Maybe I'm only alive because of her: why do apnea patients rely on a program written by a hacker

An Australian hacker spent thousands of hours hacking a DRM installed by manufacturers of medical equipment on CPAP machines to create a free program that allows patients to regulate the treatment process

Christy Lynn experienced a constant feeling of fatigue, and after many months spent trying to diagnose the problem, one of the doctors decided that he had guessed what the problem was.

“I didn’t fit any of the descriptions of the symptoms of apnea,” she told me by phone. - I am a woman, I do not have excess weight. It never occurred to anyone to test me, except for one doctor who had a similar medical history. ”

Lynn, who lives in the countryside of Arizona, conducted pulse oximetry at home , measuring the level of oxygen in the blood, and then went through a sleep study. She was diagnosed with apnea , a disease that causes patients to suddenly stop breathing in their sleep for a while, and which most often follows men who are overweight. She was givenA CPAP machine (a device for artificial ventilation of the lungs with constant positive pressure) with a mask - this device blows air into the respiratory throat so that the airways remain open - and sent home.

However, a year and a half and three somnologists after her symptoms did not improve. Her apnea-hypopnea index (AGI), describing the number of stops breathing in a dream, was at the level of "terrible."

“None of the doctors managed to lower my AGI, and, to be honest, none of them particularly worried about it,” she said. She started to google in search of help and came across the CPAPtalk.com forum . On it, users talked about the program SleepyHead.

This free, open , and definitely not approved by FDA Office of the Food and Drug Administration USA (FDA) programappeared as a result of thousands of hours of hacking and development, spent by the only Australian developer Mark Watkins. As a result, he helped thousands of patients with apnea take control of their own treatment from overworked and underpaid doctors. The software gives the patient access to sleep data that their CPAP machine generates, but which are usually inaccessible, hidden behind proprietary data formats that only an authorized user (doctor) can read using a proprietary program that patients cannot download or even buy . SleepyHead and community-supported forums like CPAPtalk.com and ApneaBoard.comhelped patients bypass the manufacturers of medical equipment, who prefer that there are no such programs at all.

“I can’t tell you how much my experience in using CPAP has changed thanks to this program. It's just day and night, ”Lynn said. “Perhaps I am alive only because of her.”



Most modern CPAP machines generate a huge amount of data during use. They track indicators such as average air pressure, AGI, average number of uses per night, air leak rate from the mask, “flow restriction index” and other data describing the operation of the machine and the patient's sleep quality. They are usually stored on an SD card that the patient takes to the doctor every six months (some modern devices can transfer data wirelessly to the application; but the data that is available for viewing in the application, as the patients told me, are rarely as detailed as the ones that the car actually collects). This data can be used to change the treatment process, increase or decrease pressure thresholds and other settings of the machine,

But many doctors, as several SleepyHead users have informed me, look at these figures in passing, and then send patients back home. Several industry research studies have found a shortage of somnologists, which means that very few doctors can provide patients with the special care that many crave. In a work from 2015 conducted by the American Academy of Sleep Medicine, a "serious shortage of certified sleep medicine specialists" was found, and it was noted that "in some parts of the United States, this area of ​​medicine is poorly supported or not supported at all."

Thomas Penzel, a sleep physiologist, scientific director of the European Sleep Research Society, told me by mail that he "believes that any intelligent patient can do what he wants."

“The patient can adjust the pressure if he understands what he is doing. Some of our patients self-tuned blood pressure, he added. - If something goes wrong, they may die in bed. This is their personal risk. CPAP is not a toy, but a medical instrument. ”

He agreed that most patients with apnea around the world were not getting enough help. "Doctors do not listen to them, and they have no time - and so it is in the whole world."

“The doctor asks you to bring a chip or a card, reads it, but reads not for a diagnosis. “He reads it to follow the rules of the insurance company to make sure you use the car,” Steve Levin, a California user from SleepyHead, told me. “Everyone is trying to take you in, take you out and make a profit at your expense.”

Some CPAP machines allow patients to see fragmentary data on the screen, but few of which machines give patients real access to all the data collected. One popular manufacturer of CPAP, ResMed, produces ResScan data analysis software, which, due to the requirements of the law, can only be obtained if you are a medical professional, or “ordered by a therapist”.

Such a prohibitive approach to the treatment of apnea and CPAP data led to the emergence of a whole direction of CPAP self cracking and changing settings.

