Slashdot Mirror
Patient Just Wants To See Data From His Implanted Medical Device
An anonymous reader writes "Hugo Campos got an implanted cardiac defibrillator shortly after collapsing on a BART train platform. He wants access to the data wirelessly collected by the computer implanted in his body, but the manufacturer says No. It seems weird that a patient can't get access to data about his own heart. Hugo and several medical device engineers are responding to live Q/A on Sunday night on such topics via ACM MedCOMM webcast at ACM SIGCOMM."
Here's a link to the actual post.
Your hair look like poop, Bob! - Wanker.
It seems weird that a patient can't get access to data about his own heart.
No more weird than your stem cells and DNA being patented. In fact, according to intellectual property law, you don't own your body, or any of the parts implanted in it... it's all covered by a patchwork of patents on genetic materials and derived medical uses. You should be careful with yourself... it's a felony to damage government property... Or was that corporations? I confuse the two so much these days... (-_-)
#fuckbeta #iamslashdot #dicemustdie
While security through obscurity isn't a good approach I figure with something such as a that you'd want to take every step you can to make sure as little information gets out about it as possible.
Next year on defcon - learn how to hotwire your neighbour! Literally! From your android device! (or iphone, but you have to be jailbroken and pay 99c for the app. But it comes with a jump-o-meter to measure how high he jumps.)
Any entity that collects medical data on you MUST provide a way to get you copies of that information. If he really wants the data that badly, I'd contact a lawyer and pursue it from the HIPAA angle. Chances are very good there's probably not a hell of a lot of information in it. If he's really worried about it, he should contact his cardiologist and have them order an interrogation the pacer. Pretty simple stuff really and that way its covered under insurance..(probably unless there's no medical reason to do so). They probably aren't going to come out and interrogate it in the home, because they fiddle with the settings to make sure its working right and for that reason it needs to be done only in a setting where he's on telemetry and has medical staff standing by.
the dude is probably thinking of tampering with the device's firmware settings and increasing his own pulse so he can go on a rampage around town like in that movie "Crank"
a) Would he understand what the data meant?
Maybe not, but maybe he wanted to get (n+1)th opinion.
b) Maybe the software and what not is proprietary?
But he doesn't want the 'ware. He wants the data it produces.
Just some thoughts that come to mind
In this case those are gross overstatements.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I suspect their refusal to allow access might be along the lines of hiding from potential liability if the product reacts or behaves improperly at any time. Imagine a grieving widow who discovers a pattern in the data where the device takes 3 minutes too long to respond properly every 500 or 1000 times it stimulates the heart or the input says it should.
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor. Perhaps they are worried the control signals would be discovered and after a trip to an electronics store, the widow could be celebrating getting rid of her husband instead of grieving? I see no other reason for keeping it hidden other then to avoid liability or stop potential abuse.
Not to sound against it, but
a) Would he understand what the data meant?
b) Maybe the software and what not is proprietary?
Just some thoughts that come to mind
a) He certainly isn't going to have a better chance of understanding the data if he isn't allowed to see them... Would I be polishing my 'I told you so' reflexes if he decides to do a bit of amateur reprogramming? Sure. Does denying somebody access to even view data because they might not understand it make sense? About as much sense as keeping books away from children because they aren't yet literate...
b) Given that the manufacturer won't disclose it, it apparently is proprietary. That's sort of the entire issue. We have now(and, barring exciting economic apocalypse of some flavor) and will have in greater numbers and in more significant capacities, a population for which 'binary blobs' are inside their bodies, not their laptops. Some of them don't like this.
But then, the refusal itself could be construed as indication that something is wrong with the device, because otherwise, why hide the data?
The Tao of math: The numbers you can count are not the real numbers.
20120420 08:00:22 CARDIAC SYSTEM INIT
20120420 08:00:24 VENTRICLE TEST OK
20120420 08:00:25 AORTA TEST OK
20120420 08:00:26 BATTERY TEST OK
20120420 08:00:27 0MG GR0W B1GG3R P3N1$ 1N 3 W33K$!
20120420 08:00:27 CHINA HANDBAG SHOES FASHION LOWEST PRICE
20120420 08:00:27 MEET SEXY SINGLES IN UR AREA
20120420 08:00:27 URGENT FROM WELLS FARGO BANK ACCOUNT RESET!
If it's encrypted, then this would give them access to both the cyphertext and cleartext of the data, which is the essentials of what you need to reverse engineer the cryptography.
Now ideally, the control and reporting cryptography would use different keys, but there is only so much code you can fit into a small embeddable medical devices, and it's likely they are the same code, if not the same key pair.
