Friday, 21 March 2008

Princess Health and Who Was Responsible for the Purity of Baxter International's Heparin?. Princessiccia

We have posted several times, most recently here and here, about the tragic case of suddenly allergenic heparin. Although heparin, an intravenous biologic anti-coagulant, has been in use for over 70 years, serious allergic reactions to it had heretofore been rare. Starting late last year, hundreds of such reactions, and now 21 deaths, were reported in the US after intravenous heparin infusions.

All the heparin related to these events was made by Baxter International. We then learned that although the heparin carried the Baxter label, it was not really made by Baxter. In fact, the company had outsourced production of the active ingredient to a long and ultimately mysterious supply chain. Baxter got the active ingredient from a US company, Scientific Protein Laboratories LLC, which in turn obtained it from a factory in China operated by Changzhou SPL, which in turn was owned by Scientific Protein Laboratories and by Changzhou Techpool Pharmaceutical Co. Changzhou SPL, in turn, got it from several consolidators or wholesalers, who in turn got it from numerous small, unidentified "workshops," which seemed to produce the product in often primitive and unsanitary conditions. None of the stops in the Chinese supply chain had apparently been inspected by the US Food and Drug Administration or its Chinese counterpart. Most recently, we found out that the Baxter International-labelled heparin was contaminated with over-sulfated chondroitin sulfate, a substance not found in nature, but which mimics heparin according to the simple laboratory tests used in the Chinese facilities to check incoming heparin. (See post here.)

It is not clear whether Baxter International or Scientific Protein Laboratories had inspected most of the steps in the supply chain, or even knew what went on there. The Baxter and Scientific Protein Laboratories CEOs did not seem aware of where they got the heparin on which the Baxter International label was eventually affixed. But one report in the New York Times alleged that Scientific Protein Laboratories would not pay enough for heparin to satisfy any sources other than the small "workshops."

By the end of this week, it became clear that the counterfeit ingredient was added to the heparin in China. Per Bloomberg,



The contamination was present in the powdered raw heparin purchased by Scientific Protein's plant in China, said Robert Rhoades, a pharmaceutical consultant with Becker & Associates in Washington, speaking for Scientific Protein. The company was unaware of the contamination at the time because it wasn't detected in tests Scientific Protein conducted on the powder provided by suppliers, he said.

Scientific Protein purchased raw heparin from consolidators and refined it further before sending it to Baxter, which uses the ingredient to make the finished drug, Rhoades said. The consolidators obtained the ingredients from workshops in China, he said.

The contaminant 'was very likely introduced at the workshop or consolidator level,' Norbert Riedel, Baxter's corporate vice president and chief scientific officer, has said.


Nonetheless, a number of experts suggested that there was reason not to be complacent about drugs made in China. A Washington Post article noted that it was well known that Chinese manufacturers were liable to supply dodgy drugs,



Although the contaminated heparin is the largest and highest-profile instance of tainted prescription drugs made in China, it is not the first. In the late 1990s, a spike in deaths associated with the intravenous antibiotic gentamicin was linked to China-based Long March Pharmaceuticals. Although no definitive link was ever established, tests by German researchers later found a wide range in quality and effectiveness in what were supposed to be uniform dosages of the drug, leading them to write that 'it was assumed' the deaths 'were related to faulty manufacture.'

The Post quoted former US Food and Drug Administration (FDA) official William Hubbard,



The history of some of these developing countries in terms of substituting or counterfeiting concerns is a long and well-documented one....

USA Today quoted former FDA Commissioner David Kessler saying that



the news shouldn't come as a surprise: China is 'as close to an unregulated environment as you can get.' In fact, it's a lot like the USA was in 1906, he says, 'that's why we developed an FDA.'

Furthermore, one expert argued that Baxter International was ultimately responsible for the drug that it sold, per the Chicago Tribune,



The presence of a foreign ingredient raises new questions about Baxter's oversight because a lack of record-keeping at the China plant makes it more difficult for Baxter and government inspectors to trace the origin of the raw material for Baxter's product.

'Where are the controls here? What is the process here?' asked Carl Nielsen, who was the FDA's director of import operations and policy before leaving the agency to form a consulting firm in 2005.

'Ultimately, Baxter is the most responsible' for monitoring the quality of products that move through the company's pipeline, Nielsen said.


Yet Baxter International executives have not exactly been jumping forward to claim responsibility. In a letter, again to the Chicago Tribune, Peter J Arduini, President, Medication Delivery, for Baxter International seemed to be deflecting responsibility towards Scientific Protein Laboratories and the FDA, while asserting Baxter did all it could do.

Regarding the issue of active pharmaceutical ingredient that originated in China, Baxter's API supplier for heparin is in fact a Wisconsin-based company, Scientific Protein Laboratories, with whom Baxter and its predecessor in this business has worked for more than 30 years. SPL had been procuring heparin raw material from China for more than 10 years and opened a location in Changzhou, China, in 2004. Baxter worked with the U.S. Food and Drug Administration to obtain the appropriate approvals to work with this facility. For the API we receive from SPL, and for the API we receive from all our suppliers, Baxter performs quality testing of all incoming materials above and beyond what's required, to ensure that incoming API is what our suppliers claim it to be. Unfortunately, as the FDA has said, the problematic heparin API could not have been detected by the testing required of and done by any heparin manufacturer.

Previously Baxter International's CEO, Robert L Parkinson Jr, had dodged responsibility for the supply chain that provided the heparin to Scientific Protein Research's Changzhou facility, as we posted here, and as originally reported in the Chicago Tribune,

Baxter International Inc. does not monitor its supply chain to the extent that it would know that a supplier in China was never inspected before it began shipment of the blood-thinning drug heparin, which is linked to more than 300 illnesses in the U.S., the company's chief executive said Wednesday.

Baxter contracted with a Wisconsin supplier, Scientific Protein Laboratories, and not with that company's Chinese affiliate, Baxter CEO Robert Parkinson said Wednesday in his first interview since the heparin problems surfaced.

'It's not unusual for us not to know that the FDA hasn't inspected a supplier to a supplier,' Parkinson said.


Yet if Baxter International is not responsible for the production of drugs that carry its name, who is? If Baxter International's executives are not responsible for how the drugs it sells are manufactured, who should be?

In an ironic juxtaposition, a small and little noticed news item last week declared that Robert Parkinson received $16,600,000 in compensation in 2007, a 30.5% increase from 2006. In fact, the company's 2008 proxy statement suggests even greater total compensation in 2007, $17,580,718. And Mr Arduini's 2007 compensation was reported to be $2,438,642.

The usual justification for compensation at this level is the brilliance of and great responsibilities borne by the executives who receive it. But, if Baxter International's executives will not take responsibility for their products and how they are made, what again is the justification for paying them the big bucks?

So the case of the contaminated heparin becomes another reason to question the imperial nature of the current leadership of health care organizations.

Princess Health and BLOGSCAN - Labor Union Helps to Market Lipitor. Princessiccia

In the Health Beat Blog, Maggie Mahar discussed how a branch of a labor union, the International Association of EMTS and Paramedics, an affiliate of The National Association of Government Employees (IAEP/SEIU), has been helping to market Lipitor (atorvastatin, by Pfizer Inc). I am not sure I have heard of previous cases of labor unions enlisted in stealth marketing efforts by pharmaceutical companies. Ms Mahar so far has not been able to elicit a coherent explanation from the union. Thanks to Dr Alicia Fernandez for blowing the whistle on this one. This also has been re-posted on the GoozNews blog. Although I have not previously heard of a case in which a labor union was helping to market a drug manufactured by a big pharmaceutical company, this is but one of many, many examples we have seen of reputable organizations taken in directions at odds with their missions by leaders with their own agendas.

Wednesday, 19 March 2008

Princess Health and Fake Heparin, then Sick and Dead Patients. Princessiccia

We have posted several times, most recently here, about the tragic case of suddenly allergenic heparin. Although heparin, an intravenous biologic anti-coagulant, has been in use for over 70 years, serious allergic reactions to it had heretofore been rare. Starting late last year, hundreds of such reactions, and now 21 deaths, were reported in the US after intravenous heparin infusions. All the heparin related to these events was made by Baxter International.

We then learned that although the heparin carried the Baxter label, it was not really made by Baxter. In fact, the company had outsourced production of the active ingredient to a long and ultimately mysterious supply chain. Baxter got the active ingredient from a US company, Scientific Protein Laboratories LLC, which in turn obtained it from a factory in China operated by Changzhou SPL, which in turn was owned by Scientific Protein Laboratories and by Changzhou Techpool Pharmaceutical Co. Changzhou SPL, in turn, got it from several consolidators or wholesalers, who in turn got it from numerous small, unidentified "workshops," which seemed to produce the product in often primitive and unsanitary conditions. None of the stops in the Chinese supply chain had apparently been inspected by the US Food and Drug Administration or its Chinese counterpart.

It is not clear whether Baxter International or Scientific Protein Laboratories had inspected most of the steps in the supply chain, or even knew what went on there. The Baxter and Scientific Protein Laboratories CEOs did not seem aware of where they got the heparin on which the Baxter International label was eventually affixed. But one report in the New York Times alleged that Scientific Protein Laboratories would not pay enough for heparin to satisfy any sources other than the small "workshops."

Now the US FDA just reported it identified a contaminant in the heparin that may be responsible for the adverse reactions. This has already been reported today by many media outlets, but I will quote Bloomberg since its article makes the main points most concisely,


Baxter International Inc.'s blood thinner heparin, linked to deaths and allergic reactions, was contaminated with a less-expensive ingredient derived from animal cartilage, U.S. regulators said.

The contaminant, over-sulfated chondroitin sulfate, isn't approved for use in medicine, said Janet Woodcock, the head of the Food and Drug Administration's drug division, in a conference call today with reporters. Regulators are investigating whether the substance was intentionally or accidentally added to raw heparin from China.

'It does not appear to have come straight from the pig,' Woodcock said of the contaminant. 'It doesn't appear to be a natural contaminant that got in there. We don't know how it was introduced or why.'

Adding the contaminant to raw heparin, the active ingredient in the finished product, would have been cheaper than using pure raw heparin, according to the FDA. The agency didn't know how much money would be saved by its use, Woodcock said.

Chondroitin sulfate is taken orally as a dietary supplement to treat joint pain. The over-sulfated version found in the heparin was chemically modified to act like heparin, Woodcock said.

Over-sulfated chondroitin sulfate is generated in laboratories for experimental purposes, said Siobhan DeLancey, an FDA spokeswoman, in an interview. It is chemically altered to add additional sulfates, she said.

Two percent to 50 percent of the contaminated raw heparin samples tested by the FDA were made up of over-sulfated chondroitin sulfate, Woodcock said.


So it now appears, although it is not yet proven, that the adverse reactions and deaths were caused not by a trace contaminant derived from a sloppy, primitive, and unsanitary manufacturing process, but by a bulk counterfeit ingredient deliberately introduced because it was cheaper than heparin, yet would fool purchasers into thinking it was heparin.

Thus we see what happens when US health care leaders were happy to put their prestigious logo on a drug whose source was unknown to them, presumably just to save some money. By obviously failing to exert rigorous oversight over how the drug which carried their company's name was produced, they not only allowed sloppy, primitive and unsanitary manufacturing practices, but apparently were easily snookered by counterfeiters who substituted a likely toxic ingredient for the real thing.

This was putting profits before patients. And the results were very bad for patients.

Baxter claims to apply
its expertise in medical devices, pharmaceuticals and biotechnology to make a meaningful difference in patients' lives.

However, rather than its expertise, its sloppy and uncaring leadership seemed to leave some of its patients' lives meaningfully worse.

This case is a glaring demonstration of why we need a new set of leaders of our health care organizations, and a new corporate culture within these organizations. Otherwise, failing to understand the health care context, and failing to put patients before profits will yield more sick and dead patients.

Princess Health and The wages of complacency in defining "Medical Informatics" as a specialty. Princessiccia

Over recent months I've been exploring roles back in applied HIT, having been a CMIO (Medical Director of IT, now called "Chief Medical Informatics Officer") in decidedly applied settings in the "olden days" a decade ago.

One common feature of the conversations I've had was that I've left these interviews with a sense of unease and annoyance, but was unclear why. It is only recently that I've been able to identify a common theme.

Imagine a seasoned neurosurgeon, interviewing for department chair, in the following interview scenario:


Candidate: I'm here interviewing for chair of the department of neurosurgery.

CIO: Well, you have an interesting background and have done many varied things. Were you aware that it's important to be able to bring doctors into consensus? Tell us about how you intend to do that. Have you ever brought doctors into consensus?

IT project leader: How would you deal with pharma detail people? I don't see that on your resume.

Finance: Billing is important. From your background, I'm not sure you understand billing. Tell us about your experience in that area.

Other doc: How would you go about treating meningitis? Can you actually do that? Have you ever done an LP?



While the scenario is absurdist, in effect I believe it summarizes metaphorically what I've been experiencing.

The hospital interviews I've been having are unlike anything I experienced in seeking clinical roles. They have even been a significant step down from some of the difficult ones I've had in pharma, where at least there is an understanding that holding an MD/Informatics title means the person understands something about biomedical research and computing.

In other words, I find that the designation of having studied Medical Informatics seems to confer no "fides" on a leadership role in applied Health IT (HIT) in hospitals. I've found myself interrogated about abilities and accomplishments in HIT as if "Medical Informatics" was being parsed as "Hsfapfwllerw", i.e., meaningless, and as if past accomplishments were imagined or exaggerated. I find line items on a resume that say "led difficult HIT projects, managed staff, managed budgets" seem to mean little or are negated under the umbrella of the "Medical Informatics" title.

I find myself being asked frivolous questions on fundamental issues to which my reply really should be:

"Have you actually read my resume? Do you know what medical informatics is, and have you bothered to look before this interview?"

I've been preached to and patronized about HIT project issues by IT personnel and other non-clinical personnel, based upon what they seem to have read in their throwaway journals (e.g. "Advance for Health Information Executives"), as if I didn't know anything about the area; as if IT staff were the clinical IT experts and I, an intern.

Another common finding is that materials I provide both pre- and post-interview on Medical Informatics (e.g., web links to my sites) are largely ignored, as I track my web sites by IP and can see from where they're being read - or not.

Interviews of seasoned professionals in well-understood domains should not be like this. In my role interviewing doctoral-level faculty candidates for my college, we never, for example, asked them or challenged them if they understood basic tenets of information/library science, as if they were undergraduates. To do so would have been both unthinkable and alienating. Instead, we sought to have candidates tell us about their specific areas of expertise and how that could fit our needs. The assumption was that by being invited, we understood they were a competent professional.

Yet in medical informatics I've started to dread interviews, due to the absurdist scenario above, the need to present myself as someone who "gets it" regarding HIT, and the need to provide remedial education in an interview setting to confused people.

The weaknesses in societal understanding of the term "Medical Informatics", therefore, are unhelpful to people who've expended the time and treasure acquiring the credentials and who wish to work in applied HIT.

This phenomenon impairs the ability of the Medical Informatics profession to contribute to and steer HIT in the service of medicine, and to help healthcare organizations avoid commonplace, expensive errors regarding clinical IT projects they can ill afford.

I am assuming this phenomenon is not just part of a larger phenomenon of dumbing-down in healthcare, of cost-cutting and institutionalized mediocrity.

This really needs to change.

-- SS

Tuesday, 18 March 2008

Princess Health and The Peril to Leaders "Who Accept Their Own Myth". Princessiccia

In the Washington Post, E J Dionne wrote about the recent collapse of the sub-prime mortgage market, and near collapse of at least one prominent investment banking firm, but what he wrote was also highly relevant to how US health care currently operates (I realize that some of Dionne's opinions may have an ideological slant, but I believe the point goes beyond the usual left/right dichotomy).


Never do I want to hear again from my conservative friends about how brilliant capitalists are, how much they deserve their seven-figure salaries and how government should keep its hands off the private economy.

The Wall Street titans have turned into a bunch of welfare clients. They are desperate to be bailed out by government from their own incompetence, and from the deregulatory regime for which they lobbied so hard. They have lost "confidence" in each other, you see, because none of these oh-so-wise captains of the universe have any idea what kinds of devalued securities sit in one another's portfolios.

So they have stopped investing. The biggest, most respected investment firms threaten to come crashing down.

But if this near meltdown of capitalism doesn't encourage a lot of people to question the principles they have carried in their heads for the past three decades or so, nothing will.

We had already learned the hard way -- in the crash of 1929 and the Depression that followed -- that capitalism is quite capable of running off the rails. Franklin Roosevelt's New Deal was a response to the failure of the geniuses of finance (and their defenders in the economics profession) to realize what was happening or to fix it in time.

As the economist John Kenneth Galbraith noted of the era leading up to the Depression, "The threat to men of great dignity, privilege and pretense is not from the radicals they revile; it is from accepting their own myth. Exposure to reality remains the nemesis of the great -- a little understood thing."

But in the enthusiasm for deregulation that took root in the late 1970s, flowered in the Reagan era and reached its apogee in the second Bush years, we forgot the lesson that government needs to keep a careful watch on what capitalists do. Of course, some deregulation can be salutary, and the market system is, on balance, a wondrous instrument -- when it works. But the free market is just that: an instrument, not a principle.


In the last 20 years, for-profit health care corporations seem to have turned their leaders into imperial CEOs. Their organizational cultures have been turned into cults of personality extolling the wisdom of their fearless leaders. Such brilliant leaders of course deserved equally brilliant compensation. So there have been plenty of CEOs of for-profit health care corporations who have had seven-figure-plus compensation. But sometimes, that compensation seemed not very proportional to their competence. (Remember the examples of the "brilliant" former CEO of UnitedHealth, or the former CEO of Pfizer Inc.)

Furthermore, the leaders of not-for-profit health care organizations have also become objects of personality cults, which suggested that they too deserved lavish, often seven-figure salaries and to live the high life at the expense of organizations whose missions are ostensibly to treat disease and reduce suffering, and/or to train students and pursue science. (See our latest example of the leaders of the University of Texas Southwestern Medical Center.)

We have often suggested that leaders who are more focused on their own wealth, power, and privilege may not be good at improving patient care, or advancing academic medicine.

So let us quote Galbraith again, and remember what he said applies well to leaders of health care organizations.

The threat to men of great dignity, privilege and pretense is not from the radicals they revile; it is from accepting their own myth. Exposure to reality remains the nemesis of the great -- a little understood thing.

Far too many leaders of health care have accepted their own myth. Thus it is likely that all too soon, some important part of the health care system will come crashing down like Bear Stearns unless health care professionals and patients can shred these myths in time.

A big hat tip to Dr Peter Rost on the Question Authority Blog.

Monday, 17 March 2008

Princess Health and Living the High Life in Academic Medical Center Leadership. Princessiccia

We had posted a while back about how a not-for-profit, state-supported academic medical center, University of Texas - Southwestern Medical Center, had created an "A list" of local notables who were to be given special treatment, including enhanced access to physicians. This seemed to imply some slippage from the institution's mission (see post here). It turned out that the practice may not be unique, but neither is it universal (see this post).

The local television station that uncovered this practice, "CBS 11," has been keeping an eye on the medical center. Late last year it found out its top officials had quite a taste for expensive wine.


Top state officials at the University of Texas Southwestern Medical Center in Dallas spent tens of thousands of dollars in donations on luxury wines from prestigious New York wine merchants.

A CBS 11 News investigation of charges to the university's credit cards found that President, Dr. Kern Wildenthal, and his right hand assistant, Vice President, Cyndi Bassel, spent more than $125,000 on wine.

A UT Southwestern spokesman says the state healthcare institution purchased the wine with money from unrestricted donations and not tax funds. John Walls explained the wine expenses in a written statement, 'The purchases from New York dealers were for hard-to-find wines not readily available in local retail shops, which were especially appropriate for individual commemorative gifts and special recognition events.'

The TV station's reporters also found that the Medical Center was using restricted donated funds to wine and dine its top executives, although the funds were meant for very different purposes.

Upon his death in 1986, [Jesse] Brittain left his life savings of more than $390,000 to UT Southwestern. Brittain's endowment agreement specified that the money was to be used 'for the sole purpose of enhancing the business operation of UT Southwestern giving priority to the professional development of personnel in the business operation, including training courses, books, seminars, etc.'

Instead,

CBS 11's hidden camera was there to record how the state university has been using money from the Jesse Brittain Memorial Fund.

The family of the late donor says the money was intended to help train employees and not for what CBS 11's investigation found.

The undercover video captured an annual holiday party held for a select group of the university's business administrators.

The state officials gathered in a luxurious penthouse dining room on the University's North Campus. It is a rarified atmosphere with a half million dollar collection of sleek tables designed by the internationally recognized Spanish architect Santiago Calatrava and a breathtaking night vista of twinkling lights on the Dallas skyline.

A white jacketed chef carved slices of herb crusted sirloin from a $450 side of beef. A waiter strolled through the party serving risotto crab cakes that cost $316 and artichoke hearts filled with goat cheese that cost $316.

Tables of silver serving trays filled with specialty appetizers were decorated with large gingerbread houses.

Partygoers bellied up to an open bar where more than $1000 worth of drinks were served.

The party that CBS 11 found in full swing is one of three annual holiday parties that have been paid for with more than $15,000 from the Jesse Brittain Memorial Fund.

In general,


CBS 11's review of financial records obtained under the Public Information Act indicates that more than $40,000 was spent on meals and refreshments which were paid for with money from Brittain's Memorial Fund over the past two years.

Finally, CBS 11 documented how the Medical Center CEO was living high on the hog supported by tax-exempt donations.


Dr. Kern Wildenthal, the President of the University of Texas Southwestern Medical Center in Dallas, spent tens of thousands of donors' dollars on European trips, meals at five star restaurants, parties and expensive gifts, according to CBS 11's review of the state university's records.

CBS 11 uncovered more than $500,000 in expenses charged over the past two years to credit cards issued to Wildenthal and Cynthia Bassel, UTSW's Executive Vice President for External Relations. Financial records obtained under the Public Information Act indicate that most of the expenses were paid for with money that was donated to the medical institution.

The Southwestern Medical Foundation, the university's fundraising arm, paid for the bulk of the credit card expenses including:
--$533 for a donor dinner at a five star restaurant at the Hotel Meurice in Paris, France, for Wildenthal, his wife Margaret, British opera singer Robert Lloyd and his spouse and Andre Dunstetter, a Parisian social figure with ties to Dallas.
--$783 for Wildenthal's two most recent annual memberships in Mosimann's Dining Club, an exclusive restaurant in London.
--$459 for collectible Woodland Eagle dinnerware, including a platter and four mugs from Crow's Nest Trading Company, for two donors in April of 2007.
--$13,000 for tulip arrangements sent to donors for Valentine's Day over the past two years. A note on the 2007 order instructs the florist to deliver a half-dozen of the arrangements to Wildenthal's home.
etc, etc, etc

Also,


Both Wildenthal and Bassel have charged thousands of dollars to the credit cards for memberships in social and civic organizations. CBS 11's review found that donors' money from the Southwestern Medical Foundation was used to pay for Wildenthal's 2007 membership dues in the Dallas Symphony ($3500); Dallas Museum of Art ($5000); Nasher Sculpture Garden ($5000); British North American Committee ($6000); Dallas Women's Club ($850); and the SMU Town and Gown Club ($140).

As we noted earlier, the UT Southwestern mission statement is [with italics added for emphasis]:


* To improve health care in our community, Texas, our nation, and the world through innovation and education.
* To educate the next generation of leaders in patient care, biomedical science and disease prevention.
* To conduct high-impact, internationally recognized research.
* To deliver patient care that brings UT Southwestern's scientific advances to the bedside - focusing on quality, safety and service.

Somehow, I don't see anything about fancy wines, opulent dinners, and luxurious trips for the top leaders.

Once again, it appears that the leaders of large health care organizations fancy themselves different from you and me. They seem to feel entitled to membership in the power elite, to lead the high life (and not the version from a Miller beer commercial) while leading organizations that are supposed to focus instead on the community and to bring quality care to all patients' bedsides. I have no objection to good pay for people who work hard on behalf of the mission. But it is unseemly for leaders of not-for-profit health care organizations to live like minor nobility while so many health care needs remain unmet.

By the way, it may not be that what the University of Texas - Southwestern Medical Center was doing is unusual. In a summary of the case just published in the Nonprofit Quarterly, Rick Cohen wrote,


As studies from the General Accounting Office and the Congressional Research Service show, these nonprofit indulgences are frequently standard operating practice. The hospital has dismissed all criticisms by pointing out that UT Southwestern's fundraising and expenditure patterns are right in line with nonprofit hospital practices nationally, including the proportion and nature of expenditures on fundraising including gifts for donors. They further suggest that donors to the UT Southwestern foundation fundraising arm know full well that their donations - classified as unrestricted - will be used for expenses that aren't particularly focused on medical care or research, but for the CEO's club memberships, upscale dinners and gifts for donors and bigwigs, and flower arrangements sent to the CEO's home. Therein may be the real issue, not that UT Southwestern is behaving out of the norm, but that it is exactly within the mainstream of big nonprofit hospitals. And no one seems all that put out, because this is what is expected of big corporate institutions, for-profit, nonprofit, hospitals, universities, corporations, it really doesn't matter all that much.

So it would surprise me not at all to find out that many executives of many academic medical centers and teaching hospitals are similarly living the high life. This, of course, goes along with many discussions on Health Care Renewal of health care leaders who seem to put their pocketbooks ahead of their patients. If this is as widespread as Rick Cohen and I think it is, why are we wondering why health care is increasingly expensive and inaccessible, while its quality declines, and health care professionals get ever more disgruntled?

Friday, 14 March 2008

Princess Health and Hacking an ICD - A Dual Medical Informatics/Ham Radio Perspective. Princessiccia


Roy Poses wrote at "Hacking an ICD" that:

An ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk.

Indeed.

It is probably not well known that in addition to being a Medical Informaticist, I am also a ham radio enthusiast, licensed at the Extra class. I know more about electronics than most physicians - and most IT people in hospitals to boot, although that often didn't matter in the dysfunctional world of hospitals and health IT.

As a medical informaticist and ham radio operator, I am concerned by the possibility of hacking implantable medical devices at long(er) range than that accomplished by researchers recently.

Apparently ICDs use a frequency of about 175 kHz for data communications. 175 kHz is in a band known as longwave. For comparison and orientation, the bottom of the familiar medium wave band -- a.k.a. ordinary AM radio -- is 520 kHz.

(An aside for those interested: shortwave starts at about 1,800 kHz or 1.8 MHz and extends to about 30,000 kHz or 30 MHz, and is called "shortwave" for historical reasons; the actual wavelengths are approx. 160 meters to 10 meters. These wavelengths were considered "short", comparatively speaking, in the early days of radio. The shortwaves have the property, under proper conditions, of being refracted back to earth by the earth's ionosphere and can be reflected by the earth itself. This allows the waves to do "multiple hops" and propagate over great distances far in excess of line-of-sight, even around the world. Hence the ability of ham radio enthusiasts to talk to people all over the world on the shortwave bands allocated to them.)

When I was 13 years old I built a one-transistor transmitter on a cigar box from a plan by Heathkit that transmitted low-power Morse code at a frequency of about 550 kHz. It ran off a few AA batteries and used a short wire as an antenna. It was easily receivable on a radio across the house.

The first cordless phones ca. early 1980s, wireless baby monitors, and other devices operated at about 1,700 kHz, just above the AM radio band. They were very low power devices with short antennas relative to wavelength (~175 meters) but were usable at dozens of feet from their base units.

Using an antenna, say, the size of a CB whip (properly loaded electrically to resonate at 175 kHz, not very efficient but usable), or even better, a directional loop antenna, plus a transmitter of 5 or 10 or, perhaps, 100 watts of power (not very hard to build), and using a sensitive receiver designed for those frequencies (my $150 retail Grundig Yacht Boy is an example, http://www.eham.net/reviews/detail/816) with modifications and a suitable low-noise receiving antenna, would potentially extend the range of communications with RF-controlled implantable devices.

Not to miles with any type of portable equipment, I should add, due to efficiency issues with very short antennas (relative to wavelength) and the low power of the ICD's transmitter, but tens of feet might be possible. Throw in digital signal processing on the hacker's receiver, which is available via common, cheap, off-the-shelf DSP chips and algorithms, and even more range would be likely. You would be surprised at what a DSP-equipped and/or computer-enhanced receiver can pull out of the "ether" even under extremely poor signal conditions.

One wonders if any ICD's transmitter and receiver are encrypted in any way - apparently the devices tested were not. My car fob is, although even those can be hacked (e.g., "Prius Security System Cracked", http://www.treehugger.com/files/2007/08/a_talk_given_at.php):

A talk given at the computer security conference, CRYPTO 2007, explained how the key-fob system installed on the Toyota Prius has been cracked. The KeeLoq auto anti-theft cipher is used in common devices made by Microchip Technology Inc, which are also used by Chrysler, Daewoo, Fiat, General Motors, Honda, Volvo, Volkswagen, and Jaguar. The attack requires that the thief gets within range of your RFID keyfob, in order to break the encryption. This could mean stealing your keys, or just sitting next to you in a cafe with a laptop. The cipher used in these devices is 64 bit, which has always been theoretically possible to break, but has now been shown to be breakable in about an hour. This is important, because the shorter the amount of time required with the key, the more likely this attack is to become used outside of a research lab.

May I add that while encryption is not foolproof, lack of encryption seems the work of fools.
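To make the point concrete, here is an added example (not from the original post, and not any manufacturer's actual design) of a receiver that drops telemetry commands unless they carry a valid keyed tag and a fresh counter, the same rolling-counter idea a key fob uses. The frame layout, the command names and the `TelemetryReceiver` class are assumptions for illustration; this authenticates commands, while keeping the data confidential would additionally need encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept on the wire (assumed frame layout)


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Programmer side: 8-byte big-endian counter || command || truncated tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class TelemetryReceiver:
    """Device side (hypothetical): accept a command only if authentic and fresh."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a 256-bit per-device key")
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command bytes, or None if the frame must be dropped."""
        if len(frame) < 8 + 1 + TAG_LEN:
            return None  # too short to hold counter, command and tag
        header, command, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + command,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered: sender does not hold the key
        (counter,) = struct.unpack(">Q", header)
        if counter <= self._last_counter:
            return None  # replay of a frame that was already accepted
        self._last_counter = counter
        return command


def demo():
    key = bytes(range(32))  # constructed sample key, not a real device secret
    rx = TelemetryReceiver(key)
    good = build_frame(key, 1, b"READ_STATUS")
    forged = build_frame(b"\x00" * 32, 2, b"WRITE_SETTING")   # wrong key
    altered = good[:8] + b"WRITE_SETTI" + good[-TAG_LEN:]     # command swapped
    fresh = build_frame(key, 2, b"READ_STATUS")
    return [rx.accept(f) for f in (good, good, forged, altered, fresh)]
```

Only the first and last frames are accepted; the replayed, forged and altered frames are all dropped before any command is acted on.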

On a somewhat unrelated note, you can buy a wrist watch that picks up time-setting signals from an atomic clock via station WWVB, Fort Collins, Colorado (http://en.wikipedia.org/wiki/WWVB) at long wave frequency 60 kHz for $30. I have one and in Philadelphia, it works well.

Some hams bounce signals off the moon for earth-moon-earth communications. They use high power, high gain antennas, and very low noise receivers. It works quite well.

Never underestimate what can be done at RF.

On one (predictable) industry response:

Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview.

It would have been just a bit harder to hack a computerized device 30 or 20 or even 10 years ago. When kids can buy a laptop with computing power exceeding that of the Cray supercomputer for $500 and crack into, say, the Pentagon's systems, we are indeed living in different times.

Dr. Poses also wrote that:

The most charitable explanation for why they [the manufacturers] did not think to [engineer ICDs to be exceptionally hacker-proof] is that they really did not understand the clinical context in which this device would be used.


I think a better explanation is that the manufacturers' management has little imagination and underestimates the capabilities of people much smarter and more creative than themselves (e.g., tech-savvy kids). It would not surprise me to find engineering memos warning management that more safeguards needed to be incorporated, only to be asked "What's the ROI?"

The bottom line is: manufacturers might need to work a little harder when they deploy wireless devices, as hacking of gadgets and computerized equipment such as cell phones seems to be an increasingly common pastime for today's youth. (It's too bad ham radio is itself losing numbers as the previous generation ages and dies out.) The internet itself is used to spread techniques and malicious code among hackers.

One can imagine the consequences of a malicious RF device hacker or smart-but-delinquent kid in, say, a crowded shopping mall.

Finally, ham radio experimenters worldwide are not unfamiliar with longwave experimentation. Note in particular the bolded statement below:

With no Amateur Radio low-frequency [longwave -ed.] allocation in North America, stations operating under FCC Part 5 Experimental licenses in the US or under special experimental authorizations in Canada nonetheless continue to research the nether regions of the radio spectrum. By and large, LF experimentation is occurring in the vicinity of 136 kHz--typically 135.7 to 137.8 kHz--where amateur allocations already exist elsewhere in the world. The FCC rejected the ARRL's 1998 petition for LF allocations at 135.7 to 137.8 kHz and 160 to 190 kHz, however, after electric utilities objected that ham radio transmissions might interfere with power line carrier (PLC) signals used to control the power grid.

"Most of the new LF activity of Part 5 licensees has been in the shared 137 kHz amateur allocation available in some parts of the world," says low-frequency experimenter Laurence Howell, KL1X/5. "Although not in the Amateur Radio Service, these Part 5 experimental stations continue to add to our knowledge on propagation and engineering."

The holder of Part 5 Experimental license WD2XDW, Howell, who's also GM4DMA, previously operated LF from Alaska. He's since relocated to Oklahoma, and has now resumed his LF work on 137.7752 and 137.7756 kHz. Already he's reporting some spectacular success, despite antenna limitations. On October 28, New Zealand LFer Mike McAlevey, ZL4OL, copied WD2XDW's 137 kHz carrier "bursts" over a path of more than 13,000 km (8000 miles).


The take-away message is that:

  • In biomedicine, the most meticulous resilience engineering is never a bad idea.

When drug and device manufacturers understand this fully, perhaps we will no longer have incidents of bad health informatics that can kill.

-- SS