Hacker News

Despite being a nerd from way back that had a 2400 baud modem in my c64, I have avoided IOT devices as long as possible, precisely for the reasons that the author describes (privacy, security, and failure to distinguish between service or object).

However, sometimes it becomes unavoidable. After a recent diagnosis with sleep apnea, I got a cpap machine, which has a cellular network connection in it, which connects to a centralized service where the sleep technicians can tune the device to deliver the right pressure for my sleeping patterns. What it also did was allow my insurance company to know how much I was using the device, in order to decide whether it was going to pay for it or not.

So, I really don't see how I could have avoided this IOT device and received treatment.

On the other hand, no hacker is going to be able to compromise my network via this device, so maybe this truly is a better path forward for IOT devices?



It's chilling how casually we have allowed something as essential and personal as a medical device to inform on us to someone we have a fundamentally adversarial business relationship to.

Do the insurance company's intercoms also send you recordings of their meetings so you can check if they're conspiring to illegally deny coverage, or is the spying strictly one-way?


I don’t think this is casual or just “allowed”. The insurance company holds all the cards here. The choice is between getting treated or not for a great many people.


I got my machine from a local company that does the monitoring and configuration by mailing an SD card back and forth. I suspect my sleep patterns still end up in a database somewhere but at least it’s not real-time.

The insurance company will also be a lot less antsy about monitoring if you buy the machine out-of-pocket, which brings up another issue with pervasive IOT: opting out is, if even possible, more expensive, making it potentially yet another modern method of class striation.


> However, sometimes it becomes unavoidable. After a recent diagnosis with sleep apnea, I got a cpap machine, which has a cellular network connection in it, which connects to a centralized service where the sleep technicians can tune the device to deliver the right pressure for my sleeping patterns.

I too have such a device. I did a little (<5 minutes) research and was able to access the device's settings to disable the cellular modem.

The manufacturer complained about this to me and I told them to go fuck themselves. My insurance company never even asked about it.


> On the other hand, no hacker is going to be able to compromise my network via this device, so maybe this truly is a better path forward for IOT devices?

But on the other hand, your network has already been compromised, in the sense that you have a connected device within your home that you cannot control at all, that connects to the internet as long as it has power and can do whatever it is programmed to do...

Maybe for a sleep apnea machine this isn't catastrophic, but consider this Ubiquiti hack that's in the news; it wouldn't surprise me if the security situation around medical stuff isn't any better than with a networking company, after all.

Me, I want to control what's connected in my house. At least a little.


I think they meant it connects via a cellular network rather than wifi, so even if it were compromised it couldn't do anything to devices on the internal network. So security breaches are limited to the one device, and don't provide an opening to other devices.


I had a ResMed CPAP that came with a wifi attachment that plugs into the machine. However the machine also had an SD card slot and recorded the usage data and some diagnostics to the card; the data on the card provides proof that the patient is using the machine. There was no requirement to use the wifi attachment. I never used it. All the physicians I have seen always ask for the SD card. If you have Windows you can download the ResMed software to read the card yourself.

Are the newer machines not using SD cards anymore?

Also I have always wondered if anyone has opened up and tinkered with the ResMed wifi attachment. Perhaps it could be used as general purpose hardware.


As far as I know the SD cards are still standard, even on connected machines. Everybody is working on connectivity, but on medical devices it's pretty hard because of regulations: you need hosting accreditation for health data and specific anonymization processes, and even then it doesn't mean you have a right to use the data you collect. In my opinion it's the one industry where IOT would be a boon to society, it'd enable medical research in a huge way. We put so many protections in place to protect people's health data, and paradoxically insurers have an easier time getting access to it than the scientists who do medical research. I'd encourage anyone in this thread using a mechanical ventilator to donate their respiratory data anonymously. If you look for respiratory data online you'll see it's meager what's openly available, and hospitals/doctors who do this kind of research guard their datasets fiercely, not because of privacy concerns, mind you, since they're anonymized, but because it gives them a competitive advantage.

To really hammer home what I'm talking about, if tonight you extracted your data from that SD card and you published the recordings from your last 10 nights of breathing with your machine you'd create one of the largest open respiratory datasets online. It'd take 1 to 2 years for a medical researcher with industry or hospital backing to go through the process to have the right to gather this kind of data on a patient.


Do you have to keep using the device indefinitely?



