Fatal risk of software defects in implantable medical devices

Software vulnerabilities in life-sustaining medical devices such as pacemakers and infusion pumps pose a growing threat to public health, warns a new report published by the Software Freedom Law Center (SFLC).

“The findings of the paper are important to anyone who has a friend or loved one with a pacemaker or insulin pump”

Killed by Code: Software Transparency in Implantable Medical Devices, addresses the potentially fatal risk of source code defects in implantable medical devices and explores why patients, doctors and the public should insist that free and open source software be the standard approach.

"The findings of the paper are important to anyone who has a friend or loved one with a pacemaker or insulin pump," said the paper's author and SFLC General Counsel, Karen Sandler. "Clearly, we need mandatory, public, and broad safety review of code that runs these devices. At the very least, the U.S. Food and Drug Administration must require device manufacturers to submit software to the agency for review and safe keeping."

The Software Liability Nightmare

Millions of people with chronic heart conditions, epilepsy, diabetes, obesity, and even depression depend on Implantable Medical Devices (IMDs) for their lives but the software that enables the delivery of crucial treatment remains hidden from patients and their doctors. Despite strong evidence linking critical device failures to source code defects, software is considered the exclusive property of its manufacturers and is almost never reviewed preemptively by the regulators responsible for ensuring its safety.

In 2008, the Supreme Court of the United States eliminated the only consumer safeguard protecting patients from negligence on the part of device manufacturers by prohibiting people from seeking damages in product liability lawsuits. Today, people with chronic conditions that require IMD treatment are now faced with a stark choice: trust manufacturers entirely or risk their lives by opting against life-saving treatment.

Why Free and Open Source Software is Safer

The SFLC's paper proposes a new solution to the software liability nightmare confronting the medical device field: requiring manufacturers of IMDs to make source code auditable. Research indicates that software transparency would make the devices less vulnerable to malicious hackers and security breaches and the public less vulnerable to negligence by the corporations that sell them.

As a non-profit legal services organization for Free and Open Source (FOSS) software developers, part of the SFLC's mission is to promote the use of open, auditable source code in all computerized technology. Though the paper focuses specifically on the security and privacy risks of implantable medical devices, they are a microcosm of the wider software liability issues discussed in the paper. The argument for public access to source code of IMDs advanced in the paper can, and should be, extended to all the software people interact with everyday. The well-documented recent incidents of software malfunctions in voting booths, cars, commercial airlines, and financial markets are just the beginning of a problem that can only be solved through software transparency.