Sage Journals: Discover world-class research

Abstract

Background:

In today’s data-driven era, openness promotes transparency and accessibility, particularly in health initiatives like the European Health Data Space. Diabetes management relies on real-time data from medical devices, such as continuous glucose monitors (CGMs), insulin pumps, and hybrid closed-loop systems. These devices provide critical insights for treatment adjustments, making real-time data access essential.

Methods:

This article explores real-time data access for third-party applications, focusing on primary (treatment) and secondary (research) use. We examine how application programming interfaces (APIs) enable secure data retrieval and assess the impact of terms of service and copyright law on patient-driven innovation in open-source communities. Our research evaluates diabetes medical devices and software solutions in Norway, assessing their real-time data access and API functionalities. In addition, we analyze legal frameworks governing these technologies, focusing on challenges faced by open-source solutions. Based on our findings, we propose an interoperability model to improve data accessibility while ensuring security and transparency.

Results:

Findings reveal seven diabetes devices and nine regulated software solutions, with only one offering a publicly accessible API. This emphasizes a significant gap in real-time data access. Comparisons between vendor-specific and open-source software expose interoperability and accessibility challenges. While Do-It-Yourself (DIY) solutions foster innovation, they face technical and legal barriers.

Conclusion:

Real-time diabetes management presents security, transparency, and access challenges. Regulatory decisions are needed to implement an interoperability model. The lack of real-time data access highlights the necessity of publicly accessible APIs that prioritize transparency, accessibility, and patient-driven innovation—marking a shift from today’s constrained diabetes management landscape.

Keywords

diabetes management interoperability openness real-time data access FHIR (Fast Healthcare Interoperability Resources)

Introduction

The concept of “openness” in the context of health data, software, and research is increasingly prominent, especially within the European Union (EU) and European economic area (EEA).¹ This movement, characterized by transparency, participatory engagement, and data sharing,² is exemplified by the European Health Data Space, which seeks to empower individuals and organizations through accessible and reusable health data.³ Complementing this trend is the General Data Protection Regulation (GDPR), which advocates for the rights of European citizens in data processing.⁴ Application programming interfaces (APIs) play a critical role in facilitating technical data access⁵ and promoting interoperability,⁶ aligning with the GDPR’s core principles. These user-friendly APIs empower developers to meet their data needs and usage objectives, fostering data access and GDPR compliance. Consequently, APIs unlock possibilities for Big Data applications,⁷ making it easier for different health care and research systems to work together.⁸

In the intricate and competitive field of diabetes management, “openness” presents unique challenges, especially concerning real-time data access,⁹ a topic we explore further in this article.

Diabetes Management and Data Sharing

Diabetes is a common chronic disease managed with various devices, including blood glucose meters, blood ketone meters, continuous glucose monitors (CGMs), and insulin pumps. Whether stand-alone or connected, these tools often integrate with mobile apps for glucose tracking, physical activity, pregnancy management, and other health aspects, enhancing diabetes care.^10-13

Managing a long-term chronic condition like diabetes requires ongoing monitoring, personalized treatment, and regular health care consultations.¹⁴ In addition to patients and health care providers (HCPs), other important contributors, such as informal caregivers (like family members and next of kin), play a crucial role, especially in the care of children. This highlights the need for real-time data sharing.^15,16 Having access to accurate and up-to-date health information allows caregivers to offer better support.

Given these factors, it is more important than ever to establish effective and accessible data-sharing mechanisms for diabetes management. Strengthening interoperability between systems like electronic health record (EHR) and enabling secure, real-time data exchange among all stakeholders—including patients, caregivers, health care professionals, researchers, and developers—is essential. In addition, these elements play a vital role in driving innovation through research activities.¹⁷

Innovation From Do-It-Yourself Communities and Off-Label Use

Diabetes management has significantly evolved with the Do-It-Yourself (DIY) movement, known under several hashtags on social media, such as #WeAreNotWaiting. Since its beginning in the United States in 2013, this movement has globally advanced diabetes technologies, particularly in open-source hybrid closed-loop systems and improved access to CGM data.^18-20 Hybrid closed-loop systems were commercialized in 2016 but faced delayed accessibility in Norway and other countries, leading to reliance on DIY solutions.^21,22 A similar situation is occurring in the 2020s with automated insulin delivery (AID) systems, reflecting hybrid closed-loop systems‘ initial challenges.²³

Do-It-Yourself solutions have proven to be highly beneficial for individuals who strongly emphasize improving their quality of life. They offer convenient insulin management via smartphones, smartwatches, and other remote control features, which is particularly helpful for parents managing their children’s diabetes.²³ These solutions have cultivated a strong online community where users exchange information and seek support.^24,25 In some cases, they also coordinate activities, such as reverse-engineering original software or modifying vendor applications to gain more control over their medical devices.

