Medical devices and user privacy
Medical devices and user privacy
(edit: removed redundant rants and added updates)
I recently got diagnosed with a condition (sleep apnea) which means I need to use a machine (CPAP) to have a proper sleep, probably for the rest of my life. The doctor wanted me use the device for a few months, and bring the "report" generated by the device to monitor my progress and discuss further treatment.
I thought it would be a simple task, like using a program or accessing a local network service like a printer would and download a file. However, as I consulted to the device distributors in my area... their sales pitch (disregarding the actual medical functions) were:
A) The machine is constantly connected via wi-fi or cellular to manufacturer's server, and user downloads the report via manufacturer's website or an app.
B) The machine has an SD card slot to which data is copied, but user have to bring its contents to the authorized distributor so they can convert them into a report file.
TL;DR: Very unsatisfied with either options. I never asked for this.
Update #1: For the reports, there's a program called OSCAR (www.sleepfiles.com/OSCAR/) that supports conversion of SD card data. Check device compatibility first. For sleep apnea related discussion, there is a forum (www.apneaboard.com) dedicated to it.
Update #2: From all the available brands, I'm inclined to buy a Chinese brand (Yuwell) simply because of costs alone, even if it is not supported by OSCAR. I see a lot of people recommending ResMed (which has OSCAR support) both online and offline, but the cost is prohibitively expensive for someone in my financial situation with local market prices. Still have to think about it.
Update #3: There's an asshole in the comments arguing "what's so special" about sleep related statistics being copied around. I concern was how those statistics get associated with customer identification (metadata) as distributors often do. Anyways, won't waste my time with the "got nothing to hide" type of dumbfucks.
I have and use a resimed that does the phone home option. Once my doctor got what he needed I put it in airplane mode.
Distributor used the stats while I was reporting to call me and tell me I need new filters or other parts. I lol’d and bought them online for way cheaper. They stopped trying even before the doctor got all the data he needed.
Also, AFAICT it’s only data out, so I’m not worried about some exploit being delivered to the machine.
Final thought: I work in med tech. We have better security than credit agencies because we get fined more if we screw up. Personal data leaks are so common no one even cares anymore, but leaking someone’s medical info will shut a company down. You are likely safe, but ultimately never as safe as a “dumb” machine would be except they just don’t exist anymore.
Actual final thought: you will be amazed at how much better you feel every morning after actually sleeping instead of the dirty pseudo sleep you’re currently getting.
Thank you. I asked some acquaintances in health industry and received similar answers.
I thought it was data out only too, but at my sleep apnea orientation was told (and I double checked that they really meant it) that they could also tweak settings remotely. ResMed. Always possible that they had misunderstood something too, of course.
Here's something tangentially related that makes it difficult to find older options, the support. In the US a piece of medical device has to be supported for 7 years. My hospital has these bladder scanners that are in quite a few departments, regular fixture in hospitals (ultrasounds). Jan 1 2024 was when our came up on the 7 year mark. To do preventative maintenance calibration required logging on their server, guess what's no longer accessible? So to stay in compliance all of us in the biomed department has to figure out how to get new ones to replace the 10 $11k each paperweights we have now.
I found some older models around my area, but are all used and not very clear on what functions are still supported. I wish companies were more open about those things.
Just use OSCAR to get the data locally from the SD card.
https://www.sleepfiles.com/OSCAR/
Learn more about the machine and do your own management as well. It’s very easy to get into the machine settings to control your air flow, temperature settings, and so on. Take the time to learn what the data from the machine means.
Years ago the predecessor to Oscar didn't support BMC devices, and doesn't look like it's changed. Yuwell isn't listed either. Otherwise would be great. Maybe just don't connect one of the more established ones?
https://www.apneaboard.com/wiki/index.php/OSCAR_supported_machines
Just like the other commenter, thank you for the link. I should find one of the models available listed in there.
I currently use a Resmed Airsense 10 and can’t recommend it enough; best sleep I’ve ever had.
Just avoid anything by Philips Respironics. They’ve been messing around hard, class action suits and recalls and haven’t really made anyone whole from the debacle (myself included, I came out of pocket to replace my old Dreamstation).
Well fuck I'm suddenly looking at my pacemaker and the little box that sends the messages to the doctor with much more suspicion now.
As another has commented, medical devices (and especially pacemaker systems) are well regulated, such that misuse or illegal re-selling of patient health data is not worth it for most companies.
Cybersecurity is a big topic in the industry now and life-sustaining systems are scrutinised much more closely these days. I wouldnt be worried, but you can ask the company directly if you are still concerned.
Is there no longer an option to use the machine without the report or connection to internet?
Considering that, but the doctor needs the report so my condition can be treated in a proper way. I need to contact more distributors and see if there are any "customer privacy conscious" kind, but I'm not getting my hopes up.
I'm not familiar with the companies mentioned, but have you tried talking to the doctor or the clinic? They may be able to provide you with better guidance, or tell you about other machines that are compatible with your treatment plan. Even if they don't know about the privacy aspect, that might give you a shorter list to follow up on.
My guess (or hope) is that this is the option that the average person finds convenient, which is why the doctor recommended it. There should be other options that the doctor / clinic knows about, especially because an IOT CPAP machine is a fairly new thing.
Doctors modify treatment plans fairly often, even for things like patient comfort, and bringing this concern to their attention could also change what they recommend to future patients.
Personal thoughts unrelated to your case: This is a growing concern with healthcare technology and I think we need more attention on the harms. "Your insurance company will use it against you" is something that most people will understand.
What make/model?
It’s usually connected with a cellular modem.
You can put an SD card in the side and potentially use OSCAR to read the data with the ResMed Airsense 11.
My insurance, if in a poor cell area, would let me ship the data to them on an SD card. I had to if I didn’t want to pay full sticker price for the machine.
I was considering a BMC, but still asking providers. And thank you for the program's name - I knew there were more people like us.
PM me if you want more info
Hello! I have some experience on that as a user(cpap) and as someone that checked the IT system for an health provider that used resmed.
- it’s super late here already so I’ll in greater detail what usually happens with resmed equipment as well as what the company may be receiving in their systems
Hey there, it looks like the text got cut in the middle.
I've used a ResMed Airsense 10 for years now, and I too have always been unhappy with its phone home features, and the way it has limited info for users so they have to go to a provider. I shouldn't have to cough up extra for an appointment to get access to all of MY data from a machine that I OWN.
I would love to find an alternative.
How have been your experiences dealing with the provider? From what I've been asking, the provider "offers" the cloud or report-generating function for the duration of device's warranty. That means acquiring used devices are out of question, at least officially speaking.
What about rental programs, OP? You can try one for a month and see what models suit your needs.
Considered that, but I got tight budgets to run around. I want to avoid spending more than I should. But thank you.
What would a hacker even do with it? They would... maybe know how often you stop breathing at night?
So what? I post concerns about user privacy on a privacy forum and this is what I get? A gatekeeping comment about how my concerns are overblown? Way to promote the platform.
Ok. What privacy exactly are you concerned with?