×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

SFLC Wants To Avoid Death by Code

timothy posted more than 3 years ago | from the me-too-me-too dept.

Government 247

foregather writes "The Software Freedom Law Center has released some independent research on the safety of software close to our hearts: that inside of implantable medical devices like pacemakers and insulin pumps. It turns out that nobody is minding the store at the regulatory level and patients and doctors are blocked from examining the source code keeping them alive. From the article: 'The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled. ... Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD's source code or test its security.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

247 comments

this is Surprising? (5, Insightful)

querky (1703040) | more than 3 years ago | (#32998094)

the software running your pacemaker is probably patented too!

Re:this is Surprising? (-1, Flamebait)

stonewallred (1465497) | more than 3 years ago | (#32998132)

and this is news, surprising or insightful how, exactly? The FDA is for making the pharma companies shit tons of money, not to safeguard the health of the American people. If they were, they would outlaw alcohol and legalize marijuana.

Re:this is Surprising? (3, Insightful)

JustinRLynn (831164) | more than 3 years ago | (#32998192)

They tried to outlaw alcohol once.. look where it got them. Sometimes the cure is worse than the disease.

Re:this is Surprising? (3, Insightful)

insertwackynamehere (891357) | more than 3 years ago | (#32998336)

It really kills me when someone is all for marijuana being legalized but thinks that banning alcohol is the second greatest idea in their head. I know frustrated potheads love to feed the whole "alcohol is more dangerous than weed" line over and over, but not everyone who drinks alcohol does so in a way that threatens their health. Someone who smokes weed everyday and turns every conversation into a "weed should be legalized" conversation is a lot more unhealthy than someone who drinks alcohol in moderation.

Re:this is Surprising? (1, Flamebait)

stonewallred (1465497) | more than 3 years ago | (#32998422)

I did not say it was a good idea to make alcohol illegal. I said if the FDA was concerned with keeping Americans safe from health risks they'd ban alcohol. And another funny from you two is that while I support the legalization of pot, I don't use it. And I know, without a doubt, alcohol is the most deadly drug we have. (BTW in college working towards a MA, aiming towards being a LPC or LSW specializing in substance abuse treatment). But like cigarettes, another nasty, deadly item, I indulge in both alcohol and tobacco way too much for my health. 2-3 packs a day and about a pint to a quart of everclear a night. The 190 proof at that. But thanks for the amateur psychoanalyzing, it was very humorous.

Re:this is Surprising? (0)

HubHikari (1217396) | more than 3 years ago | (#32998620)

And I know, without a doubt, alcohol is the most deadly drug we have.

Oh really. I would love to see the studies on THAT. Alcohol is only dangerous because we have stupid, stupid people who insist on drinking and {beating their family|driving|deciding to do really dumb shit}. Alcohol, in and of itself, is not dangerous when consumed in moderation. The same can be said of marijuana. However, drugs like crack and PCP are inherently dangerous due to the effects they have on the human body.

Enjoy your self-righteous asshattery.

Re:this is Surprising? (1)

LordLucless (582312) | more than 3 years ago | (#32998790)

SUM(DrunkDrivingDeaths) + SUM(AlcoholFueledDomesticViolenceDeaths) > SUM(ODedOnCrack)

Your using different criteria to evaluate danger. You're looking at each drug in a vacuum, he's looking at how society chooses to use each drug. And unless you know of some magical way to stop drunk driving and domestic violence, his perspective is a lot more realistic.

How are you alive? (4, Informative)

zooblethorpe (686757) | more than 3 years ago | (#32998780)

I'm not trolling or flaming at all here, I'm genuinely surprised.

about a pint to a quart of everclear a night

By my quick-and-dirty calculations:

  1. 1 qt = 946 ml
  2. @ 95% ABV = around 900 ml of pure alcohol (898.7 ml)
  3. 12 oz (bottle of beer) = 355 ml
  4. @ 5% ABV = around 18 ml of pure alcohol (17.744 ml)
  5. 1 qt everclear = 50 12-oz bottles of beer
  6. 1 pt everclear = 25 12-oz bottles of beer

I tend to feel rough after four or five beers. How is it you're drinking five to ten times that *a night* and still around to talk about it lucidly? I'd expect some serious delerium tremens in short order on that track...

Curious,

Re:How are you alive? (1)

h4rr4r (612664) | more than 3 years ago | (#32998812)

4 or 5 beers is rough? I don't drink 25, but it takes 4 or 5 to just feel it. 12 is a fun Friday night.

4 or 5 is what my girlfriend would call rough.

Re:How are you alive? (1)

zooblethorpe (686757) | more than 3 years ago | (#32998870)

I never claimed to be much of a drinker. :)

On a more sobering note, it's partly that my mom drank herself to death, and I'd rather not follow in her footsteps.

And as a side benefit, having a wuss tolerance is certainly cheaper!

Sláinte,

Re:How are you alive? (1)

zooblethorpe (686757) | more than 3 years ago | (#32998908)

I never claimed to be much of a drinker. :)

On a more sobering note, it's partly that my mom drank herself to death, and I'd rather not follow in her footsteps.

