Slashdot Mirror
Patient Just Wants To See Data From His Implanted Medical Device
An anonymous reader writes "Hugo Campos got an implanted cardiac defibrillator shortly after collapsing on a BART train platform. He wants access to the data wirelessly collected by the computer implanted in his body, but the manufacturer says No. It seems weird that a patient can't get access to data about his own heart. Hugo and several medical device engineers are responding to live Q/A on Sunday night on such topics via ACM MedCOMM webcast at ACM SIGCOMM."
Here's a link to the actual post.
Your hair look like poop, Bob! - Wanker.
It seems weird that a patient can't get access to data about his own heart.
No more weird than your stem cells and DNA being patented. In fact, according to intellectual property law, you don't own your body, or any of the parts implanted in it... it's all covered by a patchwork of patents on genetic materials and derived medical uses. You should be careful with yourself... it's a felony to damage government property... Or was that corporations? I confuse the two so much these days... (-_-)
#fuckbeta #iamslashdot #dicemustdie
While security through obscurity isn't a good approach I figure with something such as a that you'd want to take every step you can to make sure as little information gets out about it as possible.
Next year on defcon - learn how to hotwire your neighbour! Literally! From your android device! (or iphone, but you have to be jailbroken and pay 99c for the app. But it comes with a jump-o-meter to measure how high he jumps.)
Not very useful if it's encrypted unless you have the private key or can crack it.
Any entity that collects medical data on you MUST provide a way to get you copies of that information. If he really wants the data that badly, I'd contact a lawyer and pursue it from the HIPAA angle. Chances are very good there's probably not a hell of a lot of information in it. If he's really worried about it, he should contact his cardiologist and have them order an interrogation the pacer. Pretty simple stuff really and that way its covered under insurance..(probably unless there's no medical reason to do so). They probably aren't going to come out and interrogate it in the home, because they fiddle with the settings to make sure its working right and for that reason it needs to be done only in a setting where he's on telemetry and has medical staff standing by.
Not knowing his specific one I can't say for sure. But I can say MOST medical devices have very little in the way of security... its really pitiful how far back the medical field is.
the dude is probably thinking of tampering with the device's firmware settings and increasing his own pulse so he can go on a rampage around town like in that movie "Crank"
a) Would he understand what the data meant?
Maybe not, but maybe he wanted to get (n+1)th opinion.
b) Maybe the software and what not is proprietary?
But he doesn't want the 'ware. He wants the data it produces.
Just some thoughts that come to mind
In this case those are gross overstatements.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
so his heart will go pitter-patter like a 20 year old in love
Politics is Treachery, Religion is Brainwashing
I suspect their refusal to allow access might be along the lines of hiding from potential liability if the product reacts or behaves improperly at any time. Imagine a grieving widow who discovers a pattern in the data where the device takes 3 minutes too long to respond properly every 500 or 1000 times it stimulates the heart or the input says it should.
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor. Perhaps they are worried the control signals would be discovered and after a trip to an electronics store, the widow could be celebrating getting rid of her husband instead of grieving? I see no other reason for keeping it hidden other then to avoid liability or stop potential abuse.
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
He is not a psych patient so all his healthcare info legally belongs to the him...
Concerning the (absence of) malfunctions, wasn't that the goddamn job of the FDA in the first place?
As for the remote tinkering, what does the output have to do with the input? Suppose some sort of requests are required to yank the data out. What possibly could be the problem in making the readout plain and setup secure?
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Not to sound against it, but
a) Would he understand what the data meant?
b) Maybe the software and what not is proprietary?
Just some thoughts that come to mind
a) He certainly isn't going to have a better chance of understanding the data if he isn't allowed to see them... Would I be polishing my 'I told you so' reflexes if he decides to do a bit of amateur reprogramming? Sure. Does denying somebody access to even view data because they might not understand it make sense? About as much sense as keeping books away from children because they aren't yet literate...
b) Given that the manufacturer won't disclose it, it apparently is proprietary. That's sort of the entire issue. We have now(and, barring exciting economic apocalypse of some flavor) and will have in greater numbers and in more significant capacities, a population for which 'binary blobs' are inside their bodies, not their laptops. Some of them don't like this.
The less data/information they give to personal injury lawyers the safer they are. Even if there's nothing wrong with the device a jury could be convinced that something was wrong with pretty graphs that show...something.
