Lawyer Demands Pacemaker Vendor Supply Source Code 334
oztiks writes "Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code. Sandler's reasoning brings into question the device's reliably, stability, and oddly enough, security."
FDA requirements (21 CFR 820) (Score:5, Informative)
It's called software validation and it's a pain in the ass. It's such a pain for medical devices that everyone avoids it unless absolutely needed. Which is why medicine is 10 years behind when it comes to electronics.
For a "quick" overview, here's a start: http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm [fda.gov]
Re:first, we kill all of the lawyers (Score:4, Informative)
No - lawyers are disliked because they charge absorbent fees for sitting in an office and talking, or standing in a court and talking. They make nothing, and have the moral values of a squashed tomato*
You're assuming that the device she's due to have fitted is exactly the same design and construction as the ones they used 25 years ago. This is obviously false. For example, the original pacemakers paced the heart all the time, and as a result had a very limited battery life. Pacemakers these days are far more intelligent, and sense when a regulating beat is needed.
Having said that, your point about the qualified experts still holds.
* I'm probably going to get sued now by some lawyer representing squashed tomatoes for defamation of character.
wow (Score:5, Informative)
It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used
hahahahaahaha ahaahah.
you spoke like someone who has zero experience in software development.
Modern pacemakers have WiFi built in. (Score:5, Informative)
The summary is pretty bad, but one of the more salient points is that modern pacemaker/debrillators have Wi-Fi in them. Yes, WiFi. According the the recording, someone at defcon has already managed to hack into an insulin pump equipped with WiFi and been abe to manipulate the delivery rate (which could kill the patient). So the security concerns aren't completely unwarranted.
Demanding the source code is a bit silly. How many people are really going to be able to review the source code for a pacemaker/debriliator? Very very few. Even if they do, there's a hell of a lot more to a pacemaer/debrillator than the software, so why is it just the software that's her concern?
A more sane approach would be demanding the software follow basic security rules like not allowing the wi-fi connection to ever change anything in the medical device. (It's supposed to be a reporting mechanism so the doctor can follow the progress of the patient). I can't believe she has anylegal grounds to demand source code, so this is a fight for the minds of the public rather than a legal one. Demanding source code is a bit silly since most of the public doesn't even understand that there is such a thing as source code. The public is by now very aware of security problems and hackers, so ensuring that the wi-fi is read-only would be an easier battle to win.
Re:It's not forced on her (Score:5, Informative)
Secondly, because this is approved by the FDA, the manufacturer is exempt from liability for this kind of problem.
Untrue. Just because a product is FDA approved does not absolve a manufacturer from liability. This is not only true for medical devices, but pharmaceuticals as well.
The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.
Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software based device has increased so much, that companies are having a difficult understanding exactly what the FDA excepts.
Japan does not review software for devices, only hardware. However in order to get your product into the country it must be FDA approved.
Re:It's not forced on her (Score:5, Informative)
I saw her talk (Score:5, Informative)
Last year at OSCON. Sadly the line was too long for me to shake her hand and say thanks for starting this.
There's a few points I'd like to add, many already covered.
1) She's qualified to do this. Not to review the software. But she has plenty of good colleagues for that.
She's a director of GNOME (I know, I know...), former GC of the SFLC, an attorney... and ... from listening to her talk, she either genuinely gets software -- or someone that did wrote her whole speech for her.
2) This is a real, not a hypothetical problem.
People commenting without RTFA need to understand--These devices are 802.11 enabled. Remote exploits /have/ been demonstrated.
This is not a wholly uncommon situation -- one of my coworkers has a daughter with a computerized glucose pump that has also had remote compromise demonstrated.
And even a trivial interest in breathatlizers reveals there has been...myriad incidences of these devices not just being a total failure of design, but having rollover and similar bugs in their implementations.
