Your pacemaker should be running open source software

Using embedded medical technology, such as a pacemaker, defibrillator, or insulin pump? What's running inside is a complete mystery

Opinion Software Freedom Conservancy's (SFC) Executive Director Karen Sandler was last year awarded an honorary doctorate by Belgium's Katholieke Universiteit Leuven for her work for open source and software freedom.

There was only one problem. Her heart was beating strangely, and she couldn't get the data out of her implanted pacemaker/defibrillator proprietary software to find out what was going on.

She was forced to make a life-or-death decision that would have been much easier were it not for proprietary software being the only option for heart devices. Sandler ended up going, and all went well. It easily could have gone terribly wrong.

You see, Sandler has a heart condition, Hypertrophic Cardiomyopathy (HCM). It's a condition that generally has no discernible symptoms unless it kills you. A serious thing.

This time, however, she had a symptom, an irregular heartbeat, that was getting worse. Clearly, the first thing to do was pull the data from the device so that her cardiologist would have more data for the treatment.

One of the reasons why people get these devices is so they and their doctor can track their condition. So it was easy right? Wrong.

Remember, this runs proprietary software. It turned out that no one but a company representative could pull data from it. And, no one - and I mean no one - was available who could get the information.

This is not a rare problem. Sandler, aka the cyborg lawyer, has been following the use of proprietary software in medical devices for years. It's an ugly picture.

All Implantable Medical Devices (IMDs)- and I mean all - run proprietary software. Why is this a problem? Can't you trust them?

As Sandler has told me, "All software has bugs, and all software is vulnerable." On average, according to the Software Engineering Institute, there is one bug for every 100 lines of software and that pacemaker in your chest? It has about 70,000 lines of code.

"Free and open software tends to be better and safer over time," observed Sandler. Proprietary software is a black box. Unless you're the manufacturer, you have no idea what's actually in the code, or, as Sandler found out in this latest episode, how to get data out of the device if you're not a company representative.

Don't think, by the way, that this is some kind of theoretical problem. It's not. In 2017, MedSec, a medical technology security company, found that Abbott Laboratories' St Jude Medical defibrillators could be remotely attacked by hackers. As a result, the US Food and Drug Administration (FDA), issued a recall of of 465,000 of these devices.

At about the same time, Johnson & Johnson admitted one of its insulin pumps had a security vulnerability, which could be exploited to overdose diabetics with insulin.

On top of that, the FBI warns that unpatched medical devices run on outdated software with known security problems and that the devices often lack adequate security features. In addition, the manufacturer's default configurations are often easily exploitable, and the devices themselves aren't designed with security in mind. Their makers assume, foolishly, that medical devices aren't exposed to security threats.

On TV shows, people have been killed by someone hacking their IMDs. That's not far-fetched. Indeed, it may have already happened. How would we ever know? A proof of concept for hacking a medcial devices was shown off at RSA previously.

It's not just people, like Sandler, that are open source and security savvy, who worry about these issues. Former US VP Dick Cheney had his defibrillator's wireless feature disabled to prevent hacking attempts in 2017.

How would an attacker know that you have an IMD? Well, it turns out that besides being proprietary, they're chatty devices. They're often broadcasting remotely without any real security.

That's a real problem. It's bad enough that wireless key fobs can be hacked so someone can start your car, I don't need anyone revving up my pacemaker, thank you very much.

So, before you volunteer to have Elon Musk's brain-computer Neuralink interface implanted in your head, you may want to think long and hard about your decision. Besides the Physicians Committee of Responsible Medicine (PCRM)'s warning of the company's invasiveness and rushed actions in animal testing, the code itself is a riddle wrapped in a mystery inside an enigma.

Sandler is understandably "not comfortable with the idea of having proprietary software literally screwed into her heart." Who would be?

For years, she's tried to get the medical device industry to open up its code with little success. All we can do is support her in this struggle.

As she wrote, "The ways we rely on our software are not theoretical. They pervade every aspect of our lives, and we must make our decisions carefully — knowing that there will be immediate and long-term consequences of those choices." ®

More about


Send us news

Other stories you might like