Notable initiatives within the DIY movement in diabetes include OpenAPS²⁶ (Open Artificial Pancreas System), Loop,²⁷ and Nightscout²⁸ (CGM in the cloud).

Terms of Services, Copyright, and Cybersecurity

The use of diabetes medical devices in the EEA is governed by legal frameworks, including GDPR-compliant privacy policies and terms of service (ToS) documents²⁹—which often cover intellectual property rights and copyright.

In the context of open-source communities using medical devices off-label, conflicts with manufacturer ToS and copyright agreements can arise. However, exceptions exist under copyright laws. Directive 2009/24/EC in the EEA allows limited use of copyrighted material for specific purposes like achieving interoperability.³⁰ The implementation of this Directive varies among countries in the EEA. For example, Norway incorporates it through the Intellectual Property Act,³¹ while Germany does so through the Copyright Act.³² Despite these different approaches, both countries adhere to the same conditions as outlined in Table 1.

Table 1.

Conditions to Copyright Exception Directive 2009/24/EC in Norway and Germany.

Condition for decompilation in Norway and Germany
1. The action is performed by a user who holds a valid license
2. The necessary information for achieving interoperability has not been provided to the user
3. Only the portions of the software that are essential for achieving interoperability can be manipulated

Cybersecurity is another crucial aspect, with the EU adopting, at the end of 2024, a new law on the European Cyber Resilience Act^33,34 and the US Food and Drug Administration (FDA) issuing medical device security recommendations.³⁵ Regulatory bodies are especially vigilant in diabetes, warning about using CGM devices in unauthorized diabetes management solutions.³⁶ In response, manufacturers are proactively enhancing data security and safeguarding patient information, as they are responsible for ensuring software security in the products they release to the public.^33,35

Methods

This study explores real-time data access from diabetes medical devices approved in Norway, focusing on primary (treatment) and secondary (research) use cases. Central to our investigation is the role of APIs in facilitating secure and efficient data transfer.

We also investigate the feasibility of accessing the data using third-party software for research (secondary use) and treatment (primary use) and exclusively address real-time data. Data collection via the regulated software solution received ethical approval from the Norwegian Agency for Shared Services in Education and Research (SIKT N 671274).

We define “real-time” data in the context of diabetes as the capability to access and process data instantly or with minimal delay (maximum five minutes after registration), ensuring a timely and accurate reflection of the device’s status. The study concentrates on remote data access, excluding software solutions reliant on Bluetooth and Near-Field Communication (NFC) technologies.

Objectives and Research Questions

To provide a clear and structured overview of our study, we have summarized the main objectives and associated research questions in Table 2.

Table 2.

Objectives and Research Questions.

Objective	Research questions
Identify available diabetes medical devices in Norway and assess their real-time data access capabilities	Research Question 1: Real-time data from diabetes medical devices be accessed using regulated software solutions via publicly accessible APIs?Research Question 2: Is there any working off-label alternative available for real-time data access?
Evaluate the feasibility of using identified solutions for treatment (primary use) and research purposes (secondary use)	Research Question 3: Technologies are utilized for accessing real-time data from diabetes medical devices in third-party applications?Research Question 4: What are the key considerations within the terms of service governing the access to real-time data from diabetes medical devices in third-party applications?
Develop an interoperability model for data sharing and real-time access within third-party applications	Based on insights from RQ1 to RQ4

Study Structure

A visual representation of the sequential steps involved in our study is presented in Figure 1. Each step contributes to the overarching goal of establishing better interoperability in diabetes data. These stages include identifying relevant diabetes medical devices and exploring third-party applications, including assessing the technology landscape, analyzing ToS, synthesizing data, and ultimately proposing a transformative interoperability model in diabetes.

Figure 1.

Study steps—visual representation.

Results

Medical Devices Available in Norway and Associated Regulated Software

Table 3 presents the available medical devices in Norway at the beginning of 2024³⁷ and corresponding regulated software solutions capable of real-time data collection, reflecting the European context overall. In addition, we have reported cases where publicly accessible APIs are available for direct interaction with the data collected by the medical devices or associated software solutions.

Table 3.

Medical Devices Available in Norway and Associated Regulated Software Able to Provide Real-Time Diabetes Data.

