Domain: fda.gov
Stories and comments across the archive that link to fda.gov.
Stories · 61
-
FDA Warns Against Using Young Blood As Medical Treatment (cnn.com)
An anonymous reader quotes a report from CNN: The U.S. Food and Drug Administration warned Tuesday against using plasma infusions from young blood donors to ward off the effects of normal aging as well as other more serious conditions. Plasma, the liquid portion of the blood, contains proteins that help clot blood. The infusions are promoted to treat a variety of conditions, including normal aging and memory loss as well as serious conditions such as dementia, multiple sclerosis, heart disease and post-traumatic stress disorder.
"There is no proven clinical benefit of infusion of plasma from young donors to cure, mitigate, treat, or prevent these conditions, and there are risks associated with the use of any plasma product," FDA Commissioner Dr. Scott Gottlieb wrote in a statement Tuesday. "The reported uses of these products should not be assumed to be safe or effective," he added, noting that the FDA "strongly" discourages consumers from using this therapy "outside of clinical trials under appropriate institutional review board and regulatory oversight." Gottlieb said that "a growing number of clinics" are offering plasma from young donors and similar therapies, though he did not name any in particular. -
FDA Warns Supplement Makers To Stop Touting Cures For Diseases and Cancer
An anonymous reader quotes a report from The New York Times: The Food and Drug Administration on Monday warned 12 sellers of dietary supplements to stop claiming their products can cure diseases ranging from Alzheimer's to cancer to diabetes. At the same time, Dr. Scott Gottlieb, the agency's commissioner, suggested that Congress strengthen the F.D.A.'s authority over an estimated $40 billion industry, which sells as many as 80,000 kinds of powders and pills with little federal scrutiny. These products range from benign substances like vitamin C or fish oil to more risky mineral, herbal and botanical concoctions that can be fatal.
"People haven't wanted to touch this framework or address this space in, really, decades, and I think it's time we do it," Dr. Gottlieb said in an interview. He is particularly concerned about supplements that purport to cure diseases for which consumers should seek medical attention. "We know there are effective therapies that can help patients with Alzheimer's," he said. "But unproven supplements that claim to treat the disease but offer no benefits can prevent patients from seeking otherwise effective care." The companies included TEK Naturals, Pure Nootropics and Sovereign Laboratories. In a letter to TEK Naturals, the F.D.A. and the Federal Trade Commission chastised the company for marketing Mind Ignite as a product "clinically shown to help diseases of the brain such as Alzheimer's and even dementia." -
FDA Approves First New Flu Drug In 20 Years (popsci.com)
An anonymous reader quotes a report from Popular Science: The Food & Drug Administration just announced that they had approved the aptly-named Xofluza, the first new antiviral drug in two decades, to help alleviate the symptoms of a flu infection. The reason Xofluza got a priority review from the FDA is that it works through a different mechanism than Tamiflu. Both are antivirals, meaning they prevent the replication of the virus, but they work at different stages in that process. First, a quick primer on how viruses infect you: a virus is basically a packet of genetic material that injects itself into a cell and hijacks the cell's normal replication machinery, forcing it to produce millions of copies of the virus. A protein called viral neuraminidase allows those copies to exit the cell and go infect new parts of your body. Most of our effective antivirals are neuraminidase inhibitors -- the virus can still replicate, but it's prevented from escaping.
Xofluza works by preventing the viral replication in the first place. It blocks viral polymerase, an enzyme that helps make copies of the invading genetic material. This doesn't necessarily make it better or more effective -- the FDA notes that early trials suggest it's about as effective as Tamiflu -- but as the FDA Commissioner Scott Gottlieb pointed out in a press release, "Having more treatment options that work in different ways to attack the virus is important because flu viruses can become resistant to antiviral drugs." -
Medtronic Locks Down Vulnerable Pacemaker Programming Kit Due To Cybersecurity Concerns (theregister.co.uk)
AmiMoJo shares a report from The Register: The U.S. Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive, however, it turns out security vulnerabilities in its technology that it had previously thought could only be exploited locally could actually be exploited via its software update network. Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off. -
FDA Chief Considers Ban of All Flavored E-Cigarettes (wsj.com)
Calling a surge in teen use of e-cigarettes an epidemic, the head of the Food and Drug Administration says he is considering pulling all flavored e-cigarettes from the U.S. market. From a report: After years of declining U.S. smoking rates, sales of e-cigarettes have jumped in the past year, fueled in part by online startups selling vaporizers and nicotine-laced liquids. The most popular brand, Juul, sells refills with mango, cucumber and creme flavors. Each $4 pod contains as much nicotine as a pack of cigarettes. "The number of teenagers we believe are now using these products... has reached an epidemic proportion," said FDA Commissioner Scott Gottlieb, who is expected to announce new measures Wednesday to curb underage use. Dr. Gottlieb said he believes that certain flavors make the products appealing to teens. "The availability of e-cigarettes cannot come at the expense of addicting a new generation of youth onto nicotine, and it won't," he said in an interview. Alternative source, and official announcement. -
FDA Approves First Generic Version of EpiPen (go.com)
An anonymous reader quotes a report from ABC News: The U.S. Food and Drug Administration has approved the first generic version of the EpiPen and EpiPen Jr auto injector for the emergency treatment of allergic reactions. The approval is part of the FDA's "longstanding commitment" to providing access to low-cost generic alternatives, FDA Commissioner Scott Gottlieb said in a statement. It is unclear how much the generic product -- manufactured by Teva Pharmaceuticals -- will cost. In August 2016, Mylan Pharmaceuticals was criticized for raising the price of a two-pack of EpiPens to $600. The price of two EpiPens was about $100 in 2009. The brand name version is by far the most popular epinephrine auto-injector on the market. "This approval means patients living with severe allergies who require constant access to life-saving epinephrine should have a lower-cost option, as well as another approved product to help protect against potential drug shortages," said FDA Commissioner Scott Gottlieb in a statement. -
FDA Approves First Drug Derived From Marijuana Plant (wsj.com)
The U.S. Food and Drug Administration on Monday approved the first prescription drug derived from the marijuana plant, as a treatment for rare forms of epilepsy that primarily afflict children. From a report: The FDA said Monday that it cleared GW Pharmaceuticals's Epidiolex, also known as cannabidiol, to reduce seizures associated with forms of epilepsy known as Lennox-Gastaut syndrome and Dravet syndrome, in patients 2 years of age and older. Cannabidiol is derived from the cannabis plant, also known as marijuana. U.K.-based GW Pharmaceuticals says the solution, taken by mouth, is made from a proprietary strain of cannabis designed to maximize a therapeutic component while minimizing components that produce euphoria. GW Pharmaceuticals grows the plants in the U.K.