Most of the discussion on the CPAPtalk.com and ApneaBoard.com forums, at the last of which approximately 71,000 people are registered, rotates around SleepyHead, which decodes data created by CPAP machines and allows ordinary patients to use them. The software literally decrypts the data: With great difficulty, Watkins cracked the proprietary data formats for each individual CPAP machine that the software now supports. These formats are intended to be read only by the manufacturers' own programs.



“All machines have embedded checks with the signature and verification of the checksums of the data formats, who has it more difficult, who has it easier,” Watkins told me. - Hacking a file format is a complex process that requires data for comparison, as a result of which you need to change the settings in the machine menu or work on PDF reports created by commercial programs based on well-known data sets that you first need to retrieve and collect from people who have access to machine and software.

Watkins began working on the SleepyHead project seven years ago, because he was interested in the "forbidden secrets" of the SD card of his own car. Since then, SleepyHead has become vital for the community of patients with apnea.

“Over time, I was increasingly averted by the way the CIPAP industry uses and abuses people's problems, and the need for a free CIPAP analysis tool that focuses on data and supports all formats became obvious.”

*

Technical means of copyright protection, used to prohibit access to data users of devices, are widespread in various industries. The problem faced by CPA users is similar to the problems of farmers who need to repair John Deere tractors, the problems of owners of Keurig coffee machines making coffee from authorized capsules only, and problems of independent specialistsrepair electronics, which are increasingly hampered in the repair of iPhones , MacBooks , servers, air conditioners, vacuum cleaners and devices connected to the Internet of things.

CPAP users, in particular, Watkins, are part of a new movement of patients trying to regain control of their data. Activist Hugo Kampos spoke at TEDx in 2011 , telling about his right to access data generated by his pacemaker, and the Nightscout group launched the DRM hacking application that didn’t allow patients to remotely monitor their children's glucometers.

Manufacturers of medical devices are generally dissatisfied with the emerging movement, but what Watkins does for the SleepyHead project does not violate the law.



In 2015, the Coalition of Medical Device Investigators, under the leadership of Campos, sent a petition to the Library of Congress and the United States Copyright Office demanding an exception to the Digital Millennium Copyright Act (DMCA), the most important copyright law in the United States — which would allow patients legally hacking their medical devices for security research and for accessing the data they create.

The medical industry argued that “patients who directly access data from their devices may not understand the data format or misinterpret it. Rights to access data should be provided through medical professionals. "

Campos “was tracking his pacemaker using Google Spreadsheet — not the best option for the patient,” said Andrew Sellars, a lawyer at the Berkman Internet Center and Community at Harvard, who represented Campos rights. - Pacemaker transmits data to the base station. He came up with the idea of ​​intercepting this signal in order to find out how his heart is occupied. ”

Medical device manufacturers fought fiercely against the Campos and Sellars petitions: “Medical device manufacturers took the following position: the data has a copyrighted format that falls under the DMCA,” said Cellars, who now works as director of the Cybernetic and Technological Jurisprudence Clinic.

Trade organization AdvaMed, lobbying for the interests of the medical industry, launched a petitionwhich blocks Campos' request, where she stated that “patients who get direct access to the data on their devices may not understand the data format or misinterpret it. Rights to access data should be ensured (and are already provided) by means of medical personnel with appropriate tools, trained to collect and protect patient data that does not violate the security and long-term operation of their devices. ”



The organization also argued that an exception that would legalize patient access to data would carry risks for the health and privacy of patients and could “speed up the process of discharging the battery.” Medical Alley Association, another manufacturer of medical devices, argued that "if you accept this exception, it will directly interfere with the interaction of doctors and patients, prompting patients to make decisions without the support of their attending physician."

In the meantime, the FDA told the US Copyright Office that any device modified by the user cannot be advertised or resold without FDA approval, and that if a patient suffers because of a modified machine, the agency will find it difficult to determine whether who modified the software. But in the end, the FDA did not try to interfere with the adoption of the exception: "The FDA recommends that the final report states that nothing in it will affect the regulation of products that are in the jurisdiction of other federal agencies."

The big victory for consumers was that the Library of Congress allowed this exception to be made, legalizing not only Campos' attempts to access the pacemaker, but also the hacks that Watkins is working on in the SleepyHead project. This year, the exception was updated, and none of the manufacturers of medical devices did not interfere with this. None of the producers of CPAP agreed to comment on the situation for this article.

*

But just because now breaking into CPAP machines to access data is legal does not mean that manufacturers will facilitate this task. Watkins says that without leakage of documentation on the hacking of a new data format (and for most manufacturers it is yours) hundreds of hours can go. It uses the Synalize It! Hex editor .for analyzing data formats and reverse engineering by means of validated data that is sent to his familiar insiders by Watkins.

