Sunday, December 30, 2012

Questcor Finds Profit for Acthar Drug, at $28,000 a Vial

THE doctor was dumbfounded: a drug that used to cost $50 was now selling for $28,000 for a 5-milliliter vial.

The physician, Dr. Ladislas Lazaro IV, remembered occasionally prescribing this anti-inflammatory, named H.P. Acthar Gel, for gout back in the early 1990s. Then the drug seemed to fade from view. Dr. Lazaro had all but forgotten about it, until a sales representative from a company called Questcor Pharmaceuticals appeared at his office and suggested that he try it for various rheumatologic conditions.

"I've never seen anything like this," Dr. Lazaro, a rheumatologist in Lafayette, La., says of the price increase.

How the price of this drug rose so far, so fast is a story for these troubled times in American health care — a tale of aggressive marketing, questionable medicine and, not least, out-of-control costs. At the center of it is Questcor, which turned the once-obscure Acthar into a hugely profitable wonder drug and itself into one of Wall Street's highest fliers.

At least until recently, that is. Now some doctors, insurance companies and investors are beginning to have doubts about whether the drug is really any better than much cheaper alternatives. Short-sellers have written scathing criticisms of the company, questioning its marketing tactics and predicting that its shareholders are highly vulnerable.

That Acthar is even a potential blockbuster is a remarkable turn of events, considering that the drug was developed in the 1950s by a division of Armour & Company, the meatpacking company that once ruled the Union Stock Yards of Chicago. As in the 1950s, Acthar is still extracted from the pituitary glands of slaughtered pigs — essentially a byproduct of the meatpacking industry.

The most important use of Acthar has been to treat infantile spasms, also known as West syndrome, a rare, sometimes fatal epileptic disorder that generally strikes before the age of 1.

For several years, Questcor, which is based in Anaheim, lost money on Acthar because the drug's market was so small. In 2007, it raised the price overnight, to more than $23,000 a vial, from $1,650, bringing the cost of a typical course of treatment for infantile spasms to above $100,000. It said it needed the high price to keep the drug on the market.

"We have this drug at a very high price right now because, really, our principal market is infantile spasms," Don M. Bailey, Questcor's chief executive, told analysts in 2009. "And we only have about 800 patients a year. It's a very, very small — tiny — market."

Companies often charge stratospheric prices for drugs for rare diseases — known as orphan drugs — and Acthar's price is not as high as some. Society generally tolerates those costs to encourage drug companies to develop crucial, possibly lifesaving drugs for these often neglected diseases.

But Questcor did almost no research or development to bring Acthar to market, merely buying the rights to the drug from its previous owner for $100,000 in 2001. And while the manufacturing of Acthar is complex, it accounts for only about 1 cent of every dollar that Questcor charges for the drug.

Moreover, the tiny "orphan" market soon became much bigger. Before long, Questcor began marketing the drug for multiple sclerosis, nephrotic syndrome and rheumatologic conditions, even though there is little evidence that Acthar is more effective for those other conditions than alternatives that are far cheaper. And the company did so without being required to prove that the drug actually works. That is because Acthar was approved for use in 1952, before the Food and Drug Administration required clinical trials to show a drug is effective for a particular disease. Acthar is essentially grandfathered in.

Today, only about 10 percent of the drug's sales are for infantile spasms. The new uses, Mr. Bailey has told analysts, represent multibillion-dollar opportunities for Acthar and Questcor, its sole maker.

The results have been beyond even the company's wildest dreams. Sales of Acthar, which accounts for essentially all of Questcor's sales, totaled nearly $350 million in the first nine months this year, up 145 percent from the period a year earlier. In the same period, Questcor's earnings per share nearly tripled, to $2.12. In the five years after the big Acthar price increase in August 2007, Questcor shares rose from around 60 cents to about $50, in one of the best performances of any stock in any industry.

But in September, the shares plummeted after Aetna, the big insurer, said it would no longer pay for Acthar, except to treat infantile spasms, because of lack of evidence the drug worked for other diseases. The stock now trades at $26.93.

Peter Wickersham, senior vice president for cost of care at Prime Therapeutics, a pharmacy benefits manager that has found the drug is possibly being overused, says the huge increase in Acthar's price for patients "just invites the type of scrutiny that it's received."

Questcor, meanwhile, has disclosed that the United States attorney's office in Philadelphia is investigating its marketing practices. The company hasn't been accused of wrongdoing.

Mr. Bailey, Questcor's C.E.O., defends his company's practices. He says that when Questcor raised Acthar's price, it did not initially intend to market the drug for other uses. It simply responded to demand. "Nobody predicted this," he said. "Nobody."

He also says that Questcor isn't competing with low-price alternatives, but that it is marketing the drug as a treatment when those alternatives fail. Used that way — for instance, as a last chance to avert kidney failure — insurers are still paying for the drug at least 85 percent of the time, he says.

Still, given that Questcor is now pursuing billion-dollar opportunities far beyond the treatment of infantile spasms, is the high, orphan-drug price still justified?

"We could lower the price and make less money," Mr. Bailey says, "and then we would be sued by our shareholders."