The FDA said Monday that the drug doesn't cause the high that comes from the chemical tetrahydrocannabinol, or THC, which is the main psychoactive component of marijuana. FDA officials also said the drug doesn't appear to have abuse potential, citing minimal reports of euphoria in patients who took the drug in clinical studies. Further reading: StatNews, The Guardian, and FDA. -
FDA Approves First Contact Lenses That Turn Dark In Bright Sunlight (interestingengineering.com)
The first photochromic contact lenses have been approved by the FDA. "A unique additive will automatically darken the lenses when they're exposed to bright light," reports Interesting Engineering, citing an FDA statement. "The lenses will clear up whenever they're back in normal or darker lighting conditions." From the report: "This contact lens is the first of its kind to incorporate the same technology that is used in eyeglasses that automatically darken in the sun," said Malvina Eydelman. Eydelman serves as director of the division of ophthalmic, and ear, nose and throat devices at the FDA's Center for Devices and Radiological Health. The FDA approved the technology after extensive trials and clinical studies. One study had 24 wearers use the contacts while driving in both daytime and nighttime settings. The FDA found that there were no problems with driving performance or issues with vision while wearing those contact lenses. In total, over 1,000 patients were involved in the various studies conducted by the FDA. According to current plans, these photochromic lenses should be available for those needing them by the first half of 2019. -
FDA Approves AI-Powered Software To Detect Diabetic Retinopathy (engadget.com)
The U.S. Food and Drug Administration (FDA) has just approved an AI-powered device that can be used by non-specialists to detect diabetic retinopathy in adults with diabetes. Engadget reports: Diabetic retinopathy occurs when the high levels of blood sugar in the bloodstream cause damage to your retina's blood vessels. It's the most common cause of vision loss, according to the FDA. The approval comes for a device called IDx-DR, a software program that uses an AI algorithm to analyze images of the eye that can be taken in a regular doctor's office with a special camera, the Topcon NW400. The photos are then uploaded to a server that runs IDx-DR, which can then tell the doctor if there is a more than mild level of diabetic retinopathy present. If not, it will advise a re-screen in 12 months. The device and software can be used by health care providers who don't normally provide eye care services. The FDA warns that you shouldn't be screened with the device if you have had laser treatment, eye surgery or injections, as well as those with other conditions, like persistent vision loss, blurred vision, floaters, previously diagnosed macular edema and more. -
FDA Declares Popular Alt-Medicine Kratom an Opioid (nbcnews.com)
An anonymous reader quotes a report from NBC News: The Food and Drug Administration declared the popular herbal product kratom to be an opioid on Tuesday, opening a new front in its battle to get people to stop using it. New research shows kratom acts in the brain just as opioids do, FDA Commissioner Dr. Scott Gottlieb said in a statement. And he said the agency has documented 44 cases in which kratom at least helped kill people -- often otherwise healthy young people.
"Taken in total, the scientific evidence we've evaluated about kratom provides a clear picture of the biologic effect of this substance," Gottlieb wrote. "Kratom should not be used to treat medical conditions, nor should it be used as an alternative to prescription opioids. There is no evidence to indicate that kratom is safe or effective for any medical use." The FDA released detailed accounts of several of the deaths. The victims often had mixed kratom with other substances, including chemicals taken out of inhalers and found in over-the-counter cold and flu drugs. -
FDA Approves First-Ever Gene Therapy For Inherited Form of Blindness (sciencealert.com)
schwit1 shares a report from ScienceAlert: In a historic move, the Food and Drug Administration on Tuesday approved a pioneering gene therapy for a rare form of childhood blindness, the first such treatment cleared in the United States for an inherited disease. The approval signals a new era for gene therapy, a field that struggled for decades to overcome devastating setbacks but now is pushing forward in an effort to develop treatments for haemophilia, sickle-cell anaemia, and an array of other genetic diseases. Yet the products, should they reach patients, are likely to cost as much as $1 million for both eyes. -
FDA Approves Digital Pill That Tracks If Patients Have Ingested Their Medication (nytimes.com)
An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): For the first time, the Food and Drug Administration has approved a digital pill -- a medication embedded with a sensor that can tell doctors whether, and when, patients take their medicine. The approval, announced late on Monday, marks a significant advance in the growing field of digital devices designed to monitor medicine-taking and to address the expensive, longstanding problem that millions of patients do not take drugs as prescribed. Experts estimate that so-called nonadherence or noncompliance to medication costs about $100 billion a year, much of it because patients get sicker and need additional treatment or hospitalization. Patients who agree to take the digital medication, a version of the antipsychotic Abilify, can sign consent forms allowing their doctors and up to four other people, including family members, to receive electronic data showing the date and time pills are ingested. A smartphone app will let them block recipients anytime they change their mind. Although voluntary, the technology is still likely to prompt questions about privacy and whether patients might feel pressure to take medication in a form their doctors can monitor. -
FDA Slams EpiPen Maker For Doing Nothing While Hundreds Failed, People Died (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The manufacturer of EpiPen devices failed to address known malfunctions in its epinephrine auto-injectors even as hundreds of customer complaints rolled in and failures were linked to deaths, according to the Food and Drug Administration. The damning allegations came to light today when the FDA posted a warning letter it sent September 5 to the manufacturer, Meridian Medical Technologies, Inc. The company (which is owned by Pfizer) produces EpiPens for Mylan, which owns the devices and is notorious for dramatically raising prices by more than 400 percent in recent years. The auto-injectors are designed to be used during life-threatening allergic reactions to provide a quick shot of epinephrine. If they fail to fire, people experiencing a reaction can die or suffer serious illnesses. According to the FDA, that's exactly what happened for hundreds of customers. In the letter, the agency wrote: "In fact, your own data show that you received hundreds of complaints that your EpiPen products failed to operate during life-threatening emergencies, including some situations in which patients subsequently died."
The agency goes on to lambast Meridian Medical for failing to investigate problems with the devices, recall bad batches, and follow-up on problems found. For instance, a customer made a complaint in April 2016 that an EpiPen failed. When Meridian disassembled the device, it found a deformed component that led to the problem -- the exact same defect it had found in February when another unit failed. -
FDA Approves First Cell-Based Therapy For Cancer (npr.org)
An anonymous reader quotes a report from NPR: The Food and Drug Administration on Wednesday announced what the agency calls a "historic action" -- the first approval of a cell-based gene therapy in the United States. The FDA approved Kymriah, which scientists refer to as a "living drug" because it involves using genetically modified immune cells from patients to attack their cancer. The drug was approved to treat children and young adults suffering from acute lymphoblastic leukemia, a cancer of blood and bone marrow that is the most common childhood cancer in the United States. About 3,100 patients who are 20 and younger are diagnosed with ALL each year. The treatment involves removing immune system cells known as T cells from each patient and genetically modifying the cells in the laboratory to attack and kill leukemia cells. The genetically modified cells are then infused back into patients. It's also known as CAR-T cell therapy.
The treatment, which is also called CTL109, produced remission within three months in 83 percent of 63 pediatric and young adult patients. The patients had failed to respond to standard treatments or had suffered relapses. Based on those results, an FDA advisory panel recommended the approval in July. The treatment does carry risks, however, including a dangerous overreaction by the immune system known as cytokine-release syndrome. As a result, the FDA is requiring strong warnings. -
FDA Slams St. Jude Medical For Ignoring Security Flaws In Medical Devices (securityledger.com)
chicksdaddy quotes a report from The Security Ledger: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company's devices as "adulterated," in violation of the U.S. Federal Food, Drug and Cosmetic Act, the Security Ledger reports. In a damning warning letter, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death. St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company's "high voltage and peripheral devices" in an April, 2014 "third party assessment" commissioned by the company. But St. Jude "failed to accurately incorporate the findings of that assessment" in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a "hardcoded universal unlock code" for the company's implantable, high voltage devices. The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude's technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking "short" positions on firms.
