
Maybe I'm only alive because of it: why do apnea patients rely on a program written by a hacker?

An Australian hacker spent thousands of hours breaking the DRM that medical equipment manufacturers install on CPAP machines, in order to create a free program that lets patients manage their own treatment.







Christy Lynn felt constantly fatigued, and after many months spent trying to diagnose the problem, one of her doctors decided that he had guessed what it was.



“I didn’t fit any of the descriptions of the symptoms of apnea,” she told me by phone. “I am a woman, I do not have excess weight. It never occurred to anyone to test me, except for one doctor who had a similar medical history.”

Lynn, who lives in rural Arizona, did a pulse oximetry test at home, measuring the level of oxygen in her blood, and then underwent a sleep study. She was diagnosed with apnea, a condition that causes patients to suddenly stop breathing for a while in their sleep, and which most often affects overweight men. She was given a CPAP machine (a ventilation device that delivers continuous positive airway pressure) with a mask, which blows air into the windpipe so that the airways stay open, and was sent home.



However, a year and a half and three somnologists later, her symptoms had not improved. Her apnea-hypopnea index (AHI), which describes the number of breathing stoppages during sleep, was at the level of "terrible."



“None of the doctors managed to lower my AHI, and, to be honest, none of them particularly worried about it,” she said. She started googling for help and stumbled upon the CPAPtalk.com forum, where users were talking about a program called SleepyHead.



This free, open, and definitely not approved by the Food and Drug Administration (FDA) program is the result of thousands of hours of hacking and development by a lone Australian developer, Mark Watkins. It has helped thousands of apnea patients take control of their own treatment from overworked and underpaid doctors. The software gives patients access to the sleep data that their CPAP machine generates, which is usually inaccessible to them: it is hidden behind proprietary data formats that only an authorized user (a doctor) can read, using a proprietary program that patients cannot download or even buy. SleepyHead and community-supported forums such as CPAPtalk.com and ApneaBoard.com have helped patients bypass medical device manufacturers, who would prefer that no such programs existed at all.



“I can’t tell you how much my experience of using CPAP has changed thanks to this program. It's just day and night,” Lynn said. “Perhaps I am alive only because of it.”







Most modern CPAP machines generate a huge amount of data during use. They track indicators such as average air pressure, AHI, average number of uses per night, air leak rate from the mask, “flow restriction index” and other data describing the operation of the machine and the patient's sleep quality. The data is usually stored on an SD card, which the patient hands over to the doctor once every six months (some modern devices can transfer data wirelessly to an application, but the data available for viewing in the application, as patients told me, is rarely as detailed as what the machine actually collects). This data can be used to adjust the treatment by raising or lowering the pressure thresholds and other settings of the machine, which can improve the result.



But many doctors, as several SleepyHead users told me, glance at these figures in passing and then send patients back home. Several industry studies have found a shortage of somnologists, which means that very few doctors can provide patients with the specialized care that many crave. A 2015 study by the American Academy of Sleep Medicine found a "serious shortage of certified sleep medicine specialists" and noted that "in some parts of the United States, this area of medicine is poorly supported or not supported at all."



Thomas Penzel, a sleep physiologist, scientific director of the European Sleep Research Society, told me by mail that he "believes that any intelligent patient can do what he wants."



“The patient can adjust the pressure if he understands what he is doing. Some of our patients self-tuned blood pressure,” he added. “If something goes wrong, they may die in bed. This is their personal risk. CPAP is not a toy, but a medical instrument.”



He agreed that most apnea patients around the world receive insufficient help. "Doctors do not listen to them, and they have no time - and so it is in the whole world."

“The doctor asks you to bring a chip or card, reads it, but reads not for diagnosis. He reads it to follow the rules of the insurance company to make sure you use the machine,” Steve Levin, a SleepyHead user from California, told me. “Everyone is trying to take you in, take you out and make a profit at your expense.”



Some CPAP machines let patients see scraps of data on the screen, but few give patients real access to all the data collected. One popular CPAP manufacturer, ResMed, produces the ResScan data analysis software, which, due to legal requirements, can only be obtained if you are a medical professional or if it is “ordered by a therapist”.

This restrictive approach to apnea treatment and CPAP data has given rise to a whole movement of independent CPAP hacking and settings adjustment.

