The Library of Congress has granted several exemptions to copyright rules that in effect mean it's OK to sometimes hack medical devices in search of security and design flaws.
The exemptions were granted last week to Section 1201 of the Digital Millennium Copyright Act (DMCA), which prohibits the circumvention of technological methods used to protect copyrights--think jailbreaking a smartphone, an exemption that was renewed.
The exemptions allow "good-faith security research" to be performed on computer programs that run on cars, implanted medical devices and a host of other things including voting machines.
The devices must be acquired lawfully and the research in all other ways also must be lawful.
The Medical Device Research Coalition (MDRC), a group of patients and researchers, had sought an exemption on implanted medical devices such as pacemakers, defibrillators, insulin pumps, continuous glucose monitors, and their corresponding personal monitoring systems for two uses: research into their safety, security and efficacy; and to allow patients access to information generated by their own devices.
Several devicemakers opposed allowing patients access to their data, arguing that some of it could be proprietary, and that it could affect device performance and harm patients.
Those two uses were split into separate exemptions, both ultimately approved, with patients allowed passive access to data already being generated or transmitted by the device.
The exemptions don't go into effect for one year.
A security researcher at the BlackBerry Security Summit this summer demonstrated in 10 minutes how easy it is to hack a medical device--and that's presumably with flaws found without these exemptions.
Meanwhile, there have been myriad stories about patients frustrated about being unable to get their own data, including Hugo Campos, a San Francisco man who has an implanted cardioverter defibrillator.
To learn more:
- check out the exemptions (.pdf)