Medical equipment (n = 7)	Type	Regulated software that processes data (n = 9)	Publicly accessible APIs.
MiniMed 780G + Guardian Connect G4	Insulin pump and CGM—hybrid closed-loop system	CareLink Connect, MiniMed Mobile	No
Tandem t: slim X2™ Insulin pump Control-IQ + DXCM1 G6	Insulin pump and CGM—hybrid closed-loop system	Glooko	No
Omnipod DASH	Insulin patch pump	Not Available in Norway	No
Accu Check Solo	Insulin patch pump	RocheDiabetes Care Platform	No³⁸
Freestyle Libre 2	CGM	LibreView Data Management System, LibreLink Up, FreeStyle Apps for Libre 2 and Libre 3	No
Freestyle Libre 3	CGM		No
Dexcom G6	CGM	Dexcom G6 mmol/L DXCM1, Glooko	Yes³⁹

Table 3 does not include the Eversense E3 sensor because it was scheduled for removal in 2024, as confirmed by national authorities. In addition, the Omnipod cloud service, which includes cloud functionality for the Omnipod DASH, is unavailable in Norway. Therefore, data transfer with the Omnipod DASH system required a wired connection through Glooko, which was excluded since it does not provide real-time data. Finally, while the RocheDiabetes Care Platform has a publicly documented API,³⁸ it is not accessible to the public.

DIY Software and Off-Label Use

To access real-time data from diabetes medical devices, we searched for publicly available repositories and explored DIY alternatives. We identified mobile applications: Loop,²⁷ AndroidAPS⁴⁰ and OpenAPS.⁴¹ These systems can operate with either iPhone or Android devices, although they may require additional hardware to establish connections.⁴² It is crucial to emphasize that while these solutions enable real-time data access, they also control insulin delivery. It means they offer read-only data functionalities and allow direct input to the insulin pump, thereby providing control over the treatment process.

We also identified two repositories designed to interface specifically with Libre 2 and Libre 3 sensors,⁴³ and Dexcom G6.⁴⁴

Technological Assessment of Regulated and DIY Software

The technological assessment for all the software solutions identified is illustrated in Figure 2. This assessment follows two distinct paths: the regulated and the unregulated path. We also consider cardinality, which indicates how many users can connect via third-party applications for real-time data access, serving primary (eg, treatment) or secondary (eg, research) purposes. Some of the identified solutions need supplemental software for data retrieval.

Figure 2.

Technological assessment overview of regulated and DIY software.

Regarding medical equipment, the DIY software is designed to interface with the Libre 2 and Libre 3 sensors using the LibreLink Up app⁴⁵ or the Dexcom G6 mmol/L DXCM1 app.⁴⁴ The Omnipod DASH may connect with Loop and AndroidAPS systems, while newer Medtronic devices like MiniMed 780G are unavailable for open-source software. Open-source software enables data sharing with other software like Apple Health, Samsung Galaxy, and Nightscout, facilitating real-time data collection. Table 4 lists the limitations of the seven identified DIY software solutions.

Table 4.

Software Solutions That Enable Real-Time Access to Data Sharing and Their Limitations.

Solution identified (software category)	Limitation for a third-party application	Devices
OpenAPS (DIY software)	Additional software involved (Nightscout, Samsung Health, etc)Taking control over the insulin delivery in the pump	Dexcom G6, Freestyle Libre 2 and Libre 3
Android APS (DIY software)	1-1 user cardinalityAdditional software involved (Nightscout, Samsung Health, etc)Taking control over the insulin delivery in the pump	Omnipod DASH, Dexcom G6, Freestyle Libre 2 and Libre 3
Loop (DIY software)		Omnipod DASH, Dexcom G6, Freestyle Libre 2 and Libre 3
Dexcom Official (manufacturers’ device software)	None	Dexcom G6
Dexcom Authorized (manufacturers’ device software)	20 users with 30-minute delay (not real-time)
Dexcom DIY solution (DIY software)	1-1 user cardinality requiring plain username and password credentials for access
Libre (DIY software)	Limit to 15 users with one LibreLink Up accountNon-functional if 2FA (two-factor authentication) is enabled	Libre 2 and Libre 3

ToS Analysis

The solutions identified in Table 4 and visualized in Figure 2 are either based on or require the use of copyrighted software. This is the case for Freestyle Libre 2 and Freestyle Libre 3, requiring the official LibreLink Up app. In the ToS, among the statements of “Prohibited Uses,” users agree not to: “interfere with or disrupt the LibreView Data Management System (including accessing the LibreView Data Management System through any automated means, such as scripts or web crawlers),” and “reverse engineer, decompile, disassemble, decode, create derivative works of, gain access to the source code, or modify the LibreView Data Management System except and then solely to the extent permitted under applicable law.”⁴⁶ The term “applicable law” is a generic term that encompasses all laws relevant to this agreement.

Similarly, Dexcom applies a similar restriction: “Reverse engineer or derive the source code for any DexCom Product, DexCom Service, or Software App not provided to you in source code form, except to the extent such restriction is expressly prohibited by applicable law.”⁴⁷ The same principles apply to the Omnipod DASH.⁴⁸

Among the different “applicable laws,” the implementation of the Directive 2009/24/EC is one of these, and it provides exceptions for achieving interoperability. Even with such exceptions, direct use of these DIY software would not be feasible for large-scale use, even without technical limitations. Moreover, even if it were legally possible to employ these solutions, the existing technical constraints, as outlined in Table 4, would render them impractical for large-scale use and, in most cases, limited to 15 users or limited security measures.