Whatever the case, one group of shareholders has done pretty well for itself. Over the last two years, as the company's share price mainly soared, Questcor insiders have sold more than $100 million of stock.

THE story of Questcor's wonder drug begins in Rochester, Minn. It was there, at the Mayo Clinic, that Dr. Philip S. Hench spent more than 20 years searching for what he called Substance X.

Dr. Hench, a rheumatologist, hypothesized that the body could make a compound that stilled the immune system's attacks on the joints of people with rheumatoid arthritis.

It turned out that another Mayo researcher, Dr. Edward C. Kendall, had isolated six hormones made by the adrenals, the small glands atop the kidneys that are chiefly responsible for releasing stress hormones. When a few patients were injected with one of the hormones in 1948, their symptoms subsided.

But that hormone, now known as cortisone, was then hard to synthesize. So Dr. Hench thought of injecting another substance that would stimulate the body to produce its own cortisone and other steroid hormones. That substance was adrenocorticotropic hormone, or ACTH, which is made by the pituitary gland.

Dr. Hench obtained some ACTH from the Armour meatpacking company, which was extracting it from pigs as part of an effort to develop markets for leftover animal parts. (Its big success was Dial soap, introduced in 1948.)

When ACTH was injected into the first arthritis patient in February 1949, the results were as good as with cortisone, spurring a huge spike in demand for animal glands. By 1950, thousands of patients, not only those with arthritis but also those with gout, lupus, ulcerative colitis and many other diseases, had been treated with either cortisone or ACTH.

That year, Dr. Hench, Dr. Kendall and a third scientist were awarded the Nobel Prize in medicine.

In 1952, Armour won approval from the F.D.A. for H.P. Acthar Gel, or "highly purified" ACTH mixed with gelatin (another animal byproduct) to make it last longer in the body and require fewer injections. The label said the drug could be used to treat about 50 diseases.

But by the 1980s, drug companies had learned to synthesize steroids like prednisone, and those became the treatment of choice. In 1995, when the F.D.A. found numerous quality control problems at the factory manufacturing Acthar, the drug's owner at the time, Rhône-Poulenc Rorer, decided to discontinue the product rather than invest in manufacturing improvements.

That decision provoked an outcry from some patient groups and pediatric neurologists, who said the drug was the best treatment for infantile spasms. So Rhône-Poulenc, which became Aventis after a merger, continued to make a limited supply that was rationed to treat only infantile spasms or severe flare-ups of multiple sclerosis. With Aventis losing several million dollars a year on the drug, on sales of only about a half-million dollars, the company looked for a way out.

It sold the drug in 2001 to Questcor for $100,000 as well as a 1 percent royalty on annual sales over $10 million. At the time, Questcor, formed by a merger of two small companies in 1999, was losing money and looking for drugs to market. With help from Aventis, Questcor set up its own, somewhat more modern manufacturing through a contractor on Prince Edward Island, Canada.

Questcor immediately raised the price of Acthar to $700 a vial, from $40, and the price rose gradually after that. By the end of 2006, Acthar sales were about $12 million a year, but the company was still losing money.

In May 2007, James L. Fares left as chief executive and was replaced, initially on an interim basis, by Mr. Bailey, who had joined the board a year earlier. A mechanical engineer by training, Mr. Bailey had retired in 2000 from a 10-year run as chief executive of Comarco, a military contractor and telecommunications concern.

Three months later, Questcor announced the huge price jump, aimed at repositioning Acthar as a specialty drug. The move prompted protests from parents and pediatric neurologists.

"It made us so sick to the stomach — just the fact that something like that could happen overnight with a drug my child needed to live," says Christina Culver of Colorado Springs. "It's just like someone saying, 'I'm going to charge you for oxygen now.' "

Ms. Culver's son Tyler was in the hospital, being treated for infantile spasms, just as the price increase hit. Tyler was due to leave the hospital, and Ms. Culver and her husband, Randy, were to continue the injections at home. Then the Culvers' insurer, Blue Cross Blue Shield, refused to pay the new high price. After a storm of publicity, the insurer backed down.

Questcor, however, hasn't, and has continued to raise the price, now at more than $28,400 a vial. Insurers generally pay for Acthar because it is considered the best treatment for infantile spasms. They also tend to pay for other approved uses if cheaper drugs have been tried first. And Questcor has carefully executed the orphan-drug playbook. Patients who cannot pay are given the drug free. The company helps with insurance co-payments, to make sure that a patient's inability to make a co-payment doesn't stand in the way of the drug being used and the insurer paying $28,000 a vial.

In other words, Questcor shifts the cost onto insurance companies while staving off consumer protests. It has a staff of 30 people who do nothing but work on insurance reimbursements — about one staff member for each of the roughly 30 prescriptions it gets in a typical day for all uses.

Questcor executives argue that with the free drug program and the ample supply, patients have better access to Acthar now than when it was cheaper and often in short supply.

"We believe we've been good stewards of this product," Mr. Bailey says.

Dr. Lawrence Brown, a neurologist at the Children's Hospital of Philadelphia and the president of the Child Neurology Foundation, says of Questcor: "They have gone out of their way to help every kid who needs the medicine to get it quickly and efficiently."

