Inside one ISO's right-to-repair battle with a leading MR manufacturer
November 21, 2023
by Gus Iversen, Editor in Chief
Image Technology Consulting LLC, an independent MR and CT service company based in Lancaster, Texas, has been servicing Philips MR systems for more than 20 years, but the company alleges that a software update released in 2018 illegally blocked it from installing the machines.
Unable to satisfy existing service contracts or take on new clients, director of operations Marshall Shannon says he initially reached out to Philips, the FDA, local authorities in Texas, and the FTC for assistance resolving the issue. When that didn’t work, he says he attempted to circumvent the software “a few times” before ultimately giving up and turning away clients with scanners running the updated software.
The attempts at unauthorized access have become central to a lawsuit filed by Philips North America in January 2022, alleging proprietary materials were hacked, and seeking damages from Shannon and Image Technology Consulting under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Defend Trade Secrets Act, the Texas Uniform Trade Secrets Act, and fraud.
In a countersuit, filed in December of 2022, Image Technology Consulting contends that Philips broke federal law when it blocked access to software menus that are necessary for installing and servicing the machines, and that the litigation is less about trade secrets than about intimidation and a desire for market control. If access had not been unlawfully denied, Shannon argues, he would never have utilized a workaround.
Regardless of how the court rules, the case gets to the heart of right-to-repair, a topic where medical equipment independent service organizations (ISOs) and original equipment manufacturers (OEMs) have long struggled to see eye to eye. Where is the line between protected intellectual property and necessary instructions for service? Who decides when technology has reached end of life? What recourse do servicers have for dealing with uncooperative manufacturers? And how do patient safety and fair competition factor into all of this?
In the interest of full transparency, Image Technology Consulting is an advertiser with DOTmed.com, the publisher of HealthCare Business News. Philips, which has advertised with DOTmed.com in the past, declined to answer specific questions for this article, but a company spokesperson provided the following statement:
Philips is a long-term, trusted partner of healthcare providers globally, committed to help our customers improve their performance, such as their clinical, operational, financial and patient/staff satisfaction performance. We have a comprehensive portfolio of services, including maintenance services that are dedicated to maximizing our customer’s technology uptime.
Philips has a history of supporting and building relationships with independent service providers (ISOs), based on mutually agreed policies and procedures.
Our top priority regarding services and solutions are patient safety and quality, in alignment with regulatory compliance requirements, as well as product cybersecurity best practices. We believe these are mutual goals, for the maximization of safety and effectiveness, and the minimization of potential risk.
Regarding your questions, customers have been made aware of ongoing updates related to this area, particularly regarding ensuring stronger product security. In relation to regulatory requirements, manufacturers maintain records of installations and provide them to original installers as needed.
CSIP and Service Pack 5
According to court records, Philips internally classifies equipment support and service information as Customer Service Intellectual Property (CSIP), where different CSIP Levels correspond to different degrees of access. Based on those designations, Image Technology Consulting was Level 0 and thus unauthorized to access the Philips MR service menus in question. As Level 1 CSIP, the menus were “available only to Philips' employees and customers with a valid contract and subject to nondisclosure agreements.”
That may explain why Philips had long been unresponsive when Shannon contacted the company seeking installation documents and service manuals, (by his own count, he sought them 14 times over 12 years for various scanner models). Historically, when those requests failed, he tracked the necessary information down independently and carried on with his business.
That all changed, Shannon says, with a software update released in late 2018 through InCenter, the Philips online document distribution platform, called Release 3.2.3 Service Pack 5 (or R3.2.3 SP5). A summary of the update from Philips was reviewed by HCB News and included the following passages:
“We have embraced circularity as a way to take back products and to recoup the value, and to recoup the scarce material to avoid [their going] to the landfill, but actually, closing the loop is good business because I don't want our medical equipment to fall in the hands of third parties, who then cannibalize the systems and destroy my spare parts business,” he said, according to transcripts.
The Service Pack 5 update essentially locked servicers without CSIP Level 1 credentials or higher, such as Image Technology Consulting, out of the software menus they had previously been accessing without the manufacturer's knowledge or express consent. It's logical to assume that over time the effect would be end users abandoning the exiled ISOs and bringing their service business to Philips.
