Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Software, a Matter of Life and Death

Posted by kdawson on from the serious-as-it-gets dept.

ChiefMonkeyGrinder writes "Software on medical implants is not open to scrutiny by regulatory bodies. Glyn Moody writes: 'Software with the ability to harm as well as help us in the physical world needs to be open to scrutiny to minimise safety issues. Medical devices may be the most extreme manifestation of this, but with the move of embedded software into planes, cars and other large and not-so-large devices with potentially lethal side-effects, the need to inspect software there too becomes increasingly urgent.' A new report 'Killed by Code: Software Transparency in Implantable Medical Devices' from the Software Freedom Law Center points out that, as patients grow more reliant on computerized devices, the dependability of software is a life-or-death issue. 'The need to address software vulnerability is especially pressing for Implantable Medical Devices, which are commonly used by millions of patients to treat chronic heart conditions, epilepsy, diabetes, obesity, and even depression.' Will making the source code free to scrutiny address the issue of faulty devices?"

42 of 197 comments (clear)

  1. I've got to say... by fuzzyfuzzyfungus · · Score: 4, Funny

    That the Pacemaker Genuine Advantage warning I got last week was a bit of a shock...

    1. Re:I've got to say... by natehoy · · Score: 2, Funny

      ... or potential lack thereof when you need it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:I've got to say... by jaak · · Score: 2

      Haha, just think... somewhere out there is someone who is thinking it would be a great idea to run Windows Embedded in a pacemaker.

    3. Re:I've got to say... by Mongoose+Disciple · · Score: 5, Funny

      Blue Screen of Death, now with real death?

    4. Re:I've got to say... by fuzzyfuzzyfungus · · Score: 4, Funny

      Well, do you want your pacemaker to have intuitive manageability through Group Policies, or not?

    5. Re:I've got to say... by Mongoose+Disciple · · Score: 5, Funny

      Thanks!

      At least I didn't say it'd be the first killer app for the platform. Man, these jokes write themselves!

    6. Re:I've got to say... by Sponge+Bath · · Score: 4, Funny

      Roy: [answers phone] Hello, IT. Have you tried turning it off and on again?

    7. Re:I've got to say... by jgagnon · · Score: 2, Informative

      Make sure you leave it off for at least 15 seconds before turning it back on...

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    8. Re:I've got to say... by Monkeedude1212 · · Score: 3, Informative

      I wish we could up-vote comments ourselves, I'd give this a ++.

      We do. You just have to earn them, that's all. And once you earn them, you can waste them on as many +funny's as you want.

    9. Re:I've got to say... by angelwolf71885 · · Score: 2, Funny

      i can just see it now bonzi buddy taping his bongos to the heart beat

    10. Re:I've got to say... by camperdave · · Score: 4, Funny

      just think... somewhere out there is someone who is thinking it would be a great idea to run Windows Embedded in a pacemaker.

      Just think... Somewhere out there is someone who writes pacemaker software who is thinking "There are alternatives to Windows Embedded?"

      --
      When our name is on the back of your car, we're behind you all the way!
    11. Re:I've got to say... by davester666 · · Score: 2, Insightful

      If this were important, then why is it so difficult to get to examine the software used in devices that can get your vehicle taken away, your drivers license suspended and/or revoked, and yourself thrown in jail for varying lengths of time?

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Same article different day by guruevi · · Score: 4, Informative

    Dupe! This was covered a couple of days ago.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Same article different day by betterunixthanunix · · Score: 2, Informative

      And as people pointed out the first time around, medical devices are tested extensively before being deployed. I am an ardent free software supporter, but the safety/reliability issue is simply the wrong argument. I would say the more important argument when it comes to medical software is control -- do you really want to have a corporation that you have absolutely no control over to be in control of a device that sustains your very life? What happens if that company goes bankrupt, and the source code dies with the company? What if they decide they want to start charging people a yearly fee for using their pacemakers (a situation that does not seem too far fetched, given what I have seen proprietary software companies do in the past)?

      --
      Palm trees and 8
    2. Re:Same article different day by fuzzyfuzzyfungus · · Score: 4, Funny

      Not to worry. Authentication dongles will be available in a variety of sizes, to make insertion endurable for all our users.

    3. Re:Same article different day by Anonymous Coward · · Score: 2, Insightful

      That's not specific to software-controlled devices though. If you're dependent on taking a pill every week to keep you alive and/or healthy, you're in trouble if the supply chain gets disrupted in any way.