Most of the discussion on the CPAPtalk.com and ApneaBoard.com forums, the latter of which has about 71,000 registered users, revolves around SleepyHead, which decodes the data created by CPAP machines and lets ordinary patients use it. The software literally decrypts the data: with great difficulty, Watkins cracked the proprietary data format of each individual CPAP machine that the software now supports. These formats are intended to be read only by the manufacturers' own programs.







“All machines have embedded checks with signatures and verification of checksums in their data formats, some harder, some easier,” Watkins told me. “Hacking a file format is a complex process that requires data for comparison, for which you need to change the settings in the machine menu or work from PDF reports created by commercial programs based on well-known data sets that you first need to retrieve and collect from people who have access to the machine and software.”

Watkins began working on the SleepyHead project seven years ago, because he was interested in the "forbidden secrets" of the SD card in his own machine. Since then, SleepyHead has become vital for the community of apnea patients.

“Over time, I was increasingly put off by the way the CPAP industry uses and abuses people's problems, and the need for a free CPAP analysis tool that focuses on data and supports all formats has become obvious.”



*



Technical copyright-protection measures used to deny device users access to their data are widespread across industries. The problem faced by CPAP users is similar to the problems of farmers who need to repair John Deere tractors, of owners of Keurig coffee machines that make coffee only from authorized capsules, and of independent electronics repair specialists who are increasingly hampered in repairing iPhones, MacBooks, servers, air conditioners, vacuum cleaners and Internet of Things devices.

CPAP users, and Watkins in particular, are part of a new movement of patients trying to regain control of their data. Activist Hugo Campos spoke at TEDx in 2011 about his right to access the data generated by his pacemaker, and the Nightscout group launched an application that cracked the DRM that did not allow patients to remotely monitor their children’s glucometers.



Manufacturers of medical devices are generally dissatisfied with the emerging movement, but what Watkins does for the SleepyHead project does not break the law.







In 2015, the Coalition of Medical Device Investigators, led by Campos, sent a petition to the Library of Congress and the United States Copyright Office demanding an exception to the Digital Millennium Copyright Act (DMCA), the most important copyright law in the United States, which would allow patients to legally hack their medical devices for security research and to access the data they create.

The medical industry has argued that “patients who directly access data from their devices may not understand the format of the data or misinterpret them. Rights to access data must be ensured through medical professionals.”

Campos “was tracking his pacemaker using Google Spreadsheet — not the best option for the patient,” said Andrew Sellars, a lawyer at the Berkman Center for Internet and Society at Harvard who represented Campos. “The pacemaker transmits data to the base station. He came up with the idea of intercepting this signal in order to find out how his heart is doing.”

Medical device manufacturers fought fiercely against the petition from Campos and Sellars: “Medical device manufacturers took the following position: the data has a copyrighted format that is covered by the DMCA,” said Sellars, who now works as director of the Technology and Cyberlaw Clinic.

The trade organization AdvaMed, which lobbies for the interests of the medical industry, launched a petition to block Campos's request, in which it stated that “patients who have direct access to the data on their devices may not understand the data format or misinterpret it. Rights to access data must be ensured (and are already provided) by means of medical personnel with appropriate tools, trained to collect and protect patient data that does not violate the security and long-term operation of their devices.”







The organization also argued that an exception legalizing patient access to data would carry risks for the health and privacy of patients and could “speed up the process of discharging the battery.” Medical Alley Association, another manufacturer of medical devices, argued that "if you accept this exception, it will directly interfere with the interaction of doctors and patients, encouraging patients to make decisions without the support of their primary care physician."

Meanwhile, the FDA informed the US Copyright Office that a device modified by the user cannot be advertised or resold without FDA approval, and that if a patient is harmed by a modified machine, it will be difficult for the agency to determine whether the fault lay with the manufacturer or with whoever modified the software. But in the end, the FDA did not try to block the exception: "The FDA recommends that the final report states that nothing in it will affect the regulation of products that are in the jurisdiction of other federal agencies."

The big victory for consumers was that the Library of Congress granted this exception, legalizing not only Campos' attempts to access his pacemaker, but also the hacks that Watkins works on in the SleepyHead project. This year the exception was renewed, and none of the medical device manufacturers opposed it. None of the CPAP manufacturers agreed to comment on the situation for this article.



*



But just because breaking into CPAP machines to access the data is now legal does not mean that manufacturers will make the task any easier. Watkins says that without leaked documentation, hacking a new data format (and most manufacturers have their own) can take hundreds of hours. He uses the Synalyze It! hex editor to analyze data formats, and reverse-engineers them with the help of validated data sent to him by insiders he knows.