This year, the foundation awarded its first corporate citizenship award to Questcor. Dr. Brown says Questcor's donations — the amount has not been disclosed — to the foundation didn't influence the award.

STILL, the price remains a sticking point.

At Children's National Medical Center in Washington, "we've been instructed not to hospitalize a child with spasms unless the authorization has been procured to pay for it," said Dr. Phillip L. Pearl, chief of child neurology. In practice, however, no child has been turned away.

Dr. Shaun Hussain of Mattel Children's Hospital in Los Angeles said that the studies showing Acthar to be better than far cheaper steroids used too low a dose of steroids.

At his hospital, he reported at a medical meeting this month, 18 of 30 babies were successfully treated with two weeks' worth of a high-dose oral steroid. Only the 12 who did not respond were switched to Acthar, with five of them successfully treated.

Given that the steroids cost $200 for each baby, compared with about $125,000 for Acthar, the approach saved more than $2 million. "We have to look at the cost to the health care system," Dr. Hussain said.

Mr. Bailey says the new price was set to make the company viable based solely on sales for infantile spasms. Executives assumed at the time that the high price would preclude other uses.

But to Questcor's surprise, he says, some prescriptions continued to trickle in to treat the periodic flare-ups that plague people with multiple sclerosis.

So Questcor began hiring sales representatives to promote the drug for that use. Then it hired a sales force to promote the drug as a treatment for nephrotic syndrome, a kidney injury that can lead to kidney failure. In June, it began selling to rheumatologists.

For all these diseases, there are cheaper alternatives. Oral prednisone, which might be used for some rheumatological diseases, can cost $10 a month. Intravenous steroids, used to treat multiple sclerosis flares, cost several hundred dollars.

Because Acthar was approved for these conditions decades ago, Questcor has not had to do large clinical trials to show that the drug works. It has paid for some small studies, mainly by individual doctors, who then publish a paper that the sales force can present to doctors.

The study that justified calling on rheumatologists involved five patients with rare conditions, all of them treated by a single doctor. All the patients had much improvement on Acthar after failing to benefit from more standard therapies, the doctor, Todd Levine, said in a Questcor conference call.

Still, it appears that at least a couple of small studies that may have raised questions about the drug have been suspended.

"From my standpoint it just didn't work," said Dr. Sungchun Lee, a Phoenix nephrologist who stopped a small study testing Acthar as a treatment for nephrotic syndrome. "I think they were O.K. with me stopping because we weren't getting the results," he said.

Another study that was terminated sought to determine whether multiple sclerosis patients who did not have a good response to steroids should be treated with either another round of steroids or with Acthar. The study was halted midway through "to analyze data," according to the summary of the trial on the federal clinical trial database.

A negative result could have jeopardized already growing sales for multiple sclerosis. The company says the trial fell hopelessly behind its goal in recruiting patients.

Given the scarce data, and the high price, most doctors do not use Acthar for multiple sclerosis, nephrotic syndrome or rheumatology.

"It's absurd," says Dr. Douglas R. Jeffery, a multiple sclerosis specialist in Advance, N.C. "There's never a clinical setting where I can justify spending $23,000 to treat an M.S. relapse."

But some doctors say Acthar can be effective in cases that are not well treated by steroids. They say that there is emerging evidence that Acthar does more than just stimulate the body to produce its own steroids.

"It really looks like the ACTH does bring something different to the table that standard steroids don't," said Dr. Ben W. Thrower, director of the multiple sclerosis institute at the Shepherd Center, a hospital in Atlanta. Dr. Thrower, who is a paid speaker for Questcor, said his institute had tried Acthar for about 60 of its 3,000 patients, ones who did not respond to steroid treatment. Acthar made the symptoms subside in about half of them.

GIVEN Acthar's price, Questcor does not need many prescriptions to make a good business. A course of treatment for nephrotic syndrome can run $250,000, while a shorter treatment for a multiple sclerosis relapse typically costs $40,000.

Questcor sales representatives who are lucky enough or skillful enough to have a big prescriber in their territory can reap bonuses of $50,000 a quarter, according to former employees of the company.

Executives are paid well, too. In 2009, Mr. Bailey hired his daughter Kirsten Fereday as director of business analytics and evaluation, a job that paid $275,000 in cash and stock last year.

Mr. Bailey and Steve Cartt, Questcor's chief operating officer, say the company's marketing has been aboveboard and that the company is now starting to sponsor more studies. "This wasn't possible until the drug was financially viable," Mr. Bailey said.

Patients report mixed results. Sharon Keller of Austin, Tex., who has nephrotic syndrome, tried Acthar after two other drugs had not worked. But she stopped, she says, because side effects including mood swings and weight gain were "much worse than I'd ever experienced."

"I almost had to fight with my doctor not to push it on me," Ms. Keller, 59, says. She says her insurer was charged $130,000 for her drug, including a vial she did not use. "I have a Cadillac in my refrigerator," she says of that leftover vial.

ONE big uncertainty hanging over Questcor is competition. As an old drug without patent protection, Acthar would seem to be a sitting duck for generic rivals. And other versions of ACTH have been sold in the past.

