Éireann Leverett, the security wizard who's joining OPEN&Change

I met Éireann for the first time a couple of months ago, during LOTE5 in Brussels. I mostly remember him for knowing probably all the brand new, absurd Twitter accounts, and being able to quote quite a lot of their content.

Then I learned a bit more - and the more was unveiled, the more impressive it got. There is a great reason for us to team up and work on the challenge together: Hacking, internet security, and medical devices. He knows a lot about that stuff.

Éireann, with his friend Dr. Marie Moe, started investigating the security of pacemakers - as Marie’s life actually depends on a little instrument that generates each of her heartbeats. And it runs on proprietary code. This means she has to implicitly trust the programmers, and despite her and Éireann’s years of assessing devices for security holes, they wouldn’t normally be “allowed” to investigate the security of such devices.

This implies how little a regular customer of similar devices is informed about the ways they work, what protocols and tools they use, where their data is stored, etc. It has everything to do with a person’s safety - and still, companies keep most of the key information secret from the users, making them more vulnerable.

I suggest you watch this great video from 32C3, where Marie and Éireann tell about their journey.

Obviously, the issue of safety transcends this case and applies to a whole range of tools that increasingly improve our quality of life and longevity. The security flaws are potentially causing exactly the opposite, making for a health/life hazard. There are concerns about privacy too, where your medical data flows around the world to companies that may or may not be taking measures to protect it.

But that’s not all - Éireann also works as an advisor for the European Network for Cyber Security (ENISA), has founded http://www.concinnity-risks.com/, and works as a Senior Risk Researcher at Cambridge Centre for Risk Studies. He is loosely affiliated with I Am The Cavalry, a cyber security movement, whose motto is “Safer. Sooner. Together.”

He contributes to our OPENandChange application vast expertise in the security of medical devices, and embedded devices. He will be helping DIY makers, programmers, and engineers with training on how to build safer code, and what standards they will want to comply with to produce products for different markets. He’s also offering insight into vulnerability research and standards-based research, contributing safety and transparency knowledge to this huge, open swarm OPENandChange wants to become. Lastly, he loves the idea of preparing a consumer training and equipping people who rely on medical devices with knowledge and clear questions they can ask about their own devices.

Finally, Éireann has just been announced as an Open Web Fellow for Privacy International and he will be getting the word out about our idea while advocating for open cyberspace.

MedDevice FAQs?

Wow, this is great news indeed. Welcome @Eireann_Leverett !

I was at that talk at 32C3. It was a real eye opener. It’s all very good and well to make fun of the Internet of Things: my favourite is the Twitter account Internet of Shit (https://twitter.com/internetofshit), that churns out a sad/hilarious/scary gallery of smart diaphragms, Internet-connected pet feeders that starved your cat to near-death because the server went down (“It’s literally just a timer! WHY does it have to be online? Oh, right, so that they can show me cat food ads”), and keyboards that predict your next keystroke and leak all your keylogs all over the Net.

But when you are running that stuff inside your body, that’s where it gets a lot less funny.

I love this idea:

preparing a consumer training and equipping people who rely on medical devices with knowledge and clear questions they can ask about their own devices.

A sort of FAQ, or checklist, if I understand correctly. Does it make sense to try and prototype this at one of the Open&Change events in the fall?

Love the activist touch to medical care

Thanks Natalia and Eireann for reporting on this. I had read Marie’s story a while ago on the internet and was impressed by the humility with which she had approached medical security. After all, she rightly stated that the benefits of having the pacemaker far outweigh the risk - which is why probably many patients are looking away or de-prioritizing this.

I’m also reminded of @Rune’s story where upgraded medical care also needs an alliance between patients/consumers and researchers (he’s arguing for more system availability for cheap, effective medical tech).

Hmmm, it’s an interesting and complex issue.

I’m not sure to what extent @Eireann Leverett’s claims are sustainable (missing data). The regulations (IEC 60601) require thorough documentation of the safety. Anyone knowing the certification process of medical devices will know how much paperwork it takes. This documentation effectively renders the device sort of ‘opensource’. It’s accessible to 3rd parties (regulating bodies etc). Clinical trials of safety have been carried out. Scientific publications (open source) and probably patents (open source) will have been published. Risk assessment documentation occupies entire folders. The costs to the company force developers to do their very best (in theory). Yes, it’s not open source to the regular customer, but what would it serve? After all, it takes an expert to understand. Regulations are born to protect the consumer, but they are resource expensive, meaning that devices become excessively expensive in confrontation with production price. (Maybe now regulation monsters have grown to feed lawyers and bureaucrats.)

