Slashdot Mirror


Lawyer Demands Pacemaker Vendor Supply Source Code

oztiks writes "Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code. Sandler's reasoning brings into question the device's reliability, stability, and oddly enough, security."

17 of 334 comments

  1. It's not forced on her by whoda · · Score: 5, Funny

    She could just let her heart regulate itself naturally.

    1. Re:It's not forced on her by Anonymous Coward · · Score: 5, Insightful

      If the pacemaker vendor doesn't want to make the source code available it's perfectly within its right to refuse to supply the pacemaker. Lawyer can go look for someone else to acquiesce to her ridiculous demand, assuming she doesn't die waiting for someone to give in, but any delay is entirely of her own creation.

    2. Re:It's not forced on her by repvik · · Score: 5, Insightful

      But does that imply that someone has the right to force the manufacturer to open up their source code?

      Does she require the code to be "opened up"? AFAICT, she wants to check the code, nothing more.

      If I was the manufacturer of the device, she'd sign an NDA and get the code. Worst case, she spreads the code and gets sued. Best case, she improves the reliability or security of the code.

      I don't really see any problem here.

    3. Re:It's not forced on her by Anonymous Coward · · Score: 5, Informative

      Secondly, because this is approved by the FDA, the manufacturer is exempt from liability for this kind of problem.

      Untrue. Just because a product is FDA approved does not absolve a manufacturer from liability. This is not only true for medical devices, but pharmaceuticals as well.

      The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.

      Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software-based devices has increased so much that companies are having a difficult time understanding exactly what the FDA expects.

      Japan does not review software for devices, only hardware. However in order to get your product into the country it must be FDA approved.

    4. Re:It's not forced on her by pimpsoftcom · · Score: 5, Informative

      Mod Parent Up. I am currently a software developer with an FDA-regulated product, and we have to sign a form explaining what we did when we check in. Yes, a handwritten form, showing and explaining what was changed, how it was changed, and its impact on the product. Not just your normal check-in comments; this is a multiple-page form/essay that what we checked in is what we said we checked in. Every time. The FDA has STRICT rules about software quality and security due to what in the FDA-regulated software industry is known as "negative impact events".. basically anything that hurts the patient or has the ability to risk the patient's health, even if they just have a worry (as stress can create physiological pain, etc). In this case, the security exploit by itself would be so negative that it can get a product pulled and the company selling it fined into oblivion. If anything the company that built this software is trying to cover its ass, and will fight as much as it can to not release the source code.. or risk death by FDA audit. And yes they exist; all FDA projects get audited sometimes, but when it happens it's a massive company-wide effort not to piss off the auditors or show them things they don't ask for explicitly as they are usually only raping with no lube.. it can get MUCH worse.

      --
      - d
  2. Who owns data that an implanted device collects by davidannis · · Score: 5, Interesting

    A related story on NPR today points out that as a patient you don't have access to the data collected in and about your own body. The story focuses on one man's attempt to see his own data. He's looking for someone with technical skills to help him get at the data. Seems to me that somebody on /. should be able to help. http://www.onthemedia.org/2012/jan/20/who-owns-data-inside-your-body/

  3. Re:first, we kill all of the lawyers by NatasRevol · · Score: 5, Funny

    Did you just seriously say that there are no more software bugs in their code?

    You're the reason lawyers exist.

    --
    There are two types of people in the world: Those who crave closure
  4. Re:I trust my life to Boeing every time I fly by rtfa-troll · · Score: 5, Insightful

    Yet I don't demand to audit their code.

    Well, if you don't demand that somebody audits their code you are pretty stupid. Unaudited code and code which is proprietary and never shared with outside bodies (this doesn't have to mean the public; just at least someone external) just doesn't have a place in any critical parts of our infrastructure. It is as irresponsible as it would be if Boeing didn't have to hand over the mechanical specifications of their planes, which of course they do. However, if you had read the article you would have seen this quote:

    Regulatory authorities don't see or review the software either.

    She simply has to trust that the vendor is telling the truth and doing things right.

    I think you will find that aircraft software, whilst it isn't open source and available to everyone, gets a bit more review than that.

    Apart from that, the plane code isn't part of you and is, as a passenger, something you just visit for a short time. I think people have a right to understand fully, to the level of their own ability, things that are made part of their body.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  5. FDA requirements (21 CFR 820) by jbeaupre · · Score: 5, Informative

    It's called software validation and it's a pain in the ass. It's such a pain for medical devices that everyone avoids it unless absolutely needed. Which is why medicine is 10 years behind when it comes to electronics.

    For a "quick" overview, here's a start: http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm

    --
    The world is made by those who show up for the job.
  6. thump by Anonymous Coward · · Score: 5, Funny

    10 thump
    20 thump
    30 sleep 1s
    40 go to 10

  7. Re:CTL-ALT-DEL by CAPSLOCK2000 · · Score: 5, Insightful

    Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.

    Experts are for hire.

    I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can then tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.

    I'm disappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.

  8. Re:first, we kill all of the lawyers by Anonymous Coward · · Score: 5, Insightful

    There are many assumptions here that should be questioned.

    Source code reviews are highly imperfect ways to ensure stable and accurate software, and good ones are extremely hard on the developers involved. Techniques like test driven development and paired programming offer a much better solution at lower cost.

    New medical devices are released all the time and they have new code operating them, even if that general type of device has been in use for decades. New models with new or modified code have new bugs.

    Perhaps owners of electronic devices that have caught fire or misbehaved in other physical ways have learned to start inquiring about manufacturing, mean time between failure and other manufacturing and quality issues.

