Lawyer Demands Pacemaker Vendor Supply Source Code

oztiks writes "Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code. Sandler's reasoning brings into question the device's reliably, stability, and oddly enough, security."

I trust my life to Boeing every time I fly

[gatkinso]

...and incidentally every time one of their products flies over my house to land at the DC area airport I live close to.

Yet I don't demand to audit their code.

Re:I trust my life to Boeing every time I fly

[rtfa-troll]

Yet I don't demand to audit their code.

Well, if you don't demand that somebody audits their code you are pretty stupid. Unaudited code and code which is proprietary and never shared with outside bodies (this doesn't have to mean the public; just at least someone external) just doesn't have a place in any critical parts of our infrastructure. It is as irresponsible as it would be if Boeing didn't have to hand over the mechanical specifications of their planes, which of course they do. However, If you had read the article you would have seen this quote:

Regulatory authorities don't see or review the software either.

She simply has to trust that the vendor is telling the truth and doing things right.

I think you will find that aircraft software, whilst it isn't open source and available to everyone, gets a bit more review than that.

Apart from that, the plane code isn't part of you and is, as a passenger, something you just visit for a short time. I think people have a right to understand fully, to the level of their own ability, things that are made part of their body.

Re:I trust my life to Boeing every time I fly

[hedwards]

GP lives in their flight path. Around here it's difficult to impossible to find a place to live where a rather large plane doesn't fly overhead on a regular basis.

first, we kill all of the lawyers

This sort of demand is why lawyers are disliked. The life science industry has to follow the FDA directive to perform a source code review. It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used.
In addition to the source code for the software running the device, which is most likely to be extremely robust given the long time that these devices have been in use (+25 years), she might as well ask for the manufacturing process details for the battery, the casing, the electronic components, and the design of the microprocessor.
This is pointless since any qualified experts on the code are likely to be working for the device manufacturer.

Re:first, we kill all of the lawyers

There are many assumptions here that should be questioned.

Source code reviews are highly imperfect ways to ensure stable and accurate software, and good ones are extremely hard on the developers involved. Techniques like test driven development and paired programming offer a much better solution at lower cost.

New medical devices are released all the time and they have new code operating them, even if that general type of device has been in use for decades. New models with new or modified code have new bugs.

Perhaps owners of electronic devices that have caught fire or misbehaved in other physical ways have learned to start inquiring about manufacturing, mean time between failure and other manufacturing and quality issues.

I have worked in the medical software industry for thirty years as a developer, and was at one time an employee of Medtronic. I have a Medtronic pacemaker/defibrillator embedded in my chest which can be remotely accessed and controlled. I am professionally qualified to study and understand my device's software, development and testing methodology, and security issues - but Medtronic declined to share with me their source code when asked. The technical manuals for my devices which appear to provide all necessary information for hacking my pacemaker/defibrillator are available online.

I think that more can and should be done with oversight of medical device manufacturers and their software than the FDA currently requires, but this is true of all mission critical software like military and aerospace systems as well. The problem is neither uppity lawyers nor uncaring medical device manufacturers but instead the way we build software. Anyone with personal experience in the software industry who relies on a programmable medical device but who is not concerned over the accuracy and stability of the software running it is not thinking clearly.

CTL-ALT-DEL

[ColdWetDog]

Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits. Does Mr. Lawyer want Medtronics to go over the schematics with him? Explain the physics?

Sometimes you just have to settle down and let things go. Yes, regulatory agencies should review operations of medical devices closely. No, they don't need to peek inside.

I don't even think the FAA looks at the code for the flight control computers on airliners. They test the planes (or actually they watch the manufacturer test the planes) but they don't get every part off the aircraft and look at it under a microsope.

Re:CTL-ALT-DEL

[CAPSLOCK2000]

Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.

Experst are for hire.

I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can than tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.

I'm dissappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.

Re:CTL-ALT-DEL

[rtfa-troll]

No, they don't need to peek inside.

Think about how much cheaper for everybody it would have been to have one small government testing lab verifying medical implants that it is going to be having to replace all of the breast implants in France / UK etc. etc. Think how much compulsory insurance is going to cost.

This is typical of the corporate welfare attitude that small people have to pay for the mistakes of big companies but no big company has to pay for anything.

Re:CTL-ALT-DEL

Before I started reading the comments, I knew it would skew heavily against the lawyer because, well... he's a lawyer. No other reason.

You dweebs here on /. get your panties in a bunch about *any* product for which source code is kept private. Operating systems, video card drivers, voting machines, etc.

But oh, god forbid a lawyer advocates for his client, WHOSE LIFE DEPENDS ON THIS FRIGGIN' DEVICE, and you go all 4chan on him.