And as a side benefit, having a wuss tolerance is definitely cheaper!

Sláinte,

Re:How are you alive? (1)

CyDharttha (939997) | more than 3 years ago | (#32998932)

I used to drink a lot a have a great time with the night life. Now I have three kids and a more-than-full-time job. I'm lucky if I can get down two beers in a night.

Sigh!

Re:How are you alive? (1)

copponex (13876) | more than 3 years ago | (#32998968)

I've had my hard days, though not 25 or 50 cans of beer. However, when I worked in construction, I knew some guys who could buy a 24 pack and put it away all by themselves, every single night. I also knew some guys who could drink almost a handle of vodka by themselves. Those are the real alcoholics. Some of them never stopped drinking at all. Wake up, have a screwdriver. Carry a flask around at work. Drink more with lunch.

I'll never forget one of the guys turning yellow and his buddies dropped him off at the hospital, of course stopping on the way for one last pint. Two days later he was dead.

The worst I ever did was probably the night I drank 12 Trois Pistoles in a four hour session. I have not made that same mistake twice. The bill was almost as bad as the hangover.

Re:How are you alive? (0)

Anonymous Coward | more than 3 years ago | (#32999142)

My mother used to drink 1.5 to 3 quarts of (cheap) vodka per night. I guess it was 40-50% ABV or something. I remember, more than once, when she had been passed out with hardly detectable respiration and an unmeasurable pulse. She set the local hospital record with a BAC of .45 percent on one occasion.

She doesn't drink any more. Although she has quit many times during her lifetime. I think this time it's for good. And I can tell you, the permanent effect on her brain has not gone unnoticed by me.

Re:this is Surprising? (0)

Anonymous Coward | more than 3 years ago | (#32998814)

Doctor, heal thyself. But seriously, your alcohol intake is unhealthy - clearly beyond mere tolerance. You need to seek treatment now, not later. Not in a week, a month, a year. Now.

Re:this is Surprising? (0)

Anonymous Coward | more than 3 years ago | (#32998866)

I'm supposed to believe a guy with the name stonewallred who supports legalization of marijuana while doing copious amounts of other substances doesn't smoke pot.

Comon, let's be honest with each other here, you are high right now.

Re:this is Surprising? (4, Informative)

Anonymous Coward | more than 3 years ago | (#32999000)

But thanks for the amateur psychoanalyzing, it was very humorous.

Yeah, I guess a real psychoanalyst requires someone who...

...is a convicted burglar [slashdot.org] for multiple counts of grand larceny:

I was a thief when I was teen-ager. Not a grab and run, bust a glass thief either. I was a break in, and steal everything you had in the house, and bust your safe if you had one.

...is a major douchebag [slashdot.org]:

Eh, I got banned from the WoW forums on one account for calling the mods fucktard asshats who...well, you get the idea.

...is a douchebag AND a troll [slashdot.org]:

Whoever modded the above post troll is a fucking idiot whose mother is a cocksucking whore on a Glasgow street corner. If you fail to recognize a legitimate question, maybe you need to get the dick out of your mouth and the dildo from your ass and learn to read. That's the problem with handing moderation points to just anyone on /. Fucking morons get them too.

...is a white supremacist [slashdot.org]:

Niggers are different than me and need to be looked down upon, especially if the law prevents me from killing them on sight or at least putting them back in chains and out in the fields.

...is an attempted killer [slashdot.org] (thankfully only attempted):

Convicted of 1 B&E, 1 Burglary, 1 Armed robbery, 1 assault with a deadly weapon inflicting serious injury with intent to kill, Violating the federal Firearms Licensing Act, Possession of Stolen Government property, and an explosives charge for the hand grenades.

...believes mentally ill people should be put down [slashdot.org]:

If someone is a diagnosed pedophile, there is only one sure fired way to make sure they never do it again, a bullet through the head, or a more humane method if that is your preference.

...enjoys taking out his rage by beating up pedophiles [slashdot.org] while in prison:

We'd beat them [the pedophiles] down, the guards would beat them down, and they would not stop, could not stop more likely.

And the very best part is, this guy is a certified counselor [slashdot.org]! And he's PAID by your very own tax money!

I work as as a SAC II (substance abuse counselor) for pay, part-time and also am doing my internship at the same location. It's free work IMNSHO. The only reason I put up with it is because as soon as I finish my MA and get my license, I go full time with about a 95% pay raise, plus state government benefits, and will be able to do private assessments and counseling on the side for about a grand a week.

Hire your own stonewallred today! Limited offer! *Exclusions include non-whites, democratic party members, women, and educated persons.

I feel so inspired and humbled.

Re:this is Surprising? (1)

nedlohs (1335013) | more than 3 years ago | (#32999048)

So you never drive, since that amount of alcohol every night means you are always over the legal limit?

Or you are *really* obese, which I guess is pretty likely since you are consuming 150% to 300% of the normal human calorie intake just in everclear.

At usual rates you'll take 70 hours to get back to a legal BAC, but since there's less than 24 before you drink the next batch you must be excreting it in various additional ways.

Re:this is Surprising? (0)

Anonymous Coward | more than 3 years ago | (#32999180)

So you never drive, since that amount of alcohol every night means you are always over the legal limit?

