When Code Can Kill or Cure

Medical technology: Applying the “open source” model to the design of medical devices promises to increase safety and spur innovation

Medical devices are a wonder of the modern age, but as these devices become more capable they also become more complex. More than half the medical devices sold in America rely on software. SMART pumps deliver drugs perfectly dosed for individual patients and pacemakers keep people alive by ensuring that blood is pumped smoothly around their bodies. The software in a pacemaker may require over 80,000 lines of code, a drug-infusion pump 170,000 lines and an MRI scanner more than 7 million lines.

When the software fails in these medical devices, the consequences can be far more serious than rebooting your PC. In the 1980s a bug in the software of Therac-25 radiotherapy machines caused a massive overdose of radiation to be delivered to several patients, killing at least 5 patients. The FDA has linked problems with drug-infusion pumps to nearly 20,000 serious injuries and over 700 deaths between 2005 and 2009.

In addition to these accidental malfunctions, wireless and networked medical devices are also vulnerable to attacks by malicious hackers. The software used in the vast majority of medical devices is closed and proprietary. This prevents commercial rivals from copying each other’s code or checking for potential patent infringements and making it harder for security researchers to expose flaws.

Some academics now want to reinvent the medical-device industry from the ground up, using open-source techniques. Here the source code is freely shared and can be viewed and modified by anyone who wants to see how it works or build and improved version of it.

The Generic Infusion Pump project, a joint effort between the University of Pennsylvania and the FDA, is taking these troublesome devices back to basics. The researchers began not by building a device or writing code but by imagining everything that could possibly go wrong with a drug-infusion pump. By working together on an open-source platform, manufacturers can build safer products for everyone, while still retaining the ability to add extra features to differentiate themselves from their rivals.

Open-source devices are found at the cutting edge of medical science. An open-source surgical robot called Raven, designed at the University of Washington in Seattle, provides an affordable platform for researchers around the world to experiment with new techniques and technologies for robotic surgery.

All these open-source systems address very different problems in medical science, but they have one thing in common: all are currently prohibited for use on live human patients. To be used in a clinical setting, open-source devices must first undergo the same expensive and lengthy FDA approval processes as any other medical device. FDA regulations do not yet require software to be analysed for bugs, but they do insist on a rigorous paper trail detailing its development.

The FDA is gradually embracing openness. The Medical Device Plug-and-Play Interoperability Program is a $10m initiative funded by the National Institutes of Health with the support of the FDA. It is currently working to set open standards for interconnecting devices from different manufacturers. This would mean that, say, a blood-pressure cuff could instruct a drug pump to stop delivering medication if it sensed that a patient was suffering an adverse reaction.

Along with this open-source initiative is the Medical Device Co-ordination Framework being developed by John Hatcliff at Kansas State University. Its aim is to build an open-source hardware platform including elements common to many medical devices, such as displays, buttons, processors and network interfaces, and the software to run them. Eventually, these medical devices might evolve into collections of specialised (and possibly proprietary) accessories, with the primary computing and safety features managed by an open-source hub. The FDA is currently working with Dr Hatcliff to develop processes for creating and validating safety-critical medical apps.

In the meantime, America’s National Institute of Standards and Technology has just recommended that a single agency, probably the FDA, should be responsible for approving and tracking cybersecurity in medical devices.

Such changes cannot happen too soon. “When a plane falls out of the sky, people notice,” says Dr Fu. “But when one or two people are hurt by a medical device, or even if hundreds are hurt in different parts of the country, nobody notices.” With more complex devices, more active hackers and more inquisitive patients, opening up the hidden heart of medical technology makes a great deal of sense.

Read the full article here http://www.economist.com/node/21556098