Patient Just Wants To See Data From His Implanted Medical Device
An anonymous reader writes "Hugo Campos got an implanted cardiac defibrillator shortly after collapsing on a BART train platform. He wants access to the data wirelessly collected by the computer implanted in his body, but the manufacturer says No. It seems weird that a patient can't get access to data about his own heart. Hugo and several medical device engineers are responding to live Q/A on Sunday night on such topics via ACM MedCOMM webcast at ACM SIGCOMM."
Here's a link to the actual post.
Your hair look like poop, Bob! - Wanker.
It seems weird that a patient can't get access to data about his own heart.
No more weird than your stem cells and DNA being patented. In fact, according to intellectual property law, you don't own your body, or any of the parts implanted in it... it's all covered by a patchwork of patents on genetic materials and derived medical uses. You should be careful with yourself... it's a felony to damage government property... Or was that corporations? I confuse the two so much these days... (-_-)
#fuckbeta #iamslashdot #dicemustdie
Someone will have the data in a matter of minutes, and you might even live long enough to see it yourself.
While security through obscurity isn't a good approach I figure with something such as that you'd want to take every step you can to make sure as little information gets out about it as possible.
Next year on defcon - learn how to hotwire your neighbour! Literally! From your android device! (or iphone, but you have to be jailbroken and pay 99c for the app. But it comes with a jump-o-meter to measure how high he jumps.)
Not very useful if it's encrypted unless you have the private key or can crack it.
Any entity that collects medical data on you MUST provide a way to get you copies of that information. If he really wants the data that badly, I'd contact a lawyer and pursue it from the HIPAA angle. Chances are very good there's probably not a hell of a lot of information in it. If he's really worried about it, he should contact his cardiologist and have them order an interrogation of the pacer. Pretty simple stuff really and that way it's covered under insurance (probably unless there's no medical reason to do so). They probably aren't going to come out and interrogate it in the home, because they fiddle with the settings to make sure it's working right and for that reason it needs to be done only in a setting where he's on telemetry and has medical staff standing by.
(To be clear, I didn't RTFA yet so I dunno if it is or not.)
Not knowing his specific one I can't say for sure. But I can say MOST medical devices have very little in the way of security... it's really pitiful how far back the medical field is.
the dude is probably thinking of tampering with the device's firmware settings and increasing his own pulse so he can go on a rampage around town like in that movie "Crank"
a) Would he understand what the data meant?
Maybe not, but maybe he wanted to get (n+1)th opinion.
b) Maybe the software and what not is proprietary?
But he doesn't want the 'ware. He wants the data it produces.
Just some thoughts that come to mind
In this case those are gross overstatements.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
This might be the reason they don't want to provide that information. Security through obscurity you know.
Website Just Down For Me? Find out
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
so his heart will go pitter-patter like a 20 year old in love
Politics is Treachery, Religion is Brainwashing
I suspect their refusal to allow access might be along the lines of hiding from potential liability if the product reacts or behaves improperly at any time. Imagine a grieving widow who discovers a pattern in the data where the device takes 3 minutes too long to respond properly every 500 or 1000 times it stimulates the heart or the input says it should.
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor. Perhaps they are worried the control signals would be discovered and after a trip to an electronics store, the widow could be celebrating getting rid of her husband instead of grieving? I see no other reason for keeping it hidden other than to avoid liability or stop potential abuse.
Kramer at doctor's
Kramer : I like what you've done with that .
Attendant : May I help you ?
Kramer : Yes , yes . I am Dr. Vanostran from the clinic . I need Elaine Benes
chart . She's a patient of mine and she's not going to make it . It's uh very
bad very messy .
Attendant : I see and what clinic is that again ?
Kramer : That's correct .
Attendant : Excuse me .
Kramer : From The Hoffer-Mandale Clinic in Belgium .
Attendant : Really ?
Kramer : The Netherlands ?
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
He is not a psych patient so all his healthcare info legally belongs to him...
Concerning the (absence of) malfunctions, wasn't that the goddamn job of the FDA in the first place?
As for the remote tinkering, what does the output have to do with the input? Suppose some sort of requests are required to yank the data out. What possibly could be the problem in making the readout plain and setup secure?
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
And perhaps the other people with this kind of implant would prefer this guy not be given the private key.
Not to sound against it, but
a) Would he understand what the data meant?
b) Maybe the software and what not is proprietary?
Just some thoughts that come to mind
a) He certainly isn't going to have a better chance of understanding the data if he isn't allowed to see them... Would I be polishing my 'I told you so' reflexes if he decides to do a bit of amateur reprogramming? Sure. Does denying somebody access to even view data because they might not understand it make sense? About as much sense as keeping books away from children because they aren't yet literate...
b) Given that the manufacturer won't disclose it, it apparently is proprietary. That's sort of the entire issue. We have now (and, barring exciting economic apocalypse of some flavor) and will have in greater numbers and in more significant capacities, a population for which 'binary blobs' are inside their bodies, not their laptops. Some of them don't like this.
How often have you seen a device that transmits *something* wireless being properly secured when the company goes "No, we can't give you access to that...because...it is too complex for you to understand!" or "Why should we give you that data?"?
The less data/information they give to personal injury lawyers the safer they are. Even if there's nothing wrong with the device a jury could be convinced that something was wrong with pretty graphs that show...something.
But then, the refusal itself could be construed as indication that something is wrong with the device, because otherwise, why hide the data?
The Tao of math: The numbers you can count are not the real numbers.
...it is available to anyone with a receiver.
Available, yes, but if you decrypt it, you have broken the law.
The manufacturers take the fairly sensible approach of not giving the raw data directly to the patients. On his blog one of the reasons he says the manufacturers give is that patients with raw data would be worried by things they don't understand and constantly wanting to see their doctor for reassurance. He dismisses that objection out of hand.
Patients (and non-patients) DO this all the time. Med students are famous for diagnosing themselves with all sorts of problems. The tech who gives you an x-ray, CT or MRI scan won't give you the images either. You can request them from your doctor, and he will (or may have to) give them to you, but he'll probably want to sit down and go through them with you first.
Patients do try to interpret their own data, usually pessimistically. And besides the stress it causes them and the wasted time it causes their doctors, there was a Slashdot story just the other day about how believing there's something wrong can produce real, potentially dangerous physical effects.
If this guy really wants his data he can go to his doctor and ask for it. There are several very good reasons why he shouldn't have a raw feed from the device manufacturer.
These things tend not to be quite so frivolous when you look into them.
Straight Dope Boards suggests that there was a design issue that the gas can manufacturer knew about, that would result in an explosion. A slight redesign would have meant that the 4 year old would have survived.
20120420 08:00:22 CARDIAC SYSTEM INIT
20120420 08:00:24 VENTRICLE TEST OK
20120420 08:00:25 AORTA TEST OK
20120420 08:00:26 BATTERY TEST OK
20120420 08:00:27 0MG GR0W B1GG3R P3N1$ 1N 3 W33K$!
20120420 08:00:27 CHINA HANDBAG SHOES FASHION LOWEST PRICE
20120420 08:00:27 MEET SEXY SINGLES IN UR AREA
20120420 08:00:27 URGENT FROM WELLS FARGO BANK ACCOUNT RESET!
i had a blitz brand gas can, it was a leaky piece of shit and the spout fell apart on me when i was pouring. i don't know the details of the lawsuit but i am not surprised they got sued out of business using such low quality construction for something as hazardous as holding gasoline.
http://www.lowes.com/pd_90258-1362-80033_0__?productId=3126289 this is the nozzle mine had (smaller can not the 5 gallon). parts shattered and flew out from under the handle about 6 months after i got it, while trying to pour gas.
Snowden and Manning are heroes.
Come on even Bacardi 151 has a flame arrestor on the bottle. Get with the times other companies can make a better gas can so you better do so as well or you will lose your company. It is called the American Dream or Capitalism.
If it's encrypted, then this would give them access to both the cyphertext and cleartext of the data, which is the essentials of what you need to reverse engineer the cryptography.
Now ideally, the control and reporting cryptography would use different keys, but there is only so much code you can fit into a small embeddable medical device, and it's likely they are the same code, if not the same key pair.
In this case, it's reasonable to not give samples of both sets of data out to prevent reverse engineering of the control channel which could then be used on someone else's implanted medical device.
Yes. He was also found to be at fault.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
I don't see how that would help a paranoiac.
Give me Classic Slashdot or give me death!
The same justification could be given to forbid patients from seeing their blood tests, or even reading any medical literature. That is bullshit. Medics are not all knowing and patients are not retarded children. Patients have the right to decide for themselves what they want done with their own bodies and to fully exert this right the more information they have the better.
He is not a psych patient so all his healthcare info legally belongs to him...
How do you know? May be, he was just having a panic attack and they implanted an Altoids Tin Can into his chest to trigger the Placebo effect.
For the last time -- off my couch!
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor
You already have a right to all of your medical records. I don't understand how this data is not a "medical record."
.: Semper Absurda
a) Maybe he would?
b) Why doesn't the FDA require all medical device software to be disclosed? THAT would make a lot of sense actually. Competitors couldn't copy it because when they build a device, they too need to disclose the source. Reviews would be much better.
Don't tell that to your doctor...
Why can't
What if the company goes bust, or refuses to fix a problem? What if the company screwed up and it can be hacked (not impossible)?
In addition, that is their data - you can't get more personal than heart data, I think..
That is an important point on this subject. Implants are only going to become more common in the future. That implant and its software are a part of him now. What percent of a person can be outright owned by another person before we call them a slave? 1%, 10%, does it have to be 100%?
I don't predict it will be much longer before there will be no further drive to innovate
Not necessarily. AFAIK, all innovation has to do is to avoid the USA..
The problem isn't so much where there is *real* abuse, it's the ability for the bigger players to nuke a small innovator off the playing field by draining its pockets in court.
Wasn't it Mark Twain who said that courts are where justice is dispensed with?
There are several very good reasons why he shouldn't have a raw feed from the device manufacturer.
Yes, the same reason that some people shouldn't be allowed to vote, or should be owned instead of being responsible for their own well being....
I usually avoid hospitals and the medical profession in general unless it is needed, ie, broken bones or donating a kidney (Which I did recently.) A couple years ago while camping my son broke a bone. I put it in a splint then took him to the hospital to get it set and placed in a cast. This was on a Saturday in a very "out-in-the-boonies" location. Before the staff would even look at my son, I had to sign a patient's "Bill of Rights." indicating that I had read the items on their list... There were around a dozen items and I don't remember what they were except for the first one. "The Patient has a Right to all medical records assembled during the visit." Maybe this is enforced in other hospitals. I don't know.
Anyway, My son was X-Rayed and dealt with and released.
On the way out, I asked the secretary, who made me sign the "Patient's Bill of Rights," for a copy of my son's X-Rays and a print out of the Vitals they recorded. I was told "No, Those are not for you." I put on my "Contrary-Old-Bastard Hat" and stated that I have a "right" to those and read back the 1st item on the "Patient's Bill of Rights." I explained that the X-Ray and vitals were records of the visit and that the hospital, before my son was allowed any medical attention, made me sign a form to acknowledge that I have a right to those records. I was told that I had to go through the Records department and Billing in order to get the records. These offices would not be open until the following Tuesday (due to a Holiday.) Not wanting to get mad at the secretary for doing her job, I asked to talk to her boss or whoever was in charge of the hospital that day. She informed me with all of her arrogance that since it was the weekend, she was in charge. So I ranted to her for a while and then read the entire "Patient's Bill of Rights" to her. I strongly emphasized that nowhere in this document, which we both signed, did it mention that I should go through Billing and records. After ranting a bit more she let me know that my son's doctor can request the records and the records will be sent without charge. I explained more how I am his parent/Guardian and in charge of his primary care and that I want the records so that I can hand deliver the records when I can return and set an appointment for cast removal. Again I read the entire "Patient's Bill of Rights" to her and then explained that nowhere on it did it say that my doctor was to get the records. I asked her bluntly to obtain a copy of the records. She actually stomped her foot and said, "No."
"OK," I said, "since I have been forced to acknowledge that I have a right to my son's records, I am going to sit right here in the middle of this hallway until I get them." And I did; I sat down in the middle of the hallway. (My son was looking at me in a state of shock -- He was at that Jr. High age when anything a parent does is considered embarrassing.)
The secretary stared at me for about 30 seconds, then left. A minute after that she came out with a doctor and he asked what was up. I mentioned that I was waiting for a copy of my son's medical records. He nodded, went behind the counter and gave me the X-Rays and vitals papers. I said "Thank you" and left.
This anecdote is not so that I can say I am an old cantankerous fart, it is to illustrate that even though people have rights to information, the ones that hold the information feel compelled not to give it up. This is true with software, medical data, music... I don't know where this attitude comes from.
[off my soapbox]
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
They have to give them to you here in my country (Brazil), here your doctor can only see your tests through you. He asks for the exams, you go to the lab, they collect your samples, and when the results are ready you go there and get them (or get them through the internet) and bring them to the doctor, if you so wish. If you prefer you can just get the results and bring them to another doctor and never go back to the former one, who requested the tests, or you can bring them to both.
I don't know specifics about how the procedures are in US, but I do know that under HIPAA they must give you any results you request. They can't legally refuse to do so.
"should be owned instead of being responsible for their own well being"
If someone is going to be responsible for his well being, he should be given the best possible information, not the raw, context free dump some engineering company e-mails him.
If you ever find a doctor who's willing to treat a close relative (or himself) for something serious, find another doctor. Most won't do it, and none of the good ones will. EVERYBODY's judgement is clouded when they're considering things seriously affecting their own health.
Yes, the ultimate responsibility lies with the patient. This guy should have access to his data (which he does), by asking the correct person for it.
My mechanic always explains what's wrong with my car when a decision needs to be made, and what was done when I pick it up. Is he being paternalistic, or giving me good service?
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
You never know, he could get stuck in a feedback loop. He sees that his heart is beating a little fast because he's anxious about what his heart rate is. This causes more anxiety which causes his heart to beat faster. Seeing that it is out of control sends him into a panic and pushes the rate even higher, etc. Eventually he has a heart attack and sues the company.
the dude is probably thinking of tampering with the device's firmware settings and increasing his own pulse so he can go on a rampage around town like in that movie "Crank"
Computer says no.
"Oh, you own the implant, but the software is licensed. Make sure you keep up your license payments and come in for your monthly compliance review or we'll use the remote kill switch."
This is my sig. There are many like it but this one is mine.
Companies want to see data from their patients?
Why? Only make money? No.
Still, it is a serious moral contender to why Romney is so very much morally wrong.
For once, let the Moral Majority speak up - Don't Put A Price On My Child's Life.
How much is a Texan child worth compared to someone from Massachusetts?
If the information is common to everyone with the same implant it is, by definition, not personally identifiable or private health information. Disclosing the existence of patient Q to patient R, or vice versa, would be a violation. But merely telling either or both of them independently that they have their implant set to "Mode B" is not, just as telling patient Q that he has a heart rate of 79 is not a violation if patient R happens to also have a heart rate of 79.
Also, even if there is some private data that needs to be hidden, it's entirely possible to design a crypto system that's secure against known-plaintext attacks. Almost all modern crypto systems are; you'd have to do something dumb to not get that feature from any common crypto library.
HIPAA
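Added example, not part of any post in this thread and not any manufacturer's code: a sketch of the key separation the comments above argue about, where the read-only telemetry key and the control key are derived independently so that a telemetry reader cannot authenticate commands. The master secret, serial number, labels and command strings are constructed for illustration, and only authentication (HMAC) is shown, not encryption.

```python
import hashlib
import hmac
import struct


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tag_command(key: bytes, counter: int, command: bytes) -> bytes:
    """MAC over a monotonic counter plus the command body."""
    return hmac.new(key, struct.pack(">Q", counter) + command, hashlib.sha256).digest()


class Device:
    """Hypothetical implant model: two purpose-bound keys from one master secret."""

    def __init__(self, master: bytes, serial: bytes):
        # Distinct 'info' labels give cryptographically independent keys.
        self.k_tel = hkdf_sha256(master, serial, b"telemetry-read")
        self.k_ctl = hkdf_sha256(master, serial, b"control-write")
        self.last_counter = 0

    def telemetry_record(self, payload: bytes):
        """Return (payload, tag) authenticated under the telemetry key only."""
        return payload, hmac.new(self.k_tel, payload, hashlib.sha256).digest()

    def accept_command(self, counter: int, command: bytes, tag: bytes) -> bool:
        expected = tag_command(self.k_ctl, counter, command)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or altered command
        if counter <= self.last_counter:
            return False  # replay of an already accepted command
        self.last_counter = counter
        return True


def demo() -> dict:
    master = bytes(range(32))            # constructed sample secret
    serial = b"CONSTRUCTED-SN-0001"      # constructed sample serial
    dev = Device(master, serial)

    # What a patient-side reader would hold: the telemetry key and nothing else.
    reader_key = hkdf_sha256(master, serial, b"telemetry-read")
    records = [dev.telemetry_record(p) for p in (b"HR=79", b"MODE=B", b"BATTERY=OK")]
    telemetry_ok = all(
        hmac.compare_digest(hmac.new(reader_key, p, hashlib.sha256).digest(), t)
        for p, t in records
    )

    # Known telemetry plaintext/tag pairs plus the reader key do not yield
    # a valid control tag, because the control key is a separate derivation.
    forged = dev.accept_command(1, b"SET_MODE B", tag_command(reader_key, 1, b"SET_MODE B"))

    # The clinic programmer holds the control key.
    programmer_key = hkdf_sha256(master, serial, b"control-write")
    good_tag = tag_command(programmer_key, 1, b"SET_MODE B")
    genuine = dev.accept_command(1, b"SET_MODE B", good_tag)
    replayed = dev.accept_command(1, b"SET_MODE B", good_tag)

    return {
        "telemetry_verified": telemetry_ok,
        "forged_with_telemetry_key": forged,
        "genuine_command": genuine,
        "replayed_command": replayed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
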
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C., 20201
Phone: (866) 627-7748
Web: www.hhs.gov
The Center for Medicare & Medicaid Services
toll free HIPAA Hotline: 1-866-282-0659
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
You don't get to peek inside your machine to see for yourself it's a good one, just like the airline will not let you take a wrench to the jet engine or even kick the plane's tires.
I have one of these devices since last year after my (4th) heart attack. I am also a physician, so I would understand the data. But honestly I don't see the need. When I go get checked up, the Boston Scientific staff are more than happy to explain anything I ask - and I do ask some detailed questions. I am quite sure that the device and its software are proprietary and also trade secrets of the company.
But there's another reason: Honestly one shouldn't go around tinkering or "hacking" an implanted device. They come with limited battery life - most of which is covered by warranty (if my battery runs out before 10 years I get the device replaced and the procedure paid for by the company, anywhere in the world). Radio signals require energy, asking the device to read its cache requires energy, and the manufacturer would be put in a position where it might have to cover a warranty on a battery that didn't fail because of design, but because of tinkering. They can hardly say "no" and let the patient die. That, and of course what if the "hacker" manages to mistakenly change the machine's settings so it's firing inappropriately, draining the battery within days, or better yet firing and triggering a lethal arrhythmia. The company would be blamed (at least initially) for a "faulty" device. It's bad business, and I understand it.
I really don't feel like playing with my implant. I really don't feel like paying for someone else who wants to play with their implants, in the form of increased costs because the company has to set more aside for liability. I selected my device after both research into the company, the model, and this type of device as a whole. And my cardiologist's opinion. And a 2nd opinion. You can look at the statistics for the device, compiled in a scientific manner, and compare it to other devices, and that's it.
Seven puppies were harmed during the making of this post.
Really? Where do you live? My doctor always sits down with me and discusses it.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
The tech who gives you an x-ray, CT or MRI scan won't give you the images either. You can request them from your doctor, and he will (or may have to) give them to you, but he'll probably want to sit down and go through them with you first.
Hey, that's false! My wife got an MRI recently, and I asked the technician to give us a copy of the data. There was no objection or hesitation, the technician simply burned a CD and handed it to us on our way out. I learned that their images are stored in a proprietary format, but conveniently the CD came with the software necessary to view the images.
My wife and I had our annual physicals recently, and got our blood test results in the mail without even asking for them. (Of course, it kind of proves the other post's point since my wife freaked out about hers even though all her numbers were [barely] normal.)
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Uh, yeah. That is what he says. You get your results by asking your doctor, not the lab.
First, the FDA isn't some magic group that never gets anything wrong. They have approved devices, drugs and treatments that were later found to have significant life threatening problems. They are supposed to test and weed those problems out or even approve of the dangers as acceptable and manageable considering the goals of the device, drug or treatment. The FDA simply is not a magical group of people who never allow something potentially harmful outside of its labs. Its design was traditionally to validate claims and ascertain harmful effects so we didn't have electrified dildos out there still treating female hysteria and hair loss or leaching to treat pneumonia.
Second, knowing the output can isolate the input not used to initiate the output. It can also be used to determine or differentiate the control signals versus the information. Also, if you are used to cracking wifi encryption, assuming these things use some sort of encryption, knowing what most of the signal will say- even just portions of it- goes a long way at finding the key to cracking the encryption and the signal altogether.
As for access to the output, I don't have a problem with it. I actually think it should be a right of the patient. I know the doctor gets access to the readout and makes changes to the devices based on it. Perhaps they don't want the patient influencing those changes by discussing them with the doctor? There are a load of reasons ranging from the paranoid to the idiotic and from the quality of operation to hiding the workings from competitors.
My goodness. How civilized.
I don't know specifics about how the procedures are in US, but I do know that under HIPAA they must give you any results you request. They can't legally refuse to do so.
Actually, the way it typically works in the US is: The company can make the judgement that you don't have the funds (or the time ;-) for a successful court challenge, which will take a decade for all the appeals and more money than you'd believe. In the meantime, they can continue to refuse to give you their medical info, without any further legal repercussions than your lawsuit, which they will delay with every legal trick available. If you actually do have the funds (and live long enough), yes, you can get them to obey the law -- and give you their data from a decade earlier. Meanwhile, they've upgraded your implants, and the court didn't order them to give you the data from your current model(s), so they don't.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
you can't even see the raw data from the water temperature gauge, so of course we are all too dumb to see complex health data. The temp data is manipulated so the gauge needle stays in the middle nearly all the time. Exceptions are when the engine is very cold or when it overheats. Normal fluctuations are not shown because they cause unnecessary service calls. There was a recall on Jag sedans to put a resistor in series with the temp sender to damp out needle fluctuations. My MINI does the same thing (checked with data from the OBDII port).
Sorry, but gray text on gray background is making my eyes bleed.
Defibrillator app error message: "Your heart has unexpectedly quit. OK?"
Sorry, but gray text on gray background is making my eyes bleed.
The only reason this isn't happening is that the manufacturers want more money. The patients are basically asking for the data so that they can go wherever with it, do whatever with it, and that looks like dollar signs flying out the window to the manufacturers. What the patients might achieve with the data is irrelevant.
Obviously I don't know what he actually said here, there are polite ways to ask for things and impolite ways, but I've been on the receiving end of this "We won't give you your own information" bullshit before. In my case, the lady behind the counter claimed that there was some law preventing her from giving the information to me. I didn't have a piece of paper stating exactly the opposite, so I ultimately just had to leave without getting the test that I had come for.
It doesn't sound to me like he was being a dick. Maybe a lawsuit would have been more appropriate than sitting in the hallway, but this is a significant problem and I'm glad he stuck to his guns.
Odd, I was thinking about the same thing. Except that it's the receptionist who needs that speech, not the poster. The poster wanted nothing more than that the receptionist spend literally a couple of minutes getting what he had a clearly documented right to have. Three cheers for the poster! If more people would refuse to put up with bureaucratic bullshit, the world would be a much better place. I hope his son grows up to be just like him.
I must concede that it seems like so, not only in this case but regarding anything else. Apparently you only have to obey the law there if the other part can buy the enforcement.
Justice is not that badly warped here in this matter and in a few others, but it is just as warped (and maybe even more) when big corporations or politicians are involved.
They may try to discourage you, but if you are insistent, they will. They are legally required to.
If you produce data from my body, I think it's only fair that I get access to it. I want to know what data a company collects about me, especially if it's as personal as data from one of my vital organs.
If I don't understand the data, I can go to a doctor and have him translate it. If the software is proprietary, I'll go to you and have you extract the data, then you may give me the data. I trust that you didn't copyright numbers and letters?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, the problem with your airplane analogy is that this airplane doesn't collect very intimate details about me while I sit in it. I guess the main trouble isn't that he doesn't trust the device to keep him alive, what he might be worried about (and what I'd surely worry about) is just what data this thingie is going to collect.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Now tell me why the secretary is allowed to be a dick and break the written rules in that situation.
Do you really though? If you ask your hospital for a copy of your record, do they give it to you or do they redact it first?
I work for a hospital, and I can answer that: they redact the shit out of it. And they're so fired up about making sure they can redact the information that I would be fired if I ever opened my own medical record. The best part is that they claim in the pretty pamphlet they give new hires that medical records are copyrighted property of the hospital board.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
"Hugo Campos got an implanted cardiac defibrillator shortly after collapsing on a BART train platform. He wants access to the data wirelessly collected by the computer implanted in his body, but the manufacturer says No.
If he wants information about his heart, why isn't he talking to his cardiologist?
Someone who knows his medical history? Someone who can interpret the data correctly?
Does the manufacturer have the data he wants?
What Is Follow-Up Like with ICDs?
After your ICD is implanted, the doctor will want to see you four to six weeks after surgery to make sure the surgical site is fully healed and to answer any additional questions that may have occurred to you in the interim. Afterward, the doctor will usually want to see you in the office two to four times per year. During all these visits, your ICD will be wirelessly "interrogated" using the programmer. This interrogation gives the doctor vital information on how the ICD is functioning, the status of its battery, the status of the leads and whether and how often the ICD has needed to deliver therapy - both pacing therapy and shocking therapy.
Some modern ICDs have the capacity to wirelessly send this kind of information to the doctor from your home, through the Internet. This "remote interrogation" feature allows the doctor to evaluate your ICD whenever needed, without requiring you to come to the office. Even if your ICD has this remote feature, however, the doctor will want to see you in the office at least once a year.
The Implantable Defibrillator
Did you just call DICOM proprietary?
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
No, the FDA relies on the honesty of the submitter.
So if they get a thing saying thoroughly reviewed blah blah, they approve it.
They don't run studies either.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Call again later when someone more senior is available. Contact the patient's advocate at the hospital to lodge your complaint for the bureaucratic hoops you were forced to jump through. Move on with your life.
These are white people problems--get over it. The guy isn't Rosa Parks.
Did you just call DICOM proprietary?
Technically correct. It *is* a copyrighted standard, with the copyright being held by the National Electrical Manufacturers Association. When defining proprietary software as "computer software licensed under exclusive legal right of the copyright holder", this standard would fall into that category.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
As a former aircraft mechanic, I can tell you that kicking the airplane's tires would not tell you anything. You should probably get out a tire gauge instead.
Health Information Privacy and PORTABILITY Act,
Sort of growing tired of fines being thrown around for the Privacy portion of this $@# piece of paper, where is the Portability enforcement?
Disclosure: I am a doctor, and I work with patients with pacemakers on a frequent basis.
If he wants a raw printout of the data generated, he should make an appointment, stop by his cardiologist's office, and ask the cardiologist. I've been asked a few times by curious patients to see the readouts. I always show it to them, give them the clinical interpretation of the data, and let them keep it if they want. Most don't; it's several hundred small pages of gibberish to an untrained eye, linked together like the old dot matrix printer pages.
If he feels uncomfortable with having a machine in his body that he can't check out himself every second of every day, he can ask to have it turned off ("turned off" being simplistic) or for a surgeon to remove it. [Insert belief system here] didn't give him the pacemaker growing in him when he was born - he can choose to use it as designed or choose not to use it, which is a valid choice. There are real potential harms to widely propagating machines that could decrypt the data; the exact same machines allow us to reprogram the device, including settings that could harm or kill the patient. The encryption IS the security on implantable, reprogrammable medical devices; password, 2 step authorization or the like is not possible due to the existence of medical emergencies in which prompt access by medical personnel not normally involved in his care to the input and output of the device can mean the difference between life and death.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
Just some thoughts that come to mind
In this case those are gross overstatements.
Oops - question was how did this get moderated "interesting" rather "rude a-hole" ? The OP contributed a quite reasonable thought to kick off the discussion !
Neither does kicking automobile tires, but people seem to insist on doing it. I'm also sure a pressure gauge in the hands of joe 6-pack would do far more harm than good around airplane tires. What do you mean 230 PSI? No no there's too much pressure in those things!
Seven puppies were harmed during the making of this post.
I personally wouldn't see a problem with it. After all it's only data. I can't speak for the implant maker though. Maybe they'll burn a CD for you one day, like they do with almost everything else. Ultrasound? Here, take this CD home. Angioplasty? Here, have a CD... Heck it could even be a selling point.
Seven puppies were harmed during the making of this post.
this airplane doesn't collect very intimate details about me while I sit in it.
Playing the devil's advocate, there's not really anything intimate about your heart rate and the shape of your QRS complexes. It's not really "personally identifiable information", unlike say your name, DOB, passport number, destination, seat number, who you are travelling with, all your previous travel history and your credit card number kept by the airline, for example.
Seven puppies were harmed during the making of this post.
Since when is it ok for us to say "If you have nothing to hide you should not worry" to others?
"“Individually identifiable health information” is information, including demographic data, that relates to:
* the individual’s past, present or future physical or mental health or condition,
* the provision of health care to the individual, or
* the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual."
I agree that it's possible to design such a system; I do not agree that medical device vendors have designed their systems in that way. Generally, they were probably more concerned with making working medical devices rather than information security, since that's the problem right in front of them. See also:
http://www.massdevice.com/news/update-insulin-pump-hacker-outs-medtronic-company-responds
Note that this is the same company (Medtronic) that manufactures two of the pacemakers he was blogging about wanting data from.
That could explain his curious increase in strength...
If you hit a truck tire with a stone and you are a bit experienced, then you can get an impression about tire pressure from the sound of it. You can also compare the tires (on the same axle). If one out of four sounds differently, you know you need to do something about it.
"Trump!!", the new Godwin.
+1. There is a fine line between being polite and being a coward and the difference in people's opinions on this matter generally stems from how much they value contracts in general. If you are the kind of person who simply never reads what they sign and just accepts any perceived future unfairness (most people) then you're a lazy coward in my book who only has rights because of the "dicks" of this world. If you don't read what you sign but later resolve to fight perceived unfairness (by refusing to pay a termination fee for a phone contract for example) or you often/always read what you sign and frequently refuse to sign things until certain conditions are changed then you are a complete dick and the lazy, cowardly fucks of this world are indebted to you for making their lives easier.
TL;DR. When dealing with any organisation, company, or government, being a dick is a true virtue and being polite is selfish.
Data about your heart is very personal and matters to you a lot more than it does anyone else. The bad searches are the other way around.
More from Karen Sandler... IT Conversations has an interesting podcast featuring Karen Sandler talking about her efforts to get source code for her defibrillator.
Signatures are a waste of bandwi (buffering...)
And people think I'm cynical for refusing to trust doctors.
I don't suffer from insanity, I enjoy every minute of it! --Longbottle
In this case, it's more of a, "If you have nothing to hide, then why are you making me worry?" The medical device company might not need to worry about a lawsuit (if the data is hidden, only they can know if they need to worry), but the medical device bearer might prefer to catch something early rather than let his family obtain the data through the discovery process in an unlawful death suit....
Can you be Even More Awesome?!
Oops - question was how did this get moderated "interesting" rather "rude a-hole" ?
There is no -1 rude. Flamebait, perhaps, but there hasn't been any flames, unless we count your post.
But more to the point, a post can be both interesting and rude. The latter does not invalidate the former. What was said tends to be more important than how it was said, at least to us ??TP types.
So, yes, +1 Interesting. And a rude one too.
I am quite sure that the device and its software are proprietary and also trade secrets of the company.
That's a failure of the patent system then.
I see no reason for it to be a trade secret unless the medical company wants to (a) keep it secret because it violates patents, or (b) they want to keep it secret for longer than what patent protection offers. To hell with those who die because they can't afford to buy it, but would have been able to buy a clone after the patent expiry.
Anyhow, the data produced by a device are not covered by trade secrecy. That you don't want to see the data doesn't mean that someone who wants to shouldn't be able to, like all other medical records. Not wanting a patient to be needlessly scared is not a valid reason. The road to hell is paved with good intentions.
My mechanic always explains what's wrong with my car when a decision needs to be made, and what was done when I pick it up. Is he being paternalistic, or giving me good service?
Although it's a good idea to get this information from your mechanic, the raw data is not exclusively available only through mechanics. There is a standard interface to obtain the data - OBDII, which I think is kind of the opposite of the point you were trying to make....
Can you be Even More Awesome?!
when they shoved a computer chip in our chest.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
When we know (rather than merely suspect) that you do hide something, and that something pertains to us in a very direct and intimate way.
If someone is going to be responsible for his well being, he should be given the best possible information, not the raw, context free dump some engineering company e-mails him.
The problem is that you decide for that person on who is best to give him "the best possible information". I would like to be able to decide that for myself, thank you very much. In other words, I want the raw data, which I will then take to the professional of my choice for interpretation. Or not, as it may be. It's not up to you, my doctor, or device manufacturer to tell me that I don't need to know.
If you don't like it... Well, you always have the option of refusing to have it done or put in.
No, but you might have copyrighted (or be a trade secret) the frequency the data is collected, or the structures the data is stored in or examined.
It is not only that. But on every test you make there are a couple of things, by law, that must come: 1. The result; 2. The method; 3. The reference numbers; 4. The technician responsible for taking it, full name and medical register; 5. In case of X-rays, PET scans, and similar, besides the results, they must give you the medical report. If you have to go to a hospital, when you are discharged they MUST give you every single exam they took. Unless YOU ask them NOT to.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
On his blog one of the reasons he says the manufacturers give is that patients with raw data would be worried by things they don't understand and constantly wanting to see their doctor for reassurance.
The correct way of dealing with this is to publish reference material explaining how the data can be interpreted rather than just denying access.
This likely wouldn't fly here in the UK - the data contained in the device constitutes data relating to an individual and therefore is covered by the DPA.
http://blog.nexusuk.org
No, but you might have copyrighted (or be a trade secret) the frequency the data is collected, or the structures the data is stored in or examined.
Something as trivial as a frequency isn't copyrightable. Nor are simple structs (plenty of case law showing that .h files containing structs aren't copyrightable). Complex data structures may be copyrightable, but there's also no requirement to provide the data in this form, it could just be exported into a simple form.
http://blog.nexusuk.org
Exactly. You should only trust faith healers and chiropractors.
And homeopaths.
This space available.
The tech who gives you an x-ray, CT or MRI scan won't give you the images either.
Not really true anymore, but not for the reason you'd expect.
So many hospitals send you to private locations for imaging these days that you often ARE given your MRI and CT scan results simply because you're expected to cart them to your Dr. yourself. Saves them a buck.
Also, many hospitals no longer put casts on broken limbs, they simply diagnose & xray and send you with the xrays to an orthopedist.
I scanned the xrays of my broken ankle and put them on Flickr.
When I got a CT scan of my head, I used images of my brain as my Facebook profile photo.
When I got an MRI they handed me the data disc to take to the Dr. I made a copy, figured out the strange image format and will post those to flickr some day when I'm bored.
Meanwhile when I got to the Dr. with the original disc, I ended up having to show HIM how to use the included app and view the images.
This space available.
Something as trivial as a frequency isn't copyrightable.
I think you mean that only trivial frequency isn't copyrightable. There are many reasons why frequency would be copyrightable. For example, frequency that changes based on specified events.
Nor are simple structs (plenty of case law showing that .h files containing structs aren't copyrightable). Complex data structures may be copyrightable, but there's also no requirement to provide the data in this form, it could just be exported into a simple form.
Correct, but complex data structures are copyrightable. See i4i. See 17 U.S.C. 103(a) (1994). Here's a link for you to harvard law on data structure copyrightability: http://jolt.law.harvard.edu/articles/pdf/v10/10HarvJLTech239.pdf
Assume that the data structures are not "simple" and are either copyrightable, patented, or a trade secret. True, the data MAY be able to be exported, but could such data be exported in such a way as to fully represent all data collected, and if not, then who would be legally liable if "errors" were introduced, and by "errors" I am referring to a non-exact representation of the data collected? And even if so, who would be responsible for converting the data from that format to one that did not contain said copyrightable/patented/trade secret information? Why would any manufacturer in their right mind agree to such a thing when it would open them up to possible lawsuits and expenses?
Do you really though? If you ask your hospital for a copy of your record, do they give it to you or do they redact it first?
In the US, they redact it to protect your PHI, if they are sending records to third parties for certain purposes
You have a right under the law to your complete medical records.
Redaction, in case where you order all your medical records to be released to yourself, would be a violation of your patient privacy rights, and you could file a regulatory complaint against the hospital in that case.
Odd, I was thinking about the same thing. Except that it's the receptionist who needs that speech, not the poster.
Exactly. It's an iconic example of BAD customer service.
Yes... "go bother someone else, ask the records department" may meet the legal requirements. In reality, the secretary with that kind of an attitude towards customers should be fired.
I've had 5! Count 'em 5 ICDs. When they do the reading, you can always get a copy of the readout. They print them up, and clear the memory.
Every time, without exception no matter the technician, over the course of at least a hundred of these data dumps did I NEVER get a copy and I still have quite a few of them. They even go over them with you. You do have to have a modicum of cardiac AND electric knowledge or it's pointless of course. I have plenty of both so it wasn't an issue. EVER.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Since psychiatric diagnoses are used to detain and forcibly treat people I don't see how it can possibly be justified to deny patients the same access rights as anyone else. Especially when they are not in an acute stage of their illness.
http://marriedmansexlife.com/
And that is one of the many reasons why the data should be released.
The same justification has been used to restrict access to many kinds of drugs, resulting in great profits for both doctors and drug companies.
So what happens if the company goes out of business? Or if there is new research results that would allow you to select better treatments? Or if the device has some kind of error and you want to prove your case in court?
Getting data doesn't mean any active interference with the device. However, given that it's implanted into your own body, I don't see why you shouldn't have the right to control the device.
You're also a fool.
It is not the doctor's job to decide what's "better" for a legally competent person. For example, a doctor may guess that a medical test result may make it likely that a patient will commit suicide, but the suicide is the patient's choice and the doctor has no moral right to interfere with it.
So, the secretary that tells someone to drive back for another couple of hours after the weekend to get the records she could get in a minute right now is supposed to be "civilized"?
Have you ever refused to give a patient information they asked for, even though you knew they were too ignorant to understand it?
No. I probably give them too much information in fact. As for "ignorant", I don't like that word. I wasn't born with a medical degree. A patient has no obligation to be an expert on his/her own body and health. So if a patient lacks education, it's my job to provide it. Not mock a patient for not knowing what he's not expected to know.
Have you ever forced a patient to go through with a procedure they were hesitant to undergo, despite your being certain that it was vital for their long-term survival?
I have never forced a conscious patient to do anything. I have performed life-saving procedures on unconscious patients in emergency situations without their permission. But apart from that I've never forced. Medicine is not about force. It's about educating, and helping a patient see why a particular treatment or procedure is in their best interest.
Because they're fucking human beings, and as such they're entitled to fuck their own lives up if they so choose. Your job is to lead them to water, not to drown them if they're too stupid to drink.
Where is this coming from? I don't see how it's pertinent to the discussion at all. Denying a patient access to information from a medical device is not forcing a patient to do anything, just like denying you the keys to the medicine cabinet where I keep the morphine and fentanyl is not "forcing you" to do anything. You are entitled to medical care, and you are entitled to ask me to do any appropriate medical procedure. However that's where it ends. You can't insist that your doctor do something illegal, immoral, or just plain unethical under the guise of patient "rights". A pacemaker is a proprietary device. If you want to build one yourself, go ahead. Make sure you clear all the government red tape before you use it in a human, though - including yourself. But their trade secrets are their trade secrets, and paying $20k for a device doesn't give you the right to fiddle with it. If you're so desperate to learn how it works then get a job at the pace-maker company.
Seven puppies were harmed during the making of this post.
No, you see no reason for it to be a trade secret because it prevents you from winning the argument. Not the same. Go ask Coca Cola for their "secret formula". Or KFC for their secret "11 herbs and spices". Have fun.
Seven puppies were harmed during the making of this post.
You're also a fool.
Perhaps I am. Do you feel better now?
Seven puppies were harmed during the making of this post.
The difference is that without access to Coca-Cola's "formula X" or KFCs secret spice blend, no one dies.
Making sure that the public gets access to medical technology after a short patent period can save lives, and keeping it secret doesn't.
Please cite an example where a patient has died because he could not access the data cache on his pace-maker. You act as if these devices were not tested in extensive clinical trials before being sold to the public. The software works - it's not miraculous, but it works well enough that it can be demonstrated scientifically that your odds are better off having it implanted than not. You can do that without looking at the code, by looking at the end result. In two groups of similar patients, the group with the device had fewer adverse events than the group without the device. And in fact that's really the only thing that matters. If you're upset, then don't get one implanted. It's not obligatory.
Seven puppies were harmed during the making of this post.
I had a similar problem with my wife's insulin pump manufacturer. The unit is controlled by a wireless PDA. I read everything I could about the unit, but as a penetration tester, I was concerned that their security was not up to standard. I emailed and phoned the company, who flatly refused to disclose the details of their wireless technology or how it was secured. I even offered to sign a non-disclosure agreement. They just said "trust us, it's really complicated stuff". Fast forward a couple of years, and it appears that someone has indeed broken their layer of obscurity. I've seen papers detailing how it may be possible to send commands to the pump to deliver the entire insulin reservoir. I again contacted the company, one of their managers answered "Who would want to do a thing like that?". I guess he never heard of 'For the Lulz'.
First, the FDA isn't some magic group that never gets anything wrong. They have approved devices, drugs and treatments that were later found to have significant life-threatening problems.
And yet Nutrasweet was approved -- and remains on the market -- despite the data against it. Thanks a bunch, Rumsfeld.
Actually, I don't buy into any of that crap. Except chiropractic. Despite all the MDs shitting all over it as useless, it has been more help for my chronic back problems (and cheaper!) than all the muscle relaxers and surgery they've tried to give me over the years. I have proof (in the form of xrays) that chiropractic undid a bone spur in my lower spine over the course of several years.
I don't suffer from insanity, I enjoy every minute of it! --Longbottle
Please cite an example where a patient has died because he could not access the data cache on his pace-maker
Uh? I never claimed that. LTFR.
The conversation you jumped was about whether the algorithms were patented or trade secrets. If patented, the design is made public, and others can build on it as long as they don't invalid the patent, and when it expires after a reasonable time, it becomes public domain, and every company can use it, which drives down prices.
With trade secrets, there is no such time limitation. That's the problem.
And there are enough of examples of life saving medical patents that have expired, and prices then dropped to where people could afford it.
If you're upset, then don't get one implanted. It's not obligatory.
That's disingenuous, if not downright stupid argumentation. It's the same logical argument that coal mine owners used to pay their workers in scrip - they didn't have to work there. They were free to go to jail for what they owed instead, and let their families starve to death.
When your life is at a line, it's not a real choice. At that time you don't have the luxury of saying no - you are in effect being strong-armed into accepting whatever they want you to sign, with your life as a hostage.
It's only legal to hide certain information from patients, such as information disclosed confidentially to a doctor.
Federally, right to access is guaranteed by HIPAA (though entities can charge a "reasonable" fee for access). There are also a variety of state medical access laws. In New York, for example, a doctor may elect to redact information about a minor to prevent parents' access, if they believe release would be harmful to the patient.
.: Semper Absurda
When it concerns data about me.
upon the advice of my lawyer, i have no sig at this time
When your life is at a line, it's not a real choice. At that time you don't have the luxury of saying no
I think I have a little more experience than you in these situations. Real life medicine is not a tv drama show where the suspense is built in 5 minutes and the decision is made right after the next commercial. We have all sorts of ectopic (over the skin) and temporarily implantable pace-makers for those very rare situations when "your life is on the line", and that's all covered by the consent form you or your relative signed when you were admitted to hospital. Getting an implanted pace-maker or defibrillator is not an emergency process - there's plenty of time to make an informed decision. And you do have the luxury of saying no. Admittedly you may have quality of life issues which have been explained to you, but it's your decision. I find the rest of your discussion has no bearing on the point I was making that I can see, so I'll leave it at that.
Seven puppies were harmed during the making of this post.
* Transcutaneous, not ectopic.
Seven puppies were harmed during the making of this post.
Your patients might feel better if you take them a little more seriously in the future than you seem to.
Filing a regulatory complaint against my employer would likely be a career-limiting-move.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Doesn't seem much different from a car exploding if driven recklessly. If a car explodes killing nearby pedestrians when driven above the speed limit, the manufacturer would be at fault as well.
Are you surprised that someone did something so stupid? If someone does do this, then there's a limit to how much harm you can prevent for the idiot doing so, but this then resulted in the death of bystanders, when the company knew full well how to prevent that. Manufacturers are expected to make things as safe as possible in the manner they're typically used. If they're typically used incorrectly, then this should be considered in the design.
If so, then it is going to be copyrighted down to the last bit. Can you imagine the fuss it would cause if somebody found out they were being kept alive by broadcasts emanating from the inner planetary broadcasting XENU channel? Enjoy.
This ain't no upwardly mobile freeway This is the road to hell
Every written creative output is copyrighted, unless it's in public domain, so that's a moot point. Whether the licensing terms allow free access is an entirely different issue. Please don't conflate them.
A successful API design takes a mixture of software design and pedagogy.
Trade secrets are such until someone independently figures them out. It would be 100% legal for anyone to reverse-engineer the formula for Pepsi or Coca-Cola and publish it. In spite of it being a trade secret.
A successful API design takes a mixture of software design and pedagogy.
What the heck would prevent the manufacturer granting their patients the license, then? Copyright is not some law that binds the manufacturers' hands. It gives them the sole disposition of certain aspects of their intellectual property. They are free to grant access to it as they please.
A successful API design takes a mixture of software design and pedagogy.
Why would any manufacturer in their right mind agree to such a thing when it would open them up to possible lawsuits and expenses?
In order to avoid a lawsuit and expenses? In the UK this would probably be covered under the DPA and they would likely be required to provide this data under penalty of criminal proceedings.
http://blog.nexusuk.org
Slashdot is unusable without noscript.
If you aren't logged in, you are absolutely right.
At least "classic" mode gives you some of the usability of the older user interface.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
donating a kidney (Which I did recently.)
On behalf of everyone who has needed or who may need a donated organ, let me say THANK YOU.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The bill of rights doesn't say you are entitled to such records immediately.
I wonder how long before they update their paperwork to clarify that most of the rights you have can only be enforced during normal business hours.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What part of "wireless" implies WiFi frequencies or protocols? The Medtronic Minimed Paradigm insulin pump, and the Deltec Cozmo, Animas Ping, Insulet OmniPod, Accu-chek Spirit Combo, and Sooil DiabecareIIS pumps all communicate wirelessly (one via infrared) and a couple will adjust dosing automatically based on an unencrypted wireless signal from a glucose meter (basically: lie about the glucose level to the pump until it empties its 200 dose unit cartridge into the wearer, or lie about it so they don't get any insulin whatsoever).
http://www.startribune.com/business/128427593.html?refer=y
Demonstrated at Black Hat in 2011: wireless forced shutdown of the device.
http://venturebeat.com/2008/08/08/defcon-excuse-me-while-i-turn-off-your-pacemaker/
A similar turn-off attack on Legend RF controlled pacemakers was shown at Defcon in 2008, and which demonstrated the ability to pull out HIPAA protected information from the device itself, including the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions.
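The comment above describes pumps that adjust dosing from a glucose-meter signal the pump cannot verify. As an added example (not part of the original thread and not any vendor's protocol), this sketch shows the receiving-side checks that close that gap: a per-pairing HMAC tag, a monotonic counter against replay, and a plausibility bound. The frame layout, the pairing key table, the class and function names, and the 20-600 mg/dL range are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (constructed for this example):
#   meter_id (4 bytes) | counter (4 bytes) | glucose mg/dL (2 bytes) | tag (16 bytes)
HEADER = struct.Struct(">IIH")
TAG_LEN = 16                 # truncated HMAC-SHA256 tag
GLUCOSE_RANGE = (20, 600)    # assumed plausible meter range in mg/dL


def build_frame(key: bytes, meter_id: int, counter: int, glucose: int) -> bytes:
    """Meter side: serialize a reading and append its authentication tag."""
    header = HEADER.pack(meter_id, counter, glucose)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class PumpReceiver:
    """Pump side: accept a reading only if it is authentic, fresh and plausible."""

    def __init__(self, paired_keys):
        self.paired_keys = dict(paired_keys)   # meter_id -> key set at pairing time
        self.last_counter = {}                 # meter_id -> highest counter accepted

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return ("reject", "bad length")
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        meter_id, counter, glucose = HEADER.unpack(header)

        key = self.paired_keys.get(meter_id)
        if key is None:
            return ("reject", "unpaired meter")

        # Authenticity first: nothing in the frame is trusted before this passes.
        expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad tag")

        # Freshness: a captured frame cannot be replayed later.
        if counter <= self.last_counter.get(meter_id, -1):
            return ("reject", "replayed or stale counter")
        self.last_counter[meter_id] = counter

        # Safety bound: even an authentic reading must be physiologically plausible.
        low, high = GLUCOSE_RANGE
        if not low <= glucose <= high:
            return ("reject", "implausible reading")
        return ("accept", glucose)


def demo():
    """Run constructed frames through the receiver and return each verdict."""
    key = bytes(range(32))                       # constructed pairing key
    pump = PumpReceiver({0x1001: key})
    good = build_frame(key, 0x1001, 1, 112)
    unkeyed = build_frame(b"\x00" * 32, 0x1001, 2, 400)   # sender without the key
    altered = bytearray(build_frame(key, 0x1001, 3, 112))
    altered[9] ^= 0xFF                           # glucose byte changed in transit
    return [
        pump.accept(good),
        pump.accept(good),                       # same frame seen a second time
        pump.accept(unkeyed),
        pump.accept(bytes(altered)),
        pump.accept(build_frame(key, 0x1001, 4, 900)),
        pump.accept(build_frame(key, 0x1001, 5, 98)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Encryption of the reading is not what the receiver depends on here; the tag and counter are what let it refuse a value it cannot attribute to its paired meter.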