GNOME's Sandler: Is there a killer in the code?


Summary: Is there a killer in the software code running millions of medical devices? GNOME Executive Director Karen Sandler, formerly of the Software Freedom Law Center, has been fighting to get this software opened up for inspection and review since she received her own implanted defibrillator in 2008. The FDA and Supreme Court have been no help. She recently shared her journey at OSCON 2011.


What if your life depended on software -- and the source code was proprietary?

That's the dilemma faced by recently appointed GNOME executive director Karen Sandler, who was diagnosed with a serious heart condition in 2006 that required the implantation of a cardioverter defibrillator.

Yes, the software running her defibrillator -- a Medtronic EnTrust cardioverter -- is proprietary.

It is perhaps ironic that Sandler was an attorney at the Software Freedom Law Center in 2006. Yet in spite of her depth of knowledge about software, she was unable to convince the manufacturer to give her access to the code.

As she mulled the software dilemma, her medical team advised her to move forward with the procedure or risk sudden death.  Her IMD was implanted in 2008.

"I have a high risk of suddenly dying. I can't think about running to catch a bus or I might keel over," said Sandler, 36, who opened up about her personal situation at OSCON 2011 in an effort to educate the audience about the plight of millions of Implantable Medical Device (IMD) recipients.

"I asked the doctor what [software] the device ran and he looked at me like I was mad .... I called three major defibrillator manufacturers and asked if I [could] see the source code since I'm going to put [the device] in my body and I'd feel more comfortable knowing what's connected to my heart and that went nowhere. I offered to sign an NDA ... I don't want to rely on Medtronic for something as essential as my heart."

Unfortunately, her fears are not unfounded. As noted in a paper she wrote in July 2010 for the Software Freedom Law Center, called "Killed by Code: Software Transparency in IMDs," at least 212 deaths occurred from device failures in five different brands of IMDs from 1997 to 2003.

"The FDA issued 23 Class I (potentially fatal) recalls of defective devices during the first half of 2010 -- and at least six of them were likely caused by software defects," Sandler wrote in her paper, noting that while the FDA did not "explicitly cite software defects as the official Reason for Recall," the "description of device failures match those associated with source code errors."

In that paper, she cites one case in particular:

The death of 21-year-old Joshua Oukrop in 2005 due to the failure of a Guidant device has increased calls for regulatory reform at the FDA. In a paper published shortly after Oukrop’s death, his physician, Dr. Hauser concluded that the FDA’s post-market ICD device surveillance system is broken.

Sandler has worked tirelessly to make people aware of the dangers and try to force manufacturers to open up the code to professional audit. In 2009, she filed requests for information as part of the Freedom of Information Act. She still has not heard back.

To date, the courts have not been particularly helpful.

Here are some key excerpts from her paper:

In 2008, the Supreme Court of the United States’ ruling in Riegel v. Medtronic, Inc. made people with IMDs even more vulnerable to negligence on the part of device manufacturers. Following a wave of high-profile recalls of defective IMDs in 2005, the Court’s decision prohibited patients harmed by defects in FDA-approved devices from seeking damages against manufacturers in state court and eliminated the only consumer safeguard protecting patients from potentially fatal IMD malfunctions: product liability lawsuits. Prevented from recovering compensation from IMD-manufacturers for injuries, lost wages, or health expenses in the wake of device failures, people with chronic medical conditions are now faced with a stark choice: trust manufacturers entirely or risk their lives by opting against life-saving treatment.

This is the remedy she sought, along with like-minded open source attorneys:

We at the Software Freedom Law Center (SFLC) propose an unexplored solution to the software liability issues that are increasingly pressing as the population of IMD-users grows--requiring medical device manufacturers to make IMD source-code publicly auditable. As a non-profit legal services organization for Free and Open Source (FOSS) software developers, part of the SFLC’s mission is to promote the use of open, auditable source code in all computerized technology.


The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.

