[Michael Marcotte (Chair)]: Good morning, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Thursday, 03/19/2026 at 09:04 in the morning. So we're beginning our day to have more testimony on H160, which is an act relating to creating a right to repair for medical devices. We have a couple of presenters. Good morning. Thank you for joining us.
[Justin Leventhal]: Thank you for having me.
[Michael Marcotte (Chair)]: So if you would like to just state your name and your affiliation and continue on with your testimony, that would be great.
[Justin Leventhal]: Happy to do so. My name is Justin Leventhal. I'm the senior policy analyst at the American Consumer Institute. Chair Marcotte, vice chair of granting, ranking member White, and members of the state of Vermont house committee on commerce and economic development. I'm Justin Leventhal, senior policy analyst at the American Consumer Institute, a nonprofit research organization focused on consumer policy. Thank you for the opportunity to offer comments on H160 regarding medical device repair. I'm here today to express concerns about H160 and its potential impact on patient safety. I support competitive markets and I support repair, but when the product is a critical life-saving medical device, the rules must be built around patient safety first and foremost. I'm here as a free market advocate speaking from the perspective of patient safety concerns surrounding the potential harm for when this equipment is repaired improperly. H160 would mandate that manufacturers provide parts, tools, software, documentation, and training to repair medical equipment to any third party who wants it, regardless of the quality of service the third party provides. Medical devices include high-risk equipment such as ventilators, defibrillators, imaging machines, and more. H160 forces a broad mandate that risks patient harm. Medical devices are fundamentally different than consumer products because improper repairs risk patients' health and lives. Voiding a warranty when somebody makes a mistake trying to repair a computer has far less serious consequences than when a defibrillator or an MRI is repaired incorrectly. Authorized repair providers are held to the standards of the manufacturer and have been trained and proved by the manufacturer. Because the manufacturer retains liability after the repairs, it is incentivized to ensure that anyone authorized to repair the equipment is highly qualified.
H160 would require manufacturers to provide repair and training to unauthorized repair providers as well as tools, but does not set any standard for those receiving the training. It removes the incentives for quality standards of manufacturer without replacing them in any way. Small errors in diagnostics, surgery, or countless other procedures can be the difference between life and death for patients. H160 mandates access to the tools of repair to repair medical equipment, not the outcome of those repairs or the quality of the work done. While H160 would remove manufacturer liability for errors made by unauthorized repair providers, it also makes those errors more likely. Patients are more concerned that nothing goes wrong with their medical equipment than who is liable if it does. Once something goes wrong, H160 opens the door for unauthorized repair providers to blame the manufacturer and the manufacturer to blame the provider regardless of who is at fault. If something goes wrong, patients will ask why lawmakers made it so hard to figure out who to hold accountable. Among the data that H160 would require to be provided are codes and passwords that allow access to the equipment. This greatly broadens the scope of people with access to information that can be used to compromise the security of medical equipment, again, without any standards or certification for who is receiving it. Hundreds of cyber attacks are already launched against hospitals each year, and making security information so easy to access risks patients' health and safety to potential actions. Patient safety and cybersecurity must be the non-negotiable baseline. H160 does not meet that baseline. Thank you for your consideration.
[Michael Marcotte (Chair)]: Thank you, Justin. Any question? Jonathan?
[Jonathan Cooper]: Thank you, Mr. Lamoille. The question I
[Michael Marcotte (Chair)]: had had
[Jonathan Cooper]: to do with the comment you made towards the conclusion of your testimony about information that would be shared with third party sort of not reaching thresholds for security, I guess maybe was the point. I was thinking about the amount of information that hospitals retain currently at a standard of confidentiality, et cetera, would that not... Do you see there's some daylight between those two things or is that not where you think the information would be held?
[Justin Leventhal]: Breaking up a little bit. I think you're asking if it would compromise, if this is adding additional compromising information?
[Jonathan Cooper]: The question is, would the hospital IT networks provide the necessary amount of security given all the other sensitive information that is entrusted to them?
[Justin Leventhal]: Currently hospitals are already running into issues with IT security, with data being held and with cyber attacks. This opens up one more potential venue of that.
[Michael Marcotte (Chair)]: Other questions? Justin, you talked about unauthorized, untrained third party repair people, but if you were required, or if the company was required to provide the training to that third party person, wouldn't that be a certified training that they would become an authorized provider?