What makes you think stonewallred is particularly concerned with the law [anonymouse.org]?

Re:this is Surprising? (0)

Anonymous Coward | more than 3 years ago | (#32998672)

Kind of like the person who wants to force motorcyclists to wear helmets but doesn't want to be ticketed for not wearing their seat belt in a vehicle.

Re:this is Surprising? (1)

ooshna (1654125) | more than 3 years ago | (#32998748)

Not everyone who drinks alcohol over does it and causes harm to ones self or others, but there have been alot more families ruined by drunk drivers and a lot more organs that have failed b/c of alcohol than from marijuana. Even heavy smokers are much less dangerous than heavy drinker. No I don't believe smoking weed is much less of a health hazard as a lot of smokers will try to tell you but when it comes to a lesser of two evils I think the scales are tipped very very far in marijuana's favor.

Re:this is Surprising? (0)

Anonymous Coward | more than 3 years ago | (#32999148)

Physically unhealthy? Prove it.

So what (5, Insightful)

clarkkent09 (1104833) | more than 3 years ago | (#32998136)

Does a government agency examine the source code which keeps airliners in the air, cars on the road, nuclear plants from blowing up etc etc? If the government is going to evaluate and approve every important piece of code line by line we will pretty soon run out of programmers. But then, chip designs will have to be evaluated too because they can fail as well. Next, mechanical designs, engines, turbines, reactors, better make sure that the government is stocked with experts in all those fields too.

After all, nothing can possibly be safe until it is certified as such by the government. Just ask hundreds of thousands of people who died while the drugs that could have saved them were waiting for the FDA approval. They are pretty safe now.

Re:So what (0)

Anonymous Coward | more than 3 years ago | (#32998198)

we will pretty soon run out of programmers

Large numbers of programmers are out of work; they would disagree with you on the "pretty soon" aspect of your bold claim

Re:So what (1)

Dahamma (304068) | more than 3 years ago | (#32998518)

Much larger number of programmers are gainfully employed, and there are thousands of openings for software engineers in the SF Bay Area alone. Does anyone really want the ones who can't get hired reviewing mission critical code anyway?

Re:So what (4, Insightful)

QuantumG (50515) | more than 3 years ago | (#32998202)

I think you miss the point. You should be able to examine the code in the pacemaker inside you - or hire an expert to do so.

Re:So what (1)

clarkkent09 (1104833) | more than 3 years ago | (#32998400)

That's not really what the summary says when it complains that "[FDA] is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled". But even so, where do you draw the line. What is the principle involved here: that you should be able to examine the software (and presumably hardware?) design of any device that has impact on your survival? If so, that opensources a huge number of products which may be the point, seeing that this comes from something called "Software Freedom Law Center".

Re:So what (1)

QuantumG (50515) | more than 3 years ago | (#32998442)

However much a reasonable person agrees should be. Note that most reasonable people don't consider RMS a reasonable person, so it's somewhere between pacemakers and text editors.

Re:So what (1)

PopeRatzo (965947) | more than 3 years ago | (#32998590)

What is the principle involved here: that you should be able to examine the software (and presumably hardware?) design of any device that has impact on your survival?

Of course. You, and your doctor, and any agency that is allowing that product to be sold for a particular therapeutic purpose should be able to examine the software (and hardware ) design of any device that is sold specifically for a medical purpose.

Re:So what (0)

Anonymous Coward | more than 3 years ago | (#32999146)

Disclaimer: I consult for a medical device company.

I do not have any idea how anyone could expect to review all of the code associated with any medical device. That combined with the fact that a large part of the value of these companies comes from the code.

Open sourcing the code cuts the value of trying to build medical devices to begin with, which does not seem very positive longer term.

Re:So what (0)

Anonymous Coward | more than 3 years ago | (#32999214)

I actually code these things for a living and my company would be pretty embarrassed if people found our secret flying game we put in.

Re:So what (0, Troll)

cosm (1072588) | more than 3 years ago | (#32998274)

I agree with you, partly. Hardware that is literally the only thing keeping you alive should be subject to some regulation. I don't think code-reviews by bureaucrats is a good option, but perhaps independent third parties would be a start. If your heart stopped tomorrow, would you feel comfortable with your pulse being driven by some opcodes a small team put together with no oversight? Other examples of this are like the FDA, the FAA, and other agencies that monitor products / services that have the potential to end life. I am not saying they are perfect, but taking in cases of life and death, you need a bit of regulation sometimes to keep big business from getting greedy and disregarding human life.

Yes, agencies like the FDA have become bureaucratic clusterfucks of non-progression and end up doing more damage than good. This is relatively true. But this can be fixed, by voting looking at representatives voting records, voicing your opinion to congressmen, and spreading the word to everybody you know, kicking these moneysuckling asshats out. If we all take a lackadaisical position towards government participation, you cannot expect it to get any better.

Re:So what (4, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#32998650)

I don't think code-reviews by bureaucrats is a good option

Of course not, but presumably the reviews would be done by programmers and analysts who would then report to the FDA.