FDA requires OEMs to provide instructions to third parties
Independent servicers and biomedical engineers have long complained that certain manufacturers withhold necessary installation and service documents or materials. Many of the comments submitted to a 2016 FDA docket on the topic of medical device service pointed to uncooperative OEMs as a top safety concern for ISOs trying to do their jobs.
The Code of Federal Regulations Title 21, Section 820 is the Quality System Regulation (QSR) concerning medical device quality and safety requirements. Section 820.170 states, in part:
Is it possible that documents Philips classified as CSIP Level 1 (“available only to customers with a valid contract and subject to nondisclosure agreements”) were required by FDA regulations to be accessible to anyone qualified to work on the machines? As the question pertains to the lawsuit filed by Philips, court filings suggest it may be beside the point.
The legal representatives for Image Technology Consulting cited Section 820.170 as part of a motion to dismiss the lawsuit in July of 2022, but were denied in part because the case is concerned with the “acquisition, sale, and use of fake and/or unauthorized IST certificates,” which the court determined does not require interpretation of FDA regulations.
A medical device copyright exemption
In 2021, three years after the release of Service Pack 5 and in the shadow of the COVID-19 pandemic, the Librarian of Congress approved an exemption to the Digital Millennium Copyright Act (DMCA) permitting medical device owners and third parties to access system software necessary for the purposes of diagnosing, maintaining, and repairing the equipment.
The ruling specifically limited DMCA liability for working around OEM access controls to copyrighted software and related data files on lawfully acquired systems, when access is a necessary step in maintaining or restoring a device to work in accordance with its original specifications.
In its lawsuit, Philips asserts the exemption does not shield Image Technology Consulting from liability for two reasons. One, because it does not apply to "unfettered access to Philips’ protected CSIP materials and expressly excludes conduct that modifies software" and two, because the exemption is not retroactive. Whether or not those arguments are persuasive remains to be seen, but other industry stakeholders have sought to make the case that the exemption is unlawful to begin with.
The Medical Imaging Technology Alliance (MITA) and AdvaMed, groups representing the interests of medical equipment manufacturers, sued the Library of Congress over the exemption in February 2022. They claimed that the software protections employed by medical device manufacturers are essential to safeguard patients and their privacy — and that the Library’s rule would allow independent service providers to “piggyback” off the work done by the device’s original developers. The complaints were denied in federal court, but MITA and AdvaMed have appealed the ruling and the case remains pending.
Right-to-repair: The big picture
While medical equipment manufacturers have long sought to frame independent servicers as a patient safety hazard, a 2018 report by the FDA cast doubt on those fears, finding "objective evidence is not sufficient" to justify the implementation of new regulatory requirements on third parties.
In that report, the FDA called on in-house, independent, and OEM equipment stakeholders from the public and private sector to proactively work together in Collaborative Communities to solve shared problems, as well as problems unique to other members, in an environment of trust and openness. In 2020, MITA and AdvaMed announced they would no longer be participating in those efforts, but other OEM representatives have remained in the group.
Since then, the FDA has turned its attention toward "remanufacturing" activities, and what distinguishes them from "servicing" activities. The industry is still waiting for final guidance on that.
In 2021, the FTC issued its own report, Nixing The Fix: An FTC Report to Congress on Repair Restrictions, which seemed to further support the 2018 FDA findings, and in a context above and beyond medical devices. The FTC concluded that proponents of repair restrictions did not provide sufficient data to support their argument that safety issues could occur because of repairs by consumers or independent repair shops.
One reason ISOs are popular with healthcare providers is because they can often provide affordable service contracts on older technology. The Center for Healthcare Quality and Payment Reform reports nearly 30% of rural hospitals are at risk of shutting down due to financial challenges, so it isn’t surprising that the issue of right-to-repair resonates with those communities.
"In rural areas, having a repair person nearby is less likely,” U.S. Representative Morgan Griffith (R-VA 9th District), recently said. “Being forced to use only the manufacturer’s representative could mean longer wait times for hospital and doctor’s office equipment to be repaired."