Yet Questcor is now arguing that its studies show that Acthar, despite the "highly purified" in its name, actually contains other substances from the pig pituitary glands that account for some of its effectiveness. The company does not intend to say what those other ingredients are, thus making it extremely hard for a generic company to copy Acthar.

"Coca-Cola is not going to tell you what Coke contains, either," Mr. Bailey says.

Whether such an argument will work remains to be seen. Even if it does, competitors could still sell other forms of ACTH. Novartis, which sells a synthetic version called Synacthen in Europe, has applied for a United States trademark, a sign that the drug might be brought to this country.

A small Maryland company, Cerium Pharmaceuticals, recently won orphan-drug designation from the F.D.A. for Synacthen to be used to treat infantile spasms. But that does not necessarily mean that Cerium has the rights to the drug or intends to market it.

Cerium is run by Gregg Lapointe, a former Questcor board member. He declined to comment for this article.

Still, Synacthen, or other versions of ACTH, might have to go through lengthy trials before being approved, and would have to be approved for one disease at a time.

So there is at least a chance that Questcor might maintain its high-priced dominance for a long time. In the meantime, the company plans to systematically expand the marketing of the drug to treat other diseases, starting with those already on the label.

Given that Acthar has many potential uses, Mr. Bailey says, Questcor sees no reason to come up with other drugs. The company has been buying back its stock, helping to underpin the price, and recently said it would start paying a dividend.

"We'll take it where it goes," Mr. Bailey says of Acthar. "It's taken us to places we never expected."

Saturday, December 29, 2012

How a Simple Smartphone Can Turn Your Car, Home, or Medical Device into a Deadly Weapon | Vanity Fair

Last October at Melbourne's grand Intercontinental Hotel scores of technophiles watched a researcher for IOActive, a Seattle-based computer-security firm, demonstrate an ingenious new way to kill someone—a method that one can imagine providing a sensational plot twist in an episode of Homeland.

The IOActive researcher, a man named Barnaby Jack, was so worried about the implications of his work that he intentionally obscured many of the details in his presentation. As a further precaution, he asked the attendees not to take any pictures—a tough request in a crowd full of smartphones and laptops.

Jack's work concerned pacemakers and implantable cardioverter-defibrillators (I.C.D.'s). More than three million American heart patients carry around these small, computerized devices, which monitor their heartbeat and deliver jolts of electricity to stabilize it when needed. To check and adjust these devices, many doctors use wand-like wireless programmers that they wave a few inches above patients' chests—a straightforward and seemingly safe procedure. But now, with a custom-built transmitter, Jack had discovered how to signal an I.C.D. from 30 feet away. It reacted as if the signal were in fact coming from the manufacturer's official I.C.D. programmer. Instructed by the counterfeit signal, the I.C.D. suddenly spat out 830 volts—an instantly lethal zap. Had the device been connected to an actual human heart, the fatal episode would likely have been blamed on a malfunction.

Let's face it: Barnaby Jack is a man who is quite literally looking for trouble. This is a guy who had demonstrated the year before how he could wirelessly direct an implantable insulin pump to deliver a lethal dose. The year before that, he hacked an ATM to make it spray out bills like a slot machine. But trouble-making is what he's paid to do at IOActive, and in that role he has developed a particular respect for the looming power of smartphones. Terrorists have already used cell phones to kill people in the crudest possible way: detonating explosives in Iraq and Afghanistan. But smartphones bring a new elegance to the endeavor and will bring new possibilities for mayhem into the most mundane areas of life.

The day is not far off, Jack says, when the manipulation of medical devices, for which he had needed to build special equipment, will be done routinely and remotely by punching keys on a smartphone. Indeed, in just a few minutes of online searching, I was able to find a dozen ventures developing smartphone apps for medical devices: pacemakers, defibrillators, cochlear implants, insulin pumps, cardiovascular monitors, artificial pancreases, and all the other electronic marvels doctors now are inserting into human bodies.

To engineers, the advantages are clear. Smartphones can relay patients' data to hospital computers in a continuous stream. Doctors can alter treatment regimens remotely, instead of making patients come in for a visit. If something goes wrong, medical professionals can be alerted immediately and the devices can be rapidly adjusted over the air. Unfortunately, though, the disadvantages are equally obvious to people like Barnaby Jack: doctors will not be the only people dialing in. A smartphone links patients' bodies and doctors' computers, which in turn are connected to the Internet, which in turn is connected to any smartphone anywhere. The new devices could put the management of an individual's internal organs in the hands of every hacker, online scammer, and digital vandal on Earth.

I asked Jack if he thought anyone would actually use smartphones to try to fiddle with other people's pacemakers, or change the dosage of their medications, or compromise their eyesight, or take control of their prosthetic limbs, or raise the volume of their hearing aids to a paralyzing shriek. Will this become a tempting new way to settle a score or hurry up an inheritance? He said, "Has there ever been a box connected to the Internet that people haven't tried to break into?" He had a point: a few years ago, anonymous vandals inserted flashing animated images into an Epilepsy Foundation online forum, triggering migraines and seizure-like reactions in some unfortunate people who came across them. (The vandals were never found.) Jack was reluctant to go into detail about what he thinks the future may hold. "I'm not comfortable trying to predict exact scenarios," he said. But then he added, calm as a State Department spokesman, "I can say that I wouldn't want to discover a virus in my insulin pump."

