Open-source medical devices: When code can kill or cure  - mwilcox
http://www.economist.com/node/21556098?fsrc=scn/tw_ec/when_code_can_kill_or_cure

======
david_shaw
I work primarily in the field of healthcare information security.

Although this article does go a little bit into the realm of hyperbole--as HN
commenter 'excuse-me' pointed out, not every single aspect of medical
equipment is even remotely capable of interfering with patients--there is a
serious security risk with networked devices that most people do not
understand.

The article pointed out the McAfee research on insulin pumps. Yes, these
devices were hacked and could potentially kill a patient. This was a complex
application attack that, while serious and _certainly_ something that should
be addressed, has a very high level of sophistication. For example, if one were
trying to kill a patient, they would need physical (or very close networked)
access to the device. At that point, is it easier to write exploit code or
simply kill someone? These are morbid thoughts, but it's also a requirement to
think of the actual use case. _Please_ keep in mind that I'm not trying to
understate the seriousness of these findings, or others like them: we
_absolutely_ need to step up security in the healthcare field. It's a mess,
and frankly makes me feel uncomfortable every time I'm in a hospital.

But let's talk about things that are even simpler than the insulin pump
attack. When I send engineers on-site to hospitals, we need to specifically
_exclude_ BioMed network devices, as well as anything that's connected to a
patient (even through a couple of hops) for even simple network scans (nmap,
etc). Why? Because even just running a contemporary port scan has a tendency
to overflow device state tables/networking stacks and crash the device. Let me
reiterate: just _scanning_ the device, without any security checks or attacks,
can take a device offline.

You might think that devices such as these are protected from attackers by
other security controls; that if someone has networked access to an internal
network, that it's game over anyway. Well, yes and no. Part of the problem in
healthcare information security is that hospitals and healthcare providers
have thought almost exclusively about the _physical_ security of their
facilities for far too long. Sure, there are security guards in place, but how
does that help when the Emergency Room "guest wifi" is bridged to the internal
network? What about when there are live Ethernet ports in visiting rooms or,
again, the ER? These are real problems that we're trying to find and resolve,
but it's more of an industry-wide change of vision than a couple of holes we
need to plug. Even the security of the internal network itself is generally a
disaster (missing patches, unorganized security departments, etc). It's our
job to resolve these issues, and although I'm just a _little_ biased, it's not
super hard to do on a _hospital-by-hospital basis_. It gets a lot tougher when
we're talking about a pan-industrial change.

Which is where, in the U.S., the government steps in. HIPAA compliance forces
these checks to be done on a regular basis--although the tendency for
hospitals to save money by getting a "checkbox compliance" scan from an
automated vendor instead of having a real team of security engineers conduct
analysis is still very strong. HIPAA is focused mainly around protecting
electronic protected health information (PHI), but the HITECH Act and
"meaningful use" allows healthcare organizations to actually _receive_ money
from the government for staying in compliance while using ePHI (instead of
paper records) for a large percentage of their health records.

We've got a long way to go, but the healthcare industry is steadily improving.
That said, don't be too quick to discard remarks about the security of
hospitals and your medical data: right now, a complete medical record is worth
more on the black market than a credit card number. Keep that in mind next
time you see Windows NT machines while getting your annual check-up.
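
An added example, not part of the thread above and not code from any commenter: the comment says the first rule of on-site scanning in a hospital is to keep BioMed and patient-connected devices out of scope entirely, because a plain port scan can crash them. The script below shows that scope control as code. It reads a constructed asset inventory (the CSV, host names, tags and RFC 1918 ranges are all hypothetical), turns the "biomed" and "patient-adjacent" entries into an nmap exclusion list, refuses to build a scan whose targets overlap any excluded range (including a broad target such as a /16 that would swallow a biomed /22), and composes a conservative nmap command line. The nmap flags used (`-T2`, `--max-rate`, `--max-retries`, `--exclude`) are real; the inventory format and tag names are assumptions for the example.

```python
"""Build a hospital nmap scope that keeps biomedical devices out of the scan.

Added example; not from the thread. All hosts, networks and tags below are
constructed (RFC 1918 space, hypothetical names) for illustration only.
"""
import csv
import io
import ipaddress
import shlex

# Constructed sample inventory: host,network,tag (hypothetical, not a real site).
INVENTORY_CSV = """host,network,tag
er-guest-ap,10.20.0.0/24,guest
ehr-db-01,10.30.1.0/24,server
imaging-pacs,10.30.2.0/24,server
infusion-pump-vlan,10.40.0.0/22,biomed
icu-telemetry-gw,10.40.4.17,patient-adjacent
"""

# Tags (assumed naming) that mark devices which must never be probed.
NEVER_SCAN_TAGS = {"biomed", "patient-adjacent"}


def load_inventory(text):
    """Parse the inventory CSV into (host, ip_network, tag) tuples.

    A bare address such as 10.40.4.17 becomes a /32 network.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["network"].strip(), strict=False)
        rows.append((row["host"].strip(), net, row["tag"].strip()))
    return rows


def exclusion_networks(inventory):
    """Networks that must be excluded from any active probing."""
    return [net for _, net, tag in inventory if tag in NEVER_SCAN_TAGS]


def check_targets(targets, excluded):
    """Return (target, excluded_net) pairs that overlap; empty means safe.

    ip_network.overlaps() is symmetric, so a wide target (e.g. 10.40.0.0/16)
    that contains a biomed range is caught, not just a target inside one.
    """
    overlaps = []
    for t in targets:
        tnet = ipaddress.ip_network(t, strict=False)
        for ex in excluded:
            if tnet.overlaps(ex):
                overlaps.append((t, str(ex)))
    return overlaps


def nmap_command(targets, excluded):
    """Compose a slow, rate-capped nmap argv with the exclusions applied.

    Raises ValueError instead of building a scan if any target overlaps an
    excluded network: scope mistakes must fail closed.
    """
    bad = check_targets(targets, excluded)
    if bad:
        raise ValueError("targets overlap excluded biomed networks: %r" % bad)
    argv = ["nmap", "-sT", "-T2", "--max-rate", "50", "--max-retries", "1"]
    if excluded:
        argv += ["--exclude", ",".join(str(n) for n in excluded)]
    return argv + list(targets)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    ex = exclusion_networks(inv)
    print("excluded:", ", ".join(str(n) for n in ex))
    print(shlex.join(nmap_command(["10.30.1.0/24", "10.30.2.0/24"], ex)))
    try:
        nmap_command(["10.40.0.0/16"], ex)
    except ValueError as e:
        print("refused:", e)
```

The timing and rate flags only make the scan slower; they do not make probing a fragile device safe, which is why the example treats the exclusion list as mandatory and fails closed rather than relying on gentle timing. In practice the inventory should come from the hospital's own BioMed asset register, and the exclusion list should be reviewed with clinical engineering before any probe is sent.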

~~~
impendia
> a complete medical record is worth more on the black market than a credit
> card number.

Whoa! I had no idea. Why are complete medical records valuable on the black
market?

~~~
david_shaw
I think the reasoning behind this is that credit card numbers have a very low
life expectancy after they are leaked. One or two fraudulent charges, and the
CC# is generally cancelled.

Medical records, however, usually include full personal details (address
history, medical history, SSN, phone numbers, etc.) and by definition can't be
changed. Therefore, should someone access this data, there is a whole range of
fraud and identity theft that can be executed. Most people don't have credit
monitoring services, and it's way easier to _take out_ a fraudulent credit
card and rack up charges that will never be detected (until some of the bills
go through or the credit card defaults) than it is to use a legitimate one.

So, it's not the medical data _per se_, except maybe blackmail or insurance
fraud (not common), but more generic identity theft. PHI is basically
someone's whole identity in a file!

~~~
impendia
Ah, I see. Makes sense. Thank you!

------
HeyLaughingBoy
_"My dream", says Dave Arney, a researcher on the project, "is that a hospital
will eventually be able to print out an infusion pump using a rapid
prototyping machine, download open-source software to it and have a device
running within hours."_

What can I say; dare to dream. Because that's what this is - a dream.

Print out a pump? OK. Was the 3D printer's performance to all relevant specs
validated? Were the materials it uses approved and inspected along with their
certificates to be sure the pump was being made from the material the designer
specified? Was the material stored properly before use and was the pump it
printed tested to ensure that it met all its requirements?

The software is probably easier to handle, surprisingly. The FDA probably
wouldn't care that it was open source, but would the OSS developers be willing
to follow a validated process, document that they are following the process,
submit to random audits of that process being followed?

Who handles customer complaints? FDA requires that a Medical Device
manufacturer have a procedure to record and respond to customer complaints and
comments in a timely fashion. If a physician notices that every morning at
8:00AM the pump puts out an additional 5%, who will log that concern and
investigate it? If it requires a recall, how do you even recall something you
can't track, since people are just printing the pumps out as they need them?

The Medical Device industry is screaming for innovation and I hate to be a
party pooper, but this is a dream. And unfortunately, it will remain a dream
for very good, common sense reasons.

~~~
ktizo
I cannot think of a single objection you have raised that is to do with 3d
printing rather than to do with quality control and process tracking, and
quality control can be made far easier with 3d printing as you can change
production as soon as a fault is discovered, so you don't end up with a
warehouse full of a million faulty pumps.

And tracking could be achieved by embedding RFIDs mid-print without a problem.

~~~
HeyLaughingBoy
The problem isn't with the 3D printing itself, it's with an end user (the
hospital) that doesn't have manufacturing skill and 21CFR knowledge printing
off a medical device. It's a nice idea, but the FDA would have to change a huge
amount before something like this has a ghost of a chance.

~~~
ktizo
There is always the rest of the world, and given they are already using it for
bone replacement - <http://www.bbc.co.uk/news/technology-16907104> - I don't
see what the issue is for pumps.

[edit] Also, remember that the end users at this stage are medical geeks of a
level of educational qualification that would put the vast number of people
working in software to shame. Some of these people are already making _organ
printers_. I'm sure they can work out medical good practices for in-house
manufactured parts and get it approved in most of the world, especially when
the full benefits of custom parts as fast as possible becomes apparent.

------
ef4
I think it's interesting that reporters are still using the Therac-25 as their
go-to example of medical software harming people.

I'm pleasantly surprised that we haven't had a bunch of more spectacular
examples since then.

------
WiseWeasel
These guys at the Generic Infusion Pump project should partner with vTitan and
put up a Kickstarter page for a cheap infusion pump with open source software
(or maybe vTitan could do it themselves), if it's the type of device people
might buy directly. Many in need would love to sponsor this type of advance
while securing early access for themselves, since they are so acutely aware of
the device's value.

~~~
excuse-me
And, their funders, their pets and everyone their funders know will be sued
into poverty as soon as it's announced.

I met a company that was going to make a powered wheelchair. At the moment
your choice is a manual chair or a big heavy expensive and complex mobility
scooter - like you see fat/lazy people using in Walmart.

Their product was a smart power assist that gave you an automatic extra push
on kerbs, ramps etc but could be cheaply bolted onto an existing manual chair.
It had sensors that measured the force you were pushing with, the chair angle,
speed etc, along with modern brushless DC motors and laptop batteries.

Then they hit the FDA. There is no FDA approval class for accelerometers - nobody
has ever made a medical device using accelerometers so not only would they
need their device tested and approved they would need to prove "equivalency"
for a MEMS accelerometer. Apparently General Relativity and Mach's principle
aren't enough for the FDA.

They did propose simply opensourcing the design for anyone to build but were
told that if anyone did build one they would be essentially in the same legal
position as publishing instructions for making illegal drugs!

In the FDA's eyes telling someone how to make an affordable electric
wheelchair = running a meth lab.

~~~
WiseWeasel
I could certainly see the FDA obstructing _novel_ products without
prohibitively expensive studies, but wouldn't it be significantly cheaper to
demonstrate equivalence to existing devices?

~~~
HeyLaughingBoy
Yes, it would. Problem is that "significantly cheaper" means it costs $1
million instead of $5 million.

~~~
WiseWeasel
$1M+ might be in the realm of the attainable for a Kickstarter project,
assuming the device has a sufficiently wide usage. The estimated cost of
approval would need to be included in the funding goal.

[If the same studies might be used to seek approval in several countries at
once, then it might make such an approach to funding medical devices more
attainable for the size of their market. The missing piece of the puzzle seems
to be an affordable method for conducting studies to get medical devices
approved.

It seems like the industry is highly vertical, with difficult access to
financing and compliance infrastructure. This might be an opportunity for a
service provider to come in, establish a selection process for clients,
partner with universities around the world to conduct studies to the
specifications of US FDA, and its EU, Canada, Japan, etc. equivalents'
approval, and help store and file the needed paperwork in exchange for a cut
of sales.

Maybe it's also time for the UN to create a world body for standards of
approval of medical technology which all these nations should recognize; or
maybe ISO should take that role.]

------
excuse-me
The situation in the US is insane. Yes, there are systems, like radiotherapy
machines or pacemakers, that need to be developed and tested to NASA-like
specs.

But the FDA take the approach that anything medical is life threatening. It's
as if the FAA demanded avionics approval for the point of sale machine in the
McDonald's at the airport.

You cannot use a camera on a microscope in the US for medical purposes; there
is no approval and there won't be, because the first company to do so has to
prove beyond all doubt every concept of the camera, computer and display
operation. Not just of their specific device - you have to prove that a camera
is equivalent to an eye in basic principles. Then once you have done that,
every other maker can ride on your coattails.

That's why in europe your cervical smear test will go through an automated
scanner which uses state of the art image processing to examine every single
cell - and quickly enough that the entire population (or at least the half
with a cervix) can be screened.

In the US it will be looked at for 5 minutes with 50-year-old eyes and a
30-year-old microscope by a doctor who will then guess (sorry, use his years of
experience) to decide.

Strange really - I don't imagine the FAA would accept an aircraft maker saying
that they don't use CFD tools or computers but old Billy has a certificate
saying he went to engineering school and so can estimate the load in a carbon
fibre turbine blade by eye.

~~~
sien
Have a look at the FDA Guidance for pre-market solutions; they categorise
devices into 3 levels: major, moderate and minor.

The minor level is for software where it is unlikely that serious injury or
death will result from the software:

[http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidanc...](http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm089543.htm#6)

~~~
excuse-me
IIRC anything that is a `therapeutic outcome` (?) is automatically the life-
or-death class

So a computer screen that displays a result the doctor relies on must be a
medical grade screen.