In the consumer space, California's Right To Repair Act was recently signed into law, requiring manufacturers to make appropriate tools, parts, software, and documentation available for their products for three to ten years, depending on the cost. That legislation was notably supported by Apple, a company whose Genius Bars have long made them synonymous with manufacturer-only service.
Two companies at odds
If the big picture suggests right-to-repair advocates have the wind at their backs, the outlook remains uncertain for Image Technology Consulting. Even if the court recognizes Shannon as a competent ISO with an FDA-regulated right to Philips equipment service documents, it’s not clear if the DMCA medical device copyright exemption will be enough to dismiss all of the allegations for accessing software without authorization.
A similar case in the Western District of North Carolina between Philips and TEC Holdings (or Transtate, which is now part of Avante Health Solutions) could offer clues into how Image Technology Consulting’s case may shake out. When Philips claimed Transtate stole intellectual property and hacked software without credentials, Transtate countered that Philips refused to provide necessary information and wanted to shut others out of the parts and service repair market.
A federal jury ruled that Transtate did not misappropriate Philips trade secrets, but would still be on the hook for violations of the DMCA. If affirmed on appeal, Transtate may have to pay Philips over $1 million in DMCA statutory damages, or approximately $500,000 in actual damages added to over $3.5 million in profits, (totaling over $4 million) for 941 DMCA violations.
Transtate, in turn, was awarded over $2.5 million in damages due to Philips "unfair and deceptive trade practices" based on its "refusal to provide documents, programs, or information necessary to perform repair and maintenance on systems, in a timely or unhindered manner,” according to court documents.
Shannon says that Image Technology Consulting has lost over a million dollars litigating its case, as well as service contracts, employees, partners, vendors, and long-term customers.
"Philips has hired a team of high-priced lawyers to flood me with motions, made discovery drops of over 400,000 documents in an attempted proceeding, not designed for redress, but in my opinion to attempt to control or monopolize the market," Shannon wrote in a GoFundMe page to raise money for his legal expenses. "Of course, I am working with the FDA and other government agencies but while I’m in litigation I can expect little help with getting answers to the claims Philips is making that I believe are false."
Shannon's lawyers are again seeking a dismissal of the case, this time based partly on the Library of Congress DMCA exemption for medical devices. In October 2023, the U.S. Copyright Office announced it would be recommending a three-year renewal of the exemption. Four organizations filed petitions to oppose the renewal: The American Consumer Institute, MITA, AdvaMed, and Philips North America.
Unable to satisfy existing service contracts or take on new clients, director of operations Marshall Shannon says he initially reached out to Philips, the FDA, local authorities in Texas, and the FTC for assistance resolving the issue. When that didn’t work, he says he attempted to circumvent the software “a few times” before ultimately giving up and turning away clients with scanners running the updated software.
The attempts at unauthorized access have become central to a lawsuit filed by Philips North America in January 2022, alleging proprietary materials were hacked, and seeking damages from Shannon and Image Technology Consulting under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Defend Trade Secrets Act, the Texas Uniform Trade Secrets Act, and fraud.
Marshall Shannon
Regardless of how the court rules, the case gets to the heart of right-to-repair, a topic where medical equipment independent service organizations (ISOs) and original equipment manufacturers (OEMs) have long struggled to see eye to eye. Where is the line between protected intellectual property and necessary instructions for service? Who decides when technology has reached end of life? What recourse do servicers have for dealing with uncooperative manufacturers? And how do patient safety and fair competition factor into all of this?
In the interest of full transparency, Image Technology Consulting is an advertiser with DOTmed.com, the publisher of HealthCare Business News. Philips, which has advertised with DOTmed.com in the past, declined to answer specific questions for this article, but a company spokesperson provided the following statement:
Philips' global headquarters in Amsterdam (via Philips)
Philips has a history of supporting and building relationships with independent service providers (ISOs), based on mutually agreed policies and procedures.
Our top priority regarding services and solutions are patient safety and quality, in alignment with regulatory compliance requirements, as well as product cybersecurity best practices. We believe these are mutual goals, for the maximization of safety and effectiveness, and the minimization of potential risk.