At the time, MedSec said that the security of the company's medical devices and support software was "grossly inadequate compared with other leading manufacturers," and represents "unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients." St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior. -
Studies Show Testosterone Offers Little Benefits To Aging Men (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: In decades of research, scientists have found only one medical condition that's clearly and effectively treated with testosterone supplements: pathological hypogonadism -- that's low testosterone levels due to disease of the hypothalamus, pituitary gland, or testes. In a series of placebo-controlled, randomized trials, researchers tracked the effect of testosterone on the cognition, bone health, anemia, and cardiovascular health of 788 men for a year. All the men were aged 65 or older and had low testosterone levels that couldn't be explained by anything other than age. The results, reported Tuesday in JAMA and JAMA Internal Medicine, offer mixed results. Among the 493 in the trial who also had age-related memory declines, testosterone didn't have any effect on memory or cognitive abilities. In the study, 247 got testosterone and 246 got a placebo. But for cardiovascular health, there was an effect -- a bad one. Over the year, plaque buildup in the coronary artery -- which is a risk factor for heart disease -- increased in 73 men on testosterone compared with 65 on placebo. However, other studies have found mixed results on this. Longer, bigger trials will be needed to sort out the risks. In the anemia study, testosterone did seem to improve iron levels in men with mild anemia. The bone health study also showed that testosterone could improve bone density. However, it's unclear if those benefits outweigh the possible cardiovascular risks. And other drugs may be more effective at treating anemia and improving bone mass than testosterone. -
FDA Confirms Toxicity of Homeopathic Baby Products; Maker Refuses To Recall (arstechnica.com)
Last year in November, the Federal Trade Commission issued an enforcement policy statement that requires over-the-counter (OTC) homeopathic drugs and product makers to disclose in their advertisement and labeling that there is no evidence that homeopathic products are effective. At around the same time the FTC issued the statement, the Food and Drug Administration was investigating homeopathic teething gels and tablets, which may have been improperly diluted, thus causing serious harm to infants. The FDA investigated 10 infant deaths and more than 400 reports of seizures, fever, and vomiting and confirmed Friday that belladonna, also known as deadly nightshade, was the prime suspect. When the FDA notified the products' maker, Hyland's, the company would not agree to recall the products. Ars Technica reports: Hyland's has been defensive since the FDA first opened the investigation last September. In an October press release, the company referred to the agency's warnings as a source of "confusion" and assured consumers that the products are safe and effective. Still, the company discontinued distribution in the U.S. The National Center for Homeopathy, which has ties with Hyland's, slammed the FDA, calling the agency's warnings "arbitrary and capricious." In an "action alert," the organization went on to suggest that warning was prompted by "groups interested in seeing homeopathy destroyed" and led to "fear mongering" by the media. As before, the FDA is urging parents to avoid the homeopathic teething products and toss any already purchased. The FDA does not evaluate or approve the homeopathic products, which have no proven health benefit. Belladonna is an active ingredient in those products, but is supposed to be heavily diluted. Homeopaths believe that ailments and diseases can be cured by trace amounts or "memories" of toxic substances that mimic or cause similar symptoms.
Homeopathy is a pseudoscience that has been squarely debunked, offering no more than a placebo effect. In its announcement Friday, the FDA said it had found inconsistent amounts of belladonna in Hyland's products. Some of the amounts were "far exceeding" what was intended. -
Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns (vice.com)
The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital. -
FDA Releases New Cybersecurity Guidelines For Medical Devices (theverge.com)
An anonymous reader quotes a report from The Verge: The U.S. Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they've entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device -- with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document (PDF) encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable -- so they're largely without teeth. The FDA issued an earlier set of recommendations in October 2014 (PDF), which recommended ways for manufacturers to build cybersecurity protections into medical devices as they're being designed and developed. Today's guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur. Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don't have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug -- then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won't have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO. -
FDA Bans 19 Chemicals Used In Antibacterial Soaps (nbcnews.com)
The Food and Drug Administration has ordered "antibacterial" ingredients to be removed from consumer soaps, citing a lack of evidence that they are effective in making soap work any better and that the industry has failed to prove they're safe. The banned chemicals include triclosan, triclocarban and 17 others (PDF) typically found in hand and body soaps. Companies have until late next year to remove the ingredients from their products, the FDA said. "Companies will no longer be able to market antibacterial washes with these ingredients because manufacturers did not demonstrate that the ingredients are both safe for long-term daily use and more effective than plain soap and water in preventing illness and the spread of certain infections," the FDA said in a statement. NBC News reports: "In 2013 FDA gave soapmakers a year to show that adding antibacterial chemicals did anything at all to help them kill germs. It made the rule final Friday. The FDA started asking about triclosan in 1978. Environmental groups and some members of Congress have been calling for limits on the use of triclosan. The Natural Resources Defense Council (NRDC) sued and the FDA agreed to do something about triclosan by 2016. There's no proof that triclosan is dangerous to people, but some animal studies suggest high doses can affect the way hormones work in the body. The proposed rule only affects hand soaps and body washes. Triclosan is often used in toothpaste and it's been shown to help kill germs that cause gum disease." -
FDA Finds Flaws In Theranos' Zika Tests (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: This past week, the U.S. Food and Drug Administration mandated testing for the Zika virus at all U.S. blood centers. That juices demand for Zika-testing technology, but one company that isn't welcome to provide it yet is Theranos. The beleaguered blood analysis startup has run afoul of the FDA, yet again, The Wall Street Journal reports (Warning: may be paywalled). Specifically, regulators found that in developing and testing a new Zika-diagnostic technology, Theranos failed to use proper patient safety protocols, the type approved by an institutional review board. Such protocols are critical in ensuring the ethical treatment of patients involved in studies, and their safety. Theranos had sought the same FDA authorization, but voluntarily withdrew its request once regulators called the startup out, this time, on the safety protocols issue. -
FDA Approves First Implant Treatment For Opioid Addiction (bloomberg.com)
An anonymous reader writes from a report via Bloomberg: The Food and Drug Administration cleared the first implant in the U.S. to treat heroin and opioid painkiller addictions. The product, Probuphine, may be used to treat addicts continuously for six months with the drug buprenorphine, according to a statement from the agency on Thursday. Titan Pharmaceuticals Inc. and partner Braeburn Pharmaceuticals are the two companies behind the implant and plan to bring it to the market just as Congress passed a bill aimed at addressing the opioid crisis. Buprenorphine differs from methadone in that it doesn't require a treatment program. Doctors can prescribe the implant to patients after they take a four-hour training program. The FDA rejected the implant in 2013 because the original dose that the companies proposed was too low to provide effective treatment. The companies decided to maintain the lower dose and attempt to gain approval by restricting use to patients who already were stable on such amounts. Meanwhile, employers are struggling to find workers who can pass a pre-employment drug test. -
Medical Equipment Crashes During Heart Procedure Because Of Antivirus Scan (softpedia.com)
An anonymous reader quotes a report from Softpedia: The device in question is Merge Hemo, a complex piece of medical equipment used to supervise heart catheterization procedures, during which doctors insert a catheter inside blood veins and arteries in order to diagnose various types of heart diseases. According to one such report filed by Merge Healthcare in February, Merge Hemo suffered a mysterious crash right in the middle of a heart procedure when the screen went black and doctors had to reboot their computer. Merge investigated the issue and later reported to the FDA that the problem occurred because of the antivirus software running on the doctors' computer. The antivirus was configured to scan for viruses every hour, and the scan started right in the middle of the procedure. Merge says the antivirus froze access to crucial data acquired during the heart catheterization. Unable to access real-time data, the app crashed spectacularly. -
Professor Kevin Fu Answers Your Questions About Medical Device Security
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions.
Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.
Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.
I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years' worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.
Cochlear Implants
by mcspoo
How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved. But there are also good reasons for remote access. Namely, patients' bodies change over time and an audiologist must tune the implant settings manually today. Remote control may simplify the life for patients from a demographic that may have difficulty making office visits.
Cochlear implants are amazing little devices to enable profoundly deaf patients to partially restore hearing. See the cover of Biodesign: The Process of Innovating Medical Technologies by Zenios, Makower, Yock. Also see Ultra Low Power Bioelectronics by Rahul Sarpeshkar. Cochlear implants consist of two major pieces: (1) an implant in the skull that directly stimulates the auditory nerve, and (2) a less resource-constrained external device worn on the scalp. The external device clips onto the scalp with a magnet to keep the implant paired. Think of the implant as special circuitry to wirelessly deliver sound as electrical impulses. Think of the external device as the source of power, sound inputs, and control.