    4. Re:Same article different day by bws111 · · Score: 4, Informative

      http://hardware.slashdot.org/story/10/07/22/2346253/SFLC-Wants-To-Avoid-Death-by-Code?art_pos=46

    5. Re:Same article different day by kipd · · Score: 4, Informative

      Yes... No bugs, thoroughly tested: http://www.ccnr.org/fatal_dose.html

    6. Re:Same article different day by shentino · · Score: 2, Interesting

      Running out of pills is one thing.

      Having your pace-maker shut down due to non-compliance with an EULA is quite another.

      Sure, corporations can make a killing...but it will come with a murder conviction.

      I seriously doubt it would EVER be legal to remotely disable a pace-maker.

    7. Re:Same article different day by mcgrew · · Score: 2, Interesting

      do you really want to have a corporation that you have absolutely no control over to be in control of a device that sustains your very life?

      I'm glad my eye implant is mechanical and doesn't have any software.

      medical devices are tested extensively before being deployed

      I'm damned glad of that, too, but as it was only approved three years before I had the surgery, I do worry that the struts might break twenty or thirty years down the road. OTOH, I wouldn't have wanted to wait until I was 70 to have it; it's an acceptable risk to me.

      --
      Free Martian Whores!
    8. Re:Same article different day by westlake · · Score: 2, Insightful

      Do you really want to have a corporation that you have absolutely no control over to be in control of a device that sustains your very life?

      It can't be any other way.

      The development, testing, and licensing of the device could cost ten million dollars, a hundred million. There is no upper limit - and any company taking over the production and distribution of the device is going to see costs on the same scale.

      There simply aren't very many companies with the strength and experience to do that.

           

    9. Re:Same article different day by bberens · · Score: 2, Insightful

      Do you also doubt that a pacemaker manufacturer would refuse to provide a critical software update unless each pacemaker user pays them for it?

      Wait, do you mean before or after I talked to Action 9 news?

      --
      Check out my lame java blog at www.javachopshop.com
    10. Re:Same article different day by DerekLyons · · Score: 2, Insightful

      I would say the more important argument when it comes to medical software is control -- do you really want to have a corporation that you have absolutely no control over to be in control of a device that sustains your very life?

      And how is that worse having a group of random self appointed individuals, over whom I have absolutely no control, in control of a device that sustains my very life?
       

      What happens if that company goes bankrupt, and the source code dies with the company?

      From the number of FOSS projects I've seen die on the vine because the developers drift away to other interests or just drift away, I'm not certain that FOSS is any better. Making the assumption, of course, that for such a project as pacemaker code that a sufficient number of developers with the proper experience can be herded together at one time... This isn't a video codec or yet another word processor clone. This is a device upon which, as you said, people's lives depend. I'd be hesitant to trust 'some guy in a basement'.

  3. Makes sense by MBGMorden · · Score: 4, Insightful

    To me, this is just common sense. This code doesn't necessarily have to be FL/OSS in my mind - let them keep the copyright, but it most definitely should have code available for public review. Would you be willing to take a new wonderdrug where the drug company won't tell anyone what's actually in it, but assures you that it'll work? If they must disclose the formula to their drugs, then they ought to be required to disclose the code to their software. Let existing laws like copyright ensure that no one else uses it.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
    1. Re:Makes sense by betterunixthanunix · · Score: 2, Insightful

      Except that the mechanisms behind many of the drugs we use are not fully understood by the companies that make those drugs. They only disclose the chemical formula behind the drugs, not the logic of why that particular chemical works the way it does.

      --
      Palm trees and 8
    2. Re:Makes sense by MBGMorden · · Score: 2, Insightful

      Some level of documentation for such things will be available. How do you think A&P's all over the country work on them? Just pop the hood and figure it out as they go along?

      And yes, I think that anything on which the safety of a life depends should be open to scrutiny. Alarm clocks and keyboards? Not so much.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    3. Re:Makes sense by Hatta · · Score: 2, Informative

      This code doesn't necessarily have to be FL/OSS in my mind - let them keep the copyright

      Authors of open source software retain their copyright.

      --
      Give me Classic Slashdot or give me death!
    4. Re:Makes sense by Blakey+Rat · · Score: 2, Interesting

      The cheap Chinese copies made from the "open to scrutiny" plans are probably not going to be as safe as the Boeing originals.

      --
      Comment of the year
    5. Re:Makes sense by JWSmythe · · Score: 2, Insightful

          It's the same argument that an automobile manufacturer doesn't release the detailed specs of a vehicle, because the owners manual doesn't show a breakdown of the engine. They are available (for a price, of course) to the people that need the information.

          Here's the list of manuals for a Boeing 777.