Interoperability Model for Diabetes Data

The findings highlight a significant gap in real-time data access for diabetes management, as evident in the regulated (Table 3) and DIY solutions (Table 4). To address this issue, we propose an interoperability model tailored to enhance diabetes data accessibility.

Given the unavailability of real-time data from any hybrid closed-loop system, we investigated data generated by the hybrid closed-loop system, using the MiniMed 780G as an illustrative example. This system offers an option to produce a proprietary CSV file, which generates historical data in 32 columns and additional metadata.⁴⁹ We also developed a code that analyses the patient-generated data.⁵⁰ The data volume can be significant, typically comprising thousands of CGM glucose readings, hundreds of manual glucose measurements and carbohydrate estimations, and approximately a thousand insulin injections per month—distributed across closed-loop auto-correction and patient input.

A typical need is the post-processing of data using internal algorithms, including glucose measurements, insulin data, carbohydrate information and related metadata relevant to both primary and secondary use.

A Set of Standards to Ease Diabetes Data Transfer

In diabetes data management, there are established standards and practices designed to ensure interoperability. We have technically demonstrated this interoperability model in our work, detailed in Randine.⁵¹ This implementation specifically illustrates how we realized real-time data access from Libre medical devices. We achieved this by adapting the DIY repository⁴⁵ to illustrate its application in both primary and secondary use cases. This demonstration⁵¹ provides a practical example of how interoperability can be achieved in diabetes data management, a more efficient data flow between different systems and platforms.

The proposal aligns with international best practices, and it is based on recommendations for the European Electronic Health Record exchange format,⁵² other standardization projects focusing on diabetes data^53,54 and the RocheDiabetes Care Platform implementation.³⁸

The technological proposal is summarized in Figure 3. To promote interoperability and the reuse of diabetes health care data, the proposal advocates for adopting the widely accepted and user-friendly REST API architecture,⁵⁵ with requests and responses. Furthermore, it recommends implementing authorization (eg, OAuth 2.0) and authentication (eg, OpenID Connect) protocols to enhance security and control data access. In addition, the proposal underscores the importance of two-factor authentication (2FA), recognized as one of the most effective security measures,⁵⁶ to further fortify patient data protection.

Figure 3.

Proposal for a set of standards that will enable diabetes data sharing between end-users, equipment, vendors, researchers, and health care services.

For integration with EHR systems and health care settings, the proposal embraces the Fast Healthcare Interoperability Resources (FHIR) standard.⁵⁷ FHIR is designed to ensure efficient data exchange across diverse health care platforms.⁵⁸ Within the FHIR framework, specific resources are tailored to represent critical data elements effectively. The proposal includes the use of clinical terminology (eg, SNOMED CT, LOINC) codes to ensure precise clinical interoperability, aligning with the EU’s intention for cross-border data exchange.⁵⁹

Discussion

The interoperability challenges and barriers in diabetes health care are widely recognized.⁶⁰ Our study, set in the Norwegian context, identified seven diabetes medical devices and nine regulated software solutions, with the Dexcom G6 CGM device being a notable exception in offering publicly accessible APIs (Table 3). Meanwhile, the RocheDiabetes Care Platform has a publicly FHIR-based documented API that is not directly accessible to the public.³⁸ The limited availability of official real-time data access solutions prompted us to explore seven DIY software alternatives (Table 4). These alternatives revealed technical and practical limitations (Table 4), underscoring the impracticality of regulated and off-label medical device use for real-time data access in diabetes, particularly in hybrid closed-loop systems.

The crucial insight from our research is the availability of the required technology for effective data access, but the lack of cohesive governance, policy, and security measures in diabetes data processing complicates its use and reuse. To counter these challenges, we introduce an interoperability model for diabetes (Figure 3) aiming for a transformative shift in treatment and health care practices by leveraging existing standards.

Why is a Model for Interoperability Needed?

The data fragmentation evident in diabetes management highlights the urgent need for a regulated interoperability model. While some APIs, such as Dexcom, provide valuable solutions,³⁹ they represent a rare exception in a landscape where the norm is limited real-time data access for crucial activities like treatment and research. This situation contrasts with other sectors where APIs promote interoperability and innovation.⁶¹

Current software, primarily controlled by device manufacturers, often restricts data access. Typically, these software tools are designed not as comprehensive EHR systems but as analytical and reporting tools for HCPs, leading to a reliance on manual data entry into EHRs.⁶² This manual process increases the workload of HCPs, introduces potential errors and inconsistencies in patient records⁶³ and elevates the risk of medical errors.⁶⁴ Furthermore, given the time constraints faced by HCPs,⁶⁵ the need for a standardized and accessible interoperability framework in diabetes care becomes imperative, allowing HCPs to prioritize patient treatment and consultation over the burden of data access.

