Patient Just Wants To See Data From His Implanted Medical Device 262
An anonymous reader writes "Hugo Campos got an implanted cardiac defibrillator shortly after collapsing on a BART train platform. He wants access to the data wirelessly collected by the computer implanted in his body, but the manufacturer says No. It seems weird that a patient can't get access to data about his own heart. Hugo and several medical device engineers are responding to live Q/A on Sunday night on such topics via ACM MedCOMM webcast at ACM SIGCOMM."
Unsurprising (Score:5, Insightful)
It seems weird that a patient can't get access to data about his own heart.
No more weird than your stem cells and DNA being patented. In fact, according to intellectual property law, you don't own your body, or any of the parts implanted in it... it's all covered by a patchwork of patents on genetic materials and derived medical uses. You should be careful with yourself... it's a felony to damage government property... Or was that corporations? I confuse the two so much these days... (-_-)
Re:Is it worth it? (Score:5, Insightful)
a) Would he understand what the data meant?
Maybe not, but maybe he wanted to get (n+1)th opinion.
b) Maybe the software and what not is proprietary?
But he doesn't want the 'ware. He wants the data it produces.
Just some thoughts that come to mind
In this case those are gross overstatements.
Re:Makes some degree of sense... (Score:2, Insightful)
While security through obscurity isn't a good approach I figure with something such as a that you'd want to take every step you can to make sure as little information gets out about it as possible.
Next year on defcon - learn how to hotwire your neighbour! Literally! From your android device! (or iphone, but you have to be jailbroken and pay 99c for the app. But it comes with a jump-o-meter to measure how high he jumps.)
Access to data doesn't have to mean code review or access to command and control functions.
I have access to the event logs on my MS Windows O/S, doesn't mean I have the Windows code base.
Re:Is it worth it? (Score:5, Insightful)
I suspect their refusal to allow access might be along the lines of hiding from potential liability if the product reacts or behaves improperly at any time. Imagine a grieving widow who discovers a pattern in the data where the device takes 3 minutes too long to respond properly every 500 or 1000 times it stimulates the heart or the input says it should.
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor. Perhaps they are worried the control signals would be discovered and after a trip to an electronics store, the widow could be celebrating getting rid of her husband instead of grieving? I see no other reason for keeping it hidden other then to avoid liability or stop potential abuse.
Re:His doctor should be entitled to the data, peri (Score:2, Insightful)
There are legitimate medical reasons why some patients shouldn't have access to all raw medical data.
This is particularly true in psychiatric medicine, where past therapists are required to pass on notes to future therapists, but patients don't necessarily have the right to read the notes themselves.
Now, if the company is refusing to share the raw data with the patient's doctor, that's just plain wrong and it should be illegal. Likewise, if they are refusing to share it with the patient's attorney, then the attorney should have an absolute right to subpoena it.
Likewise, if the doctor doesn't have a bona fide medical reason for refusing to pass that data on to the patient, that should be called medical malpractice.
He is not a psych patient so all his healthcare info legally belongs to the him...
Re:Is it worth it? (Score:3, Insightful)
Concerning the (absence of) malfunctions, wasn't that the goddamn job of the FDA in the first place?
As for the remote tinkering, what does the output have to do with the input? Suppose some sort of requests are required to yank the data out. What possibly could be the problem in making the readout plain and setup secure?
Re:Is it worth it? (Score:5, Insightful)
Not to sound against it, but
a) Would he understand what the data meant?
b) Maybe the software and what not is proprietary?
Just some thoughts that come to mind
a) He certainly isn't going to have a better chance of understanding the data if he isn't allowed to see them... Would I be polishing my 'I told you so' reflexes if he decides to do a bit of amateur reprogramming? Sure. Does denying somebody access to even view data because they might not understand it make sense? About as much sense as keeping books away from children because they aren't yet literate...
b) Given that the manufacturer won't disclose it, it apparently is proprietary. That's sort of the entire issue. We have now(and, barring exciting economic apocalypse of some flavor) and will have in greater numbers and in more significant capacities, a population for which 'binary blobs' are inside their bodies, not their laptops. Some of them don't like this.
Re:Is it worth it? (Score:4, Insightful)
But then, the refusal itself could be construed as indication that something is wrong with the device, because otherwise, why hide the data?
Re:This is illegal under HIPAA. (Score:5, Insightful)
Re:If the data is being "wirelessly" transmitted.. (Score:5, Insightful)
If it's encrypted, then this would give them access to both the cyphertext and cleartext of the data, which is the essentials of what you need to reverse engineer the cryptography.
Now ideally, the control and reporting cryptography would use different keys, but there is only so much code you can fit into a small embeddable medical devices, and it's likely they are the same code, if not the same key pair.
In this case, it's reasonable to not give samples of both sets of data out to prevent reverse engineering of the control channel which could then be used on someone else's implanted medical device.
Re:Is it worth it? (Score:4, Insightful)
Re:Is it worth it? (Score:5, Insightful)
You would think that you would have a right to any data produced by your body or devices used in keeping it alive and it would be available to at least you or your doctor
You already have a right to all of your medical records. I don't understand how this data is not a "medical record."