Smartphones taking control of medical devices: the tabloid headlines write themselves. But medical devices represent only one early and obvious target of opportunity. Major power and telephone grids have long been controlled by computer networks, but now similar systems are embedded in such mundane objects as electric meters, alarm clocks, home refrigerators and thermostats, video cameras, bathroom scales, and Christmas-tree lights—all of which are, or soon will be, accessible remotely. Every automobile on the market today has scores of built-in computers, many of which can be accessed from outside the vehicle. Not only are new homes connected to the Internet but their appliances are too. "Start your coffee machine with a text message!" says a video for Electric Imp, a device created by former Gmail and iPhone employees, whose stated goal is to "apply [Internet connectivity] to any device in the world." Even children's toys have Internet addresses: for instance, you can buy an add-on wi-fi kit for your Lego robot. The spread of networking technology into every aspect of life is sometimes called "the Internet of Things."

The embrace of a new technology by ordinary people leads inevitably to its embrace by people of malign intent. Up to now, the stakes when it comes to Internet crime have been largely financial and reputational—online crooks steal money and identities but rarely can inflict physical harm. The new wave of embedded devices promises to make crime much more personal.

Consider the automobile. Surely nobody involved in the 2000 Bridgestone/Firestone scandal—a series of deadly rollovers in Ford Explorers, linked to disintegrating tires—realized that they were laying the groundwork for a possible new form of crime: carjacking-by-tire. In the aftermath of the accidents, Congress quickly toughened tire-safety regulations. Since 2007, every new car in the United States has been equipped with a tire-pressure-monitoring system, or T.P.M.S. Electronic sensors in the wheels report tire problems to an onboard computer, which flashes a warning icon on the dashboard.

By itself, the T.P.M.S. represents no great leap. Modern cars are one of the most obvious examples of the Internet of Things. It is a rare new vehicle today that contains fewer than 100 of the computers, called electronic control units, which direct and monitor every aspect of the vehicle. When drivers screech to a sudden stop, for instance, sensors in the wheels detect the slowdown and send the information to an E.C.U. If one wheel is rotating more slowly than the others—an indicator of brake lock—the E.C.U. overrides the brake and the accelerator, preventing the skid. Even as it fights the skid, the computer reaches into the seatbelt controls, tightening the straps to prevent passengers from slipping under them in case of an accident. The software for these complex, overlapping functions is formidable: as much as 100 million lines of computer code. (By contrast, Boeing's new 787 Dreamliner makes do with about 18 million lines of code.)

Many of these functions can be activated from outside. Door locks are opened by radio pulses from key fobs. G.P.S. systems are upgraded by special C.D.'s. Ignitions can be disabled by remote-controlled "immobilizers" in case of theft or repossession. Cars increasingly offer "telematics" services, such as OnStar (from General Motors), BMW Assist, MyFord Touch, and Lexus Link, that remotely diagnose engine problems, disable stolen cars, transmit text messages and phone calls, and open doors for drivers who have locked themselves out. As cars grow more sophisticated, their owners will, like computer owners, receive routine, annoying updates for the code that runs these features; Tesla, the electric-vehicle manufacturer, announced the planet's first over-the-air car-software patch in September. A security-research team from InterTrust Technologies, a company that makes protected computer systems for businesses, describes today's automobiles as full-time residents of cyberspace, scarcely distinguishable from "any other computational node, P.C., tablet, or smartphone."

The tire-pressure-monitoring system is an example. As a rule, it consists of four battery-operated sensors, one attached to the base of each tire valve. The sensors "wake up" when the wheels begin rotating. Typically, they send out minute-by-minute reports—the digital equivalent of messages like "I'm the right front tire; my pressure is 35 p.s.i."—to an E.C.U. To make sure the E.C.U. knows which tire is reporting, each sensor includes an identification number with its report. The ID is specific to that one tire. In 2010, researchers from Rutgers and the University of South Carolina discovered that they could read a tire's ID from as far away as 130 feet. This means that every car tire is, in effect, a homing device and that people 130 feet from an automobile can talk to it through its tires.

Schrader Electronics, the biggest T.P.M.S. manufacturer, publicly scoffed at the Rutgers–South Carolina report. Tracking cars by tire, it said, is "not only impractical but nearly impossible." T.P.M.S. systems, it maintained, are reliable and safe.

This is the kind of statement that security analysts regard as an invitation. A year after Schrader's sneering response, researchers from the University of Washington and the University of California–San Diego were able to "spoof" (fake) the signals from a tire-pressure E.C.U. by hacking an adjacent but entirely different system—the OnStar-type network that monitors the T.P.M.S. for roadside assistance. In a scenario from a techno-thriller, the researchers called the cell phone built into the car network with a message supposedly sent from the tires. "It told the car that the tires had 10 p.s.i. when they in fact had 30 p.s.i.," team co-leader Tadayoshi Kohno told me—a message equivalent to "Stop the car immediately." He added, "In theory, you could reprogram the car while it is parked, then initiate the program with a transmitter by the freeway. The car drives by, you call the transmitter with your smartphone, it sends the initiation code—bang! The car locks up at 70 miles per hour. You've crashed their car without touching it."