Honestly, would you dare to hack a pacemaker or implant one that was running opensource version 42-beta last edited by someone with an obfuscated name?

More interesting: is there some documentation that opensource software is more reliable compared to proprietary code with relevant approvals? The opensource development or hacking is extreme programming where bugs get fixed, new ones are introduced and iterative improvements are taking place. Unless you believe in an afterlife I don’t think you would accept being a beta tester of your pacemaker.

Non life-critical medical devices (low hazard) could be open source, when failures will cause little or no damage. Especially those not being provided by the health service.

P.S. I think CE marking the water dispenser is a lot easier than getting approval for a medical device and there is no comparison.

Bottom line @Alberto

It would be a great idea to develop a FAQ or rather a book of knowledge/best practice for OpenSource Medical Devices.

Please let it be based upon evidence and legal references

Nice points

I can’t really answer your question “Is there some documentation that opensource software is more reliable compared to proprietary code with relevant approvals?” as I am not aware of applicable metrics that do this with little/no room for interpretation. It would be interesting to see what @Eireann Leverett can provide in those terms.

As for “Honestly, would you dare to hack a pacemaker or implant one that was running opensource version 42-beta last edited by someone with an obfuscated name?”: Well, who decides that Windows Millennium or Windows 8 is not beta anymore, and what are the programmers’ names? Not sure, but couldn’t you beta-test in a dummy, an animal, or even a human (in a less sensitive location) before you declare it a finished product?

Of course I agree that such probing questions need to be asked, and you can’t expect to automagically transport some (but not other) features of one field into another field with a very different history etc. and expect to be able to predict the outcome.

However, regulations have a tendency of accumulating and not always for the right reasons, so critical questions from outsiders are in place, particularly in the medical field I would say. Also there is the issue of possibly not being able to support the current complexity of the domain in the longer term.

Lastly, I think work in the techno-medical-regulatory domain may help overcome indifference towards the consequences of technological choices, as illustrated in Alberto’s comment.

Some real issues here

@Natalia_Skoczylas and @Eireann_Leverett I guess we need your opinion here. In this comment above Rune raises some real points on IEC 60601 and issues of trust with technology.

Some references

First off, let me apologise for the long delay. I have been truly buried in work, and my life got heavily disrupted by personal matters for a couple months.

@rune

I think we have some miscommunication here. I’m not suggesting open source is more reliable, or the only way to go with medical devices. However, there is an issue of transparency of the code to the patient, that has ‘similar’ issues to the issues of open source.

On your other points though, you rightly note that there is a lot of safety and regulation around medical devices. However, we still know that user input issues pervade the safety of medical devices. For examples, see the paper Preventing Medication Errors by P Aspden, J Wolcott, J L Bootman, L R Cronenwett, or any of a number of papers by Harold Thimbleby. The paper Killed by Code, written by Sandler et al, also details many case studies that you might be interested in. Getting back to the point about safety regulation, I don’t believe that safety regulation takes security into account as regularly. This is starting to happen, but very slowly. This is why the paper “Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses” is so powerful. They took an FDA certified device, and showed it was possible to make it operate unsafely after some security analysis.

There are many more things we might discuss about regulation, such as the FDA’s limited resources for looking at the code of the devices. However, there are some good things too, such as the MAUDE database. MAUDE - Manufacturer and User Facility Device Experience

By making this database available, we can search for adverse events and study this in an evidence-based approach, as you rightly request. I’m not here to inflate the claims, and honestly I prefer to let Marie do the talking about these subjects because her patient viewpoint is balanced and essential. However, I’m happy to provide more reading and evidence, when time permits.

“FDA’s limited resources for looking at the code of the devices”

@Nadia at one point was proposing to look into a community-run certification scheme for the code in medical devices, vaguely inspired by http://www.peertopatent.org/ . It could be one of the projects in OpenAndChange!

Finding the ideal solution

What I make of this is that it’s not about choosing between the open source or current proprietary code/technology approach. It’s clear to me that both do things well and other things wrong and that an ideal situation lies somewhere in between.

I find it is recurring when the open tech/science ideas meet traditional ideas that the discussion is seldom held around the question: how can the different approaches learn from each other, in order to implement a better solution? Rather, it is usually about what approach is the best as is. Result: boring discussion and no real progress.

How can we get to a situation where this conversation is not about an ideal solution, but about finding an ideal solution?

Ping @Alberto @Eireann_Leverett @trythis @Rune