I met a relatively young flight attendant a few years ago who had a cochlear implant. He explained that one day he suffered a routine cold that got worse and caused a rare infection that destroyed his auditory nerve. He lost his hearing. The cochlear implant sufficiently restored his hearing such that he and I could have a normal conversation.
You can imagine the complex security and privacy questions that will need to be considered when future devices go all "Internet of Things" or "TerraSwarm."
PCA Pumps?
by Digital Ebola
Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update. Thanks!
Fu: Pumps for medicine are amazing. Most people who have visited a hospital or seen a TV show should be aware of the plain old IV drip of saline solution to hydrate patients by gravity. It gets more interesting when a computer-controlled pump takes over from gravity. There are all sorts of pumps ranging from bed-side pumps to implantable pumps.
A PCA pump is short for a patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a "more please" button that delivers a bolus of drug via an IV.
A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics. Several faculty have done outstanding work in this space several years ago, and more recently a number of smart blackhat researchers have demonstrated the problems in ways more easily understandable by the general public. I think it's fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurity in good faith. Some manufacturers apparently have been thinking about security for a while. For instance, members of the insulin pump team at Medtronic recently were issued a medical device security patent filed way back in 2007!
Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products---some by design and some by accident. It's out of sight, out of mind. On old CAT scans, you'll sometimes even find an "lp" Unix account enabled without a password. I don't know about this particular pump in question, but I would not be surprised if there are some ports left open for debugging or communication with online drug libraries. You will likely find some interesting traffic, perhaps not cryptographically protected, if you listen to the network. If you do find a problem, please be responsible and patient. Finding a vulnerability in a web browser is significantly different from finding a vulnerability in a medical device. The direct consequences on patients must be taken into account, and security researchers not collaborating with a physician are likely skating on thin ice. I recommend that researchers notify the FDA so that they may communicate the problem to the manufacturer. Call up the FDA people listed on the FDA cybersecurity guidance. Or file a MedWatch 3500 report. It once took a year for FDA to process one of my security reports; they are somewhat understaffed. FDA has tens of thousands of employees, but only about two of them focus on security. So be patient. They are good people doing the best they can with their scarce resources. Remember, your U.S. readers elected the people who set the budget.
Clinical Data Systems
by DeathGrippe
Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?
Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With "bandaid" approaches like firewalls and anti-virus, the devices can last longer before re-infection. Alas, you can't make good wine out of bad grapes. Windows XP lacks meaningful security requirements. Microsoft learned its lessons, and has improved the security requirements and approaches over the years. Microsoft ended all support for XP on April 8th of this year.
That said, Linux ain't no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.
What can I do if I have one?
by AmiMoJo
Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?
Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufacturers sincerely want to improve the security of their products. This positive attitude is unlike what one will find in adversarial industries like electronic voting where it's more common to see manufacturer denial of risks rather than mitigation of risks. I've seen some large medical device manufacturers vendors organize security teams composed of dozens of employees across engineering, sales, marketing, you name it, the whole company. They are beginning to understand that information security and privacy has to become part of the corporate culture if the products make use of modern communication and computer technology.
On the other hand, I don't think you'll ever find a hack-proof computer---whether it be a laptop, smart fridge, or medical device. I used to believe that a computer buried in concrete was secure, until I buried one in the concrete foundation of my house and powered it up wirelessly. You could also go to your car dealer and replace your car with a crash-proof car after you run into a tree. You might get funny looks. A manufacturer cannot eliminate risk, but it can be smart about minimizing risk. For instance, one of the best ways to minimize security risk is to have meaningful security requirements during the concept phase of device engineering. The requirements won't prevent security problems, but lack of security requirements will prevent the product from having meaningful security down the line. One can argue that it's a lot cheaper to engineer security from the start rather than to retrofit, but that argument is no longer necessary since draft FDA guidance on cybersecurity is abundantly clear on expectations for security risk management during the manufacture of new devices.
If I were prescribed a medical device, I would accept it. Why? Anything with a computer is hackable by some adversary. So worrying about whether an implant can be hacked does not help answer the basic question: how to balance risk. If you are prescribed a medical device, then likely your doctor determined that you have a significant, predisposed risk. For instance, you might have a significant risk of sudden cardiac arrest. In general, you are much safer with a device than without.
Re:Start-ups
by Anonymous Coward
How good is malwaresoftware and the WattsUpDoc system at finding something potentially harmful on a device?
Fu: WattsUpDoc is a system that detects malware by analyzing patterns in the power outlet. It's basically a phase shift on the AC power line caused by reactive power and varying loads of the connected computer. The details get hairy and are written for the experts, so I'd refer you to the scientific paper. The beauty is that no software changes are required for the device being monitored (e.g., medical devices).
We published our report on WattsUpDoc at the USENIX HealthTech workshop. There is also a related paper on detecting web browser activity from the power lines. The performance surprised me: 95% accuracy for known malware, and 85% accuracy for previously unknown malware (unlabeled samples of a malware infection that were not in the training set). It works well because medical devices tend to do a small number of different things when working normally. We can detect the deviation.
Should the local IT team have full control over a system
by Joe_Dragon
Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them without delays?
Fu: Hi Joe the Dragon. I shall call you Trogdor. This is a good question, but it technically is a leading question because computing systems created by medical device manufacturers force the IT team to choose between bad and worse. In a more ideal world, we wouldn't need to worry about viruses in the first place. So let me go on a tangent for a moment. Buffer overflows? Maybe that medical device should not be written in C. SQL injection error? Maybe you shouldn't be running a web server with an embedded database inside a life-critical medical device in the first place. The IT folks catch a lot of blame ranging from breaches to clinician complaints of mucking up the clinical workflow. There's some truth to that, but realize that the IT folks are stuck with what they can buy or make.
Ok, now your question: Do you give IT the keys? I'm not gonna be tricked into answering that one. It depends. I think the most effective organizational structures are ones where the clinical safety teams and the IT security teams learn to speak each others' languages. The manufacturers need to be forthcoming about offering regular security updates for underlying 3rd party software if they make the business choice to use COTS software. Hey, COTS software is cheap for a reason. The best situation is when the leaders of these teams do not hesitate to call each other. That said, the most secure system might also be the most unsafe. The most safe system might be the least secure. There are cases where one might forgo security because a safety issue trumps. What if you lock out access to a hypothetical pacemaker after three failed password attempts? Probably not a good idea if you think for a moment. A secure system that cannot deliver care is neither safe nor effective. Striking the balance is tricky.
I have a long rant on software updates (NSFW).
Safer Programming Language
by Anonymous Coward
The C programming language is most often used for embedded devices. The language is poorly specified. Compilers sometimes have issues, and programmers find a zillion creative ways to make mistakes. MISRA C and its enforcement is a bag of hurt in the absence of certified tools. Has there been any work to define a more safe/sane programming language for embedded devices?
Fu: Yes, but it's certainly hard to find in the medical device community. My colleagues from aviation software safety brag about their safer languages and practices, and I do think it's a good idea for the medical device community to borrow ideas from avionics. However, there are a couple roadblocks.
First, there's a crapton of legacy software out there. Try this experiment: walk into the C suite (not the programming language, the corporate suite), then declare that you need to stop product development for 9 months in order to convert to architectures that have better security properties. I know of only one company that did this (hint, it's an automotive company).