Enhancing Diabetes Data Access for Citizens

Patients and informal caregivers often encounter difficulties downloading diabetes data.^66,67 Although device manufacturers provide machine-readable CSV files to comply with the GDPR, our study found that none of the hybrid closed-loop systems in Norway enable real-time data collection through public APIs or DIY solutions. The complexity and incomplete documentation of these data⁴⁹ may potentially conflict with the GDPR’s Right to Data Portability,⁴ making it challenging for individuals without advanced technical skills to effectively reuse their data, as also observed in our testing.⁵⁰ This raises an important question: Does giving patients a CSV file—often challenging to understand—truly allow them to “own” their data? While the GDPR grants individuals rights over their health information, the absence of standardized and user-friendly formats limits practical accessibility and control.

The lack of a standardized data exchange format, resulting in proprietary formats, makes it challenging to promote openness and data reuse by the European Health Data Space.³ To address these challenges, we propose implementing a FHIR-based RESTful architecture with publicly accessible APIs (Figure 3) to facilitate easier data exchange among EHRs and research initiatives. In addition, simplifying data representation would enhance patients’ understanding of these data.

Navigating the Complex Landscape of DIY Diabetes Management Solutions

Do-It-Yourself users prioritize functionality over regulatory concerns,⁶⁸ with limited technical skills and the need for technology maintenance being their primary apprehension.⁶⁹ Our study findings validate this concern due to identified technical complexities (see Table 4, Figure 2). Unlike CE (Conformité Européene)-marked and Medical Device Regulation (MDR)-approved systems, which adhere to security regulations, DIY solutions may provide valid technical functionality. Still, they could raise concerns regarding data privacy, security, and the accountability of HCPs.²³

Legal frameworks like Directive 2009/24/EC, as implemented in Norway and Germany,^31,32 set conditions for software use, focusing on interoperability rather than new functionalities or research applications. The technical constraints of DIY solutions (Table 4) make them impractical for large-scale projects and health care institutions. Security concerns, such as the lack of 2FA and reliance on plain passwords, make this solution unsuitable for future use.^33,35

Despite these challenges, patients and caregivers may still opt for DIY solutions due to their valued functionality and good community support. However, HCPs cannot formally recommend these unregulated solutions,⁷⁰ and users might risk legal liability under the Medical Devices Act and Product Liability Act.³³ Manufacturers are aware of these solutions, which are often publicly accessible and may expose software vulnerabilities, as we have also tested and observed in our testing.⁵¹

Limitations

Our study addresses the key research questions (RQ1-RQ4) and offers important insights, and it is geographically limited to Norway. However, these findings may still offer relevance to the broader EEA/EU context and outside Europe, as EEA countries do not have a unified policy regarding the availability of diabetes devices, resulting in significant variability among nations. Finally, technology evolves, and the list of DIY software examined in this study will eventually become outdated, as well as the devices available to patients in Norway and other international users.

Conclusion

There is an ongoing discussion in the EU about mandatory interoperability requirements with EHR systems.⁷¹ Our study, set within the context of diabetes management in the EU, underscores the delicate balance between data privacy, manufacturer transparency, and individual empowerment. The challenge lies in reusing health data and accessing real-time information in a complex landscape. While real-time data access is currently unregulated with limited publicly documented APIs, developing and implementing necessary policies can potentially enhance diabetes treatment and research.

Do-It-Yourself alternatives may not align with ToS agreements, raising questions about market regulation, especially in contrast to governmental regulations. The EU has recently implemented the MDR,⁷² which covers devices used for medical purposes. Given that the diabetes devices discussed in this article fall under the MDR, one approach for promoting data access in health care is mandating publicly documented APIs and an interoperability model as proposed within the new medical device regulation.

Our call to action is for regulatory frameworks to facilitate secure and standardized health data access. The necessary technology is available; the challenge lies in interoperability and data accessibility, as outlined in our study.

Footnotes

Acknowledgements

The authors would like to express their gratitude to Gunnar Hartvigsen and Martin Steinert for their valuable insights during the study design phase. In addition, they extend their thanks to Katja Pauline Czerwinska for providing feedback on the document figures. They are also grateful to Sykehusinnkjøp HF for their assistance in reviewing the landscape of currently available diabetes devices in Norway, and Mikael Rinnetmäki for assisting the understanding of real-time data access in the evaluated systems.

Abbreviations

2FA, two-factor authentication; AID, automated insulin delivery; APIs, application programming interfaces; CGM, continuous glucose monitor; CSV, comma-separated values; DIY, Do-It-Yourself; EEA, European economic area; EHR, electronic health record; EU, European Union; FDA, Food and Drug Administration; FHIR, Fast Health Care Interoperability Resources; GDPR, General Data Protection Regulation; HCPs, health care providers; MDR, Medical Device Regulation; OpenAPS, open artificial pancreas system; REST, representational state transfer; SNOMED CT, Systematized Medical Nomenclature for Medicine—Clinical Terminology; ToS, terms of service.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The author MP has also received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement no. 871767 (ReHyb project).