Systematically probing a "moderately priced late-model sedan with the standard options," the Washington–San Diego researchers decided to see what else they could do. They took control of the vehicle by contacting the hands-free system through the built-in cellphone and playing a special audio file. They compromised the hands-free microphone and recorded conversations in the car as it moved. They reprogrammed a mechanics' diagnostic computer to let them take over the sedan's operation remotely, at a time of their choosing. They used Bluetooth signals to start cars that were parked, locked, and alarmed. They did all this with instructions sent from a smartphone.

There was nothing to stop them. "Except for medical devices," Stuart McClure, chief technical officer of the anti-virus company McAfee, told me, "nobody regulates any of this stuff." And medical devices are regulated for safety, not security. Because government isn't wielding a cudgel, security is entirely up to the manufacturers. In McClure's view, "maybe 90 percent" of the vendors don't see security as critical. The same thing was true of computer-software companies, he pointed out. Not until credit-card numbers by the millions began to be stolen did they begin to pay attention. "We live in a reactive society," McClure went on, "and something bad has to happen before we take problems seriously. Only when these embedded computers start to kill a few people—one death won't do it—will we take it seriously."

It is a commonplace that most murders occur at home, which leads (solely for the purposes of illustration) to my own. My wife is an architect, so when we recently built a house we built one to her design. Late last spring, we moved in, hauling boxes as workers hurried to finish the last details. One day I walked into the basement to find the plumber peering in puzzlement at a device installed next to the circuit breakers. It was a white, lozenge-shaped object with a small L.E.D. panel on its face that showed a "dotted quad"—an Internet address in the form of four numbers separated by periods. "What's that?" asked the plumber. "It looks like your house is connected to the Internet."

I didn't know. The contractor didn't know, either. Nor did the cable guy or the house-alarm guy. After a few phone calls, I learned that our electric company had installed the mystery box to monitor the new solar panels on the roof. Our house—or at least our roof—was part of the Internet of Things.

The white lozenge, it turned out, was part of a "smart meter," one of the most common among a wave of new devices that will, developers hope, produce the domestic dream of a "smart home." In smart homes, residents can control their lighting, heating, air-conditioning, fire and burglar alarms, lawn sprinklers, and kitchen appliances with the touch of a button. Increasingly, that button is on a computer or smartphone. These systems can help make homes more convenient, energy efficient, and safe. They are also a point of entry for online intruders—no different, really, from an open window or an unlocked door.

Computer-security researchers are focusing attention on smart meters in part because utilities have been installing them by the millions. (The Obama stimulus bill provided $4.5 billion for "smart grid" projects; the European Union has mandated a switch-over to smart meters by 2022.) Instead of learning about energy consumption inside a home or building from meter readers in white vans, electric companies now know about power usage in real time, from streaming data provided over the Internet, letting them avoid the cascading failures that lead to blackouts. Utilities talk up the environmental benefits of smart meters—no more wasted power! Utilities are quieter about "remote disconnect"—the possibility, created by smart meters, of cutting power to nonpaying customers with the flick of a switch or the punch of a phone key.

Because smart meters register every tiny up and down in energy use, they are, in effect, monitoring every activity in the home. By studying three homes' smart-meter records, researchers at the University of Massachusetts were able to deduce not only how many people were in each dwelling at any given time but also when they were using their computers, coffee machines, and toasters. Incredibly, Kohno's group at the University of Washington was able to use tiny fluctuations in power usage to figure out exactly what movies people were watching on their TVs. (The play of imagery on the monitor creates a unique fingerprint of electromagnetic interference that can be matched to a database of such fingerprints.)

Like the computer on my home-office desk, the smart-meter computer in my basement is vulnerable to viruses, worms, and other Internet perils. As long ago as 2009, Mike Davis of IOActive was able to infect smart meters with virus-like code. The infected meters could then spread the malware to other, nearby meters. In theory, smart-meter viruses could black out entire neighborhoods at a stroke. They could also ripple back and infect the central controls at utility companies. Because those utility networks are usually decades old, they often lack basic security features, such as firewalls and anti-virus protection. "If I'm a bad guy, I'll wait till there's a major snowstorm or heat wave," said McClure. "Then kill the heat or A/C." Under such circumstances, he observed, "the elderly die very easily."

For average homeowners like me, smart meters are almost as invisible as their risks. We're much more aware of the new temperature, security, and lighting controls operated by smartphones or tablets. (In September, the big real-estate developer Taylor Morrison announced a nationwide rollout of "interactive homes" that include front-door video monitoring, whole-house Internet audio integrated with iTunes, and remotely programmable lighting and appliances.) Just around the corner, according to tech analysts, are refrigerators that alert families when they've run out of milk, ovens that can be turned on from the office, counters that double as video displays for recipes, videos, or Skype chats, and sensors that detect when residents are ill or hurt and that automatically call 911.