When a drug is evaluated for it's safety and effectiveness, it's not "bureaucrats" that are doing the evaluation, it's doctors and pharmacologists and public health specialists.

When you throw a word like "bureaucrats" around, you make it sound like some clerk from the DMV is going to be doing the evaluation.

Yes, agencies like the FDA have become bureaucratic clusterfucks of non-progression and end up doing more damage than good.

Only because the lobbyists who have become the ones writing the regulations prefer it that way. The answer is certainly not to "fix" the bureaucracy by making them even more ineffective. Anyone who tries to reduce the argument to "less government" is trying to do exactly that. I know that's not what you're doing, of course, but there are people who have been misled into believing that the solution to any problem is "less government". However, there are very few examples where deregulation has made a situation better for anyone but a very few.

Re:So what (4, Informative)

paeanblack (191171) | more than 3 years ago | (#32998882)

Hardware that is literally the only thing keeping you alive should be subject to some regulation. I don't think code-reviews by bureaucrats is a good option, but perhaps independent third parties would be a start.

Given that basically all such devices have been reviewed by Underwriter Laboratories or an equivalent OSHA recognized testing lab already, I don't see what needs to change.

Despite all the flaws of the US tort system, it does provide a strong financial incentive for things like pacemakers to be designed robustly. And yes, the code also gets reviewed.

It may surprise people, but the system being proposed is already in place and it works pretty well.

Re:So what (1)

mirix (1649853) | more than 3 years ago | (#32998370)

Mission critical things (life support, nuclear core monitors, etc) sure as fuck should have an independent code review.

Re:So what (1)

meerling (1487879) | more than 3 years ago | (#32998408)

Whether or not the government looks at / approves of the code, it should be available to both the medical profession and those who's bodies it's being implanted in. As far as I'm concerned, the moment a piece of hardware is placed in my body, it totally freaking belongs to ME, just like the rest of my organs.

Re:So what (1)

XanC (644172) | more than 3 years ago | (#32998522)

You don't have to have the device installed at all, you know. You're the one who needs a service from them.

Re:So what (1, Funny)

Anonymous Coward | more than 3 years ago | (#32998674)

The source code in most medical devices like pacemakers is almost meaningless without a complete description of the custom hardware that runs it. Although this whole discussion is pointless since no company that bothers to go through the process of making an implantable (and FDA approved) medical device is going to give you any detailed information about the hardware or software (at least not until it's been obsolete for a few decades).

As for ownership, the device belongs to you once it's implanted, but it's the warranty that matters. Most devices interface external equipment and strict operating procedures that your Doctor or a Field Engineer is trained to use. Access or manipulate the device in a way outside of the approved method may disable therapy (usually the response to most error) or at worst brick your device. Do you really want to try hacking something that you need to live as it's keeping you alive?

Disclaimer
IDHFIMD = I design hardware for implantable medical devices

Re:So what (1)

demonlapin (527802) | more than 3 years ago | (#32998804)

Seriously. I can't imagine that Guidant or Medtronic is dying to hand out their custom code for rhythm detection that works for years on end while consuming less power than a sneezing amoeba.

Re:So what (1)

stonewallred (1465497) | more than 3 years ago | (#32998458)

Problem is that most of the stuff you listed, if it breaks and causes a death, the manufacturer and owner/operator can be held liable and sued. IIRC, most implantable medical devices are shielded from tort claims.

Re:So what (4, Interesting)

wiredlogic (135348) | more than 3 years ago | (#32998508)

In the case of avionics, there are rigorous design and testing standards for electronics, software, and mechanical hardware that are mandated by the FAA. Passing them is part of the certification process. This task can be handled in house or by third parties that specialize in that task. The medical industry should largely be applying the same principles.

Re:So what (4, Informative)

Achra (846023) | more than 3 years ago | (#32999028)

In the case of avionics, there are rigorous design and testing standards for electronics, software, and mechanical hardware that are mandated by the FAA. Passing them is part of the certification process. This task can be handled in house or by third parties that specialize in that task. The medical industry should largely be applying the same principles.

EXACTLY. First informed post I've read on this story. I've made a career out of working on medical devices of all levels of concern (yes, including a heart pump) and the V&V process is basically as the parent states. There is a fairly rigorous validation process which is performed on the device (over the course of months to years, depending on complexity of the product and level of concern). These things aren't exactly shuffled out the door like Microsoft shuffles out a new OS (yes, I've worked there too). There is a LOT of diligence involved in receiving 510k clearance on a new device.

Re:So what (1)

AHuxley (892839) | more than 3 years ago | (#32998566)

Clark most of the world has tried to move beyond tombstone technology.
Why wait for enough tombstones for the technology to get fixed?
That seems to work well for airliners, trains and nuclear plants.
Cars seem to need some help too.
Drug approval is a given in the US, the idea because its a chip they can have a free pass seems great in the short term, but will catch up with many.
Who will pay for new devices for a generational fault? Better to at least have some outside on average that just trusting the short term profit motive.

Re:So what (1)

rcamans (252182) | more than 3 years ago | (#32998726)

Wait a minute. Did he just say airliners are fixed for known safety issues?
I call BS on this one.
Most airplanes are full of foam plastic walls and flamable seating, an old problem airplane manufacturers refuse to fix.
Many similar issues exist.