Re:Is it worth it? (Score:4, Insightful)
"Oh, you own the implant, but the software is licensed. Make sure you keep up your license payments and come in for your monthly compliance review or we'll use the remote kill switch."
Re:It would be illegal under HIPAA to give it out (Score:5, Insightful)
If the information is common to everyone with the same implant is it, by definition, not personally identifiable or private health information. Disclosing the existence of patient Q to patient R, or visa versa, would be a violation. But merely telling either of both of them independently that they have their implant set to "Mode B" is not, just as telling patient Q that he has a heart rate of 79 is not a violation if patient R happens to also have a heart rate of 79.
Also, even if there is some private data that needs to be hidden, it's entirely possible to design a crypto system that's secure against known-plaintext attacks. Almost are modern crypto systems are; you'd have to do something dumb to not get that feature from any common crypto library.
Re:Is it worth it? (Score:5, Insightful)
You don't get to peek inside your machine to see for yourself it's a good one, just like the airline will not let you take a wrech to the jet engine or even kick the plane's tires.
I have one of these devices [bostonscientific.com] since last year after my (4th) heart attack. I am also a physician, so I would understand the data. But honestly I don't see the need. When I go get checked up, the Boston Scientific staff are more than happy to explain anything I ask - and I do ask some detailed questions. I am quite sure that the device and its software are proprietary and also trade secrets of the company.
But there's another reason: Honestly one shouldn't go around tinkering or "hacking" an implanted device. They come with limited battery life - most of which is covered by warranty (if my battery runs out before 10 years I get the device replaced and the procedure paid for by the company, anywhere in the world). Radio signals require energy, asking the device to read its cache requires energy, and the manufacturer would be put in a position where it might have to cover a warranty on a battery that didn't fail because of design, but because of tinkering. They can hardly say "no" and let the patient die. That, and of course what if the "hacker" manages to mistakenly change the machine's settings so it's firing inappropriately, draining the battery within days, or better yet firing and triggering a lethal arrhythmia. The company would be blamed (at least initially) for a "faulty" device. It's bad business, and I understand it.
I really don't feel like playing with my implant. I really don't feel like paying for someone else who wants to play with their implants, in the form of increased costs because the company has to set more aside for liability. I selected my device after both research into the company, the model, and this type of device as a whole. And my cardiologist's opinion. And a 2nd opinion. You can look at the statistics for the device, compiled in a scientific manner, and compare it to other devices, and that's it.
Re:Patient Bill of rights.... (Score:5, Insightful)
This anecdote is not so that I can say I am an old cantankerous fart, it it to illustrate that even though people have rights to information, the ones that hold the information feel compelled not to give it up. THis is true with software, medical data, music... I don;t know where this attitude comes from.
Emboldening mine. I know where the attitude originates, and so doe Sid Meier...
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
- Commissioner Pravin Lal, Alpha Centauri
Re:You also have the right to *not* be a dick. (Score:5, Insightful)
Odd, I was thinking about the same thing. Except that it's the receptionist who needs that speech, not the poster. The poster wanted nothing more than that the reception spend literally a couple of minutes getting what he had a clearly documented right to have. Three cheers for the poster! If more people would refuse to put up with bureaucratic bullshit, the world would be a much better place. I hope his son grows up to be just like him.
This is a nonstory (Score:4, Insightful)
Disclosure: I am a doctor, and I work with patients with pacemakers on a frequent basis.
If he wants a raw printout of the data generated, he should make an appointment, stop by his cardiologist's office, and ask the cardiologist. I've been asked a few times by curious patients to see the readouts. I always show it to them, give them the clinical interpretation of the data, and let them keep it if they want. Most don't; it's several hundred small pages of gibberish to an untrained eye, linked together like the old dot matrix printer pages.
If he feels uncomfortable with having a machine in his body that he can't check out himself every second of every day, he can ask to have it turned off ("turned off" being simplistic) or for a surgeon to remove it. [Insert belief system here] didn't give him the pacemaker growing in him when he was born - he can choose to use it as designed or choose not to use it, which is a valid choice. There are real potential harms to widely propogating machines that could decrypt the data; the exact same machines allow us to reprogram the device, including settings that could harm or kill the patient. The encryption IS the security on implantable, reprogrammable medical devices; password, 2 step authorization or the like is not possible due to the existence of medical emergencies in which prompt access by medical personnel not normally involved in his care to the input and output of the device can mean the difference between life and death.
Re:Is it worth it? (Score:4, Insightful)
this airplane doesn't collect very intimate details about me while I sit in it.
Playing the devil's advocate, there's not really anything intimate about your heart rate and the shape of your QRS complexes. It's not really "personally identifiable information", unlike say your name, DOB, passport number, destination, seat number, who you are travelling with, all your previous travel history and your credit card number kept by the airline, for example.
Re:Is it worth it? (Score:4, Insightful)