But then, the refusal itself could be construed as indication that something is wrong with the device, because otherwise, why hide the data?
The Tao of math: The numbers you can count are not the real numbers.
...it is available to anyone with a receiver.
Available, yes, but if you decrypt it, you have broken the law.
These things tend not to be quite so frivolous when you look into them.
Straight Dope Boards suggests that there was a design issue that the gas can manufacturer knew about, that would result in an explosion. A slight redesign would have meant that the 4 year old would have survived.
20120420 08:00:22 CARDIAC SYSTEM INIT
20120420 08:00:24 VENTRICLE TEST OK
20120420 08:00:25 AORTA TEST OK
20120420 08:00:26 BATTERY TEST OK
20120420 08:00:27 0MG GR0W B1GG3R P3N1$ 1N 3 W33K$!
20120420 08:00:27 CHINA HANDBAG SHOES FASHION LOWEST PRICE
20120420 08:00:27 MEET SEXY SINGLES IN UR AREA
20120420 08:00:27 URGENT FROM WELLS FARGO BANK ACCOUNT RESET!
i had a blitz brand gas can, it was a leaky piece of shit and the spout fell apart on me when i was pouring. i don't know the details of the lawsuit but i am not surprised they got sued out of business using such low quality construction for something as hazardous as holding gasoline.
http://www.lowes.com/pd_90258-1362-80033_0__?productId=3126289 this is the nozzle mine had (smaller can not the 5 gallon). parts shattered and flew out from under the handle about 6 months after i got it, while trying to pour gas.
Snowden and Manning are heroes.
If it's encrypted, then this would give them access to both the cyphertext and cleartext of the data, which is the essentials of what you need to reverse engineer the cryptography.
Now ideally, the control and reporting cryptography would use different keys, but there is only so much code you can fit into a small embeddable medical devices, and it's likely they are the same code, if not the same key pair.
In this case, it's reasonable to not give samples of both sets of data out to prevent reverse engineering of the control channel which could then be used on someone else's implanted medical device.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
I don't see how that would help a paranoiac.
Give me Classic Slashdot or give me death!
The same justification could be given to forbid patients from seeing their blood tests, or even reading any medical literature. That is bullshit. Medics are not all knowing and patients are not retarded children. Patients have the right to decide for themselves what they want done with their own bodies and to fully exert this right the more information they have the better.
He is not a psych patient so all his healthcare info legally belongs to the him...
How do you know? May be, he was just having a panic attack and they implanted an Altoids Tin Can into his chest to trigger the Placebo effect.
For the last time -- off my couch!
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor
You already have a right to all of your medical records. I don't understand how this data is not a "medical record."
.: Semper Absurda
Don't tell that to your doctor...
Why can't
That is an important point on this subject. Implants are only going to become more common in the future. That implant and it's software are a part of him now. What percent of a person can be outright owned by another person before we call them a slave? 1%, 10%, does it have to be 100%?
There are several very good reasons why he shouldn't have a raw feed from the device manufacturer./quote? Yes, the same reason that some people shouldn't be allowed to vote, or should be owned instead of being responsible for their own well being....
I usually avoid hospitals and the medical profession in general unless it is needed, ie, broken bones or donating a kidney (Which I did recently.) A couple years ago while camping my some broke a bone. I put it in a splint then took him to the hospital to get a get it set and placed in a cast. This was on a Saturday in a very "out-in-the-boonies" location. Before the staff would even look at my son, I had to sign a patient's "Bill of Rights." indicating that I had read the items on their list... There were around a dozen items and I don't remember what they were except for the first one. "The Patient has a Right to all medical records assembled during the visit." Maybe this is enforced in other hospitals. I don;t know.
.)
Anyway, My son was X-Rayed and dealt with and released.
