Lawyer Demands Pacemaker Vendor Supply Source Code

oztiks writes "Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code. Sandler's reasoning brings into question the device's reliably, stability, and oddly enough, security."

It's not forced on her

[whoda]

She could just let her heart regulate itself naturally.

Re:It's not forced on her

If the pacemaker vendor doesn't want to make the source code available its perfectly within its right to refuse to supply the pacemaker. Lawyer can go look for someone else to acquiesce to her ridiculous demand, assuming she doesn't die waiting for someone to give in, but any delay is entirely of her own creation.

Re:It's not forced on her

[repvik]

But does that imply that someone has the right to force the manufacturer to open up their source code?

Does she require the code to be "opened up"? AFAICT, she wants to check the code, nothing more.

If I was the manufacturer of the device, she'd sign an NDA and get the code. Worst case, she spreads the code and gets sued. Best case, she improves the reliability or security of the code.

I don't really see any problem here.

Re:It's not forced on her

Secondly, because this is approved by the FDA, the manufacturer is exempt from liability for this kind of problem.

Untrue. Just because a product is FDA approved does not absolve a manufacturer from liability. This is not only true for medical devices, but pharmaceuticals as well.

The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.

Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software based device has increased so much, that companies are having a difficult understanding exactly what the FDA excepts.

Japan does not review software for devices, only hardware. However in order to get your product into the country it must be FDA approved.

Re:It's not forced on her

[superwiz]

Usually, I wouldn't see how this is different from Coke not telling you what's in their secret recipe is. Ie, trade secrets are trade secrets. But if you listen to the interview, she makes, what I see, a compelling point: these devices have WiFi connections.

So they can be potentially controlled by a 3rd party after the fact of installing them in the recipients. Certainly, there are some people who don't understand the full implications of a medical device having a WiFi connection. So no one can claim that a layman would have an informed consent unless independent experts have reviewed the code.

Re:It's not forced on her

[Hognoxious]

But if you listen to the interview, she makes, what I see, a compelling point: these devices have WiFi connections.

Tinfoil vest.

Re:It's not forced on her

[pimpsoftcom]

Mod Parent Up. I am currently a software developer with an FDA regulated product, and we have to sign a form explaining what we did when we check in. Yes, a hand written form, showing and explaining what was changed, how it was changed, and its impact on the product. Not just your normal check-in comments; this is a multiple page form/essay that what we checked in is what we said we checked in. Every time. The FDA has STRICT rules about software quality and security due to what in the FDA regulated software industry is known as "negative impact events".. basically anything that hurts the patient or has the ability to risk the patients health, even if they just have a worry (as stress can create physiological pain, etc). In this case, the security exploit by itself would be so negative that it can get a product pulled and the company selling it fined into oblivion. If anything the company that build this software is trying to cover its ass, and will fight as much as it can to not release the source code.. or risk death by FDA audit. And yes they exist; all FDA projects get audited sometimes, but when it happens its a massive company wide effort not to piss off the auditors or show them things they donty ask for explicitly as they are usually only raping with no lube.. it can get MUCH worse.

Re:It's not forced on her

[AK+Marc]

If she dies because of the actions or inactions of the company, the company could be successfully sued, as they knowingly took an action that resulted in the death of a person. The car analogy is:
You are driving down the road, you see someone preparing to jump from the bridge above you. You choose to not stop and the examination reveals they were killed by the impact with your car, if you had stopped, they likely would have died from the impact with the road. You would be held liable, as your failure to stop caused the death, even if the death was imminent anyway.

Re:It's not forced on her

[Suddenly_Dead]

Coke has its "secret" recipe on every can, by law (not all of it, but what's in it, the part you asked for).

No they don't. A lot of it is hidden under "natural flavours". We know they use a flavouring agent from the Coca leaf, for instance, but that doesn't appear in the ingredients list. Exactly what colouring agent they're using also doesn't appear.

Re:It's not forced on her

[shilly]

Jesus Christ on a bike, I know this is a US site but you are all being just a teensy bit US-centric here. I'm pretty sure that, what with the article appearing on a .com.au site, she's Australian. And therefore different rules may apply

Re:It's not forced on her

[HornWumpus]

So in your world, if some idiot holds a gun to your own head and demands all my money his heirs can sue me when I tell him: 'wait a second while I get the money' then come back with a gun of my own (after all he are armed) and a video camera and tell him 'fuck off! you're going to be on Rotten.com!'

Even if the video includes me telling the idiot to 'fuck off' I'm legally free and clear.

Your analogy is just simply wrong. If someone jumps onto the freeway in front of you, you are not liable. Their heirs will pay to fix your car. No reasonable person would expect him/her to jump. Should I lock up my brakes every time someone is walking on the sidewalk of an overpass?