ORCID iDs

Pietro Randine

Miriam Kopperstad Wolff

Matthias Pocs

Ian R. O. Connell

Joseph A. Cafazzo

Eirik Årsand

References

European Parliament, Council of the European Union. Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast). Published 2019. Accessed March 15, 2024. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32019L1024

Schlagwein

Conboy

Feller

Leimeister

Morgan

. “Openness“ With and Without Information Technology: A Framework and a Brief History. London, UK: Sage; 2017:297-305.

European Parliament, Directorate-General for Internal Policies of the Union; Marcus

Martens

Carugati

, et al. The European Health Data Space. Luxembourg: European Parliament; 2022.

Mazzella MR III, The European Parliament and the Council of the European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46. OJEU. 2016;59(1-88):294.

Mazzella

III MR

Dilday

. Oracle America, Inc. v. Google Inc.: copyrightability of application programming interfaces and a fair use of defense. Geo L Tech Rev. 2016;1:62.

Asay

. Software’s copyright anticommons. Emory LJ. 2016;66:265.

Rhahla

Allegue

Abdellatif

. Guidelines for GDPR compliance in big data systems. J Inf Secur Appl. 2021;61:102896.

Kouroubali

Katehakis

. The new European interoperability framework as a facilitator of digital transformation for citizen empowerment. J Biomed Inform. 2019;94:103166.

Cafazzo

. A digital-first model of diabetes care. Diabetes Technol Ther. 2019;21(S2):S2-52.

10.

El-Gayar

Timsina

Nawar

Eid

. Mobile applications for diabetes self-management: status and potential. J Diabetes Sci Technol. 2013;7(1):247-262.

11.

Tanenbaum

Hanes

Miller

Naranjo

Bensen

Hood

. Diabetes device use in adults with type 1 diabetes: barriers to uptake and potential intervention targets. Diabetes Care. 2017;40(2):181-187.

12.

Ramesh

Aburukba

Sagahyroon

. A remote healthcare monitoring framework for diabetes prediction using machine learning. Healthc Technol Lett. 2021;8(3):45-57.

13.

Domingo-Lopez

Lattanzi

Schreiber

LHJ

, et al. Medical devices, smart drug delivery, wearables and technology for the treatment of diabetes mellitus. Adv Drug Deliv Rev. 2022;185:114280.

14.

Bernell

Howard

. Use your words carefully: what is a chronic disease? Front Public Health. 2016;4:159.

15.

Martin

. Chronic disease and illness care: adding principles of family medicine to address ongoing health system redesign. Can Fam Physician. 2007;53(12):2086-2091.

16.

Von Korff

Gruman

Schaefer

Curry

Wagner

. Collaborative management of chronic illness. Ann Intern Med. 1997;127(12):1097-102.

17.

The OPEN Project Consortium. The OPEN project. Published 2023. Accessed December 15, 2023. https://www.open-diabetes.eu

18.

Omer

. Empowered citizen ‘health hackers‘ who are not waiting. BMC Med. 2016;14(1):118.

19.

Lewis

. History and perspective on DIY closed looping. J Diabetes Sci Technol. 2019;13(4):790-793.

20.

Lewis

Leibrand

, OpenAPS Community. Real-world use of open source artificial pancreas systems. J Diabetes Sci Technol. 2016;10(6):1411.

21.

Moon

Jung

Park

. Current advances of artificial pancreas systems: a comprehensive review of the clinical evidence. Diabetes Metab J. 2021;45(6):813-839.

22.

Diabetesforbundet. Dette er de nye pumpene og sensorene. Published 2019. Accessed December 15, 2019. https://www.diabetes.no/for-helsepersonell/diabetesfag/dette-er-de-nye-pumpene-og-sensorene/

23.

Heinemann

Lange

. “Do it yourself“(DIY)—automated insulin delivery (AID) systems: current status from a German point of view. J Diabetes Sci Technol. 2020;14(6):1028-1034.

24.

Årsand

Bradway

Gabarron

. What are diabetes patients versus health care personnel discussing on social media? J Diabetes Sci Technol. 2019;13(2):198-205.

25.

Gabarron

Arsand

Wynn

. Social media use in interventions for diabetes: rapid evidence-based review. J Med Internet Res. 2018;20(8):e10303.

26.

Dana Lewis, OpenAPS community. OpenAPS. Published 2023. Accessed December 15, 2023. https://openaps.org

27.

LoopKit Project. LoopDocs. Published 2023. Accessed December 15, 2023. https://loopkit.github.io/loopdocs/

28.