Second, the universities are at fault. I once asked a senior engineer at a medical device manufacturer why they wrote in C and assembly for their implantable medical device firmware. The engineer explained, that's who they can hire! The universities produce the graduates, and we are not training them sufficiently for trustworthy computing. When we teach students C and C++, we are handing them loaded weapons. Many of the students are talented and can respect the unchecked power of C and assembly. It's especially good for high performance systems and hand-optimized inner loop code. However, if we want to see improvements in choices of programming languages, universities need to produce engineers who understand the risks of different programming languages. No one language is perfect for every situation. I highly recommend reading Prof. John Knight's book on Fundamentals of Dependable Computing for Software Engineers to learn about how to match the programming language to the risks.
What to do when security is unfixable?
by Anonymous Coward
Seeing the abysmal state of computer security, even basic computer reliability expectations (which Dijkstra already noted, years ago), it's no surprise that embedded systems are no better. Simply because you usually don't see them and are thus less likely to notice just how poorly and insecurely the software is done. So how do we convince these people in the medical apparatus industry to leave well alone with the networking and wireless and bells and whistles, and simply deliver us machinery that does what it does, keep us alive, and not also surf the 'web for cat videos, or leave the door open for someone to come along with the latest exploit kit? Why do these things have to be connected at all?
Fu: A couple responses. A lot of medical devices are not networked in the sense of our home computers on the Internet. Many are connected with sneakernet. Yet the malware still can get in. Sleep labs are notorious for malware because patients bring in USB sticks of music, plus unwanted bonus material. I know one large medical device that was offline, but got infected by Conficker during the split second that the vendor temporarily enabled the Internet connection to download a software update. Sad.
Keep in mind that manufacturers create products because they think they can sell them. If consumers did not express interest in questionably secure products, then we'd see better security. If insurance rates were tied to cybersecurity hygiene, we'd see security economics at work. Unfortunately, security and privacy are out of sight and out of mind as you point out. For instance, hospitals often demand the bells and whistles. I witnessed one physician checking Gmail and the web on a medical records system during surgery. I didn't have a chance to explain the risks of drive-by downloads as he was occupied teaching a young resident how to catheterize the anesthetized patient. I know another hospital system where they let radiologists check email on the medical devices because staff wanted access to email, and there wasn't enough desk space for a second computer.
I have a set of slides on wireless where I make the argument that wireless is like bacon. People think it makes everything taste better. Wireless communication and network connections do serve an important role, but one needs to make a case-by-case judgement for each device. I like the concept of wireless to reduce infection rates during surgical implantations of defibrillators and pacemakers. About 1-2% of implantations result in major complications such as infection, and about 1% of these cases are fatal. Wireless does introduce security risks. While the security architectures can be greatly improved, I'd rather be insecurely alive than securely dead from an infection.
Medical device security vs. Open standards?
by Anonymous Coward
In the ever increasing world of consumerized technology (Apps, smartphones, smarter cars etc.), how do you see medical device security staying relevant and cutting edge while maintaining adequate security? More and more people can and probably will ask "why can't I use with my ?". For instance, could a secure, but open interface be created for Insulin pumps which would allow an end-user app to aggregate multiple data sources into a better snapshot of that person, while still being secure and protected from hijacking by a 3rd party?
Fu: I agree that the natives will get restless if they perceive security as a problem rather than a solution. However, consumers have become accustomed to crap in a hurry during the 1990s transition from postcards to hyperconnected electronic communication. I think it will be difficult to create magic walled gardens or magic interfaces that "add" security because security is not a product, it's a property and a process. I see three areas where one can improve the trustworthiness of medical device software: early concept phases, post market surveillance, and all the fun stuff between (design, implementation, testing, verification, validation, etc.). There's a significant security focus on the implementation and finding bugs, but by that time much of the fate is sealed by the requirements engineering. I think more time should be spent at the concept phase on hazard analysis, risk management, etc. so that implementations are less likely to have security problems. Then spend time on post-market surveillance so you can measure the shifting effectiveness of the security mechanisms as the threats evolve.
Today, the worries are mostly conventional malware slowing down medical devices or causing malfunctions. We've begun to see signs of nation state threats, and we should use our time carefully as threats rarely decrease in severity.
I'd encourage computer science students to work for a medical device manufacturer or FDA rather than the latest Silicon Valley startup. The problems will be interesting and will bring great personal satisfaction. For creative students who enjoy writing and open ended problem solving in health care, apply to graduate schools that carry out medical device security research! Best wishes. -
Professor Kevin Fu Answers Your Questions About Medical Device Security
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions. Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.
Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.
I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.
Cochlear Implants
by mcspoo
How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved. But there are also good reasons for remote access. Namely, patient's bodies change overtime and an audiologist must tune the implant settings manually today. Remote control may simplify the life for patients from a demographic that may have difficulty making office visits.
Cochlear implants are amazing little devices to enable profoundly deaf patients to partially restore hearing. See the cover of Biodesign: The Process of Innovating Medical Technologies by Zenios, Makower, Yock. Also see Ultra Low Power Bioelectronics by Rahul Sarpeshkar. Cochlear implants consist of two major pieces: (1) an implant in the skull that directly stimulates the auditory nerve, and (2) a less resource-constrained external device worn on the scalp. The external device clips onto the scalp with a magnet to keep the implant paired. Think of the implant as special circuitry to wirelessly deliver sound as electrical impulses. Think of the external device as the source of power, sound inputs, and control.
I met a relatively young flight attendant a few years ago who had a cochlear implant. He explained that one day he suffered a routine cold that got worse and caused a rare infection that destroyed his auditory nerve. He lost his hearing. The cochlear implant sufficiently restored his hearing such that he and I could have a normal conversation.
You can imagine the complex security and privacy questions that will need to be considered when future devices go all "Internet of Things" or "TerraSwarm."
PCA Pumps?
by Digital Ebola
Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update. Thanks!
Fu: Pumps for medicine are amazing. Most people who have visited a hospital or seen a TV show should be aware of the plain old IV drip of saline solution to hydrate patients by gravity. It gets more interesting when a computer-controlled pump takes over from gravity. There are all sorts of pumps ranging from bed-side pumps to implantable pumps.
A PCA pump is short for a patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a "more please" button that delivers a bolus of drug via an IV.
A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics. Several faculty have done outstanding work in this space several years ago, and more recently a number of smart blackhat researchers have demonstrated the problems in ways more easily understandable by the general public. I think it's fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurityin good faith. Some manufacturers apparently have been thinking about security for a while. For instance, members of the insulin pump team at Medtronic recently were issued a medical device security patent filed way back in 2007!
Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products---some by design and some by accident. It's out of sight, out of mind. On old CAT scans, you'll sometimes even find an "lp" Unix account enabled without a password. I don't know about this particular pump in question, but I would not be surprised if there are some ports left open for debugging or communication with online drug libraries. You will likely find some interesting traffic, perhaps not cryptographically protected, if you listen to the network. If you do find a problem, please be responsible and patient. Finding a vulnerability in a web browser is significantly different from finding a vulnerability in a medical device. The direct consequences on patients must be taken into account, and security researchers not collaborating with a physician are likely skating on thin ice. I recommend that researchers notify the FDA so that they may communicate the problem to the manufacturer. Call up the FDA people listed on the FDA cybersecurity guidance. Or file a MedWatch 3500 report. It once took a year for FDA to process one of my security reports; they are somewhat understaffed. FDA has tens of thousands of employees, but only about two of them focus on security. So be patient. They are good people doing the best they can with their scare resources. Remember, your U.S. readers elected the people who set the budget.
Clinical Data Systems
by DeathGrippe
Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?
Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With "bandaid" approaches like firewalls and anti-virus, the devices can last longer before re-infection. Alas, you can't make good wine out of bad grapes. Windows XP lacks meaningful security requirements. Microsoft learned its lessons, and has improved the security requirements and approaches over the years. Microsoft ended all support for XP on April 8th of this year.