          But for both aircraft and auto manufacturers, I don't believe they release detailed specs of say the software that makes their vehicles work. I doubt A&P mechanics are fixing software flaws in the autopilot, just as auto mechanics can't fix the software in the cruise control. It's the same as a doctor wouldn't be able to change the software controlling a pacemaker.

          I know plenty of automobile electronics have been reverse engineered, but that's due to the number available to work with, and the potential profit to be had from tuning the software. Most of us wouldn't know where to get our hands on a new or used pacemaker to begin reverse engineering it. I definitely wouldn't be able to get my hands on a new or used 777, nor have anywhere to store it. It's a bit bigger than most of our garages, and I can't imagine our significant others not minding that we have one in the garage.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Makes sense by JWSmythe · · Score: 2, Interesting

          I almost totally agree. Most parts are made to be replaced as a module. When's the last time you replaced the bearings in a hard drive, or soldered a pin on a memory stick? But, sometimes we do, and that's without the assistance of technical schematics.

          A few months ago, I was given a hard drive to fix. The machine had been hit by a power surge, and a chip on the control board (the one on the bottom of the hard drive) melted. I replaced the board, and the drive started working again. Normally I wouldn't have touched it, but there's a long back story on it, and I didn't want to send them off for a very expensive hard drive recovery. Even still, I could have opted to replace the chip, rather than replacing the whole board.

          In my car (4th gen TransAm), the headlight motor stopped working. Normal procedure is to replace the motor. The better fix is to replace the worn gear with a better one, which involves dismantling the defective component. GM doesn't provide documentation on doing that.

          I know with aircraft, if it's not done the "right" way, the FAA gets a bit upset. I'm not an aircraft mechanic, but I'd suspect if you cracked open a modular component and swapped a piece of the inside, they would be less than entertained.

      --
      Serious? Seriousness is well above my pay grade.
  4. Crowd sourcing your Quality Assurance department? by stagg · · Score: 2, Interesting

    I'm a big fan of FOSS, but I've got my QA methodology hat on right now. Opening up the source code isn't providing better Quality Assurance coverage, it's just getting more eyes on the code, and at best a bunch of User Acceptance Testing. (Though clearly not with pace makers, I doubt people are going to line up for that Beta test. Unless maybe Blizzard claims it's part of their next big MMO.) This could be as much an argument for higher standards of quality assurance as for open source software. In face, hell, I can see companies opening up the source to reduce their liability and cut the costs of their own QA.

  5. Re:Lots of tedious details by fuzzyfuzzyfungus · · Score: 3, Insightful

    I don't think that the notion is that all medical code is going to be written by happy-go-lucky FOSS volunteers, the notion is that people ought to be able to inspect the code that is going to becoming a part of their life-critical systems...

  6. Operator Error by Darkness404 · · Score: 2, Insightful

    Even the best software can go completely wrong with the wrong person operating it.

    --
    Taxation is legalized theft, no more, no less.
  7. Double-edged sword by gmueckl · · Score: 2, Interesting

    Making the code available for scrutiny is a double-edged sword. Sure, it might help to catch critical bugs in the software faster. But with some devices, it really raises a host of new issues. Some pacemakers out there are configurable wirelessly once they are in the patient's body. This is actually a very critical feature. But do you want to risk everyone being able to reverse-engineer the protocol used for adjusting the settings for such a device? A wrongly configured pacemaker can be deadly. Right now these things are fairly secure because they are rather rare and not interesting enough as targets for hacking.

    Besides, proving that some piece of code works as intended (or at least fails gracefully in all circumstances) in an essentially uncontrolled environment is quite a feat. Embedded equipment is hard to service, has to have a longer hardware lifespan than normal hardware, is often custom designed for a single application and thus may have subtle hardware defects not reproducible on similar test systems... oh, and who says that the compiler or even the CPU is bug free? This is all common knowledge around here, but I just want to give the full list. What this means is that just opening the source code might not cut it. The validation would have to be performed on the hardware it was designed to run. So, where's the call to open up the hardware design and documentation to public scrutiny as well?

    --
    http://www.moonlight3d.eu/
    1. Re:Double-edged sword by Hatta · · Score: 5, Insightful

      But do you want to risk everyone being able to reverse-engineer the protocol used for adjusting the settings for such a device?

      Yes. Security through obscurity is essentially no security at all. The only thing that should be secret is the private encryption key that is uniquely associated with the remote control, which should be under strict physical security at all times.

      What you say? There's no encryption implemented in these devices? That's a big problem whether the code is open or not.

      --
      Give me Classic Slashdot or give me death!
  8. The code is going to do you a whole lot of good .. by Ihlosi · · Score: 3, Interesting
    ... if you don't know the hardware it runs on and the external circuitry.