Not just government (2, Interesting)

weston (16146) | more than 3 years ago | (#32998580)

Does a government agency examine...

How about the other entities mentioned in the summary (let alone TFA) -- patients and, more importantly, *doctors*? If not them -- who should review them?

After all, nothing can possibly be safe until it is certified as such by the government. Just ask hundreds of thousands of people who died while the drugs that could have saved them were waiting for the FDA approval. They are pretty safe now.

FDA approval works roughly about as well as "self-regulation" works, since the FDA more or less reviews studies provided by the industry.

Though it's worth noting this is probably at the upper bound of effectiveness of self-regulation, since under the FDA they're actually required to submit something that can convincingly pass for a study in order to receive approval.

Just the facts, ma'am (1)

westlake (615356) | more than 3 years ago | (#32998588)

Just ask hundreds of thousands of people who died while the drugs that could have saved them were waiting for the FDA approval.

What is your source for these numbers?

I think you'll find that the experimental protocol at best simply extends the life of the terminally ill patient for some few weeks or months. It is not a miracle cure - it is an investment in the future.

39% of lung cancer cases are diagnosed after the cancer has already metastasized (distant stage). The corresponding 5-year relative lung cancer survival rate [is] 2.15% Lung Cancer Survival Rate Based on Stage [emedtv.com]

 

Re:Just the facts, ma'am (1)

clarkkent09 (1104833) | more than 3 years ago | (#32999006)

the source is easy, just look at the number of drugs that are claimed to save thousands of lives per year and multiply by several years they spent waiting for approval

Re:So what (1)

cellurl (906920) | more than 3 years ago | (#32998606)

You are correct, voting machines are a far cry from pace-makers. As I have said before, insurance keeps products safe, not legislation. If the rate-response pacemaker (oops thats a MedTronics trade secret...) fails, the company will go bankrupt. Problem solved.

Thanks clarkkent for such a well thought out response.

Re:So what (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#32998708)

Did you completely miss the point of what the SFLC wants? Generally(somebody could probably dig up an exception somewhere) the free software types are not looking for a "Ministry of software" to enforce their aims. They are looking to secure the four freedoms for themselves and other software users and creators(and, on a cultural level, they tend to want most people to be at least a touch of both, rather than just "consumers").

Medical devices are already blackbox tested for function, the SFLC presumably wants for private citizens to be able to inspect code that is life critical to them, if they wish to do so. They(arguably quite rightly) see the fact that such things tend to be hidden behind a thicket of secrecy, and sometimes state enforced patents, as a bad thing.

I'm not sure how you jump from there to a bunch of drivel about the menace of a "ministry of testing everything" nanny state...

Re:So what (1)

demonlapin (527802) | more than 3 years ago | (#32998852)

These guys put together custom code and hardware that will run for years at a time on a single battery. It's hard to do at all and incredibly hard to do well. Not unreasonably, they are not excited about sharing that code with anyone outside the organization.

Re:So what (1)

neonsignal (890658) | more than 3 years ago | (#32999104)

To be fair, black box testing is the foundation of device testing in the health field. And for simple devices it is exactly what you want: making sure that the outcomes are as specified.

However, as any engineer knows, for complex devices there can be innumerable states, and no test can achieve good coverage of these states. So it is appropriate to vet the internals of these complex devices.

Just because companies wish to keep these details as trade secrets does not mean that it is in the public interest. At the very least, there should be third parties involved in checking the design and implementation, even if these details are not made public. If it is good enough for the gaming industry, it is good enough for the health industry.

Why? (1)

Dunbal (464142) | more than 3 years ago | (#32998142)

The devices themselves are rigorously tested in clinical trials. If they pass those tests, what more do you want?

Re:Why? (1)

Meshach (578918) | more than 3 years ago | (#32998164)

Even more so how many doctors or patients are going to have the knowledge to "examine the source code" and tell whether it is working properly?

Re:Why? (2, Insightful)

julesh (229690) | more than 3 years ago | (#32998212)

Even more so how many doctors or patients are going to have the knowledge to "examine the source code" and tell whether it is working properly?

It only takes one or two to achieve useful results.

Re:Why? (1)

Spiked_Three (626260) | more than 3 years ago | (#32998244)

Well said.

I've got one of these things - a result of conductive systems failure (CSF) - it means the top half can't talk to the bottom half to coordinate/synchronize pumps.
In a way, I whole heartedly (pun intended) agree with your statement - but then I start to think - Windows 95 probably could have passed a clinical trial - and then came the hackers.
So, I got this thing in my chest that keeps me alive, can be communicated with via an electromagnet, and has anyone ever really considered what would happen if a hacker tried to hack it? I seriously doubt it. I'd bet $100 the password is the default from the factory (yes it has a digital communications protocol via the elctro-magnet).
Now the real question - do I feel safer from obscurity, or safer knowing that the source code is available for anyone to look at and hack?
Please keep the code locked up as tight as possible! The ratio of mal-intended hackers to good-intentioned source code reviewers is about 19238719273918273 to 1.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#32998290)

Why would someone want to spend the time to hack into your heart device?

