GNOME's Sandler: Is there a killer in the code?

Is there a killer in the software code running millions of medical devices? GNOME Executive Director Karen Sandler, formerly of the Software Freedom Law Center, has been fighting to get this software opened up for inspection and review since she received her own implanted defibrillator in 2008. The FDA and Supreme Court have been no help. She recently shared her journey at OSCON 2011.

Imagine if your life depended on software --and the source code was proprietary?

That's the dilemma faced by recently-appointed GNOME executive director Karen Sandler. who was diagnosed with a serious heart condition in 2006 that required the implantation of a cardioverter defibrillator.

Yes, the software running her defibrillator , a Medtronic EnTrust cardioverter -- is proprietary.

It is perhaps ironic that Sandler was an attorney at the Software Freedom Law Center in 2006. Yet in spite of her depth of knowledge about software, she was unable to convince the manufacturer to give her access to the code.

As she mulled the software dilemma, her medical team advised her to move forward with the procedure or risk sudden death.  Her IMD was implanted in 2008.

""I have a high risk of suddenly dying. I can't think about running to catch a bus or I might keel over," said Sandler, 36, who opened up about her personal situation at OSCON 2011 in an effort to educate the audience about the plight of millions of Implantable Medical Devices (IMD) recipients.    

"I asked the doctor what [software] the device ran and he looked at me like Iwas mad .... I called three major defribullator manufacturers and asked if I [could]  see the source code since I'm going to put [the device]in my body and I'd feel more comfortable knowing what's connected to my heart and that went nowhere. I offered to sign an NDA ... I don't want to rely on Medtronics for something as essential as my heart."

Unfortunately, her fears are not unfounded. As noted in a paper she wrote in July 2010 for the Software Freedom Law Center, called "Killed by Code: Software Transparency in IMDs, at least 212 deaths occured from device failures in five different brands of IMDs from 1997 to 2003.

The FDA issued 23 Class I (potentially fatal) recalls of defective devices during the first half of 2010 -- and at least six of them were likely caused by software defects," Sandler wrote in her paper, noting that while the FDA did not "explicitly cite software defects as the official Reason for Recall, the "description of device failures match those associated with source code errors."

In that paper, she cites one case in particular:

The death of 21-year-old Joshua Oukrop in 2005 due to the failure of a Guidant device has increased calls for regulatory reform at the FDA. In a paper published shortly after Oukrop’s death, his physician, Dr. Hauser concluded that the FDA’s post-market ICD device surveillance system is broken.

Sandler has worked tirelessly to make people aware of the dangers and try to force manufacturers to open up the code to professional audit. In 2009, she filed requests for information as part of the Freedom of Information Act. She still has not heard back.

To date, the courts have not been particularly helpful.

Here are some key excerpts from her paper:

In 2008, the Supreme Court of the United States’ ruling in Riegel v. Medtronic, Inc. made people with IMDs even more vulnerable to negligence on the part of device manufacturers.4 Following a wave of high-profile recalls of defective IMDs in 2005, the Court’s decision prohibited patients harmed by defects in FDA-approved devices from seeking damages against manufacturers in state court and eliminated the only consumer safeguard protecting patients from potentially fatal IMD malfunctions: product liability lawsuits. Prevented from recovering compensation from IMD-manufacturers for injuries, lost wages, or health expenses in the wake of device failures, people with chronic medical conditions are now faced with a stark choice: trust manufacturers entirely or risk their lives by opting against life-saving treatment.

This is the remedy she sought, along with like-minded open source attorneys:

We at the Software Freedom Law Center (SFLC) propose an unexplored solution to the software liability issues that are increasingly pressing as the population of IMD-users grows--requiring medical device manufacturers to make IMD source-code publicly auditable. As a non-profit legal services organization for Free and Open Source (FOSS) software developers, part of the SFLC’s mission is to promote the use of open, auditable source code5 in all computerized technology.

More....

"The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.

The Supreme Court’s decision in favor of Medtronic in 2008, increasingly flexible regulation of medical device software on the part of the FDA, and a spike in the level and scope of IMD usage over the past decade suggest a software liability nightmare on the horizon. We urge the FDA to introduce more stringent, mandatory standards to protect IMD-wearers from the potential adverse consequences of software malfunctions discussed in this paper. Specifically, we call on the FDA to require manufacturers of life-critical IMDs to publish the source code of medical device software so the public and regulators can examine and evaluate it. At the very least, we urge the FDA to establish a repository of medical device software running on implanted IMDs in order to ensure continued access to source code in the event of a catastrophic failure, such as the bankruptcy of a device manufacturer.

At Oscon 2011, one healthcare IT blogger expounded on the ramifications of open source in medical devices.

In an email this week, Sandler said she is busy with her life and work but she remains very concerned not only about software bugs in medical devices but in the increase in hacking IMDs and an increasing number of people receiving IMDs. Hackers?

Sandler received an award at OSCON 2011 for her legal work on Killer Code.

Sandler acknowledges there's no easy answer to the problem, but she thinks she and others should have the right to have professional audits performed on the code and/or the right to pursue other remedies suggested in her paper.

"You know, I don't think getting the software under NDA would be enough. It was really upsetting that I wasn't given even that, but in the end, patients aren't necessarily experts. Even though I used to be a programmer, I'm not sure I'd now be able to effectively review the code myself. And, if I found a problem, my only option would have been to not get the device - there was no way I could have talked about it or made sure the problem was fixed," she wrote in an email.

In her paper, however, Sandler contends that having access to the device software would make her and others feel more secure.

" I don't have any updates, other than the fact that the insulin pumps have been hacked now as well and that there's been a push to review issues related to the software on these devices I've been busy with my new job at GNOME, so beyond advocating for the issue I haven't had time."

Update: Medtronics' public relations department issued a statement on the matter late last week that was inadvertently omitted from the first version of this blog.

Medtronic always seeks the best available information technology solutions -- open-sourced or closed-source -- to serve our customers and patients. All software/firmware that resides in Medtronic devices and associated instrumentation is reviewed, approved and regulated by the FDA.

Software/firmware that runs on Medtronic devices is highly specialized to both our application as well as our unique, custom hardware platforms; to that end, it is not likely that a patient would see value in viewing software for our platforms.  Furthermore,

enabling a patient to view a program code for Medtronic's devices would require full disclosure of our proprietary hardware platforms and implementations. Security protocols and mechanisms leveraged by Medtronic's devices and associated instrumentation

are public and standardized; Medtronic has not created unique security mechanisms or protocols for our systems.

It is important to note that sudden cardiac arrest kills 95 percent of the people who experience it within minutes. The only effective treatment for sudden cardiac arrest is defibrillation. Defibrillators are 98 percent effective in terminating life threatening arrhythmias that lead to sudden cardiac arrest.