Regarding your questions, customers have been made aware of ongoing updates related to this area, particularly regarding ensuring stronger product security. In relation to regulatory requirements, manufacturers maintain records of installations and provide them to original installers as needed.
CSIP and Service Pack 5
According to court records, Philips internally classifies equipment support and service information as Customer Service Intellectual Property (CSIP), where different CSIP Levels correspond to different degrees of access. Based on those designations, Image Technology Consulting was Level 0 and thus unauthorized to access the Philips MR service menus in question. As Level 1 CSIP, the menus were “available only to Philips' employees and customers with a valid contract and subject to nondisclosure agreements.”
That may explain why Philips had long been unresponsive when Shannon contacted the company seeking installation documents and service manuals, (by his own count, he sought them 14 times over 12 years for various scanner models). Historically, when those requests failed, he tracked the necessary information down independently and carried on with his business.
That all changed, Shannon says, with a software update released in late 2018 through InCenter, the Philips online document distribution platform, called Release 3.2.3 Service Pack 5 (or R3.2.3 SP5). A summary of the update from Philips was reviewed by HCB News and included the following passages:
- A limited number of tasks have been identified as being rare or highly complex. Because of this, certain service functions that you may have previously been able to access on older software versions will no longer be available with your service login. […]
All users who need to access the service menus on the device will now need to have a Philips IST (Integrated Security Tool) Smartcard and a valid IST account with appropriate entitlements for the MR system.
“We have embraced circularity as a way to take back products and to recoup the value, and to recoup the scarce material to avoid [their going] to the landfill, but actually, closing the loop is good business because I don't want our medical equipment to fall in the hands of third parties, who then cannibalize the systems and destroy my spare parts business,” he said, according to transcripts.
The Service Pack 5 update essentially locked servicers without CSIP Level 1 credentials or higher, such as Image Technology Consulting, out of the software menus they had previously been accessing without the manufacturer's knowledge or express consent. It's logical to assume that over time the effect would be end users abandoning the exiled ISOs and bringing their service business to Philips.
FDA requires OEMs to provide instructions to third parties
Independent servicers and biomedical engineers have long complained that certain manufacturers withhold necessary installation and service documents or materials. Many of the comments submitted to a 2016 FDA docket on the topic of medical device service pointed to uncooperative OEMs as a top safety concern for ISOs trying to do their jobs.
A Philips Ingenia 1.5T MR undergoing installation by Image Technology Consulting
- Each manufacturer of a device requiring installation shall establish and maintain adequate installation and inspection instructions, and where appropriate, test procedures. Instructions and procedures shall include directions for ensuring proper installation so that the device will perform as intended after installation. The manufacturer shall distribute the instructions and procedures with the device or otherwise make them available to the person(s) installing the device.
Is it possible that documents Philips classified as CSIP Level 1 (“available only to customers with a valid contract and subject to nondisclosure agreements”) were required by FDA regulations to be accessible to anyone qualified to work on the machines? As the question pertains to the lawsuit filed by Philips, court filings suggest it may be beside the point.
Image Technology Consulting's facility in Lancaster, Texas
A medical device copyright exemption
In 2021, three years after the release of Service Pack 5 and in the shadow of the COVID-19 pandemic, the Librarian of Congress approved an exemption to the Digital Millennium Copyright Act (DMCA) permitting medical device owners and third parties to access system software necessary for the purposes of diagnosing, maintaining, and repairing the equipment.
The ruling specifically limited DMCA liability for working around OEM access controls to copyrighted software and related data files on lawfully acquired systems, when access is a necessary step in maintaining or restoring a device to work in accordance with its original specifications.
In its lawsuit, Philips asserts the exemption does not shield Image Technology Consulting from liability for two reasons. One, because it does not apply to "unfettered access to Philips’ protected CSIP materials and expressly excludes conduct that modifies software" and two, because the exemption is not retroactive. Whether or not those arguments are persuasive remains to be seen, but other industry stakeholders have sought to make the case that the exemption is unlawful to begin with.
