(edit: removed redundant rants and added updates)
I recently got diagnosed with a condition (sleep apnea) which means I need to use a machine (CPAP) to have a proper sleep, probably for the rest of my life. The doctor wanted me use the device for a few months, and bring the “report” generated by the device to monitor my progress and discuss further treatment.
I thought it would be a simple task, like using a program or accessing a local network service like a printer would and download a file. However, as I consulted to the device distributors in my area… their sales pitch (disregarding the actual medical functions) were:
A) The machine is constantly connected via wi-fi or cellular to manufacturer’s server, and user downloads the report via manufacturer’s website or an app.
B) The machine has an SD card slot to which data is copied, but user have to bring its contents to the authorized distributor so they can convert them into a report file.
TL;DR: Very unsatisfied with either options. I never asked for this.
Update #1: For the reports, there’s a program called OSCAR (www.sleepfiles.com/OSCAR/) that supports conversion of SD card data. Check device compatibility first. For sleep apnea related discussion, there is a forum (www.apneaboard.com) dedicated to it.
Update #2: From all the available brands, I’m inclined to buy a Chinese brand (Yuwell) simply because of costs alone, even if it is not supported by OSCAR. I see a lot of people recommending ResMed (which has OSCAR support) both online and offline, but the cost is prohibitively expensive for someone in my financial situation with local market prices. Still have to think about it.
Update #3: There’s an asshole in the comments arguing “what’s so special” about sleep related statistics being copied around. My concern was how those statistics get associated with customer identification (metadata) as distributors often do. Anyways, won’t waste my time with the “got nothing to hide” type of dumbfucks.
Is there no longer an option to use the machine without the report or connection to internet?
Considering that, but the doctor needs the report so my condition can be treated in a proper way. I need to contact more distributors and see if there are any “customer privacy conscious” kind, but I’m not getting my hopes up.
I’m not familiar with the companies mentioned, but have you tried talking to the doctor or the clinic? They may be able to provide you with better guidance, or tell you about other machines that are compatible with your treatment plan. Even if they don’t know about the privacy aspect, that might give you a shorter list to follow up on.
My guess (or hope) is that this is the option that the average person finds convenient, which is why the doctor recommended it. There should be other options that the doctor / clinic knows about, especially because an IOT CPAP machine is a fairly new thing.
Doctors modify treatment plans fairly often, even for things like patient comfort, and bringing this concern to their attention could also change what they recommend to future patients.
Personal thoughts unrelated to your case: This is a growing concern with healthcare technology and I think we need more attention on the harms. “Your insurance company will use it against you” is something that most people will understand.
What would a hacker even do with it? They would… maybe know how often you stop breathing at night?
The nature of his medical condition isn’t relevant here. It could be his blood pressure, heart beats, whatever that makes an insurance company charge a premium on that poor sucker.
I get your message, but I was not referring to the machine. I was referring that the what kind of data logged by the machine didn’t matter in the context of privacy.
So what? I post concerns about user privacy on a privacy forum and this is what I get? A gatekeeping comment about how my concerns are overblown? Way to promote the platform.
Here’s something tangentially related that makes it difficult to find older options, the support. In the US a piece of medical device has to be supported for 7 years. My hospital has these bladder scanners that are in quite a few departments, regular fixture in hospitals (ultrasounds). Jan 1 2024 was when our came up on the 7 year mark. To do preventative maintenance calibration required logging on their server, guess what’s no longer accessible? So to stay in compliance all of us in the biomed department has to figure out how to get new ones to replace the 10 $11k each paperweights we have now.
Well fuck I’m suddenly looking at my pacemaker and the little box that sends the messages to the doctor with much more suspicion now.
As another has commented, medical devices (and especially pacemaker systems) are well regulated, such that misuse or illegal re-selling of patient health data is not worth it for most companies.
Cybersecurity is a big topic in the industry now and life-sustaining systems are scrutinised much more closely these days. I wouldnt be worried, but you can ask the company directly if you are still concerned.