[Justin Leventhal]: The training under this bill doesn't make them an authorized provider. The bill distinguishes between the authorized providers that the company has explicitly delegated and then thus retains reliability when they repair something, as compared to somebody else who can go through the training, doesn't necessarily have to maintain it, and the bill doesn't actually establish any standard for that training. So once the training is done, it doesn't necessarily mean that they are any more qualified than anybody else, especially if the company itself is not willing to put their name behind it.
[Michael Marcotte (Chair)]: That could be taken care of with some additional language. Any other questions?
[Unidentified Committee Member]: Hi. My question for you is about rural communities that have a hard time getting access to service. Do you have any thoughts on that and the sort of timeliness?
[Justin Leventhal]: Rural healthcare concerns are a major issue, as well as repairs and everything else. I don't have a specific thought on that, except that it isn't any more difficult for a repair person to get to a rural community than anywhere else. The typical issues there come down to how much money the hospital has to pay for repairs in the first place. And this bill does not necessarily do anything to reduce those costs.
[Michael Marcotte (Chair)]: Any other questions for Justin? Justin, thank you.
[Justin Leventhal]: Thank you very much.
[Michael Marcotte (Chair)]: Nathan, good morning.
[Nathan Proctor]: Good morning, thank you.
[Michael Marcotte (Chair)]: If you'd like to just state your name and your affiliation and go on with your testimony.
[Nathan Proctor]: Alright. Thank you, chair, members of the committee. My name is Nathan Proctor. I am the senior director of the Right to Repair Campaign for the Public Interest Research Group. I have written several does or more than a dozen reports on right to repair. I've studied it, conducted interviews with dozens and dozens of medical device technicians, and surveyed 220 in 2020 and, most recently, 107 technicians to ask them exactly what they're experiencing in hospitals. So, yes, that is the kind of basis of the information that I have. I wanna start by saying that every hospital in Vermont already hires outside of original equipment manufacturers to conduct repairs. They have their own in-house teams that do these repairs, and they hire independent service organizations. The FDA the hospital also keeps track of what happens with the devices when they fail. Just to make a comment on liability, by far, the most liable party, the one most likely to be sued, the one that's involved in the most lawsuits, as is probably obvious if you think about it for a second, are the actual medical facilities providing care. Those are the places that people sue. Those are the people people view as responsible, and those are the people with the strongest incentive to ensure the patient is being properly cared for and is not experiencing adverse effects. They are the most liable party and therefore have the strongest incentive to ensure that the equipment is properly cared for. And they make a choice in many situations to hire outside of the manufacturers because the manufacturers take longer to respond. They don't do the work to the same level as their competitors, or they charge way more without having a noticeable quality difference. I know hospitals which carefully track the failure of different pieces of equipment and have found that manufacturers do not provide the same high level of quality as the ISO that they're contracting with.
In that situation, why would we want to restrict that independent service organization's ability to provide safer, lower cost care to the hospital if the manufacturer can just program the equipment to lock out all service from the ISO because they're losing these contracts because their business is not competing properly. That seems just like wasting money in the health care system to get worse outcomes, and in fact, that is what the problem that I'm trying to solve by supporting legislation like this. You know, the FDA looked at millions of device failure reports submitted by hospitals, concluded that there was not a safety and quality issue with repair happening outside of the manufacturer's direct control, and that more regulation to protect patients was not necessary, and to me, I mean, like, if there was an issue of patient safety, a group like US Public Interest Research Group, we would want to care for safety, but this is one of those very rare things in health care that both improves patient outcomes and cuts cost. And there's clear and obvious evidence that manufacturers are the most expensive way to fix medical equipment and that in-house, you know, hospitals save a significant portion of revenue by being able to fix these devices in-house. Their problem is that they're routinely denied access to the basic service information, service keys, and other parts, tools, and information you need to conduct repairs. In our most recent survey, 79% of the biomeds we surveyed, which worked some actually which worked for the manufacturers, most of which worked for hospitals, reported being denied access to service information like manuals somewhat frequently or most of the time. So that's close to 80% says it's at least somewhat frequently or most of the time. 70% responded that they commonly experience diagnostic tool restrictions causing a delay in patient care.