The Supreme Court’s decision in favor of Medtronic in 2008, increasingly flexible regulation of medical device software on the part of the FDA, and a spike in the level and scope of IMD usage over the past decade suggest a software liability nightmare on the horizon. We urge the FDA to introduce more stringent, mandatory standards to protect IMD-wearers from the potential adverse consequences of software malfunctions discussed in this paper. Specifically, we call on the FDA to require manufacturers of life-critical IMDs to publish the source code of medical device software so the public and regulators can examine and evaluate it. At the very least, we urge the FDA to establish a repository of medical device software running on implanted IMDs in order to ensure continued access to source code in the event of a catastrophic failure, such as the bankruptcy of a device manufacturer.

At OSCON 2011, one healthcare IT blogger expounded on the ramifications of open source in medical devices.

In an email this week, Sandler said she is busy with her life and work, but she remains very concerned not only about software bugs in medical devices but also about the increase in hacking of IMDs and the growing number of people receiving them. Hackers?

Sandler received an award at OSCON 2011 for her legal work on Killer Code.

Sandler acknowledges there's no easy answer to the problem, but she thinks she and others should have the right to have professional audits performed on the code and/or the right to pursue other remedies suggested in her paper.

"You know, I don't think getting the software under NDA would be enough. It was really upsetting that I wasn't given even that, but in the end, patients aren't necessarily experts. Even though I used to be a programmer, I'm not sure I'd now be able to effectively review the code myself. And, if I found a problem, my only option would have been to not get the device - there was no way I could have talked about it or made sure the problem was fixed," she wrote in an email.

In her paper, however, Sandler contends that having access to the device software would make her and others feel more secure.

"I don't have any updates, other than the fact that the insulin pumps have been hacked now as well and that there's been a push to review issues related to the software on these devices. I've been busy with my new job at GNOME, so beyond advocating for the issue I haven't had time."

Update: Medtronic's public relations department issued a statement on the matter late last week that was inadvertently omitted from the first version of this blog.

Medtronic always seeks the best available information technology solutions -- open-sourced or closed-source -- to serve our customers and patients. All software/firmware that resides in Medtronic devices and associated instrumentation is reviewed, approved and regulated by the FDA.

Software/firmware that runs on Medtronic devices is highly specialized to both our application as well as our unique, custom hardware platforms; to that end, it is not likely that a patient would see value in viewing software for our platforms. Furthermore, enabling a patient to view a program code for Medtronic's devices would require full disclosure of our proprietary hardware platforms and implementations. Security protocols and mechanisms leveraged by Medtronic's devices and associated instrumentation are public and standardized; Medtronic has not created unique security mechanisms or protocols for our systems.

It is important to note that sudden cardiac arrest kills 95 percent of the people who experience it within minutes. The only effective treatment for sudden cardiac arrest is defibrillation. Defibrillators are 98 percent effective in terminating life threatening arrhythmias that lead to sudden cardiac arrest.

  • You have your freedom to choose......

    and if you don't agree with the EULA of an IMD, just don't sign it. Simple.
    • RE: GNOME's Sandler: Is there a killer in the code?

      @cym104 If you need the device to live, that's not really a choice.
      • RE: GNOME's Sandler: Is there a killer in the code?

        Then just choose another manufacturer!
        Oh, sorry, I forgot: true Open Source Heroes compile their own defibrillators~
      • RE: GNOME's Sandler: Is there a killer in the code?

        @cym104 I don't really know how much choice people have as far as defibrillator manufacturers go, and I'm willing to bet all of their EULAs are similar.
      • RE: GNOME's Sandler: Is there a killer in the code?


        There are some pretty ignorant comments right at the top level here, comments by Cym104 specifically.

        The "shut up and sign it" approach to medicine is wrong! The author never said she wanted to modify the code, but she wants to know about the life saving, (or not,) device that is being surgically implanted in her chest. If you asked your doctor or pharmacist what was in the medicine you are taking or the procedure you are undergoing, that is your right and both would cooperate to the fullest. Most people are not chemists, but they want to know what is in the medicine they are taking. This is no different. All the IMD manufacturers ignored her requests.