If they wanted to harm/kill you there are much easier ways to go about it that doesn't involve getting an electromagnet and reprogramming your device.

Re:Why? (2, Insightful)

Spiked_Three (626260) | more than 3 years ago | (#32998352)

Really? Let's hear your prosecution for a case of murder by hacking an implantable device? Even if someone was smart enough to look into the device to see it had been hacked, there would be no evidence of who did it. Pick an important enough target, ie Dick Cheney, and you have a perfect untraceable murder.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#32998552)

good going, you just got added to a list somewhere.

Re:Why? (3, Interesting)

julesh (229690) | more than 3 years ago | (#32998250)

The devices themselves are rigorously tested in clinical trials. If they pass those tests, what more do you want?

Software errors can (and in fact are most likely to) result in pathological behaviour in unusual circumstances. Example. [wikipedia.org] "The failure only occurred when a particular nonstandard sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: an "X" to (erroneously) select 25MV photon mode followed by "cursor up", "E" to (correctly) select 25 MeV Electron mode, then "Enter", all within eight seconds. This sequence of keystrokes was improbable, and so the problem did not occur very often [i.e. not in any clinical trials] and went unnoticed for a long time." An independent source-code audit could have saved three lives in that case.

Re:Why? (2, Insightful)

Shinobi (19308) | more than 3 years ago | (#32998416)

A source code audit would not necessarily have found it. Like with so many other obscure faults, most likely, you'd have to go through a full trial and error on an actually running system, since you do not always know beforehand if the error is introduced by the specific source code, the compiler or anything else.

Re:Why? (4, Insightful)

vux984 (928602) | more than 3 years ago | (#32998846)

An independent source-code audit could have saved three lives in that case.

=Could have= saved 3 lives.

Would have cost 10s of thousands? millions?

Pretty much every time someone on the planet dies of accidental causes there is some procedure or process that "could" have saved them.

Life just isn't that safe. And I'd rather not spend every dime of the gdp trying to make it as safe as possible.

When people die its tragic. If its something simple to fix, we fix it. But lets not lay guilt trip down every time anybody dies. Life is dangerous and it wouldn't be worth living if we made it safe, because the only way it will ever be safe is if we lock everyone up in straight jackets in padded rooms.

Re:Why? (1)

drsmithy (35869) | more than 3 years ago | (#32999004)

An independent source-code audit could have saved three lives in that case.

What evidence do you have that an independent code audit would have had any more chance of catching the error than an internal code audit ?

Re:Why? (1)

msauve (701917) | more than 3 years ago | (#32998278)

And if you have a bad ticker, are you going to refuse a pacemaker because they won't release the source code?

Maybe the folks at the SFLC should consider building an Arduino based pacemaker, then they can write their own GPL licensed software. They can invest the money to get it FDA approved, too. But, I suspect what they really want is to force others who have already made that considerable investment to disclose their work for all others to see.

Re:Why? (1)

tuttleturtle42 (1234802) | more than 3 years ago | (#32998664)

I want medical devices to run code which has been proven. It can be done, even if it takes a lot of time and effort. Life and death situations are the only ones which make sense to go through proving code for, but it makes sense in those situations.

Re:Why? (3, Insightful)

demonlapin (527802) | more than 3 years ago | (#32998962)

Most of these devices don't spend all that long on the market. They keep getting better, having new features and lower power consumption. Proving the code would slow the pace of advancement. Irony of medical advances: an imperfect device that kills a few people may in fact be (from a public-health POV) better than a perfect device that takes an additional two years to develop.

Stay away from Windows CE (4, Funny)

Anonymous Coward | more than 3 years ago | (#32998168)

One of the July 2010 updates bluescreened my 81-year-old dad.

The hospital backed out the update but they had to reboot him in safe mode and go up the back door.

 

HeartHacks (1)

cosm (1072588) | more than 3 years ago | (#32998190)

This seems similar to other highly proprietary hardware platforms that vendors keep locked down, either for market dominance, or for *security*. Breathalyzers, police radar guns, ATMs, hearing aids, etc, etc.

On the other side of things, imagine the scandal of somebody with a pacemaker installed for the purpose of athletic advantage, perhaps at the Olympics. Can you say heart hack? The winning line-up of the hacked-pacemaker 500, by embedded OS of choice:

1. DSL (Damn Small Linux), lightweight, fast, and simple
2. OSX, clean, stable, and reliable
3. Windows, DNF (H_RESULT 0x41414141 HEART_EXPLODED)

Re:HeartHacks (2, Insightful)

JustOK (667959) | more than 3 years ago | (#32998398)

OSX: soon to be ad supported, will only beat during approved activities, phones home with details about your liver.

Re:HeartHacks (2, Insightful)

JamesP (688957) | more than 3 years ago | (#32998414)

No

WIth the exception of ATMs (and some radar guns) I wouldn't even bother with an OS

And that's GOOD. I DON'T want anything more complex than a couple (ok, 100) of lines of code in my pacemaker, thank you very much

It doesn't NEED to be more complex than that, and it SHOULDN'T

Re:HeartHacks (0, Flamebait)

segin (883667) | more than 3 years ago | (#32998996)

If you think that 100 or so odd lines of code can cover every single scenario and manage your heart in every possible conceivable case, you deserve the effects of a situation those 100 or so odd lines of code aren't prepared for.