“From experience, getting documentation from a manufacturer without signing a non-disclosure agreement is no easier than getting blood from a stone,” said Watkins. “Most of them ignore my email, some even resent my attempts.”







CPAP users regularly ask Watkins to hack their machines, and it got to the point that Watkins had to stop developing the main program in order to spend all his time supporting new devices. Although he has done most of the software development and hacking himself, other members of the community help him with certain projects, and sometimes there are joint hacking efforts in which users work through particularly intricate data formats together.

“Contec oximeters were very interesting to break. I did the hacking of Protocol 7 after sitting there all night; a couple of other hackers sent me the interception data from serial ports, helping to break protocols using python code and check the data import into SleepyHead,” he said.

Thousands of hours of development have taken their toll on Watkins: according to him, he periodically suffers from burnout symptoms, and the development of SleepyHead proceeds in fits and starts, depending on his own health and employment (he is now looking for paid developer work).

“I wasn't working because I was a homemaker, I was sitting with my daughter, and although this benefited the SleepyHead project and my daughter, in the long run it didn’t benefit my family’s well-being,” he said. “Over the past seven years, I was mainly supported by my wife, who was patient with me and supported my work on the project, but now my health has improved, and my daughter has grown up - and I have no choice but to put the responsibility to my family first and return to work. And until I get into a rhythm with this and find a job that brings income and is suitable for my situation, I will have to temporarily postpone the development of the project.”

He said that he wants to create an open CPAP machine that is free of DRM and easy to repair.



“I am very pleased that my work helps others, I am pleased to receive from them supporting words, donations, examples of data, to feel their desire to wait despite the slow progress in development - all this helped me to remain motivated,” he said. “I am proud of my achievements, despite the fact that I did it without commercial support.”







When a new machine is hacked and added to the list of supported ones, it is announced in the Facebook group and on the CPAPtalk and Apnea Board forums. The forums are also crucial for patients: their user base helps new patients understand the data that SleepyHead produces. It also helps patients decide what changes to make to their therapy and exactly how their machines need to be set up (the menu for changing settings is often hidden, and usually only doctors are supposed to have access to it).

“The main goal of the Apnea Board is to promote ‘empowering patients’, when the patient is actively involved in the treatment of his apnea,” SuperSleeper, who founded the forum in 2004, told me. “The apnea industry as a whole is overloaded and unable to provide the personal service that many CPAP users need. They do an excellent job of organizing the things that bring in money (sleep research, visiting a doctor, selling CPAP machines and related products), but they do not have the time and financial incentive to help solve the questions and problems that arise from CPAP users.”

The Apnea Board has become a bastion of information and of self-taught apnea experts. The forum has a private section where users can download manuals intended for doctors. These describe how to enter the “clinical menu”, in which users can change their CPAP settings according to the therapy information available in SleepyHead.

“The Apnea Board freely distributes clinical instructions, publishes the ‘secrets’ of CPAP machines so that our users can learn and take control of their own apnea therapy at will,” SuperSleeper told me. “Knowing these ‘secrets’, it is enough just to enter the ‘clinical menu’ and program most of the CPAP machines, although manufacturers gradually complicate this task for patients, and some machines will have to be ‘hacked’ a little.”

Levin and Lynn say that SleepyHead and the forums have completely changed their lives and therapies. “After the first diagnosis, you feel lonely,” said Levin. “On the forum, people write: Hey, this is what happened to me last night, and this is what I did. What do you recommend?”

Lynn said that when her doctors analyzed her data, they looked at averages over the past six months, rather than at individual nights that could be worse than the rest: “They don’t get to the places where your problems occur. With SleepyHead, I can see the daily numbers and adjust the settings,” she said. “I increased the pressure on the exhale to reduce the performance. Now I feel much better than during the first diagnosis. I have more energy, I sleep better.”



Several apnea sufferers I talked with say that worries about the risks of self-adjusting therapy are groundless; many are convinced that these are just horror stories from doctors and device manufacturers, and they all said that they could not make changes without fully understanding how these machines work and what the data tells them.

Lynn said that self-medication is the only thing that has worked for her, and that it is the only option she has left. “I’m 62, I don’t have health insurance because I can’t afford it, and I’m self-employed,” she said. “For me it would be a disaster to lose this program. If I quit working, I don’t know what I would do.”

Source: https://habr.com/ru/post/433012/