No, the lawyer is NOT going to review the code. He's going to get a pacemaker software nerd to do that for him. That's assuming not all the pacemaker software nerds are posting this bullshit about him on /.

Really, the measure of your character is whether you stick to your stated beliefs (code should be available for review), even when the people trying to exercise those beliefs don't belong to your clique.

Idiots.

Answering questions from TFA

[Nidi62]

How do we know the software works as advertised? How do we know it's secure?

Well, let's see, what is the failure rate of pacemakers? A quick Google search brought this result (http://www.post-gazette.com/pg/06116/685028-114.stm):

In one study, Dr. Maisel and FDA researchers analyzed reports that pacemaker and ICD manufacturers were required to submit to the federal agency between 1990 and 2002. During that period, more than 17,000 malfunctions resulted in removal and replacement with a new device, researchers found. Battery, capacitor or electrical problems accounted for half the failures. Thirty deaths were attributable to pacemaker malfunction and 31 deaths to malfunctions in ICDs. The annual replacement rate for pacemaker malfunctions decreased during the study period, from 9 per 1,000 implants in 1993 to 1.4 in 2002. But the ICD replacement rate, after decreasing from 38.6 in 1993 to 7.9 in 1996, increased in the latter half of the study, peaking in 2001 at 36.4.

So, there is a failure rate of 1.4 per 1000 in 2002, and half of those were related to hardware issues. Only 30 people ended up dying. This article (http://circ.ahajournals.org/content/105/18/2136.full) claims 3,000,000 people worldwide with pacemakers in 2002, with 600,000 implanted yearly. That means in 2002 .001% of people with pacemakers died. Assuming hardware failure accounted for half of that, then the chances of being killed by a software defect in a pacemaker is extremely small. So, I'd say it's safe to assume that the hardware "works as advertised".

Not even the FDA has audited the code yet

[SgtChaireBourne]

If you read the article or ones on the same topic from last year, you'll find that the reason she is making the request is that not even the FDA has audited the code. It's just there.

Other embedded hardware has been found to be easily crackable and able to deliver fatal doses of medication. Someone has to audit the code, since the FDA is not doing it, Karen is making an issue of it. In these cases, there is no excuse for the code not being 100% open. People's lives hang in the balance.

Special lawyer rights

[loufoque]

It she weren't a lawyer, we wouldn't even be speaking about it.

It's funny how lawyers seem to have extra rights in our society. They can make demands, we cannot.

Re:It's not surprising a lawyer has a defective he

[NevergoldMel]

The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

Re:It's not surprising a lawyer has a defective he

[newcastlejon]

The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

You forgot empathy.

Re:It's not forced on her

If the pacemaker vendor doesn't want to make the source code available its perfectly within its right to refuse to supply the pacemaker. Lawyer can go look for someone else to acquiesce to her ridiculous demand, assuming she doesn't die waiting for someone to give in, but any delay is entirely of her own creation.

Re:It's not forced on her

[repvik]

But does that imply that someone has the right to force the manufacturer to open up their source code?

Does she require the code to be "opened up"? AFAICT, she wants to check the code, nothing more.

If I was the manufacturer of the device, she'd sign an NDA and get the code. Worst case, she spreads the code and gets sued. Best case, she improves the reliability or security of the code.

I don't really see any problem here.

Re:It's not forced on her

Actually, it seems she is the one holding the metaphorical gun to her own head, DEMANDING to see the source code before allowing the pacemaker vendor to increase her life expectancy. If the vendor refuses to give in, she has to find a vendor who will dance to her tune, or go without. She has about as much influence on the vendor as a single music fan who refuses to buy from the iTunes store.

Re:It's not forced on her

[superwiz]

Usually, I wouldn't see how this is different from Coke not telling you what's in their secret recipe is. Ie, trade secrets are trade secrets. But if you listen to the interview, she makes, what I see, a compelling point: these devices have WiFi connections.

So they can be potentially controlled by a 3rd party after the fact of installing them in the recipients. Certainly, there are some people who don't understand the full implications of a medical device having a WiFi connection. So no one can claim that a layman would have an informed consent unless independent experts have reviewed the code.

Re:It's not forced on her

[HornWumpus]

So in your world, if some idiot holds a gun to your own head and demands all my money his heirs can sue me when I tell him: 'wait a second while I get the money' then come back with a gun of my own (after all he are armed) and a video camera and tell him 'fuck off! you're going to be on Rotten.com!'

Even if the video includes me telling the idiot to 'fuck off' I'm legally free and clear.

Your analogy is just simply wrong. If someone jumps onto the freeway in front of you, you are not liable. Their heirs will pay to fix your car. No reasonable person would expect him/her to jump. Should I lock up my brakes every time someone is walking on the sidewalk of an overpass?