That said, Linux ain't no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.
What can I do if I have one?
by AmiMoJo
Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?
Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufacturers sincerely want to improve the security of their products. This positive attitude is unlike what one will find in adversarial industries like electronic voting where it's more common to see manufacturer denial of risks rather than mitigation of risks. I've seen some large medical device manufacturers vendors organize security teams composed of dozens of employees across engineering, sales, marketing, you name it, the whole company. They are beginning to understand that information security and privacy has to become part of the corporate culture if the products make use of modern communication and computer technology.
On the other hand, I don't think you'll ever find a hack-proof computer---whether it be a laptop, smart fridge, or medical device. I used to believe that a computer buried in concrete was secure, until I buried one in the concrete foundation of my house and powered it up wirelessly. You could also go to your car dealer and replace your car with a crash-proof car after you run into a tree. You might get funny looks. A manufacturer cannot eliminate risk, but it can be smart about minimizing risk. For instance, one of the best ways to minimize security risk is to have meaningful security requirements during the concept phase of device engineering. The requirements won't prevent security problems, but lack of security requirements will prevent the product from having meaningful security down the line. One can argue that it's a lot cheaper to engineer security from the start rather than to retrofit, but that argument is no longer necessary since draft FDA guidance on cybersecurity is abundantly clear on expectations for security risk management during the manufacture of new devices.
If I were prescribed a medical device, I would accept it. Why? Anything with a computer is hackable by some adversary. So worrying about whether an implant can be hacked does not help answer the basic question: how to balance risk. If you are prescribed a medical device, then likely your doctor determined that you have a significant, predisposed risk. For instance, you might have a significant risk of sudden cardiac arrest. In general, you are much safer with a device than without.
Re:Start-ups
by Anonymous Coward
How good is malware software and the WattsUpDoc system at finding something potentially harmful on a device?
Fu: WattsUpDoc is a system that detects malware by analyzing patterns in the power outlet. It's basically a phase shift on the AC power line caused by reactive power and varying loads of the connected computer. The details get hairy and are written for the experts, so I'd refer you to the scientific paper. The beauty is that no software changes are required for the device being monitored (e.g., medical devices).
We published our report on WattsUpDoc at the USENIX HealthTech workshop. There is also a related paper on detecting web browser activity from the power lines. The performance surprised me: 95% accuracy for known malware, and 85% accuracy for previously unknown malware (unlabeled samples of a malware infection that were not in the training set). It works well because medical devices tend to do a small number of different things when working normally. We can detect the deviation.
Should the local IT team have full control over a system
by Joe_Dragon
Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them without delays?
Fu: Hi Joe the Dragon. I shall call you Trogdor. This is a good question, but it technically is a leading question because computing systems created by medical device manufacturers force the IT team to choose between bad and worse. In a more ideal world, we wouldn't need to worry about viruses in the first place. So let me go on a tangent for a moment. Buffer overflows? Maybe that medical device should not be written in C. SQL injection error? Maybe you shouldn't be running a web server with an embedded database inside a life-critical medical device in the first place. The IT folks catch a lot of blame ranging from breaches to clinician complaints of mucking up the clinical workflow. There's some truth to that, but realize that the IT folks are stuck with what they can buy or make.
Ok, now your question: Do you give IT the keys? I'm not gonna be tricked into answering that one. It depends. I think the most effective organizational structures are ones where the clinical safety teams and the IT security teams learn to speak each other's languages. The manufacturers need to be forthcoming about offering regular security updates for underlying 3rd party software if they make the business choice to use COTS software. Hey, COTS software is cheap for a reason. The best situation is when the leaders of these teams do not hesitate to call each other. That said, the most secure system might also be the most unsafe. The most safe system might be the least secure. There are cases where one might forgo security because a safety issue trumps. What if you lock out access to a hypothetical pacemaker after three failed password attempts? Probably not a good idea if you think for a moment. A secure system that cannot deliver care is neither safe nor effective. Striking the balance is tricky.
I have a long rant on software updates (NSFW).
Safer Programming Language
by Anonymous Coward
The C programming language is most often used for embedded devices. The language is poorly specified. Compilers sometimes have issues, and programmers find a zillion creative ways to make mistakes. MISRA C and its enforcement is a bag of hurt in the absence of certified tools. Has there been any work to define a more safe/sane programming language for embedded devices?
Fu: Yes, but it's certainly hard to find in the medical device community. My colleagues from aviation software safety brag about their safer languages and practices, and I do think it's a good idea for the medical device community to borrow ideas from avionics. However, there are a couple roadblocks.
First, there's a crapton of legacy software out there. Try this experiment: walk into the C suite (not the programming language, the corporate suite), then declare that you need to stop product development for 9 months in order to convert to architectures that have better security properties. I know of only one company that did this (hint, it's an automotive company).
Second, the universities are at fault. I once asked a senior engineer at a medical device manufacturer why they wrote in C and assembly for their implantable medical device firmware. The engineer explained, that's who they can hire! The universities produce the graduates, and we are not training them sufficiently for trustworthy computing. When we teach students C and C++, we are handing them loaded weapons. Many of the students are talented and can respect the unchecked power of C and assembly. It's especially good for high performance systems and hand-optimized inner loop code. However, if we want to see improvements in choices of programming languages, universities need to produce engineers who understand the risks of different programming languages. No one language is perfect for every situation. I highly recommend reading Prof. John Knight's book on Fundamentals of Dependable Computing for Software Engineers to learn about how to match the programming language to the risks.
What to do when security is unfixable?
by Anonymous Coward
Seeing the abysmal state of computer security, even basic computer reliability expectations (which Dijkstra already noted, years ago), it's no surprise that embedded systems are no better. Simply because you usually don't see them and are thus less likely to notice just how poorly and insecurely the software is done. So how do we convince these people in the medical apparatus industry to leave well alone with the networking and wireless and bells and whistles, and simply deliver us machinery that does what it does, keep us alive, and not also surf the 'web for cat videos, or leave the door open for someone to come along with the latest exploit kit? Why do these things have to be connected at all?
Fu: A couple responses. A lot of medical devices are not networked in the sense of our home computers on the Internet. Many are connected with sneakernet. Yet the malware still can get in. Sleep labs are notorious for malware because patients bring in USB sticks of music, plus unwanted bonus material. I know one large medical device that was offline, but got infected by Conficker during the split second that the vendor temporarily enabled the Internet connection to download a software update. Sad.
Keep in mind that manufacturers create products because they think they can sell them. If consumers did not express interest in questionably secure products, then we'd see better security. If insurance rates were tied to cybersecurity hygiene, we'd see security economics at work. Unfortunately, security and privacy are out of sight and out of mind as you point out. For instance, hospitals often demand the bells and whistles. I witnessed one physician checking Gmail and the web on a medical records system during surgery. I didn't have a chance to explain the risks of drive-by downloads as he was occupied teaching a young resident how to catheterize the anesthetized patient. I know another hospital system where they let radiologists check email on the medical devices because staff wanted access to email, and there wasn't enough desk space for a second computer.
I have a set of slides on wireless where I make the argument that wireless is like bacon. People think it makes everything taste better. Wireless communication and network connections do serve an important role, but one needs to make a case-by-case judgement for each device. I like the concept of wireless to reduce infection rates during surgical implantations of defibrillators and pacemakers. About 1-2% of implantations result in major complications such as infection, and about 1% of these cases are fatal. Wireless does introduce security risks. While the security architectures can be greatly improved, I'd rather be insecurely alive than securely dead from an infection.