Re:It's not forced on her

[evil_aaronm]

I also work for an FDA regulated company - blood chemistry immuno diagnostics device - and we are certainly audited, periodically, but not to the extent that you portray. We have code check-in forms and the auditors look at traceability: can they show that the files checked in were traced back to a particular defect record or change request item, etc. And our check-in forms are simple "Who wrote this change? Who reviewed it? Who's the manager signing off on it." That's about it. No justifications, no explanation of changes - except changes due to issues found during a review - no summaries of potential impact, or anything really substantive.

first, we kill all of the lawyers

This sort of demand is why lawyers are disliked. The life science industry has to follow the FDA directive to perform a source code review. It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used.
In addition to the source code for the software running the device, which is most likely to be extremely robust given the long time that these devices have been in use (+25 years), she might as well ask for the manufacturing process details for the battery, the casing, the electronic components, and the design of the microprocessor.
This is pointless since any qualified experts on the code are likely to be working for the device manufacturer.

Re:first, we kill all of the lawyers

[NatasRevol]

Did you just seriously say that there are no more software bugs in their code?

You're the reason lawyers exist.

Re:first, we kill all of the lawyers

[Stormthirst]

No - lawyers are disliked because they charge absorbent fees for sitting in an office and talking, or standing in a court and talking. They make nothing, and have the moral values of a squashed tomato*

You're assuming that the device she's due to have fitted is exactly the same design and construction as the ones they used 25 years ago. This is obviously false. For example, the original pacemakers paced the heart all the time, and as a result had a very limited battery life. Pacemakers these days are far more intelligent, and sense when a regulating beat is needed.

Having said that, your point about the qualified experts still holds.

* I'm probably going to get sued now by some lawyer representing squashed tomatoes for defamation of character.

Re:first, we kill all of the lawyers

There are many assumptions here that should be questioned.

Source code reviews are highly imperfect ways to ensure stable and accurate software, and good ones are extremely hard on the developers involved. Techniques like test driven development and paired programming offer a much better solution at lower cost.

New medical devices are released all the time and they have new code operating them, even if that general type of device has been in use for decades. New models with new or modified code have new bugs.

Perhaps owners of electronic devices that have caught fire or misbehaved in other physical ways have learned to start inquiring about manufacturing, mean time between failure and other manufacturing and quality issues.

I have worked in the medical software industry for thirty years as a developer, and was at one time an employee of Medtronic. I have a Medtronic pacemaker/defibrillator embedded in my chest which can be remotely accessed and controlled. I am professionally qualified to study and understand my device's software, development and testing methodology, and security issues - but Medtronic declined to share with me their source code when asked. The technical manuals for my devices which appear to provide all necessary information for hacking my pacemaker/defibrillator are available online.

I think that more can and should be done with oversight of medical device manufacturers and their software than the FDA currently requires, but this is true of all mission critical software like military and aerospace systems as well. The problem is neither uppity lawyers nor uncaring medical device manufacturers but instead the way we build software. Anyone with personal experience in the software industry who relies on a programmable medical device but who is not concerned over the accuracy and stability of the software running it is not thinking clearly.

Re:first, we kill all of the lawyers

I assume you meant to say "exorbitant" although you could say that lawyers excel in absorbing their clients' money.

CTL-ALT-DEL

[ColdWetDog]

Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits. Does Mr. Lawyer want Medtronics to go over the schematics with him? Explain the physics?

Sometimes you just have to settle down and let things go. Yes, regulatory agencies should review operations of medical devices closely. No, they don't need to peek inside.

I don't even think the FAA looks at the code for the flight control computers on airliners. They test the planes (or actually they watch the manufacturer test the planes) but they don't get every part off the aircraft and look at it under a microsope.

Re:CTL-ALT-DEL

[CAPSLOCK2000]

Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.

Experst are for hire.

I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can than tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.

I'm dissappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.

Re:CTL-ALT-DEL

[rtfa-troll]

No, they don't need to peek inside.

Think about how much cheaper for everybody it would have been to have one small government testing lab verifying medical implants that it is going to be having to replace all of the breast implants in France / UK etc. etc. Think how much compulsory insurance is going to cost.

This is typical of the corporate welfare attitude that small people have to pay for the mistakes of big companies but no big company has to pay for anything.

Re:CTL-ALT-DEL

[Vairon]

I agree comment posters *seem* to acting very hypocritical today but it could be possible that a different set of people are objecting for a different set of reasons.

Also just to correct something which keeps being misrepresented in comments this laywer is a female. She also has an engineering degree and is a programmer. She intended to review the software herself with the help of fellow programmers.

