Software Freedom's latest target is medical devices

Summary: Heart disease patients like Dick Cheney are vulnerable to buggy software and hack-attacks aimed straight at the devices implanted near their hearts. Open source could offer hope.


Heart disease patients like Dick Cheney are vulnerable to buggy software and hack-attacks aimed straight at the devices implanted near their hearts.

Worse, they have no legal recourse. But open source could offer hope.

The Software Freedom Law Center says software is responsible for one-fourth of the problems commonly found in Implantable Medical Devices (IMDs) like pacemakers and defibrillators.

If the software were open source, the group says, such problems could be found and ended.

While admitting no deaths have yet been attributed to insecure IMD software, the group's paper also described how researcher Kevin Fu was able to simulate a successful attack on an IMD in 2008. As devices become increasingly software-based, the danger grows worse.

The paper suggests open source would be more secure and less subject to bugs than current closed-source solutions, and notes that patients could be protected from hackers by "cloaking" device access through encryption and passwords.

The real target here, however, appears to be the Supreme Court, which ruled in the 2008 case of Riegel vs. Medtronic that patients have no legal recourse against defective devices. FDA device approval (which has since proven to have been faulty during the period in question) gives device makers immunity from suits, the court held.

With the successful regulatory capture of the FDA by manufacturers, the elimination of patients' access to the courts, and an increased reliance on possibly-buggy software that could be vulnerable to attack, the SFLC is suggesting open source as a possible solution.

It won't get it. But we may get better medical device regulation. At least for the next few years.

  • RE: Software Freedom's latest target is medical devices

    I don't buy the SFLC's reasoning. The problem being that how many people in the open source world are going to look at the code, and if they do how many of them have the experience, knowledge, and expertise to be able to troubleshoot code for medical devices? I don't think the code needs to be open as the company can open it if they want but I don't think they would get much support from the community. Also, since it is the medical industry and most are out to make obscene profits they wouldn't want to give up the code anyway for their competitors to view. An alternative solution would be to have a rigorous testing/debugging process. Something along the lines of six sigma for coding. I'm not a coder so I couldn't tell you if something like that already exists.
    Loverock Davidson
    • RE: Software Freedom's latest target is medical devices

      @Loverock Davidson If vendors can cooperate on a standard, they can knock the bugs out.
  • RE: Software Freedom's latest target is medical devices

    Having worked for NASA, I can tell you that I totally disagree with this idea. The Space Shuttle systems are completely isolated from the rest of the infrastructure to prevent intrusion. This is a valid measure to save both lives and property. Medical implants should enjoy the same isolation. Open source would be a HUGE mistake. It would be best for the FDA/FCC to come to an agreement to keep the software top secret and under wraps, only to be accessed by qualified personnel. It would only take one cracker to kill or injure millions of implant users!
    • RE: Software Freedom's latest target is medical devices

      @Rand777 There's your problem. You can't isolate software the way you think. It can't be kept "under wraps." So it's inevitable someone underground will find a way in, and exploit it. Now are we going to prevent that or just wait for it to happen?
  • RE: Software Freedom's latest target is medical devices

    Open source is the way to go with this. How many people would look at the code? Practically everyone who writes computer programs will look at the code. I certainly will. This is an emerging field of programming and it needs lots more ideas.
  • RE: Software Freedom's latest target is medical devices

    @Loverock Davidson,
    I totally agree. Wow, I didn't think I would say that to one of your posts, but I do agree with you.

    I have worked, briefly, in the medical device industry, as a software engineer, and I can attest to the fact that the testing is rigorous. Anything that was to come in contact with a patient was put through a battery of tests and peer reviews (from people who both understood the application and the hardware into which it was going) before being sent out for clinical trials.

    I cannot see a benefit from opening the source. These are not applications running on a desktop. Some of this code is running on non-standard operating systems or no OS at all and would require an in-depth knowledge of the hardware to understand the functionality. The hardware design would have to be open sourced as well, and that would open the door for cheap (both in price and quality) counterfeit devices.

    I cannot see medical devices being open sourced, and I think it would be a bad idea.

    Absolving the companies of responsibility is also a bad idea.

    • RE: Software Freedom's latest target is medical devices

      @fromthehip You put your finger on something Loverock ignored, that's important.

      Right now device makers have a license to kill. The FDA didn't test their stuff, but their OK makes them immune to suit. And there are deaths from these things. Not just from software. Anyone remember that old Law & Order episode about the bad heart leads -- from when Michael Moriarty was playing the D.A. I mentioned it on some blog somewhere...
  • RE: Software Freedom's latest target is medical devices

    Having written my share of code, not device specific but wrote an EMR medical records system I can attest to the fact that this should not be open sourced as the software is not out there for beta testing in humans and the companies I know do a lot of testing but even with the best of all minds something gets missed. Look at what we use for operating systems where we get Tuesday updates for a good example.

    The software is designed for very specific hardware. There are a couple sites out there like E-Zassi whereby companies can look for specific matches with developers and companies like Medtronic use those sites too.

    When writing an EMR I was the doctor's shadow, as I had to watch and try to encompass everything he did and create the user solutions for ease of use as best I could, so it's a group effort with users/coders by all means, and with software/devices being so specific today it's too dangerous to throw it out there. Now if you had a portion of an entire solution that needed work, part of a program that could be crowd sourced a bit, but that is almost specific beta testing if you will.

    Drugs are now being designed virtually with software too with virtual virus, in other words they show the same functionality with software as they would in real life so this is getting pretty technical and designing a drug and device are 2 very different issues. The FDA often uses outside 3rd parties for their testing/approval process too so that is not all in house either.

    Now for what really gets me going are recalls on these devices and I have a campaign going since last October to get bar coding, Microsoft Tags on drugs and devices and have a synchronized data base at the FDA because people are implanted with devices that don't get pulled from the shelves that are defective, recalls were sent out and they were missed, so now we have a patient that died as he/she was implanted with a device that missed the recall efforts and this happens more than we want to think about as the FDA has no recall system. Here's my case and if you like it vote as it would help in many ways and this same technology is used with personal health records too, the Withings WiFi scale uses it, and there's a working solution for the same technology to authenticate a physician with the new DEA rules for controlled substances. Nothing upsets me more than to have someone die as a recalled product was missed and used in surgery. Scan that stent first! I have about 30 posts on this and when the recalls come up, it's time for another post for the cause.

    Here's the e-prescribing solution:

    Here's how you connect Google Health and HealthVault PHRs so you could store the device tag right in the PHR too!
  • RE: Software Freedom's latest target is medical devices

    It's scary the idea of a virtual virus can manifest itself into an error in prescription drug manufacturing. It's deplorable that the FDA does not have a recall system and your health or the health of a loved one can unnecessarily be at risk.