3) People may be correct that it would be hard to get people to understand the code. That is wholly irrelevant and a false front of an argument. I don't care what your medical experience is in your industry or company. What your experience with regulators or lawsuits are. There's companies that commit fraud, lie, cheat, steal. They exist. This is indisputable. There's places where MBA's and biologists that can barely write a hello world by themselves compose pointer arithmetic, hit compile, hit test, and go home at the end of the day. I've worked at places like that on applications that could kill if they failed. It is why I do not as of two years ago.
I presently work with a woman that could not compose a CSV in a basic ETL from another filetype without help. She has the language being used using on her resume. Her workflow involved copy/paste off of the internet, and then changing one line at a time, saving it as file.### and trying to run it. If it didn't crash, she'd examine the output and try to put in what she thought would fix it. If it did, she'd try to find the error. When I offered a hand, she was currently at over her 500th revision.
So let me be damend clear -- even an unqualified person can do a basic code review just by running a fucking linter on it and looking at the warnings. Because if it generates one or a million -- that says something about the quality right there.
Why? Because unless you're in a business whose core business *IS* software, my personal experience is that 80% plus of the developers have never heard of one, and 95% don't know how to use it if they have. And that is why my code has less bugs than my colleagues.
Now -- even if my experiences are anecdotal, and "invalid" -- I've just proven the existence of the problem.
This is her life we're talking about. Her life entrusted to a piece of cybernetics that has had a demonstrated remote exploit.
Please /., have a little bit of humanity for once. This isn't about corporate profits, NDAs, lawsuits. This is about someone asking to read something to make an informed choice about their continued existence.
Re:It's not forced on her (Score:4, Informative)
No they don't. A lot of it is hidden under "natural flavours". We know they use a flavouring agent from the Coca leaf, for instance, but that doesn't appear in the ingredients list. Exactly what colouring agent they're using also doesn't appear.
Re:It's not forced on her (Score:5, Informative)
Jesus Christ on a bike, I know this is a US site but you are all being just a teensy bit US-centric here. I'm pretty sure that, what with the article appearing on a .com.au site, she's Australian. And therefore different rules may apply
Re:I trust my life to Boeing every time I fly (Score:5, Informative)
In the 90s, the FDA realized that even if it could see the could, there was no way it could realistically audit code for all the devices it is required to review annually. So they switch from attempting to verify devices directly to insisting that devices be design and developed under a very high quality engineering paradigm.
So instead of looking at code trying to find problems, what they do is demand artifacts of a very disciplined design development and test process, reasoning that if people are in fact actually writing out test cases, doing internal code reviews with documented changes arising from them, maintaining requirements traceability matrices linking each line of code to a user requirement and then a lower level system requirement, then that process will result in better code than the FDA could accomplish by their own audit or that of a 3rd party. So the woman should be asking to see the details of the company's FDA submission, presumably under NDA from the company.
Now, whether the FDA is employing Design Control in a strict enough way is definitely a fair question - in particular the 510k (predicate device) submission process has left a lot of loopholes (due to its risk class, a pacemaker does not go through 510k, it goes through the more demanding PMA process). But to suggest that she or someone she hires will just be able to wade through the code to decide if she thinks it's high quality seems to me more like grandstanding than anything else.
Re:It's not forced on her (Score:3, Informative)
The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.
Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software based device has increased so much, that companies are having a difficult understanding exactly what the FDA excepts.
The FDA provides minimal guidance on software. I'm working with a Medical Application Vendor now who insists that we install MS SQL Server 2005 SP3 (which is out of support) for their new released product. This is what the FDA approved. The FDA also has guidelines for commercial off the shelf software that require vendor comply with security updates. That isn't really a priority once something is approved, you see. Strictly speaking, the FDA considers devices using commercial off the shelf software to be end of life when any software vendor ends support. Medical Application Vendor's take is they have FDA approval, don't worry. We'll wind up installing this, but with enough conference calls and meetings to point auditors and lawyers at the vendor.