    I have worked in the medical software industry for thirty years as a developer, and was at one time an employee of Medtronic. I have a Medtronic pacemaker/defibrillator embedded in my chest which can be remotely accessed and controlled. I am professionally qualified to study and understand my device's software, development and testing methodology, and security issues - but Medtronic declined to share with me their source code when asked. The technical manuals for my devices which appear to provide all necessary information for hacking my pacemaker/defibrillator are available online.

    I think that more can and should be done with oversight of medical device manufacturers and their software than the FDA currently requires, but this is true of all mission critical software like military and aerospace systems as well. The problem is neither uppity lawyers nor uncaring medical device manufacturers but instead the way we build software. Anyone with personal experience in the software industry who relies on a programmable medical device but who is not concerned over the accuracy and stability of the software running it is not thinking clearly.

  9. Not even the FDA has audited the code yet by SgtChaireBourne · · Score: 5, Insightful

    If you read the article or ones on the same topic from last year, you'll find that the reason she is making the request is that not even the FDA has audited the code. It's just there.

    Other embedded hardware has been found to be easily crackable and able to deliver fatal doses of medication. Someone has to audit the code, since the FDA is not doing it, Karen is making an issue of it. In these cases, there is no excuse for the code not being 100% open. People's lives hang in the balance.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  10. It's not surprising a lawyer has a defective heart by trout007 · · Score: 5, Funny

    I thought they had their hearts removed when they passed the bar at the same place that performs MBA lobotomies.

    --
    I love Jesus, except for his foreign policy.
  11. Modern pacemakers have WiFi built in. by Vellmont · · Score: 5, Informative

    The summary is pretty bad, but one of the more salient points is that modern pacemaker/defibrillators have Wi-Fi in them. Yes, WiFi. According to the recording, someone at defcon has already managed to hack into an insulin pump equipped with WiFi and been able to manipulate the delivery rate (which could kill the patient). So the security concerns aren't completely unwarranted.

    Demanding the source code is a bit silly. How many people are really going to be able to review the source code for a pacemaker/defibrillator? Very very few. Even if they do, there's a hell of a lot more to a pacemaker/defibrillator than the software, so why is it just the software that's her concern?

    A more sane approach would be demanding the software follow basic security rules like not allowing the wi-fi connection to ever change anything in the medical device. (It's supposed to be a reporting mechanism so the doctor can follow the progress of the patient). I can't believe she has any legal grounds to demand source code, so this is a fight for the minds of the public rather than a legal one. Demanding source code is a bit silly since most of the public doesn't even understand that there is such a thing as source code. The public is by now very aware of security problems and hackers, so ensuring that the wi-fi is read-only would be an easier battle to win.

    --
    AccountKiller
  12. Re:It's not surprising a lawyer has a defective he by paiute · · Score: 5, Funny

    The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

    You forgot empathy.

    If you had measurable empathy in the first place, they wouldn't have let you in.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  13. I saw her talk by Anonymous Coward · · Score: 5, Informative

    Last year at OSCON. Sadly the line was too long for me to shake her hand and say thanks for starting this.

    There's a few points I'd like to add, many already covered.

    1) She's qualified to do this. Not to review the software. But she has plenty of good colleagues for that.

    She's a director of GNOME (I know, I know...), former GC of the SFLC, an attorney... and ... from listening to her talk, she either genuinely gets software -- or someone that did wrote her whole speech for her.

    2) This is a real, not a hypothetical problem.

    People commenting without RTFA need to understand--These devices are 802.11 enabled. Remote exploits /have/ been demonstrated.

    This is not a wholly uncommon situation -- one of my coworkers has a daughter with a computerized glucose pump that has also had remote compromise demonstrated.

    And even a trivial interest in breathalyzers reveals there has been...myriad incidences of these devices not just being a total failure of design, but having rollover and similar bugs in their implementations.

    3) People may be correct that it would be hard to get people to understand the code. That is wholly irrelevant and a false front of an argument. I don't care what your medical experience is in your industry or company. What your experience with regulators or lawsuits are. There's companies that commit fraud, lie, cheat, steal. They exist. This is indisputable. There's places where MBAs and biologists that can barely write a hello world by themselves compose pointer arithmetic, hit compile, hit test, and go home at the end of the day. I've worked at places like that on applications that could kill if they failed. It is why I do not as of two years ago.

    I presently work with a woman that could not compose a CSV in a basic ETL from another filetype without help. She has the language being used on her resume. Her workflow involved copy/paste off of the internet, and then changing one line at a time, saving it as file.### and trying to run it. If it didn't crash, she'd examine the output and try to put in what she thought would fix it. If it did, she'd try to find the error. When I offered a hand, she was currently at over her 500th revision.

    So let me be damned clear -- even an unqualified person can do a basic code review just by running a fucking linter on it and looking at the warnings. Because if it generates one or a million -- that says something about the quality right there.

    Why? Because unless you're in a business whose core business *IS* software, my personal experience is that 80% plus of the developers have never heard of one, and 95% don't know how to use it if they have. And that is why my code has less bugs than my colleagues.

    Now -- even if my experiences are anecdotal, and "invalid" -- I've just proven the existence of the problem.

    This is her life we're talking about. Her life entrusted to a piece of cybernetics that has had a demonstrated remote exploit.

    Please /., have a little bit of humanity for once. This isn't about corporate profits, NDAs, lawsuits. This is about someone asking to read something to make an informed choice about their continued existence.