Nightscout Project. Nightscout (CGM in the cloud). Published 2017. Accessed December 15, 2023. http://www.nightscout.info

29.

Flavián

Guinalíu

. Consumer trust, perceived security and privacy policy: three basic elements of loyalty to a web site. Ind Manag Data Syst. 2006;106(5):601-620.

30.

European Parliament, Council of the European Union. Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs. Published 2009. Accessed September 15, 2023. http://data.europa.eu/eli/dir/2009/24/oj

31.

Ministry of Justice and Public Security (Justis- og beredskapsdepartementet). Lov om behandling av personopplysninger (personopplysningsloven). Published 2018. Accessed September 15, 2023. https://lovdata.no/dokument/NL/lov/2018-06-15-38

32.

Federal Ministry of Justice and Consumer Protection (Tysklands justisdepartement). Gesetz über Urheberrecht und verwandte Schutzrechte (Urheberrechtsgesetz) § 69e Dekompilierung. Published 2021. Accessed September 15, 2023. https://www.gesetze-im-internet.de/urhg/__69e.html

33.

European Commission. Cyber resilience act. Published 2023. Accessed January 15, 2024. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

34.

European Union. Regulation (EU) 2024/2847 of the European Parliament and of the Council of 13 March 2024 on Horizontal Cybersecurity Requirements for Products With Digital Elements and Amending Regulation (EU) 2019/1020 (Cyber Resilience Act). Brussels, Belgium: European Union; 2025:1-44.

35.

U.S. Food and Drug Administration. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions: Draft Guidance for Industry and Food and Drug Administration Staff. Silver Spring, MD: U.S. Food and Drug Administration; 2023.

36.

U.S. Food and Drug Administration. FDA warns against the use of unauthorized devices for diabetes management. Published 2019. Accessed December 15, 2023. https://www.fda.gov/news-events/press-announcements/fda-warns-against-use-unauthorized-devices-diabetes-management

37.

Sykehusinnkjop. Insulinpumper, CGM og forbruksmateriell. Published 2023. Accessed December 15, 2023. https://www.sykehusinnkjop.no/nasjonale-avtaler/insulinpumper-cgm-og-forbruksmateriell

38.

Simplifier.net. RDC EMR implementation guide. Published 2023. Accessed December 15, 2023. https://simplifier.net/guide/RDCEMRImplementationGuide/EMRImplementationGuide?version=current

39.

Dexcom. Dexcom API. Published 2023. Accessed December 15, 2023. https://developer.dexcom.com/docs/

40.

AndroidAps Project. Welcome to the AAPS documentation- AndroidAPS 3.1 documentation. Published 2023. Accessed September 15, 2023. https://androidaps.readthedocs.io/en/latest/index.html

41.

OpenAPS Community. Welcome to OpenAPS. Published 2023. Accessed December 15, 2023. https://openaps.readthedocs.io/en/latest/index.html

42.

Yoo

Kim

. Advances in continuous glucose monitoring and integrated devices for management of diabetes with insulin-based therapy: improvement in glycemic control. Diabetes Metab J. 2023;47(1):27-41.

43.

timoschlueter. Nightscout LibreLink Up Uploader/Sidecar. Published 2023. Accessed September 15, 2023. https://github.com/timoschlueter/nightscout-librelink-up

44.

Gagebenne. Pydexcom. Published 2023. Accessed September 15, 2023. https://github.com/gagebenne/pydexcom

45.

LibreLinkUp. Published 2023. Accessed March 5, 2025. https://librelinkup.com/

46.

Abbott Diabetes Care Inc. Libreview patient/individual user terms of use. Published 2023. Accessed December 15, 2023. https://files.libreview.io/files/documents/en-US/pat-TOU_2023-04-21.html

47.

Dexcom. Terms of use. Published 2023. Accessed December 15, 2023. https://www.dexcom.com/linked/documentservice/TermsOfUse

48.

Omnipod. Terms of use. Published 2023. Accessed December 15, 2023. https://www.omnipod.com/en-no/terms-of-use

49.

Medtronic Diabetes. User guide. Published 2023. Accessed December 15, 2023. https://www.medtronicdiabetes.com/sites/default/files/library/download-library/user-guides/carelink-v2_1/EN_us_CareLinkProUserGuide.pdf

50.

Randine

. Medtronic-csv-FHIR. Published 2023. Accessed March 1, 2024. https://github.com/pra008/Medtronic-csv-FHIR

51.

Randine

. Libre-link-up-FHIR. Published 2023. Accessed March 1, 2024. https://github.com/pra008/Libre-link-up-FHIR

52.

European Commission. Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record Exchange Format. Brussels, Belgium: European Union; 2019:18-27.

53.

Nguyen

DuBord

, et al. The launch of the iCoDE standard project. J Diabetes Sci Technol. 2022;16(4):887-895.