        My first suspicion is that they are aware that the source code is a hodgepodge of spaghetti code and they are afraid of being sued, so they are trying to prevent it from reaching the light of day. This CYA attitude turned a patient's curiosity into a potential cover up!
    • RE: GNOME's Sandler: Is there a killer in the code?

      @cym104 Must be by far the stupidest thing I've ever heard. She's not talking about buying an iPad or consenting with Facebook's EULA you know...
    • RE: GNOME's Sandler: Is there a killer in the code?

      @cym104 Interestingly
      Student from Bosnia
  • RE: GNOME's Sandler: Is there a killer in the code?

    So how is open source software going to prevent a device failure over proprietary code?
    The one and only, Cylon Centurion
    • RE: GNOME's Sandler: Is there a killer in the code?

      @Cylon Centurion It's probably the "many eyes makes all bugs shallow" hypothesis. It's unproven, but many open source people swear by it.
      • RE: GNOME's Sandler: Is there a killer in the code?

        @CobraA1 It's funny how I keep getting updates for CentOS, Fedora, Ubuntu and Linux Mint.
      • RE: GNOME's Sandler: Is there a killer in the code?

        @CobraA1 Just like how it's unproven that the opposite is more secure.
        By the way, see OpenBSD. 2 notable security bugs in a decade. Adobe? Probably thousands. Microsoft? At least a hundred in just Windows. Apple? They hardly ever even talk about security.

        And no serious security expert ever trusts a security system that does not follow open and widely reviewed standards (like AES, PGP and similar).
      • RE: GNOME's Sandler: Is there a killer in the code?

        Who said some random 17yo should be able to patch YOUR device?
        This is simply just about read access, to be allowed to read the code to see how it works and what it does.
      • RE: GNOME's Sandler: Is there a killer in the code?

        @CobraA1 that is why we have a lot of updates to our Open Source software, as things are found, they are fixed!
      • RE: GNOME's Sandler: Is there a killer in the code?

        "Just like how it's unproven that the opposite is more secure."

        Personally, I believe that it's how the code is structured and what the testing methodology is that ultimately determines the security of the code, not some philosophy about how "open" the code is.

        I'm a big fan of automated testing. Unit tests and the like. I'd trust an automated testing framework long before I'd trust code reviews. Humans have a poor track record when it comes to reviewing code.

        "And no serious security expert ever trusts a security system that does not follow open and widely reviewed standards (like AES, PGP and similar)."

        And tested: There are suites of tests you can use against encryption standards to tell if they are working well or not. So they haven't just been reviewed by humans, they've also been tested by automated frameworks.

        And don't confuse the standard with the implementation. There are many cases of these standards being implemented poorly and leaving people vulnerable.
      • The 'many eyes' hypothesis is a bit like the infinite monkey theorem.

        @ CobraA1

        It's trivially true in the limit, but irrelevant in practice.
    • RE: GNOME's Sandler: Is there a killer in the code?

      @Cylon Centurion I don't think it's about the ability to change the code yourself, more like the option to file bugs so they can fix it themselves. And in that case you cannot really argue against the fact that many reviewers will eventually uncover any bugs.
  • RE: GNOME's Sandler: Is there a killer in the code?

    Medical devices should undergo the same level of trials and research that regular medicines have to undergo (if they don't already). I agree that rigor is needed in the certification process for these devices.
    Why is the source code important? As long as the devices passed testing it should not matter whether the code is open or closed. We don't get to view the code that controls microwave ovens, airplanes or cars and shouldn't have to.
    • RE: GNOME's Sandler: Is there a killer in the code?


      They do have to undergo certification.
    • Good point. Nobody ever demands to see the source code

      controlling the avionics in Boeing or Airbus's systems, I can't remember reading the last time someone wanted to see the code controlling the ABS on a car, there are a lot of things that we trust our lives to that we never think about the code controlling.

      I will say knowing that you need a device like this to stay alive really does get you thinking about your own mortality, maybe that's the difference.
      William Farrell
      • RE: GNOME's Sandler: Is there a killer in the code?

        @William Farrell Good point, but you don't implant a car inside your body. When a device becomes a part of you I can imagine that such stuff troubles you a bit more. Can you blame her?