Also people might be interested to know that she worked as a pro bono counsel for the Software Freedom Law Center from 2005 until 2011 and now works as an executive director for the GNOME foundation. She still accepts pro bono cases from the SFLC and is the SFLC treasurer.

http://www.softwarefreedom.org/about/team/
http://www.youtube.com/watch?v=5_pRH8lzaQo

Who owns data that an implanted device collects

[davidannis]

A related story on NPR today points out that as a patient you don't have access to the data collected in and about your own body. The story focuses on one man's attempt to see his own data. He's looking for someone with technical skills to help him get at the data. Seems to me that somebody on /. should be able to help. http://www.onthemedia.org/2012/jan/20/who-owns-data-inside-your-body/

Re:I trust my life to Boeing every time I fly

[rtfa-troll]

Yet I don't demand to audit their code.

Well, if you don't demand that somebody audits their code you are pretty stupid. Unaudited code and code which is proprietary and never shared with outside bodies (this doesn't have to mean the public; just at least someone external) just doesn't have a place in any critical parts of our infrastructure. It is as irresponsible as it would be if Boeing didn't have to hand over the mechanical specifications of their planes, which of course they do. However, If you had read the article you would have seen this quote:

Regulatory authorities don't see or review the software either.

She simply has to trust that the vendor is telling the truth and doing things right.

I think you will find that aircraft software, whilst it isn't open source and available to everyone, gets a bit more review than that.

Apart from that, the plane code isn't part of you and is, as a passenger, something you just visit for a short time. I think people have a right to understand fully, to the level of their own ability, things that are made part of their body.

FDA requirements (21 CFR 820)

[jbeaupre]

It's called software validation and it's a pain in the ass. It's such a pain for medical devices that everyone avoids it unless absolutely needed. Which is why medicine is 10 years behind when it comes to electronics.

For a "quick" overview, here's a start: http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm

thump

10 thump
20 thump
30 sleep 1s
40 go to 10

Answering questions from TFA

[Nidi62]

How do we know the software works as advertised? How do we know it's secure?

Well, let's see, what is the failure rate of pacemakers? A quick Google search brought this result (http://www.post-gazette.com/pg/06116/685028-114.stm):

In one study, Dr. Maisel and FDA researchers analyzed reports that pacemaker and ICD manufacturers were required to submit to the federal agency between 1990 and 2002. During that period, more than 17,000 malfunctions resulted in removal and replacement with a new device, researchers found. Battery, capacitor or electrical problems accounted for half the failures. Thirty deaths were attributable to pacemaker malfunction and 31 deaths to malfunctions in ICDs. The annual replacement rate for pacemaker malfunctions decreased during the study period, from 9 per 1,000 implants in 1993 to 1.4 in 2002. But the ICD replacement rate, after decreasing from 38.6 in 1993 to 7.9 in 1996, increased in the latter half of the study, peaking in 2001 at 36.4.

So, there is a failure rate of 1.4 per 1000 in 2002, and half of those were related to hardware issues. Only 30 people ended up dying. This article (http://circ.ahajournals.org/content/105/18/2136.full) claims 3,000,000 people worldwide with pacemakers in 2002, with 600,000 implanted yearly. That means in 2002 .001% of people with pacemakers died. Assuming hardware failure accounted for half of that, then the chances of being killed by a software defect in a pacemaker is extremely small. So, I'd say it's safe to assume that the hardware "works as advertised".

wow

[unity100]

It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used

hahahahaahaha ahaahah.

you spoke like someone who has zero experience in software development.

Re:I trust my life to Boeing every time I fly

[hedwards]

GP lives in their flight path. Around here it's difficult to impossible to find a place to live where a rather large plane doesn't fly overhead on a regular basis.

Not even the FDA has audited the code yet

[SgtChaireBourne]

If you read the article or ones on the same topic from last year, you'll find that the reason she is making the request is that not even the FDA has audited the code. It's just there.

Other embedded hardware has been found to be easily crackable and able to deliver fatal doses of medication. Someone has to audit the code, since the FDA is not doing it, Karen is making an issue of it. In these cases, there is no excuse for the code not being 100% open. People's lives hang in the balance.

Special lawyer rights

[loufoque]

It she weren't a lawyer, we wouldn't even be speaking about it.

It's funny how lawyers seem to have extra rights in our society. They can make demands, we cannot.

It's not surprising a lawyer has a defective heart

[trout007]

I thought they had their hearts removed when they passed the bar at the same place that performs MBA lobotomies.

Modern pacemakers have WiFi built in.

[Vellmont]

The summary is pretty bad, but one of the more salient points is that modern pacemaker/debrillators have Wi-Fi in them. Yes, WiFi. According the the recording, someone at defcon has already managed to hack into an insulin pump equipped with WiFi and been abe to manipulate the delivery rate (which could kill the patient). So the security concerns aren't completely unwarranted.

