Look said, pointing to the potential for new apps to disrupt and compete with their business model.

“We haven't seen that happen yet in the medical device world, at least I'm not aware of it, but you could imagine it happening,” he said.  
