by archangle » Tue Dec 01, 2015 4:40 pm
I'll use ResMed as an example, but the same is true for Philips Respironics.
Radio Link
The RF (Radio Frequency) data link is through the cell phone network. Sometimes, the marketers will make distinctions between "cellular" and "wireless, LTE, 4G, etc.," but the data goes through the same towers and radio network used by your cell phone. (Or whatever you call the phone that you carry around and it works pretty much anywhere you go.)
The system is two way. Most, if not all, settings can be changed by an authorized person.
Payment
In concept, ResMed pays the cell phone companies and internet company for transmitting the data. There may be a lot of things that are subcontracted out. In concept, the DME, the doctor, or the insurance pays ResMed for access to the data. Once again, there may be parts of the process that are subcontracted out. Some or all of the costs may be bundled into the wholesale price of the machine. The details may vary over time.
In practice, the cost of doing this is really minimal compared to the price of the machine. However, cell phone companies are used to predatory pricing, as are many others, so there may be some "real" costs to the DME or insurance.
Weighing the Risks
Don't forget that there is a REAL benefit to you for collecting your data. It makes a lot of information available to determine if your treatment is working. Even if you have a brick machine, the times you use the machine are useful information to you and your doctor. Even if your current doctor has a brick for a brain, your next doctor may find it useful. AHI and other data is very valuable.
Realistically, other than "compliance" concerns with insurance, the risks are small.
I've written a lot more below, mostly for geeky information purposes.
Big Brother Risk
Ignore, for the moment, the risk of "hackers." Consider the following possibilities:
You get denied insurance payments or coverage because your records indicate you're not following the prescribed course of therapy. Or have your driver's license suspended. These things are already happening to some extent. It could get worse as the big brother/big business/big data system grows.
You have a car accident. The scumbag lawyer subpoenas your records and claims you were at fault because you weren't doing your CPAP properly, and were driving while impaired by apnea, or simply by lack of sleep because you weren't getting enough hours of sleep the previous few days. Or some scumbag government prosecutor does the same.
A divorce lawyer gets your data and claims you must have been cheating on certain dates because there is an unexplained gap in your CPAP data on nights your wife is out of town.
You get implicated in some crime because your wireless CPAP data indicates you were in certain places at certain times. (Same thing for the divorce lawyer.) A record of when and where you sleep is a useful tool to be used against you in some cases. Requiring you to account for your sleep time and location in court is a great way to intimidate someone in court, or make inferences and innuendo.
Technical Security/Hacking Risk
There are many levels of security concerns here.
In my professional data security guy opinion, the main risk is in the central servers that run the system, your insurance company, or your DME. i.e. the risks are in the computers at the other end, not in the modem part. Most of these risks exist whether or not you have a working modem in your CPAP machine.
While, in concept, someone could hack the system and change the settings on your CPAP, or read your CPAP data, it's not likely. The main reason I say this is that it would take a lot of effort, and there's not much profit in it, and most hackers these days are professional criminals who are in it for the money.
The easy and profitable thing to do is to hack into the servers run by the manufacturer, DME, or insurance, and steal the data such as name, address, social security number, credit card, etc. Messing with your CPAP machine will make it more likely they'll be caught and will lose access to their profitable access to credit cards or identity theft data.
One trend that is happening somewhat these days is "ransomware" and blackmail hacking. Someone will hack into a system, and threaten to do damage unless paid, or damage data and require payment for information on how to undo the damage. I suspect that there's not a lot of risk for this on CPAP, but it's possible.
It's possible that someone could hack the cellphone RF link or the internet network used to transmit the data, but I doubt that is much of a risk. It's so much easier to do the hacking in the central servers.
The data between the CPAP machine is probably encrypted in some way. However, modern big business does really bad jobs at securing such data, so it's probably hackable if someone's really interested. Once again, it's probably not worth the effort to do that because the data isn't that valuable for the effort involved. There are much juicier targets available. It's sort of like counterfeiting $1 bills. It's much more profitable to do higher denomination bills.
As for directly hacking the modem, it's possible, but probably unlikely anyone will do that and monitor or hack your CPAP. Someone would have to specifically go after your type of CPAP machine, and figure out the way the data stream works. Not that hard, but it is a considerable amount of work specific to CPAP. The attacker would then have to be within radio range. Once again, possible, but not profitable enough to be likely.
Someone like the NSA might well have a system that could use the cell modem to track down a particular CPAP machine/cell modem. Technically, they do have systems that will locate a cell phone modem. Woe is you if you bought that used CPAP machine that used to belong to some ISIS guy they're looking for. Or if someone types the wrong number into their computer system and mixes the modem numbers up. Here comes the CPAP tracking missile. This is probably not a terribly big risk, and it applies to your cell phone as well.