In this case, it's reasonable to not give samples of both sets of data out to prevent reverse engineering of the control channel which could then be used on someone else's implanted medical device.
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor
You already have a right to all of your medical records. I don't understand how this data is not a "medical record."
.: Semper Absurda
I usually avoid hospitals and the medical profession in general unless it is needed, ie, broken bones or donating a kidney (Which I did recently.) A couple years ago while camping my some broke a bone. I put it in a splint then took him to the hospital to get a get it set and placed in a cast. This was on a Saturday in a very "out-in-the-boonies" location. Before the staff would even look at my son, I had to sign a patient's "Bill of Rights." indicating that I had read the items on their list... There were around a dozen items and I don't remember what they were except for the first one. "The Patient has a Right to all medical records assembled during the visit." Maybe this is enforced in other hospitals. I don;t know.
.)
Anyway, My son was X-Rayed and dealt with and released.
On the way out, I asked the secretary, who made me sign the "Patient's Bill of Rights," for a copy of my sons X-Rays and a print out of the Vitals they recorded. I was told "No, Those are not for you." I put on my "Contrary-Old-Bastard Hat" and stated that I have a "right" to those and read back the 1st item on theh "Patient's Bill of Rights." I explained that the X-Ray and vitals were records of the visit and that the hospital, before my son was allowed any medical attention, made me sign a form to acknowledge that I have a right to those records. I was told that I had to go through the Records department and Billing in order to get the records. These offices would not be open until the following Tuesday (due to a Holiday.) Not wanting to get mad at the secretary for doing her job, I asked to talk to her boss or whoever was in charge of the hospital that day. She informed to me with all of her arrogance that since it was the weekend, she was in charge. So I ranted to her for a while and then read the entire "Patient's Bill of Rights" to her. I strongly emphasized that nowhere in this document, which we both signed, did is mention that I should go through Billing and records. After ranting a bit more she let me know that my son's doctor can request the records and the records will be sent without charge. I explained more how I am his parent/Guardian and in charge of his primary care and that I want the records to that I can hand deliver the records when I can return and set an appointment for cast removal. Again I read the entire "Patient's Bill of Rights" to her and then explained that nowhere on it did it say that my doctor was to get the records. I asked her bluntly to obtain a copy of the records. She actually stomped her foot and said, "No."
"OK," I said, "since I have been forced to acknowledge that I have a right to my son's records, I am going to sit right here in the middle of this hallway until I get them." And I did; I sat down in the middle of the hallway. (My son was looking at me in a state of shock -- He was at that Jr. High age when anything a parent does is considered embarrassing
The secretary stared at me for about 30 seconds. then left. A minute after that she came out with a doctor and he asked what was up. I mentioned that I was waiting for a copy of my son's medical records. He nodded, went behind the counter and gave me the X-Rays and vitals papers. I said "Thank you" and left.
This anecdote is not so that I can say I am an old cantankerous fart, it it to illustrate that even though people have rights to information, the ones that hold the information feel compelled not to give it up. THis is true with software, medical data, music... I don;t know where this attitude comes from.
[off my soapbox]
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
They have to give them to you here in my country (Brazil), here your doctor can only see your tests through you. He asks for the exams, you go to the lab, they collect your samples, and when the results are ready you go there and get them (or get them through the internet) and bring them to the doctor, if you so wish. If you prefer you can just get the results and bring them to another doctor and never go back to the former one, who requested the tests, or you can bring them to both.
I don't know specifics about how the procedures are in US, but I do know that under HIPAA they must give you any results you request They can't legally refuse to do so.
If the information is common to everyone with the same implant is it, by definition, not personally identifiable or private health information. Disclosing the existence of patient Q to patient R, or visa versa, would be a violation. But merely telling either of both of them independently that they have their implant set to "Mode B" is not, just as telling patient Q that he has a heart rate of 79 is not a violation if patient R happens to also have a heart rate of 79.
Also, even if there is some private data that needs to be hidden, it's entirely possible to design a crypto system that's secure against known-plaintext attacks. Almost are modern crypto systems are; you'd have to do something dumb to not get that feature from any common crypto library.
You don't get to peek inside your machine to see for yourself it's a good one, just like the airline will not let you take a wrech to the jet engine or even kick the plane's tires.
I have one of these devices since last year after my (4th) heart attack. I am also a physician, so I would understand the data. But honestly I don't see the need. When I go get checked up, the Boston Scientific staff are more than happy to explain anything I ask - and I do ask some detailed questions. I am quite sure that the device and its software are proprietary and also trade secrets of the company.