Medical device security vs. Open standards?
by Anonymous Coward
In the ever increasing world of consumerized technology (Apps, smartphones, smarter cars etc.), how do you see medical device security staying relevant and cutting edge while maintaining adequate security? More and more people can and probably will ask "why can't I use with my ?". For instance, could a secure, but open interface be created for Insulin pumps which would allow an end-user app to aggregate multiple data sources into a better snapshot of that person, while still being secure and protected from hijacking by a 3rd party?
Fu: I agree that the natives will get restless if they perceive security as a problem rather than a solution. However, consumers have become accustomed to crap in a hurry during the 1990s transition from postcards to hyperconnected electronic communication. I think it will be difficult to create magic walled gardens or magic interfaces that "add" security because security is not a product, it's a property and a process. I see three areas where one can improve the trustworthiness of medical device software: early concept phases, post market surveillance, and all the fun stuff between (design, implementation, testing, verification, validation, etc.). There's a significant security focus on the implementation and finding bugs, but by that time much of the fate is sealed by the requirements engineering. I think more time should be spent at the concept phase on hazard analysis, risk management, etc. so that implementations are less likely to have security problems. Then spend time on post-market surveillance so you can measure the shifting effectiveness of the security mechanisms as the threats evolve.
Today, the worries are mostly conventional malware slowing down medical devices or causing malfunctions. We've begun to see signs of nation state threats, and we should use our time carefully as threats rarely decrease in severity.
I'd encourage computer science students to work for a medical device manufacturer or FDA rather than the latest Silicon Valley startup. The problems will be interesting and will bring great personal satisfaction. For creative students who enjoy writing and open ended problem solving in health care, apply to graduate schools that carry out medical device security research! Best wishes. -
FDA Issues Guidance On Cybersecurity of Medical Devices
chicksdaddy writes "The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," asks device makers seeking FDA approval of medical devices to disclose any "risks identified and controls in place to mitigate those risks" in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers. -
Farmers Carry Multidrug-Resistant Staph For Weeks Into Local Communities
An anonymous reader writes: Fresh research out of the UNC Gillings and JHU Bloomberg schools of public health shows industrial farm workers are carrying livestock-associated, multidrug-resistant staph into local communities for weeks at a time. "Among the [22 people tested], 10 workers carried antibiotic-resistant strains of the bacteria in their noses for up to four days. Another six workers were intermittent carriers of the bacteria. The 10 workers found to carry the bacteria persistently had strains associated with livestock that were resistant to multiple drugs, and one also carried MRSA. Three more of the workers tested positive for strains of S. aureus that were not resistant to antibiotics. So in total, 86 percent of the workers in the study carried the S. aureus bacteria, compared with about one-third of the population at large, according to the Centers for Disease Control and Prevention." This problem has grown since its last mention on Slashdot. Unfortunately, massive industrial lobbying continues to neuter government action. -
Luke Prosthetic Arm Approved By FDA
necro81 writes: "The FDA today approved the Luke prosthetic arm for sale. The Luke Arm, created by Dean Kamen's DEKA R&D Corp., was a project initiated by DARPA to develop a prosthetic arm for wounded warriors more advanced than those previously available. The Arm can be configured for below-the-elbow, above-the-elbow, and shoulder-level amputees. The full arm has 10 powered degrees of freedom and has the look and weight of the arm it replaces. Through trials by DEKA and the Dept. of Veterans Affairs, the Arm has been used by dozens of amputees for a total of many thousands of hours. Commercialization is still pending." -
Diet Drugs Work: Why Won't Doctors Prescribe Them?
Hugh Pickens DOT Com writes "Suzanne Koven, a primary-care doctor at Massachusetts General Hospital in Boston, writes in the New Yorker that the FDA has currently approved four drugs that will help patients lose weight but few primary-care physicians will prescribe them. Qsymia and Belviq work by suppressing appetite and by increasing metabolism, and by other mechanisms that are not yet fully understood. 'But I've never prescribed diet drugs, and few doctors in my primary-care practice have, either,' writes Koven and the problem is that, while specialists who study obesity view it as a chronic but treatable disease, primary-care physicians are not fully convinced that they should be treating obesity at all. The inauspicious history of diet drugs no doubt contributes to doctors' reluctance to prescribe them. In the nineteen-forties, when doctors began prescribing amphetamines for weight loss, rates of addiction soared. But in addition, George Bray thinks that socioeconomic factors play into physicians' lack of enthusiasm for treating obesity because obesity is, disproportionately, a disease of poverty. Because of this association, many erroneously see obesity as more of a social condition than a medical one, a condition that simply requires people to try harder. Louis Aronne likens the current attitude toward obesity to the prevailing attitude toward mental illness years ago and remembers, during his medical training, seeing psychotic patients warehoused and sedated, treated as less than human. 'What the hell was I thinking when I didn't do anything to help them? How wrong could I have been?' Specialists are now developing programs to aid primary-care physicians in treating obesity more aggressively and effectively but first primary-care physicians will have to want to treat it. 'Whether you call it a disease or not is not so germane,' says Lee M. Kaplan. 'The root problem is that whatever you call it, nobody's taking it seriously enough.'" -
FDA Tells Google-Backed 23andMe To Halt DNA Test Service
Hugh Pickens DOT Com writes "Bloomberg reports that 23andMe Inc., the Google-backed DNA analysis company, has been told by US regulators to halt sales of its main product, the Saliva Collection Kit and Personal Genome Service, or PGS that tells users whether they carry a disease, are at risk of a disease and would respond to a drug because the kit is being sold without FDA's marketing clearance or approval. 'FDA is concerned about the public health consequences of inaccurate results from the PGS device,' says the agency. 'The main purpose of compliance with FDA's regulatory requirements is to ensure that the tests work.' 23andMe was founded six years ago by Anne Wojcicki, who recently separated from her husband, Google co-founder Sergey Brin. The FDA decided in 2010 that services claiming to evaluate a customer's risk of disease must be cleared by regulators if the companies sell directly to consumers. Most FDA-cleared genetic tests are for a single disease while 23andMe's would be the first to test for multiple conditions. 23andMe submitted FDA applications in July and September of 2012 for the least stringent of two types of medical device reviews but the FDA said the company failed to address 'the issues described during previous interactions'." -
FDA Will Regulate Some Apps As Medical Devices
chicksdaddy writes "In an important move, the U.S. Food & Drug Administration (FDA) has released final guidance to mobile application developers that are creating medical applications to run on mobile devices. Some applications, it said, will be treated with the same scrutiny as traditional medical devices. The agency said on Monday that, while it doesn't see the need to vet 'the majority of mobile apps,' because they pose 'minimal risk to consumers,' it will exercise oversight of mobile medical applications that are accessories to regulated medical devices, or that transform a mobile device into a regulated medical device. In those cases, the FDA said that mobile applications will be assessed 'using the same regulatory standards and risk-based approach that the agency applies to other medical device.' The line between a mere 'app' and a 'medical device' is fuzzy. The FDA said it will look to the 'intended use of a mobile app' when determining whether it meets the definition of a medical 'device.' The Agency may study the labeling or advertising claims used to market it, or statements by the device maker and its representatives. In general, 'when the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment or prevention of disease, or it is intended to affect the structure of any function of the body of man, the mobile app is a device.'" -
FDA Calls On Medical Devicemakers To Focus On Cybersecurity
alphadogg writes "Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that U.S. Food and Drug Administration won't approve their devices for use, the FDA said. The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised. Recent vulnerabilities involving Philips fetal monitors and in Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations." -