In the rush to put computers into everything, neither manufacturers nor consumers think about the possible threats. "I would be shocked if a random parent at Toys R Us picked up a toy with a wireless connection and thought, I wonder if there are any security problems here," Kohno said to me. As he has himself demonstrated, children's Erector Sets with Web cams can be taken over remotely and used for surveillance. Kohno added, "I just hope you can't use them to turn on the broiler and set the house on fire." It was meant as joking hyperbole. But you won't need an Erector Set to physically turn on the broiler. Smartphone apps will do that for you. And when that's done—what the heck—you can kill the power, disable the fire alarm, suppress the call to 911, and for good measure start the car and leave it running in the garage.

Today, of course, these threats are remote. Only experts like Kohno can digitally hijack a house. But it is the nature of software to get easier to use and more widely available. Creating the first Internet worm required months of work in the late 1980s by a brilliant computer-science student, Robert T. Morris, who is now a professor at M.I.T. Today "virus construction kits" are readily downloadable on the Web, intended for teenaged miscreants with little programming ability. The expertise and time required for this type of vandalism have steadily declined. As a result, Internet threats have steadily risen. As I researched this article, every single computer-security expert I spoke with said they expected precisely the same pattern—obscure and rare to common and ubiquitous—to hold for the Internet of Things.

More than 1.5 million external defibrillators—flat, plastic devices that deliver shocks to people in cardiac arrest—have been installed in American offices, malls, airports, restaurants, hotels, stadiums, schools, health clubs, and, of course, hospital wards. (Usually bright red or yellow, they are typically mounted in boxes that look a bit like big fire alarms.) A.E.D.'s, as they are called, administer shocks through two pads taped to patients' chests that also monitor their heartbeats. Many have the ability to simultaneously call 911 when they are used. A.E.D.'s are, in fact, computers, and most of them are updated with Windows-based software on a U.S.B. stick.

Last year, Kevin Fu of the University of Massachusetts and five other researchers decided to find out whether an A.E.D. could be hacked. They discovered four separate methods for subverting the apparatus, two of which would allow the A.E.D.'s to be used as a portal for taking over nearby hospital computers.

In a way, Fu told me, using A.E.D.'s to hijack hospital computers was "irrelevant," because computers are often already compromised by other means. Critically important devices like the fetal monitors for women with high-risk pregnancies can be so burdened with malware they no longer function. "I remember one computer in a radiology room that was absolutely riddled with viruses because the surgeons and nurses checked their e-mail on it," Fu said. "And it was the computer that ran the radiology equipment." Why didn't people check e-mail on a separate computer? "They said there wasn't enough room on the table for two machines," he said.

Even when staffers aren't careless, hospital-security problems can be difficult to fix. Medical manufacturers, Fu said, frequently will not allow hospitals to modify their software—even just to add anti-virus protection—because they fear that the changes would have to be reviewed by the U.S. Food and Drug Administration, a complex and expensive process. The fear is wholly justified; according to the F.D.A., most medical-device software problems are linked to updates, patches, and revisions.

Hospital equipment like external defibrillators and fetal monitors can at least be picked up, taken apart, or carted away. Implanted devices—equipment surgically implanted into the body—are vastly more difficult to remove but not all that much harder to attack.

You don't even have to know anything about medical devices' software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries—a medical version of the online "denial of service" attack, in which botnets overwhelm Web sites with millions of phony messages. On a more complex level, pacemaker-subverter Barnaby Jack has been developing Electric Feel, software that scans for medical devices in crowds, compromising all within range. Although Jack emphasizes that Electric Feel "was created for research purposes, in the wrong hands it could have deadly consequences." (A General Accounting Office report noted in August that Uncle Sam had never systematically analyzed medical devices for their hackability, and recommended that the F.D.A. take action.)

Some 20 million Americans today carry implanted medical devices of some kind. As the population ages, that number will only grow, as will the percentage of those devices that are accessible by smartphone. So will the number of connected smart homes. Possibly people will own versions of Google's driverless car, in which all navigation is controlled by computers and sensors—devices that a hacker with a smartphone can adjust with satisfactorily grim results. If Ridley Scott, say, were to attempt a remake of Dial M for Murder, I'm not sure he'd know where to begin.

"In 10 years," Kohno told me, "computers will be everywhere we look, and they'll all have wireless. Will you be able to compromise someone's insulin pump through their car? Will you be able to induce seizures by subverting their house lights? Will you be able to run these exploits by cell phone? What's possible? It's more like 'What won't be possible?'"

A Circus of Pain -


It was a cool fall day, but the sun seemed extremely bright as the young man helped guide nine circus elephants to their new pens. Even though the man was wearing sunglasses, the morning sun reflecting off the metal equipment felt like a knife cutting into his right eye. His head throbbed behind the eye, and an occasional tear rolled down his cheek. When the animals were finally secured, he returned to his trailer. "O.K., I do need a doctor," he said to his girlfriend. His hand was cupped over the side of his face. "Right now."


Ken Orvidas

It was the worst headache of his life, the 25-year-old patient told the doctor in the emergency room of Highland Hospital in Rochester. It started five days earlier when the circus was in Connecticut. At first it wasn't a big deal. He would take a couple of aspirin, and it would disappear. But when the medicine wore off, the headache was still there. In fact, each time it seemed just a little worse. That morning, when he got out of bed, the pain was unbearable. He took aspirin, Advil, Tylenol. Nothing put a dent in it. The pain was sharp and on the right. It felt as if someone were slamming a door inside his head. He'd had the occasional headache but never something like this.