On the way out, I asked the secretary, who made me sign the "Patient's Bill of Rights," for a copy of my sons X-Rays and a print out of the Vitals they recorded. I was told "No, Those are not for you." I put on my "Contrary-Old-Bastard Hat" and stated that I have a "right" to those and read back the 1st item on theh "Patient's Bill of Rights." I explained that the X-Ray and vitals were records of the visit and that the hospital, before my son was allowed any medical attention, made me sign a form to acknowledge that I have a right to those records. I was told that I had to go through the Records department and Billing in order to get the records. These offices would not be open until the following Tuesday (due to a Holiday.) Not wanting to get mad at the secretary for doing her job, I asked to talk to her boss or whoever was in charge of the hospital that day. She informed to me with all of her arrogance that since it was the weekend, she was in charge. So I ranted to her for a while and then read the entire "Patient's Bill of Rights" to her. I strongly emphasized that nowhere in this document, which we both signed, did is mention that I should go through Billing and records. After ranting a bit more she let me know that my son's doctor can request the records and the records will be sent without charge. I explained more how I am his parent/Guardian and in charge of his primary care and that I want the records to that I can hand deliver the records when I can return and set an appointment for cast removal. Again I read the entire "Patient's Bill of Rights" to her and then explained that nowhere on it did it say that my doctor was to get the records. I asked her bluntly to obtain a copy of the records. She actually stomped her foot and said, "No."
"OK," I said, "since I have been forced to acknowledge that I have a right to my son's records, I am going to sit right here in the middle of this hallway until I get them." And I did; I sat down in the middle of the hallway. (My son was looking at me in a state of shock -- He was at that Jr. High age when anything a parent does is considered embarrassing
The secretary stared at me for about 30 seconds. then left. A minute after that she came out with a doctor and he asked what was up. I mentioned that I was waiting for a copy of my son's medical records. He nodded, went behind the counter and gave me the X-Rays and vitals papers. I said "Thank you" and left.
This anecdote is not so that I can say I am an old cantankerous fart, it it to illustrate that even though people have rights to information, the ones that hold the information feel compelled not to give it up. THis is true with software, medical data, music... I don;t know where this attitude comes from.
[off my soapbox]
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
They have to give them to you here in my country (Brazil), here your doctor can only see your tests through you. He asks for the exams, you go to the lab, they collect your samples, and when the results are ready you go there and get them (or get them through the internet) and bring them to the doctor, if you so wish. If you prefer you can just get the results and bring them to another doctor and never go back to the former one, who requested the tests, or you can bring them to both.
I don't know specifics about how the procedures are in US, but I do know that under HIPAA they must give you any results you request They can't legally refuse to do so.
"should be owned instead of being responsible for their own well being"
If someone is going to be responsible for his well being, he should be given the best possible information, not the raw, context free dump some engineering company e-mails him.
If you ever find a doctor who's willing to treat a close relative (or himself) for something serious, find another doctor. Most won't do it, and none of the good ones will. EVERYBODY's judgement is clouded when they're considering things seriously affecting their own health.
Yes, the ultimate responsibility lies with the patient. This guy should have access to his data (which he does), by asking the correct person for it.
My mechanic always explains what's wrong with my car when a decision needs to be made, and what was done when I pick it up. Is he being paternalistic, or giving me good service?
the dude is probably thinking of tampering with the device's firmware settings and increasing his own pulse so he can go on a rampage around town like in that movie "Crank"
Computer says no.
"Oh, you own the implant, but the software is licensed. Make sure you keep up your license payments and come in for your monthly compliance review or we'll use the remote kill switch."
This is my sig. There are many like it but this one is mine.
If the information is common to everyone with the same implant is it, by definition, not personally identifiable or private health information. Disclosing the existence of patient Q to patient R, or visa versa, would be a violation. But merely telling either of both of them independently that they have their implant set to "Mode B" is not, just as telling patient Q that he has a heart rate of 79 is not a violation if patient R happens to also have a heart rate of 79.
Also, even if there is some private data that needs to be hidden, it's entirely possible to design a crypto system that's secure against known-plaintext attacks. Almost are modern crypto systems are; you'd have to do something dumb to not get that feature from any common crypto library.
You don't get to peek inside your machine to see for yourself it's a good one, just like the airline will not let you take a wrech to the jet engine or even kick the plane's tires.
I have one of these devices since last year after my (4th) heart attack. I am also a physician, so I would understand the data. But honestly I don't see the need. When I go get checked up, the Boston Scientific staff are more than happy to explain anything I ask - and I do ask some detailed questions. I am quite sure that the device and its software are proprietary and also trade secrets of the company.