If that situation leaves you dead, all the better, stupidity should be a capital offense anyways.

Re:HeartHacks (2, Informative)

demonlapin (527802) | more than 3 years ago | (#32999110)

It needs to be a great deal more complex if you want to do something more than just be alive.

Adaptable rates? You'll need a motion-detection routine in order to speed the heart up so that people can enjoy even the mildest exercise.

Pacing only when needed, not when it's not? You'll need more code to identify when a beat has occurred within the correct time interval.

How about automatic defibrillators? Those are the devices that will shock a heart back into a normal rhythm, which is far more than a regular pacemaker can do; of course, in order to do that, they have to be able to analyze an EKG in real time and get it right - and that takes code.

Same as in the pilot seat (4, Informative)

chaim79 (898507) | more than 3 years ago | (#32998208)

I work for a company does full life-cycle development and verification of safety-critical software, the main areas we work in are aircraft instrumentation, smart munitions, and medical equipment (including pacemakers). The amount of testing and verification that goes into these software categories often exceed the development cost, and at every level it is documented and traced. What on earth do Doctors think they will see in the source code? We do verification, peer review, tracing, etc. what would an MD find that a room full of software, system, and QA engineers wouldn't? About the only thing that they would be able to look at and have a hope in understanding is criteria for taking action, and that is in the requirements and should be reviewed at that level, not at the code level.

Next thing they know Pilots will demand the ability to review the code for their cockpit management system and soldiers the ability to review the code for their Anti-Tank rockets!

Re:Same as in the pilot seat (1)

mirix (1649853) | more than 3 years ago | (#32998320)

So you do what people want the FDA to do, but are unable to. Not sure what you're getting at.

They want a third party (the FDA) to review code on the manufacturers device to make sure there are no hidden bugs. No one said they want random MD's to do code review.

Re:Same as in the pilot seat (0)

Anonymous Coward | more than 3 years ago | (#32998418)

I know it's unpopular on /. to read the article before commenting, but not even reading the summary is a new low:

doctors are blocked from examining the source code

...and from the article:

doctors are [not] permitted to access their IMD's source code

Re:Same as in the pilot seat (0)

mirix (1649853) | more than 3 years ago | (#32998482)

that's just fluff, i read this part:

The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.

Re:Same as in the pilot seat (3, Funny)

segin (883667) | more than 3 years ago | (#32999038)

Oh, so because a few employees within a company (and maybe a closely related partner) have looked over the source, it's "peer reviewed"? Peer review means that EVERYONE can examine the source, including people you have never met nor have even heard their names. It means that people you absolutely hate can review your source, not just a few of your employees that have no qualms about lying and saying it's all good just to keep their jobs.

In other words, your source code has had as much legitimate peer review as my dick has, and since I'm a Slashdotter, any claims of sexual activity on my part are instantly dubious by that simple fact alone.

Re:Same as in the pilot seat (2, Funny)

rcw-home (122017) | more than 3 years ago | (#32999080)

The amount of testing and verification that goes into these software categories often exceed the development cost

That puts the testing quality roughly somewhere between most video games and Windows.

Reliability certification is needed (1)

cjonslashdot (904508) | more than 3 years ago | (#32998266)

For safety-critical software, there indeed should be a required certification regime for reliability. In the security field there is, for example, the Common Criteria. Security is one aspect of reliability (not the other way around). For too long, we have lived without any way of knowing how much effort has been put into making a system reliable. For a phone app this might not matter, but for a pacemaker it does matter.

Re:Reliability certification is needed (2, Interesting)

htdrifter (1392761) | more than 3 years ago | (#32999030)

The FDA requirements on software are strict. There are requirements for coding practices, testing, QA, etc. Inspectors show up, without notice, to check for compliance.
The code reviews are very thorough and require a manager and at least two other programmers.
All code has to be instrumented and scripts written to force execution of all code.
The output traces from instrumentation have to be fully documented. Everything that happens is documented.

They require the source code with all changes documented, test scripts, fully documented code intstrumentation output, full QA test documentation, etc. All these things must be signed by the programmer, reviewers and managers.

All this goes to the FDA along with a system for testing. They review the code, test the system and call with questions.
The FDA is interested in suggestions on improvements to the process.

That process adds a lot to the development time and cost for a project.
It can't guarantee perfection but they take a very good shot at it.

It is not a big deal (1)

KevMar (471257) | more than 3 years ago | (#32998302)

If they properly test the device, the everything should be covered.

I think the FDA does need to realize there is a software component. For no other reason then to require a full recertification of the devise every time the firmware changes. The risk I see is that an item gets certified and then bugs get introduced later if future firmware updates.

The FDA should also be notified of any bugs uncovered in existing firmware. Put the responsibility of deciding if an item needs recalled our of the hands of the company. I think there are other measures that can be put in place without requiring manufacturers to open source the code.

