I saw a talk about medical device security (or lack thereof) at the Eleventh Hope a few weekends ago. Very scary. They started off with a story about patients in a hospital who became horribly addicted to morphine because they were able to hack the machine from resources found online (http://www.massdevice.com/hospital-patient-hacks-his-own-mor...). Go on Shodan and search for medical devices and terminology (e.g. "radiology") and you'll see the state of things. Sensitive machinery exposed on the open internet. A lot of medical devices have hardcoded passwords that are used for remote operations by technicians.

Open sourcing this code would do a lot to mitigate these issues.

You most certainly don't want people to be able to modify safety critical code within a pacemaker.

What most developers don't realise is the level of engineering strictness that goes into anything safety-related. The rules and regulations related to anything that affects the human body is in a different league than what most developers are familiar with.

What is a problem here, is that the design (not the code) apparently did not take into account any messaging security, relying on obscurity as its only defence.

If the code was open-sourced, don't expect to find lots of buffer overflow attack vectors, or simple things like that. Its the design of the system as a whole at fault, and that is already open.

Medical devices such as these are not black boxes to the people that certify them, everything is open to them, source included. Having worked in that sort of area, I trust the systems that are in place.

We hear a lot about how digital obsolescence is a growing problem, and almost all of it refers to not being able to access your old family photos and movies, or maybe old documents and spreadsheets. But what happens when your pacemaker is obsolete, the source code is long lost, and no-one knows how to update it?

Is this problem being addressed in any real way? 50 years in the future some of today's devices may still be operating in peoples' bodies, and it seems hard to believe that anyone would still have the knowledge and/or tools to upgrade them. And surely it's quite a big deal to open someone up to replace the hardware every 5 years?

Does anyone know if at least the FDA is allowed to review the source code for pacemakers? Or is it a complete blackbox? Personally I would be appalled if even the FDA is not allowed to.

Another really good talk about the topic, "freedon in my heart" by Karen Sandler:

https://www.youtube.com/watch?v=5XDTQLa3NjE

It's mentioned in the article.

Obligatory talk on that topic from the 32C3:

"Unpatchable - Living with a vulnerable implanted device"

https://media.ccc.de/v/32c3-7273-unpatchable

Please people.... before you comment on this thread, please inform yourself on what safety critical software is really like.

There is a lot of uninformed discussion in here currently.

https://en.wikipedia.org/wiki/Life-critical_system

Sure this is about pacemakers, but cant we say something similar about the rest of our body?

I agree, I want to contribute to FOSS medical devices.

By extension should every device I own require me to have access to the source code and output data?

Not a rhetorical question.

How about when I'm flying an airplane; I'm also putting my life in the hands of people that wrote the code that controls it and I have to trust that the plane won't shut itself down mid-flight because of faulty code. Should a similar argument be made here?

Can the mods change the link to https://backchannel.com/our-medical-data-must-become-free-f6..., since this is the full version of the story?

Sounds like they could do with a law similar to the freedom of information ones for software of this type. Without that device manufacturers are not going to want to publish as competitors could copy it and some people may sue over perceived errors.

I am imagining that young folks have Library Anxiety, and old folks have "Google Anxiety".

Ask any question and you will find an answer. Any question you have, no matter how banal or left-field. What is the weather? Is my grandson a lesbian? How do I eat pizza in Italy?

Where is the biography section? How do I understand the Dewey Decimal System? What is in the Special Collections, and what are the hours -- and do I need an appointment? The computers are down... is there a way I can search for books offline without randomly roaming the stacks?

I want to inspect the blueprints of every building I walk into and know the sourcing and composition of all the structural components as well. For my life depends on these things to be true and properly constructed.

Very soon we would have FBI and NSA requiring these pacemakers to have a kill switch to kill whoever they don't like.

10 be dumb 20 goto 10

you're all idiots.

"I wanna feel what code is. I know you can show me!"

Philosophy -

She doesn't know the code that's running on machines inside her body.

I don't even know the code that's running my heart.

And yet, I trust it.

> “You’re pulling data from my cardiac device that I paid for, implanted inside my body, the most intimate piece of technology anyone can have, and yet I’m devoid of access to the device? That moved me to my core,” he says. “That’s just not right.”

I'm sure she must have signed a user license agreement of some kind upon buying the device. So she shouldn't have to complain.

Reasons to NOT open up the code: 1> Loss of competitive advantage 2> Open source is not necessarily any safer (heartbleed bug ... ) 3> If software for the pacemaker is allowed to be updated like that on a computer, someone will update it with buggy software that can cause adverse side effects. Who owns the liability in that case?