But there's another reason: Honestly one shouldn't go around tinkering or "hacking" an implanted device. They come with limited battery life - most of which is covered by warranty (if my battery runs out before 10 years I get the device replaced and the procedure paid for by the company, anywhere in the world). Radio signals require energy, asking the device to read its cache requires energy, and the manufacturer would be put in a position where it might have to cover a warranty on a battery that didn't fail because of design, but because of tinkering. They can hardly say "no" and let the patient die. That, and of course what if the "hacker" manages to mistakenly change the machine's settings so it's firing inappropriately, draining the battery within days, or better yet firing and triggering a lethal arrhythmia. The company would be blamed (at least initially) for a "faulty" device. It's bad business, and I understand it.
I really don't feel like playing with my implant. I really don't feel like paying for someone else who wants to play with their implants, in the form of increased costs because the company has to set more aside for liability. I selected my device after both research into the company, the model, and this type of device as a whole. And my cardiologist's opinion. And a 2nd opinion. You can look at the statistics for the device, compiled in a scientific manner, and compare it to other devices, and that's it.
Seven puppies were harmed during the making of this post.
The tech who gives you an x-ray, CT or MRI scan won't give you the images either. You can request them from your doctor, and he will (or may have to) give them to you, but he'll probably want to sit down and go through them with you first.
Hey, that's false! My wife got an MRI recently, and I asked the technician to give us a copy of the data. There was no objection or hesitation, the technician simply burned a CD and handed it to us on our way out. I learned that their images are stored in a proprietary format, but conveniently the CD came with the software necessary to view the images.
First, the FDA isn't some magic group that never gets anything wrong. They have approved devices, drugs and treatments that later was found to have significant life threatening problem. They are supposed to test and weed those problems out or even approve of the dangers as acceptable and manageable considering the goals of the device, drug or treatment. The FDA simply is not a magical group of people who never allow something potentially harmful outside of it's labs. It's design was traditionally to validate claims and ascertain harmful effects so we didn't have electrified dildos out there still treating female hysteria and hair loss or leaching to treat pneumonia.
Second, knowing the output can isolate the input not used to initiate the output. It can also be used to determine or differentiate the control signals verses the information. Also, if you are used to cracking wifi encryption, assuming these things use some sort of encryption, knowing what most of the signal will say- even just portions of it- goes a long way at finding the key to cracking the encryption and the signal altogether.
As for access to the output, I don't have a problem with it. I actually think it should be a right of the patient. I know the doctor gets access to the readout and makes changes to the devices based on it. Perhaps they don't want the patent influencing those changes by discussing them with the doctor? There are a load of reasons ranging from the paranoid to the idiotic and from the quality of operation to hiding the workings from competitors.
I don't know specifics about how the procedures are in US, but I do know that under HIPAA they must give you any results you request They can't legally refuse to do so.
Actually, the way it typically works in the US is: The company can make the judgement that you don't have the funds (or the time ;-) for a successful court challenge, which will take a decade for all the appeals and more money than you'd believe. In the meantime, they can continue to refuse to give you their medical info, without any further legal repercussions than your lawsuit, which they will delay with every legal trick available. If you actually do have the funds (and live long enough), yes, you can get them to obey the law -- and give you their data from a decade earlier. Meanwhile, they've upgraded your implants, and the court didn't order them to give you the data from your current model(s), so they don't.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Obviously I don't know what he actually said here, there are polite ways to ask for things and impolite ways, but I've been on the receiving end of this "We won't give you your own information" bullshit before. In my case, the lady behind the counter claimed that there was some law preventing her from giving the information to me. I didn't have a piece of paper stating exactly the opposite, so I ultimately just had to leave without getting the test that I had come for.
It doesn't sound to me like he was being a dick. Maybe a lawsuit would have been more appropriate than sitting in the hallway, but this is a significant problem and I'm glad he stuck to his guns.
Odd, I was thinking about the same thing. Except that it's the receptionist who needs that speech, not the poster. The poster wanted nothing more than that the reception spend literally a couple of minutes getting what he had a clearly documented right to have. Three cheers for the poster! If more people would refuse to put up with bureaucratic bullshit, the world would be a much better place. I hope his son grows up to be just like him.
If you produce data from my body, I think it's only fair that I get access to it. I want to know what data a company collects about me, especially if it's as personal as data from one of my vital organs.
If I don't understand the data, I can go to a doctor and have him translate it. If the software is proprietary, I'll go to you and have you extract the data, then you may give me the data. I trust that you didn't copyright numbers and letters?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Do you really though? If you ask your hospital for a copy of your record, do they give it to you or do they redact it first?