    Really. Finding security holes in software that runs on a plain vanilla PC is one thing, finding the cause of glitches in the nanosecond range on an embedded system is another thing entirely.

  9. After Therac-25, there is no excuse by ChipMonk · · Score: 2, Interesting

    The Therac-20 radiation therapy device worked reasonably well. Despite the software flaws, the hardware safeties in place prevented any deadly accidents. Problem is, because of the hardware safeties, nobody knew just how bad the software was. It had never been formally verified.

    Then some numbskull decided, "Hey, let's let the software handle the safety interlocking, and we can cut down on hardware manufacturing costs!" The result was the Therac-25, which maimed and killed people.

    After the machine was recalled, someone finally sat down and did a real analysis of the code, and found a whole raft of problems and bad assumptions. Nancy Leveson wrote the definitive report (PDF) on the failures in the R&D processes that made the Therac-25 so deadly.

    Yet, armed with this warning (among many others), both manufacturers and purchasers keep human lives as transactions on a double-entry ledger. It simply comes down to, how many deaths per thousand uses are "acceptable"? Manufacturers and medical facilities already have so many costs. Is it worth it to add on the cost of formal code analysis?

    But nobody will ask the Therac-25 victims and their families.

    I decided early on in my I.T. career, that I didn't want the stress of people's lives depending on my correct code. I hadn't had any training in formal verification. In hindsight, I see my worries would have come from incompetent management, more than from myself.

  10. Licensed Professional Software Engineers? by davidwr · · Score: 2, Insightful

    Some mechanical devices and most bridges and buildings require licensed engineers or architects to put their stamp of approval on the designs. They do not require publication of the engineering or architectural drawings though.

    I for one would welcome professional licensing for certain "it can kill you if it goes wrong" software, particularly in isolated devices whose software can't be tampered with undetectably.

    If a licensed Professional Software Engineer puts his seal on a pacemaker or airplane, and the software kills someone, he's just as responsible as the civil engineer would be if a faulty bridge design kills someone. In both cases, the licensed professional's responsibility would come back to "was the engineer acting in accordance with professional standards at the time" and "was the device built and maintained in accordance with the design."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Re:Formal methods, not open code by digitig · · Score: 2, Insightful

    Formal methods on their own are not enough -- at least, not with the current state of formal methods. Formal methods and testing tend to expose different bugs. But the principle is right: maybe an independent safety assessor evaluates the process and products, and the manufacturer submits their argument as to why the system is acceptably safe to a regulator.

    We need to be careful about what is "sufficiently safe" though. If somebody would die for sure without the implant then "the implant probably won't kill them" is a big improvement, whereas achieving "the implant almost certainly won't kill them" might price the implant out of reach of most people who need it so it goes back to the situation in which they die. As a rule of thumb, moving up one IEC61508 SIL increases costs by about an order of magnitude. Formal proofs mean that you're talking about SIL 4, so you're talking of the order of 10 000 times the cost of normal commercial standard software (treating that as SIL 0). Increase the development cost of a life-saving implant by a factor of 10 000 and unless you have massive economies of scale you're going to end up indirectly killing people by pricing it out of the market.

    --
    Quidnam Latine loqui modo coepi?
  12. Re:The code is going to do you a whole lot of good by Dribbitz · · Score: 2, Insightful

    ^THIS

    Implantable pacing devices, cardioverters, and pumps (life-sustaining devices) depend on complex custom hardware designs as their platform, and that hardware is *highly* interactive with the software. Many of these devices can only achieve their miraculous longevities on a primary cell by deferring functions to hardware. If you don't have access to the information re: the hardware, the code itself might as well be inscriptions in Atlantean glyphs. You'd have to bust trade-secret protection to get a public viewing of everything needed to review the code, because you'd have to see, *everything*.

  13. SNMP by wowbagger · · Score: 2, Funny

    "Well, do you want your pacemaker to have intuitive manageability through Group Policies, or not?"

    No, just a good SNMP MIB and traps.

    I was joking with an ex-sys-admin friend of mine who just underwent open heart valve replacement, and commenting on the idea that the wireless ECG gear needed SNMP to alert when it detected a loose lead. She laughed - not good when you were doing a good impression of an Aztec sacrifice just a couple of days previously.

    --
    www.eFax.com are spammers
  14. Re:Formal methods, not open code by russotto · · Score: 2, Funny

    Just require that all such software rigorously use formal methods to mathematically prove that it functions as intended. The manufacturer could then send their proofs to some regulatory/standards agency to verify.

    Look, if you don't like the idea of implanted medical devices controlled by software, just say so.