83% say that equipment downtime increases from repair barriers happens either somewhat frequently or most of the time. Alright. None of the respondents in our recent survey reported that they had never been denied access to repairing critical information. The final thing I wanna say is about security and cybersecurity. There are reasons why many the hospitals are targeted by ransomware gangs and other malicious actors. They almost always target known security vulnerabilities. The biggest examples have been around with older versions of Windows. The problem that we're facing is not that repair technicians are opening up this equipment to hacks. The equipment requiring physical access to the equipment to compromise it is not a viable strategy for a ransomware gang. They do not hire physical people to go into hospitals. They attack things over the Internet, and those are just not implicated by this bill and the problems that we have around securing medical devices. Honestly, it would be improved with greater access to service information. It would empower the in the hospitals to better secure the devices because they would have more information and technical access that they might need to devise kind of an anti-intrusion schema. With that, I'll conclude my testimony.
[Michael Marcotte (Chair)]: Any questions for Nathan?
[Unidentified Committee Member]: Thank you for your testimony. I'm interested, you referenced FDA data about safety and looking at So I'm wondering if you can provide more information on that or reference so I can take a look at the study.
[Nathan Proctor]: Yeah. I'm pretty sure that that was discussed, you know, at length in the last hearing, but I'm talking about the 2018 FDA servicing report where they looked at, you know, millions of device failure records and concluded that there's no safety problems. I would say would be essential, I would say, you're considering this legislation to at least read the executive summary of that report. It's
[Unidentified Committee Member]: Yeah. Thanks. Thanks. I do remember it was discussed, but that's helpful to know the title. So I'll look it up.
[Michael Marcotte (Chair)]: Other questions for Nathan? Monique?
[Monique Priestley (Clerk)]: Thanks, Nathan. I'm just curious, like reading the report that you sent, it sounds like, I think a question that's come up has been around like training and certification, but it sounds often, I guess I would like to hear from you, thoughts on people who are, it sounded like people who are qualified and or certified to access this, to fix these machines couldn't do so because they're locked out, like either legally or contractually or whatever, rather than or like physical devices or software devices keeping them from doing it rather than like their ability to like fix a thing. Like, it's I'm just wondering if you could expand
[Michael Marcotte (Chair)]: on that a little bit.
[Nathan Proctor]: Yeah. You're exactly correct. Your ability, your qualifications from a technical standpoint and your permission from the manufacturer are two completely separate items. I know technicians who work part time for the manufacturer, so are authorized, credentialed, and allowed to fix equipment Monday, Tuesday, and Wednesday, and are unqualified, uncertified on Thursday and Friday. It has nothing to do with the technician's actual ability. It is a mechanism for the manufacturer to control access. Their essential argument is that it's a benevolent, you know, dictatorship over the control of that, that they do it to protect the patients and the hospitals. There is no evidence that that is, in fact, true, but it is incredibly commercially valuable to them to be able to control who and under what conditions people are allowed to fix equipment.
[Michael Marcotte (Chair)]: Any other questions? Nathan, thank you. Doctor, do have anything else you want to add? No, I think we have. Think we've our position pretty far. Okay. Thank you both very much for joining us this morning. But I think there's two things that we can do for language to make it clear if we've missed crossover deadline anyway. I think that you all can give a lot of thought to this. I think it's something that we really should push on next year. I don't see many valid reasons why they're do something. The testimony that we've taken so far, mechanical engineers that are doing the repairs, I think a lot of it just sits with the manufacturers not wanting to give them to letting a third party by the by the repairs be controllable for fiefdom sounds like. Does the liability
[Jonathan Cooper]: question is interesting. When a third party performs repairs, is there a give and take or is, would the, let's say, let's say a hospital expect that liability would still rest fully with the infection?
[Michael Marcotte (Chair)]: I think that's something that could be talked about. I think that there could be a requirement that there is liability where the manufacturer could be indemnified if the third party made the repairs.
[Unidentified Committee Member]: Yeah, with other kinds of equipment, there's that.
[Michael Marcotte (Chair)]: Right. I think there's a reason around a lot of the issues that have been brought up. I think you want language in your thoughts about third party paper person needs to be qualified, like a mechanical engineer type.
[Unidentified Committee Member]: And I also think there was just testimony that the hospitals quite harmed innocent by working no matter what because typically the consumer is going to go to them first. Yep. Okay.
[Michael Marcotte (Chair)]: I think that's all we have until 10:00. So we'll go off live. We'll be back at ten. We'll be hearing from Rick Gardner from he's a whole battle protection officer to let us know. So we'll go