I work for a hospital, and I can answer that: they redact the shit out of it. And they're so fired up about making sure they can redact the information that I would be fired if I ever opened my own medical record. The best part is that they claim in the pretty pamphlet they give new hires that medical records are copyrighted property of the hospital board.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Did you just call DICOM proprietary?
Technically correct. It *is* a copyrighted standard, with the copyright being held by the National Electrical Manufacturers Association. When defining proprietary software as "computer software licensed under exclusive legal right of the copyright holder", this standard would fall into that category.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
My MINI does the same thing (checked with data from the OBDII port).
I thought you said you didn't have access to this info? What this guy wants is exactly like an ODBII port for his heart. Most people don't care if their gauge fluctuates some. That's normal. If you care, do like I do and leave a Bluetooth reader hooked up and get the android app torque that let's you pull that up whenever.
Disclosure: I am a doctor, and I work with patients with pacemakers on a frequent basis.
If he wants a raw printout of the data generated, he should make an appointment, stop by his cardiologist's office, and ask the cardiologist. I've been asked a few times by curious patients to see the readouts. I always show it to them, give them the clinical interpretation of the data, and let them keep it if they want. Most don't; it's several hundred small pages of gibberish to an untrained eye, linked together like the old dot matrix printer pages.
If he feels uncomfortable with having a machine in his body that he can't check out himself every second of every day, he can ask to have it turned off ("turned off" being simplistic) or for a surgeon to remove it. [Insert belief system here] didn't give him the pacemaker growing in him when he was born - he can choose to use it as designed or choose not to use it, which is a valid choice. There are real potential harms to widely propogating machines that could decrypt the data; the exact same machines allow us to reprogram the device, including settings that could harm or kill the patient. The encryption IS the security on implantable, reprogrammable medical devices; password, 2 step authorization or the like is not possible due to the existence of medical emergencies in which prompt access by medical personnel not normally involved in his care to the input and output of the device can mean the difference between life and death.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
Just some thoughts that come to mind
In this case those are gross overstatements.
this airplane doesn't collect very intimate details about me while I sit in it.
Playing the devil's advocate, there's not really anything intimate about your heart rate and the shape of your QRS complexes. It's not really "personally identifiable information", unlike say your name, DOB, passport number, destination, seat number, who you are travelling with, all your previous travel history and your credit card number kept by the airline, for example.
Seven puppies were harmed during the making of this post.
Since when is it ok for us to say "If you have nothing to hide you should not worry" to others?
That could explain his curious increase in strength...
+1. There is a fine line between being polite and being a coward and the difference in people's opinions on this matter generally stems from how much they value contracts in general. If you are the kind of person who simply never reads what they sign and just accepts any perceived future unfairness (most people) then you're a lazy coward in my book who only has rights because of the "dicks" of this world. If you don't read what you sign but later resolve to fight perceived unfairness (by refusing to pay a termination fee for a phone contract for example) or you often/always read what you sign and frequently refuse to sign things until certain conditions are changed then you are a complete dick and the lazy, cowardly fucks of this world are indebted to you for making their lives easier.
TL;DR. When dealing with any organisation, company, or government, being a dick is a true virtue and being polite is selfish.
Exactly. You should only trust faith healers and chiropractors.
And homeopaths.
This space available.
The tech who gives you an x-ray, CT or MRI scan won't give you the images either.
Nor really true anymore, but not for the reason you'd expect.
So many hospitals send you to private locations for imaging these days that you often ARE given your MRI and CT scan results simply because you're expected to cart them to your Dr. yourself. Saves them a buck.
Also, many hospitals no longer put casts on broken limbs, they simply diagnose & xray and send you with the xrays to an orthopedist.
I scanned the xrays of my broken ankle and put them on Flickr.
When I got a CT scan of my head, I used images of my brain as my Facebook profile photo.
When I got an MRI they handed me the data disc to take to the Dr. I made a copy, figured out the strange image format and will post those to flickr some day when I'm bored.
Meanwhile when I got to the Dr. with the original disc, I ended up having to show HIM how to use the included app and view the images.
This space available.
Do you really though? If you ask your hospital for a copy of your record, do they give it to you or do they redact it first?
In the US, they redact it to protect your PHI, if they are sending records to third parties for certain purposes
You have a right under the law to your complete medical records.
Redaction, in case where you order all your medical records to be released to yourself, would be a violation of your patient privacy rights, and you could file a regulatory complaint against the hospital in that case.