Would you put your life in the hands of a programmer who doesn’t let you or the doctor see their code? Although it sounds like something out of a science fiction work, it’s a question many patients are facing as medical devices become more advanced.
Mary Moe is a self-proclaimed cyborg. At 33 she found that she was on the verge of having heart failure. The solution was to have a pacemaker installed in her body. At first it worked fine; however, a glitch in the code caused the device to cut her heart rate in half as she was climbing stairs. It took her doctors months to realize the software caused the mishap.
Unlike pharmaceuticals, which are in the open for the public to view (via patents), software is typically walled off due to concerns over competitors copying the systems. Instead, most corporations label the inner workings of their code a trade secret. While patents require the owner to disclose how their inventions work, trade secrets revolve around strict confidentiality.
The Digital Millennium Copyright Act (aka the Napster law) is what keeps people from accessing the code in most software. The law was passed in 1998 to reduce piracy by making it illegal for anyone to bypass copy protection.
Originally it was used to protect the copy and content in music/movies/games; however, the law is now used to prevent users and security researchers from gaining insights into the inner workings of the software to which they are connected. In some cases, very connected.
Fortunately, progress is being made in this space. The Harvard Law School recently pushed the Library of Congress to modify the laws so that researchers could examine the code of motor vehicles, machines intended to be used by general consumers, and medical devices, for legitimate security research needs.
The amendments also make it legal for patients to have access to essential data stored within the devices (e.g., glucose spikes, heart rate drops), without needing to visit a doctor or hospital. The next stage, however, and an important one, is providing not only the opportunity for transparency but also feedback from users before the logic running their life-and-death devices is updated. As Mary Moe puts it, “I want to know what code is running inside my body. If someone wants to alter that code, I want to make an informed decision.”
While being able to audit code is a step forward, securing internet-connected medical devices is a pretty difficult challenge. Deloitte uses the example of a politician being assassinated by having his pacemaker hacked. According to their report, the FDA has been aware of security vulnerabilities in medical devices since 2013. Many of those vulnerabilities came about from manufacturers not maintaining the code in legacy devices.
As healthcare continues to advance, one of the biggest considerations doctors and patients need to remember is that treatment plans should be written with these issues in mind.