Demanding the source code is a bit silly. How many people are really going to be able to review the source code for a pacemaker/debriliator? Very very few. Even if they do, there's a hell of a lot more to a pacemaer/debrillator than the software, so why is it just the software that's her concern?

A more sane approach would be demanding the software follow basic security rules like not allowing the wi-fi connection to ever change anything in the medical device. (It's supposed to be a reporting mechanism so the doctor can follow the progress of the patient). I can't believe she has anylegal grounds to demand source code, so this is a fight for the minds of the public rather than a legal one. Demanding source code is a bit silly since most of the public doesn't even understand that there is such a thing as source code. The public is by now very aware of security problems and hackers, so ensuring that the wi-fi is read-only would be an easier battle to win.

Re:It's not surprising a lawyer has a defective he

[NevergoldMel]

The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

Re:It's not surprising a lawyer has a defective he

[newcastlejon]

The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

You forgot empathy.

Re:It's not surprising a lawyer has a defective he

[paiute]

The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

You forgot empathy.

If you had measurable empathy in the first place, they wouldn't have let you in.

I saw her talk

Last year at OSCON. Sadly the line was too long for me to shake her hand and say thanks for starting this.

There's a few points I'd like to add, many already covered.

1) She's qualified to do this. Not to review the software. But she has plenty of good colleagues for that.

She's a director of GNOME (I know, I know...), former GC of the SFLC, an attorney... and ... from listening to her talk, she either genuinely gets software -- or someone that did wrote her whole speech for her.

2) This is a real, not a hypothetical problem.

People commenting without RTFA need to understand--These devices are 802.11 enabled. Remote exploits /have/ been demonstrated.

This is not a wholly uncommon situation -- one of my coworkers has a daughter with a computerized glucose pump that has also had remote compromise demonstrated.

And even a trivial interest in breathatlizers reveals there has been...myriad incidences of these devices not just being a total failure of design, but having rollover and similar bugs in their implementations.

3) People may be correct that it would be hard to get people to understand the code. That is wholly irrelevant and a false front of an argument. I don't care what your medical experience is in your industry or company. What your experience with regulators or lawsuits are. There's companies that commit fraud, lie, cheat, steal. They exist. This is indisputable. There's places where MBA's and biologists that can barely write a hello world by themselves compose pointer arithmetic, hit compile, hit test, and go home at the end of the day. I've worked at places like that on applications that could kill if they failed. It is why I do not as of two years ago.

I presently work with a woman that could not compose a CSV in a basic ETL from another filetype without help. She has the language being used using on her resume. Her workflow involved copy/paste off of the internet, and then changing one line at a time, saving it as file.### and trying to run it. If it didn't crash, she'd examine the output and try to put in what she thought would fix it. If it did, she'd try to find the error. When I offered a hand, she was currently at over her 500th revision.

So let me be damend clear -- even an unqualified person can do a basic code review just by running a fucking linter on it and looking at the warnings. Because if it generates one or a million -- that says something about the quality right there.

Why? Because unless you're in a business whose core business *IS* software, my personal experience is that 80% plus of the developers have never heard of one, and 95% don't know how to use it if they have. And that is why my code has less bugs than my colleagues.

Now -- even if my experiences are anecdotal, and "invalid" -- I've just proven the existence of the problem.

This is her life we're talking about. Her life entrusted to a piece of cybernetics that has had a demonstrated remote exploit.

Please /., have a little bit of humanity for once. This isn't about corporate profits, NDAs, lawsuits. This is about someone asking to read something to make an informed choice about their continued existence.

Re:I trust my life to Boeing every time I fly

[electroniceric]

In the 90s, the FDA realized that even if it could see the could, there was no way it could realistically audit code for all the devices it is required to review annually. So they switch from attempting to verify devices directly to insisting that devices be design and developed under a very high quality engineering paradigm.

So instead of looking at code trying to find problems, what they do is demand artifacts of a very disciplined design development and test process, reasoning that if people are in fact actually writing out test cases, doing internal code reviews with documented changes arising from them, maintaining requirements traceability matrices linking each line of code to a user requirement and then a lower level system requirement, then that process will result in better code than the FDA could accomplish by their own audit or that of a 3rd party. So the woman should be asking to see the details of the company's FDA submission, presumably under NDA from the company.

Now, whether the FDA is employing Design Control in a strict enough way is definitely a fair question - in particular the 510k (predicate device) submission process has left a lot of loopholes (due to its risk class, a pacemaker does not go through 510k, it goes through the more demanding PMA process). But to suggest that she or someone she hires will just be able to wade through the code to decide if she thinks it's high quality seems to me more like grandstanding than anything else.