“According to experience, getting documentation from a manufacturer without signing a non-disclosure agreement is no easier than getting blood from a stone,” said Watkins. “Most of them ignore my email, some even resent my attempts.”



CPAP users regularly ask Watkins to hack their car, and it came to the point that Watkins had to stop developing the main program in order to spend all the time supporting new devices. Although he has done most of the work on software development and hacking, other members of the community help him with certain projects, and sometimes joint hacking attempts occur, when users together understand particularly intricate data formats.

“Contec oximeters were very interesting to break, I did the breaking of Protocol 7, after sitting there all night, a couple of other hackers are sending me interception data from serial ports, helping to break protocols with the help of python code, checking the data import into SleepyHead,” said he.

Thousands of hours of development were not in vain for Watkins - according to him, he periodically suffers from burnout symptoms, the development of SleepyHead is jerky, and depends on his own health and employment (he is now looking for paid developer work).

“I didn’t do work because I was a householder, I was sitting with my daughter, and although this benefited the SleepyHead project and my daughter, in the long run it didn’t benefit my family’s well-being,” he said. - Over the past seven years, I was mainly supported by a wife who was patient with me and supported my work on the project, but now my health has improved, and my daughter has grown up - and I have no choice but to put the responsibility to my family first and return to work. And until I get into the rhythm with this and find a job that brings income and is suitable for my situation, I will have to temporarily postpone the development of the project. ”

He said that he wanted to create an open-type CPAP machine that was free of DRM, which would be easy to repair.

“I am very pleased that my work helps others, I am pleased to receive supportive words, donations, examples of data from them, to feel their desire to wait despite the slow progress in development - all this helped me to remain motivated,” he said. “I am proud of my achievements, despite the fact that I did it without commercial support.”



When a new machine is hacked and added to the list of supported ones, it is noted in the group on Facebook and on the CPAPtalk and Apnea Board forums, which is also crucial for patients: the user base of the forums helps new patients to understand the data that SleepyHead gives out. It also helps patients decide what changes to make to their therapy, and how exactly their cars need to be set up (the menu with settings changes is often hidden and only doctors should usually get access to them).

“The main goal of the Apnea Board is to promote„ empowering patients “when the patient is actively involved in the treatment of his apnea,” SuperSleeper, who founded the forum in 2004, told me. - The apnea industry as a whole is overloaded and unable to provide the personal service that many CPAP users need. They do an excellent job with organizing events for which grandmas can get (sleep research, visiting a doctor, selling CPAP machines and related products), but they do not have the time and financial incentive to help solve issues and problems that arise among CPAP users during therapy. ”

The Apnea Board has become a bastion of information and self-taught apnea experts. The forum has a private section where users can download instructions intended for doctors. They contain how to enter the “clinical menu”, in which they can change the settings of CPAP in accordance with the information on their therapy available on SleepyHead.

“The Apnea Board freely distributes clinical instructions, publishes the“ secrets ”of CPAP-machines so that our users can learn and take control of their own apnea therapy at will, SuperSleeper told me. “Knowing these" secrets ", it is enough just to enter the" clinical menu "and program most of the CPAP machines, although manufacturers gradually complicate this task for patients, and some machines will have to hack a little.

Levin and Lynn say that SleepyHead and the forums have completely changed their lives and therapies. “After the first diagnosis, you feel lonely,” said Levin. - On the forum, people write: Hey, that's what happened to me last night, and that's what I did. What do you recommend? ”

Lynn said that when her doctors analyzed her data, they looked at averaging over the past six months, rather than on individual nights that could be different from the rest to the worse:“ They don’t get to the places where your problems. “With SleepyHead, I can see the daily numbers and adjust the settings,” she said. - I increased the pressure on the exhale to reduce the performance. Now I feel much better than during the first diagnosis. I have more energy, I sleep better. ”

Several apnea sufferers I have talked with say that worrying about the threats associated with self-adjusting therapy is groundless; Many are convinced that these are simply horror stories from doctors and device manufacturers, and they all said that they could not make changes without fully understanding how these machines work and what the data tells them.

Lynn said that self-medication is the only thing that worked for her, and this is the only option she has left. “I’m 62, I don’t have health insurance because I can’t afford it, and I’m self-employed,” she said. - For me it would be a disaster to lose this program. If I quit working, I don’t know what I would do. ”