Course Asks University Students To Tackle Medical Device Insecurity
chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)." -
Malware Is 'Rampant' On Medical Devices In Hospitals
Dupple sends this quote from MIT's Technology Review: "Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed." -
Widely Used Antibacterial Chemical May Impair Muscle Function
New submitter daleallan writes "Triclosan, which is widely used in consumer handsoaps, toothpaste, clothes, carpets and trash bags, impairs muscle function in animal studies, say researchers at UC Davis (abstract). It slows swimming in fish and reduces muscle strength in mice. It may even impair the ability of heart muscle cells to contract. The chemical is in everyone's home and pervasive in the environment, the lead researcher says. One million pounds of Triclosan is produced in the U.S. annually and it's found in waterways, fish, dolphins, human urine, blood and breast milk. The researchers say their findings 'Call for a dramatic reduction in use.' It's in my Colgate Total toothpaste, and in fact, preventing gingivitis is the only use that may be worthwhile, although this makes me think twice about continuing to brush with it." This isn't the first time Triclosan has been in the news over safety concerns. -
FDA May Let Patients Buy More Drugs Without Prescriptions
Hugh Pickens writes "The Washington Times reports that the Food and Drug Administration may soon permit Americans to obtain some drugs used to treat conditions such as high blood pressure and diabetes without obtaining a prescription. They may allow patients to diagnose their ailments by answering questions online or at a pharmacy kiosk in order to buy current prescription-only drugs for conditions such as high cholesterol, certain infections, migraine headaches, asthma or allergies. Some pharmacists embrace the notion that they should be able to dole out medication for patients' chronic conditions without making them go through a doctor. 'This could eliminate the need for a physician visit for certain meds that may have been prescription prior to this change,' said Ronna Hauser, vice president of policy and regulatory affairs for the National Community Pharmacists Association. 'However, there may be circumstances when a patient might need a physician visit and diagnosis and original prescription to start therapy but could continue on that therapy with pharmacist refill authorization capabilities.'" (Read more, below.) Hugh Pickens continues: "Medical providers at public hearings to obtain input on a new paradigm urge caution, saying the government should not try to cut health care costs by cutting out doctors. 'Patients rely on physicians to provide sound diagnosis and treatment information and to help them meet their unique health needs,' says Peter W. Carmel, President of the American Medical Association. 'Expanding many prescription medications to OTC interferes with that important relationship without offering any real benefits to improve patients' health or reduce their costs.'" Other countries seem to do fine with pharmacists being closer to the front line of medicine recommendations; why couldn't the U.S.?" -
Pharma Marketing Faces a Character-Count Conundrum
this_boat_is_real writes "There's growing concern over how pharmaceutical companies use social media and the Internet to market their products. Last November, the US Food and Drug Administration held a hearing on the topic, and many were worried over how marketing mediums such as Twitter — which has a 140-character limit on text — can sufficiently disclose drug risks." Here's the FDA's announcement about last year's hearings, which includes links to an archive of presentations as well as a video record of the meeting. -
Caffeinated Alcoholic Drinks May Be Illegal
Anonymusing writes "The FDA has announced an investigation into the safety and legality of alcoholic beverages containing caffeine. As a Wall Street Journal blog reports, two major beer companies, MillerCoors and Anheuser-Busch, stopped producing caffeinated alcoholic drinks last year after reports surfaced of increased negative effects compared to caffeine-free alcohol. CNN notes that, according to FDA rules, 'food additives require premarket approval based on data demonstrating safety submitted to the agency' — and caffeine is a food additive. The 26 targeted beverage makers have 30 days to respond." -
CT Scan "Reset Error" Gives 206 Patients Radiation Overdose
jeffb (2.718) writes "As the LA Times reports, 206 patients receiving CT scans at Cedars-Sinai hospital received up to eight times the X-ray exposure doctors intended. (The FDA alert gives details about the doses involved.) A misunderstanding over an 'embedded default setting' appears to have led to the error, which occurred when the hospital 'began using a new protocol for a specialized type of scan used to diagnose strokes. Doctors believed it would provide them more useful data to analyze disruptions in the flow of blood to brain tissue.' Human-computer interaction classes from the late 1980s onward have pounded home the lesson of the Therac-25, the usability issues of which led to multiple deaths. Will we ever learn enough to make these errors truly uncommittable?" -
FDA Says Homeopathic Cure Can Cause Loss of Smell
Hugh Pickens writes "The FDA has advised consumers to stop using Matrixx Initiatives' Zicam Cold Remedy nasal gel marketed over-the-counter as a cold remedy because it is associated with the loss of sense of smell (anosmia) that may be long-lasting or permanent. The FDA says about 130 consumers have reported a loss of smell after using the homeopathic cure containing zinc, an ingredient scientists say may damage nerves in the nose needed for smell. Health officials say they have asked Matrixx executives to turn over more than 800 consumer complaints concerning lost smell that the company has on file. 'Loss of the sense of smell is potentially life-threatening and may be permanent,' said Dr. Charles Lee. 'People without the sense of smell may not be able to detect life-dangerous situations, such as gas leaks or something burning in the house.' The FDA said the remedy was never formally approved because it is part of a small group of remedies known as homeopathic products that are not required to undergo federal review before launching. The global market for homeopathic drugs is about $200 million per year, according to the American Association of Homeopathic Pharmacists. Matrixx has settled hundreds of lawsuits connected with Zicam in recent years, but says it 'will seek a meeting with the FDA to vigorously defend its scientific data, developed during more than 10 years of experience with the products, demonstrating their safety.'" -
New Nerve Gas Antidotes
SoyChemist writes "Scientists from Korea and the Czech Republic have discovered new drugs that can counteract the chemical overload caused by nerve gas. All of the experimental medications belong to a family of chemicals called oximes. Those molecules reactivate the enzyme that is damaged by the chemical weapons. Last year, the FDA approved the first combined atropine and oxime auto-injector for use by emergency personnel. Israel has been providing them to their citizens since the first Gulf War." -
FDA Considers Redefining Chocolate
shewfig writes "The US Food and Drug Administration is considering redefining 'chocolate' to allow substitution of vegetable oil ($0.70/lb.) for cocoa butter ($2.30/lb.), and whey protein for dry whole milk. There are already standard terms to differentiate these products from chocolate, such as 'chocolatey' and 'chocolate-flavored.' The change was requested by the industry group Chocolate Manufacturers of America. Leading the resistance to this change is high-end chocolate maker Guittard, with significant grass-roots support from the Candyblog. The FDA is taking consumer comments until April 25. Here is the FDA page on the proposed change, which oddly enough does not say what the proposed change is." -
FDA Questions Swedish Cell Phone Cancer Study
ZZeta writes "Following up on the Swedish study on cell phone cancer risk, the FDA released a statement today questioning its reliability. From the statement: 'These facts along with the lack of an established mechanism of action and supporting animal data makes the Hardell et al's finding difficult to interpret.' Also available are several links to other studies." -
A Link Between Autism and Thimerosal?
tessellation writes "Environmentalist Robert F. Kennedy Jr. has just published a review of evidence for the link between thimerosal (a mercury-based preservative added to vaccines until 2003) and the autism epidemic. It also details attempts by the FDA and CDC to protect the drug industry from litigation by producing favorable results rather than objective studies: '"Four current studies are taking place to rule out the proposed link between autism and thimerosal," Dr. Gordon Douglas, then-director of strategic planning for vaccine research at the National Institutes of Health, assured a Princeton University gathering in May 2001. "In order to undo the harmful effects of research claiming to link the [measles] vaccine to an elevated risk of autism, we need to conduct and publicize additional studies to assure parents of safety." Douglas formerly served as president of vaccinations for Merck, where he ignored warnings about thimerosal's risks.' How often are studies successfully altered by funding agencies to conceal negative results?"