But there's another reason: Honestly one shouldn't go around tinkering or "hacking" an implanted device. They come with limited battery life - most of which is covered by warranty (if my battery runs out before 10 years I get the device replaced and the procedure paid for by the company, anywhere in the world). Radio signals require energy, asking the device to read its cache requires energy, and the manufacturer would be put in a position where it might have to cover a warranty on a battery that didn't fail because of design, but because of tinkering. They can hardly say "no" and let the patient die. That, and of course what if the "hacker" manages to mistakenly change the machine's settings so it's firing inappropriately, draining the battery within days, or better yet firing and triggering a lethal arrhythmia. The company would be blamed (at least initially) for a "faulty" device. It's bad business, and I understand it.
I really don't feel like playing with my implant. I really don't feel like paying for someone else who wants to play with their implants, in the form of increased costs because the company has to set more aside for liability. I selected my device after both research into the company, the model, and this type of device as a whole. And my cardiologist's opinion. And a 2nd opinion. You can look at the statistics for the device, compiled in a scientific manner, and compare it to other devices, and that's it.
Seven puppies were harmed during the making of this post.
The tech who gives you an x-ray, CT or MRI scan won't give you the images either. You can request them from your doctor, and he will (or may have to) give them to you, but he'll probably want to sit down and go through them with you first.
Hey, that's false! My wife got an MRI recently, and I asked the technician to give us a copy of the data. There was no objection or hesitation, the technician simply burned a CD and handed it to us on our way out. I learned that their images are stored in a proprietary format, but conveniently the CD came with the software necessary to view the images.
First, the FDA isn't some magic group that never gets anything wrong. They have approved devices, drugs and treatments that later was found to have significant life threatening problem. They are supposed to test and weed those problems out or even approve of the dangers as acceptable and manageable considering the goals of the device, drug or treatment. The FDA simply is not a magical group of people who never allow something potentially harmful outside of it's labs. It's design was traditionally to validate claims and ascertain harmful effects so we didn't have electrified dildos out there still treating female hysteria and hair loss or leaching to treat pneumonia.
Second, knowing the output can isolate the input not used to initiate the output. It can also be used to determine or differentiate the control signals verses the information. Also, if you are used to cracking wifi encryption, assuming these things use some sort of encryption, knowing what most of the signal will say- even just portions of it- goes a long way at finding the key to cracking the encryption and the signal altogether.
As for access to the output, I don't have a problem with it. I actually think it should be a right of the patient. I know the doctor gets access to the readout and makes changes to the devices based on it. Perhaps they don't want the patent influencing those changes by discussing them with the doctor? There are a load of reasons ranging from the paranoid to the idiotic and from the quality of operation to hiding the workings from competitors.
Odd, I was thinking about the same thing. Except that it's the receptionist who needs that speech, not the poster. The poster wanted nothing more than that the reception spend literally a couple of minutes getting what he had a clearly documented right to have. Three cheers for the poster! If more people would refuse to put up with bureaucratic bullshit, the world would be a much better place. I hope his son grows up to be just like him.
Do you really though? If you ask your hospital for a copy of your record, do they give it to you or do they redact it first?
I work for a hospital, and I can answer that: they redact the shit out of it. And they're so fired up about making sure they can redact the information that I would be fired if I ever opened my own medical record. The best part is that they claim in the pretty pamphlet they give new hires that medical records are copyrighted property of the hospital board.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Did you just call DICOM proprietary?
Technically correct. It *is* a copyrighted standard, with the copyright being held by the National Electrical Manufacturers Association. When defining proprietary software as "computer software licensed under exclusive legal right of the copyright holder", this standard would fall into that category.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
The tech who gives you an x-ray, CT or MRI scan won't give you the images either.
Nor really true anymore, but not for the reason you'd expect.
So many hospitals send you to private locations for imaging these days that you often ARE given your MRI and CT scan results simply because you're expected to cart them to your Dr. yourself. Saves them a buck.
Also, many hospitals no longer put casts on broken limbs, they simply diagnose & xray and send you with the xrays to an orthopedist.
I scanned the xrays of my broken ankle and put them on Flickr.
When I got a CT scan of my head, I used images of my brain as my Facebook profile photo.
When I got an MRI they handed me the data disc to take to the Dr. I made a copy, figured out the strange image format and will post those to flickr some day when I'm bored.
Meanwhile when I got to the Dr. with the original disc, I ended up having to show HIM how to use the included app and view the images.
This space available.