With that said, if the FDA did start looking at the source code, that would not be a bad thing.

This affects more than medical devices (1)

grandpa-geek (981017) | more than 3 years ago | (#32998428)

I have no doubt that the same issues that affect critical medical devices also affect automobile "drive-by-wire" systems like the Toyota runaway accelerator problem. Those systems need to be subject to inspection and validation by independent experts in the relevant hardware/software technology. And if there are problems, the hardware and software need to be even more thoroughly inspected.

Huh? (2, Insightful)

jmactacular (1755734) | more than 3 years ago | (#32998476)

"patients and doctors are blocked from examining the source code"

huh? are either qualified to do so?

Re:Huh? (1)

AHuxley (892839) | more than 3 years ago | (#32998612)

They can hire someone who can before the device is put in.
Then make a selection from the devices on the market and at least know the software is "not faulty", all things been equal.
Hardware may advance or fail, but software can be reviewed.

Someone needs to write a country music song.... (2, Funny)

coastal984 (847795) | more than 3 years ago | (#32998598)

....with the line "She hacked into my heart and crashed me."

Proprietary pacemaker code excerpt (4, Funny)

turing_m (1030530) | more than 3 years ago | (#32998678)

// max_int should be enough for anyone
for(i = 0; i < max_int;i++){
  sleep(1);
  beat_heart();
}

// printf("hi!!!!!\n")

Re:Proprietary pacemaker code excerpt (0)

Anonymous Coward | more than 3 years ago | (#32998756)

Although you are joking, it is a good example of why a code audit could prove useful. In this case there is simply no need for a loop condition and it only increases the risk of an overflow. Bugs like that could be avoided.

Re:Proprietary pacemaker code excerpt (1)

maxume (22995) | more than 3 years ago | (#32998760)

You are missing out on how exciting some pacemakers are; if your heart rate gets too high, they start beeping at you.

Open Source pacemakers (1, Funny)

BitZtream (692029) | more than 3 years ago | (#32998752)

Sure, go ahead, implant one in your chest.

They'd be an awesome life. Knowing the device in your chest is buggy and will have 'updates' released every time the developer makes a commit to the revision control system. Knowing that your entire life depends on a guy who is doing it because he can shout 'OMG FOSS FOR LIFE FUCK THE MAN I'M SAVING THE WORLD'.

Knowing your life depends on developers who only care about the code they write and how it fits their needs.

You'll have 45 buttons on your pacemaker that let you control all the different ways you can stimulate and control your heart. Most of them will return 'not yet implemented', 3 of them will result in a core dump of pacemakerd, 10 of them a PANIC reboot, another 2 cause it to just go silent and halt, and the developer threw in an Easter egg that makes you piss your pants if you hear a penguin.

If you're lucky, you'll get a group of devs that doesn't have 2 or 3 in it that throw temper tantrums on semi-regular basis and threaten to fork it while not putting any effort into the project.

And to top it ALL off, If you complain to anyone about it, the response you'll get is:

You have the source, fix it yourself.

Let me tell you how quick I would be to jump on that train. To tie my life to someone who really doesn't get affected in anyway when his/her software kills me and has no real reason to put any effort into ensuring it doesn't.

The OSS world still doesn't get why companies avoid OSS software, what the fuck makes you think anyone with a 3rd of a brain wants their life to depend on OSS.

I use OSS constantly, there are some great accomplishments. Large portions of my life depend on OSS, but you will probably never find OSS in controlling any thing that my actual life depends on.

I prefer to live, not prove how awesome OSS isn't for every situation.

OPEN SOURCE IS NOT INHERENTLY BETTER, STOP PRETENDING IT IS. You guys REALLY need some perspective. Or just stop letting timothy have access to post to the front page.

Re:Open Source pacemakers (2, Insightful)

matria (157464) | more than 3 years ago | (#32998832)

Or maybe you might learn what "open source" is. It is not necessarily free. It is not necessarily part-time. It merely means that the source code is available. Such a long bout of rabid typing for such a small amount of understanding.

Re:Open Source pacemakers (0)

Anonymous Coward | more than 3 years ago | (#32998872)

Umm.... the article argued that the source code in the pace makers does not match to a sufficient quality of code testing and that open-sourcing the code would go to great lengths to remedy that. Or did I miss the part where it instructs you how to automatically flash your pacemaker every weak?

Obvious, troll is obvious.

open source (0)

Anonymous Coward | more than 3 years ago | (#32998766)

Perhaps someone should explain to them the benefits of open source surgery.

NEVADA GAMING COMMISSION has the code to slots gam (4, Interesting)

Joe The Dragon (967727) | more than 3 years ago | (#32999040)

NEVADA GAMING COMMISSION has the code to slots games so why can't the FDA get the code to med systems?

Aww, Thufir... (1)

BlueStrat (756137) | more than 3 years ago | (#32999126)

"...neither patients nor their doctors are permitted to access their IMD's source code or test its security.'"

"Aww Thufir, don't feel badly...everyone gets a heart-plug here..."

Let's hope any vulnerabilities aren't wirelessly-exploitable!

Strat

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...