54.

Aaron

Tian

Yeung

Huang

Klonoff

Espinoza

. The launch of the iCoDE-2 standard project: integration of connected diabetes device data into the electronic health record. J Diabetes Sci Technol. 2024;18(1):82-88.

55.

Fielding

. Architectural Styles and the Design of Network-Based Software Architectures. Irvine, CA: University of California, Irvine; 2000.

56.

Directorate-General for Competition (DG COMP), European Commission. EU Login and Two-Factors Authentication (2FA) User Guide for External Users. Published 2021. Accessed March 15, 2024. https://competition-policy.ec.europa.eu/system/files/2021-09/econfidentiality_user_guide_external_users_version_1.0.pdf

57.

Health Level Seven International (HL7). FHIR. Published 2023. Accessed December 15, 2023. https://hl7.org/fhir/

58.

Benson

Grieve

. Principles of health interoperability. Principles of Health Interoperability. Berlin, Germany: Springer; 2021:79-102.

59.

SNOMED International. European Union drives use of standardized terminology in member states with funding for SNOMED CT. Published 2023. Accessed December 15, 2023. https://www.snomed.org/news/european-union-drives-use-of-standardized-terminology-in-member-states-with-funding-for-snomed-ct

60.

Galindo

Umpierrez

Rushakoff

, et al. Continuous glucose monitors and automated insulin dosing systems in the hospital consensus guideline. J Diabetes Sci Technol. 2020;14(6):1035-1064.

61.

Samuelson

Asay

. Saving software’s fair use future. Harv JL & Tech. 2017;31:535.

62.

Randine

Pocs

Cooper

, et al. Privacy concerns related to data sharing for European diabetes devices J Diabetes Sci Technol. 2023;0(0). doi:10.1177/19322968231210548.

63.

Odendaal

Anstey Watkins

Leon

, et al. Health workers’ perceptions and experiences of using mHealth technologies to deliver primary healthcare services: a qualitative evidence synthesis. Cochrane Database Syst Rev. 2020;3(3):CD011942.

64.

Ancker

Witteman

Hafeez

Provencher

Van de Graaf

Wei

. The invisible work of personal health information management among people with multiple chronic conditions: qualitative interview study among patients and providers. J Med Internet Res. 2015;17(6):e137.

65.

Irving

Neves

Dambha-Miller

, et al. International variations in primary care physician consultation time: a systematic review of 67 countries. BMJ Open. 2017;7(10):e017902.

66.

Wong

Neinstein

Spindler

Adi

. A minority of patients with type 1 diabetes routinely downloads and retrospectively reviews device data. Diabetes Technol Ther. 2015;17(8):555-562.

67.

Beck

. Downloading diabetes device data: empowering patients to download at home to achieve better outcomes. Diabetes Technol Ther. 2015;17(8):536-537.

68.

Huhndt

Chen

O‘Donnell

, et al. Barriers to uptake of open-source automated insulin delivery systems: analysis of socioeconomic factors and perceived challenges of caregivers of children and adolescents with type 1 diabetes from the OPEN survey. Front Clin Diabetes Healthc. 2022;3:876511.

69.

Braune

Krug

Knoll

, et al. Emotional and physical health impact in children and adolescents and their caregivers using open-source automated insulin delivery: qualitative analysis of lived experiences. J Med Internet Res. 2022;24(7):e37120.

70.

Oliver

Reddy

Marriott

Walker

Heinemann

. Open source automated insulin delivery: addressing the challenge. NPJ Digit Med. 2019;2:124.

71.

European Parliament, Committee on the Internal Market and Consumer Protection. Draft Opinion on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space. Published 2023. Accessed March 15, 2024. https://www.europarl.europa.eu/doceo/document/IMCO-PA-740773_EN.pdf

72.

The European Parliament and the Council of the European Union. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. OJEU. 2017;60(L117):1-175.

Unlocking Real-Time Data Access in Diabetes Management: Toward an Interoperability Model

Abstract

Background:

Methods:

Results:

Conclusion:

Keywords

Introduction

Diabetes Management and Data Sharing

Innovation From Do-It-Yourself Communities and Off-Label Use

Terms of Services, Copyright, and Cybersecurity

Methods

Objectives and Research Questions

Study Structure

Results

Medical Devices Available in Norway and Associated Regulated Software

DIY Software and Off-Label Use

Technological Assessment of Regulated and DIY Software

ToS Analysis

Interoperability Model for Diabetes Data

A Set of Standards to Ease Diabetes Data Transfer

Discussion

Why is a Model for Interoperability Needed?

Enhancing Diabetes Data Access for Citizens

Navigating the Complex Landscape of DIY Diabetes Management Solutions

Limitations

Conclusion

Footnotes

Acknowledgements

Abbreviations

Declaration of Conflicting Interests

Funding

ORCID iDs

References