The Library of Congress (Courtesy: Wikimedia Commons)
Right-to-repair: The big picture
While medical equipment manufacturers have long sought to frame independent servicers as a patient safety hazard, a 2018 report by the FDA cast doubt on those fears, finding "objective evidence is not sufficient" to justify the implementation of new regulatory requirements on third parties.
In that report, the FDA called on in-house, independent, and OEM equipment stakeholders from the public and private sector to proactively work together in Collaborative Communities to solve shared problems, as well as problems unique to other members, in an environment of trust and openness. In 2020, MITA and AdvaMed announced they would no longer be participating in those efforts, but other OEM representatives have remained in the group.
Since then, the FDA has turned its attention toward "remanufacturing" activities, and what distinguishes them from "servicing" activities. The industry is still waiting for final guidance on that.
In 2021, the FTC issued its own report, Nixing The Fix: An FTC Report to Congress on Repair Restrictions, which seemed to further support the 2018 FDA findings, and in a context above and beyond medical devices. The FTC concluded that proponents of repair restrictions did not provide sufficient data to support their argument that safety issues could occur because of repairs by consumers or independent repair shops.
One reason ISOs are popular with healthcare providers is because they can often provide affordable service contracts on older technology. The Center for Healthcare Quality and Payment Reform reports nearly 30% of rural hospitals are at risk of shutting down due to financial challenges, so it isn’t surprising that the issue of right-to-repair resonates with those communities.
"In rural areas, having a repair person nearby is less likely,” U.S. Representative Morgan Griffith (R-VA 9th District), recently said. “Being forced to use only the manufacturer’s representative could mean longer wait times for hospital and doctor’s office equipment to be repaired."
In the consumer space, California's Right To Repair Act was recently signed into law, requiring manufacturers to make appropriate tools, parts, software, and documentation available for their products for three to ten years, depending on the cost. That legislation was notably supported by Apple, a company whose Genius Bars have long made them synonymous with manufacturer-only service.
Two companies at odds
If the big picture suggests right-to-repair advocates have the wind at their backs, the outlook remains uncertain for Image Technology Consulting. Even if the court recognizes Shannon as a competent ISO with an FDA-regulated right to Philips equipment service documents, it’s not clear if the DMCA medical device copyright exemption will be enough to dismiss all of the allegations for accessing software without authorization.
A similar case in the Western District of North Carolina between Philips and TEC Holdings (or Transtate, which is now part of Avante Health Solutions) could offer clues into how Image Technology Consulting’s case may shake out. When Philips claimed Transtate stole intellectual property and hacked software without credentials, Transtate countered that Philips refused to provide necessary information and wanted to shut others out of the parts and service repair market.
A federal jury ruled that Transtate did not misappropriate Philips trade secrets, but would still be on the hook for violations of the DMCA. If affirmed on appeal, Transtate may have to pay Philips over $1 million in DMCA statutory damages, or approximately $500,000 in actual damages added to over $3.5 million in profits, (totaling over $4 million) for 941 DMCA violations.
Transtate, in turn, was awarded over $2.5 million in damages due to Philips "unfair and deceptive trade practices" based on its "refusal to provide documents, programs, or information necessary to perform repair and maintenance on systems, in a timely or unhindered manner,” according to court documents.
Marshall Shannon (left) poses on a job site with Image Technology Consulting crew members
"Philips has hired a team of high-priced lawyers to flood me with motions, made discovery drops of over 400,000 documents in an attempted proceeding, not designed for redress, but in my opinion to attempt to control or monopolize the market," Shannon wrote in a GoFundMe page to raise money for his legal expenses. "Of course, I am working with the FDA and other government agencies but while I’m in litigation I can expect little help with getting answers to the claims Philips is making that I believe are false."
Shannon's lawyers are again seeking a dismissal of the case, this time based partly on the Library of Congress DMCA exemption for medical devices. In October 2023, the U.S. Copyright Office announced it would be recommending a three-year renewal of the exemption. Four organizations filed petitions to oppose the renewal: The American Consumer Institute, MITA, AdvaMed, and Philips North America.