He didn't smoke, rarely drank and took no medications. He had no recent head trauma, though he was head-butted by a zebra a few years ago. That hurt — it broke his glasses — but not this much. His mother had migraines, and perhaps that's what this was. Maybe, the doctor said, though a week was a long time for a migraine.


For doctors, a description of a headache as the worst is a red flag. We worry about headaches described as the first (for someone who doesn't have headaches) or the worst (for someone who does) or those that are "cursed" by the presence of other symptoms like weakness or confusion. He didn't have other symptoms, but the doctor was concerned because he called it the worst.


The doctor ordered a painkiller and blood tests to look for signs of infection or inflammation. She also ordered a CT scan of the head to look for a tumor or evidence of blood. The blood tests were normal. The CT was not.

Within the brain, there are compartments where spinal fluid is made. The fluid then circulates around the brain and spinal cord and is reabsorbed. Two of these compartments, known as the lateral ventricles, are usually mirror images of each other. But in this patient, the ventricle on the right, where his headache was located, was much larger than the one on the left. That suggested there might be a blockage in the circulation of the spinal fluid on the right side, which was causing pressure to build. That could certainly cause a headache — and permanent damage if not addressed quickly.


A slide from the CT scan of the patient's head.

Even before the E.R. doctor saw the CT scan, she called neurology for help in figuring out this patient's terrible headache. The neurology resident examined the patient and his CT scan, but it wasn't clear to him how the pieces fit together. If the asymmetry were caused by an obstruction, the patient should have symptoms associated with increased brain pressure — like nausea — but he didn't. The resident knew that he didn't have enough data to make a diagnosis. Watching the patient over time would give him more. If there was a blockage in his brain, he should begin to feel nauseated and weak. If he didn't, it was very unlikely that the asymmetry reflected a blockage. The patient was admitted to the hospital, where nurses were to examine him every four hours to look for any change.


Overnight the headache became worse, despite the use of several powerful painkillers. By morning the patient was exhausted from the pain and nearly incoherent from the narcotics. He never, however, developed symptoms of increased pressure in his brain. The neurologist speculated that this was a migraine and recommended he go home and follow up as an outpatient.

The neurosurgeons weren't so sure there wasn't an obstruction. The patient's worsening pain was worrisome. They recommended an M.R.I. If there was a change in the size of the ventricle, when compared with the CT, they could drill a small hole into his skull and relieve the pressure.


Dr. Bilal Ahmed, the internist taking over the patient's care that morning, first heard about the new patient from his team of residents outside the patient's door. They told him that he was a young circus worker who had been hit in the head by a zebra, had an abnormal CT and was probably going to surgery later in the day.

As they stood there, a nurse hurried out of the patient's room. "He's got a rash," she told the doctors. The team went into the room, and Dr. Ahmed glanced at the patient now hidden beneath a pile of blankets. He introduced himself to the patient's girlfriend. As she started to speak, Dr. Ahmed held a finger to his lips. "Don't say anything," he told her. "I want to see for myself."

"May I look?" he asked the young man. A matted head of dark curls slowly emerged from beneath the mound of blankets. The patient sat up slowly, blinking in the dim light. His right eyelid was swollen and drooped drunkenly over the pupil so that only the lower ridge of the greenish brown iris was visible. The right side of his forehead was red, as if he had a sunburn on that half of his face. And there was a sprinkling of bumps over his eye and forehead.

Was this zoster? Dr. Ahmed wondered out loud. He touched the reddened skin around the lesions. The young man winced. That part of his forehead had been intensely sensitive ever since this headache started.


Herpes zoster — or shingles — is the re-emergence of the herpes virus that causes chickenpox. The word "shingles" comes from the Latin "cingulum," which means "belt" or "girdle"; the rash of herpes zoster often appears in a band, usually on the trunk or chest. When a chickenpox infection resolves, the virus takes refuge in branches of the nerves just outside the spinal cord, where it usually resides for decades. Sometimes the virus re-emerges, but the reasons are unclear. Most of these outbreaks are painful but not dangerous — except when the virus emerges in the nerves near the eyes.


Dr. Ahmed called the neurosurgeon. Was there a link between this patient's shingles and the asymmetric ventricles? No, he was told. If this guy has shingles — and it sounded as if he did — then the asymmetry was probably something he was born with. The M.R.I., done later that day, confirmed that there was no obstruction. In the meantime, the patient was started on an antiviral medication. Despite the treatment, his vision began to blur. The bumps on his face, which led to the diagnosis, had spread to his eye as well. Two years later, his vision is still impaired on that side.


In this case, as in so many, time is a powerful and frequently undervalued diagnostic tool. The rash appeared days after the symptoms began; that is common in zoster. But without the telltale rash, there was only the pain and the abnormal CT, and that led his doctors to worry that his pain was the result of pressure building up in his brain. A truism in medicine is that when we hear hoof beats we should think of ordinary horses as the cause rather than the rare zebra. In this case, time revealed that what looked likely to be a zebra — an obstruction on the right side of the brain — was actually the everyday horse of herpes zoster.