RISKS-LIST: Risks-Forum Digest Monday 18 January 2021 Volume 32 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <
http://www.risks.org> as
<
http://catless.ncl.ac.uk/Risks/32.45>
The current issue can also be found at
<
http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Bursts of acceleration in Tesla vehicles caused by drivers mistaking
accelerators for brakes, feds conclude (Ian Duncan)
Riot in the Capitol is a nightmare scenario for cybersecurity professionals
(Tonya Riley)
Post-Riot, the Capitol Hill IT Staff Faces a Security Mess (WiReD)
The Parler API was open without authentication. One or more third parties
have done full downloads (Ars Technica)
ESS voting machine company sends threats (Andrew Appel)
IPhone12 will stop your implantable defibrillator (Medicalxpress.com)
IRS rushes to fix error that sent millions of stimulus payments to wrong
bank accounts (Michelle Singletary)
Lack of Tiny Parts Disrupts Auto Factories Worldwide (NYTimes)
Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes (NYTimes)
Bug wipes UK arrest records (Tom Van Vleck)
Risks of DNS encryption: NSA warns enterprises to beware of third-party DNS
resolvers (Ars Technica)
Company name could lead to security xss attack (IBTimes)
How Amazon Sidewalk Works -- and Why You May Want to Turn It Off (WiReD)
What to expect for the 2021 workplace (WashPost)
In-Garage Delivery: Amazon Key (Amazon.com)
AI algorithm over 70% accurate at guessing a person's political orientation
(techxplore.com)
Detection of Hardware Trojans Using Controlled Short-Term Aging
(NYU Tandon School of Engineering)
Unique study incorporates fluid dynamics and more to evaluate, enhance
future implants (PHYS.ORG)
Risk Management and Two-Dose Vaccines (Rob Slade)
Different kinds of security (Rob Slade)
Hacker Locks Internet-Connected Chastity Cage (Larry Werring)
Re: Scope of Russian Hacking Far Exceeds Initial Fears (Larry Werring)
Re: Voting Systems: The Cherry and the Cream (3daygoaty)
Re: One Minute Left": Hockey, CoVID-19 ...vs hacking (Stephen Fierbaugh,
Chris Drew, Stephen Fierbaugh)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 9 Jan 2021 18:00:44 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Bursts of acceleration in Tesla vehicles caused by drivers
mistaking accelerators for brakes, feds conclude (Ian Duncan)
Ian Duncan, *The Washington Post*, 8 Jan 2021
Dozens of incidents involving Teslas unexpectedly accelerating and crashing were the fault of drivers, not a defect with the electric vehicles, the
federal car safety agency concluded Friday.
https://www.washingtonpost.com/transportation/2021/01/08/tesla-brakes/
[Doesn't speak well of Tesla owners' driving skills...]
------------------------------
Date: Tue, 12 Jan 2021 11:19:09 PST
From: Peter Neumann <
neumann@csl.sri.com>
Subject: Riot in the Capitol is a nightmare scenario for cybersecurity
professionals (Tonya Riley)
Tonya Riley, *The Washington Post, 7 Jan 2021
Riot in the Capitol is a nightmare scenario for cybersecurity professionals
Lawmakers and congressional staff were ushered into secure locations as a
mob backing President Trump violently stormed the U.S. Capitol in hopes of overturning the election he lost.
The assault -- which only temporarily delayed the certification of president-elect Joe Biden's win -- left many unanswered questions about security at the Capitol, including its cybersecurity. The quick evacuation left computers and other device unattended as the mob ransacked offices.
------------------------------
Date: Sun, 10 Jan 2021 00:23:17 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess (WiReD)
Wednesday's insurrection could have exposed congressional data and devices
in ways that have yet to be appreciated. [...]
Given the scope of the intrusion, Coleman and others say that it's important
to assume that any device could have been compromised and remediate the
breach with that scale and scope in mind. But he and others emphasize that rather than replacing every device and cable in the entire congressional
orbit, constant vigilance and an “assume breach”
mentality will be the best defense going forward. The Economic Development Administration took an ill-advised maximalist approach after a 2011
compromise, launching a massive campaign <
https://arstechnica.com/information-technology/2013/07/us-agency-baffled-by-modern-technology-destroys-mice-to-get-rid-of-viruses/>
to physically destroy all of its digital equipment, including desktop computers, printers, cameras, mice, and keyboards -- most of which were uninfected. The effort concluded only when the agency ran out of money for
the project.
Congress needn't take an action so dramatic as that. But it also must acknowledge how exposed Wednesday's incident has left it.
https://www.wired.com/story/capitol-riot-security-congress-trump-mob-clean-up/
Every cable? And if they ran out of money to destroy things, what was left
to *buy* things?
------------------------------
Date: Tue, 12 Jan 2021 09:35:30 -0700
From: "Bob Gezelter" <
gezelter@rlgsc.com>
Subject: The Parler API was open without authentication. One or more third
parties have done full downloads (Ars Technica)
It is important to design APIs so that they are reasonably secure. It is reported that the Parler API was open (e.g. did not require authentication). Further more, the geo-tagging inherent in JPEG was provided on public
images. Reportedly, the entire contents of Parler's database have been accessed by at least one third party.
I guess that the individuals who implemented Parler were not well-read on
web security issues, and were not familiar with the OWASP guidance on the subject.
The full articles can be found at:
https://arstechnica.com/information-technology/2021/01/parlers-amateur-coding-could-come-back-to-haunt-capitol-hill-rioters/
------------------------------
Date: Tue, 12 Jan 2021 18:08:42 PST
From: Peter Neumann <
neumann@csl.sri.com>
Subject: ESS voting machine company sends threats (Andrew Appel)
Andrew Appel <
appel@princeton.edu> has another RISKS-relevant article on freedom-to-tinker:
https://freedom-to-tinker.com/2021/01/11/ess-voting-machine-company-sends-threats/
ESS voting machine company sends threats, 11 Jan 2021
For over 15 years, election security experts and election integrity
advocates have been communicating to their state and local election
officials the dangers of touch-screen voting machines. The danger is simple:
if fraudulent software is installed in the voting machine, it can steal
votes in a way that a recount wouldn't be able to detect or correct. That
was true of the paperless touchscreens of the 2000s, and it's still true of
the ballot-marking devices (BMDs) and *all-in-one* machines such as the ES&S ExpressVote XL voting machine ( [
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf | see section 8
of this paper ] *). This analysis is based on the characteristics of the technology itself, and doesn't require any conspiracy theories about who
owns the voting-machine company.
In contrast, if an optical-scan voting machine was suspected to be hacked,
the recount can assure an election outcome reflects the will of the voters, because the recount examines the very sheets of paper that the voters marked with a pen. In late 2020, many states were glad they used optical-scan
voting machines with paper ballots: the recounts could demonstrate
conclusively that the election results were legitimate, regardless of what software might have been installed in the voting machines or who owned the voting-machine companies. In fact, the vast majority of the states use optical-scan voting machines with hand-marked paper ballots, and in 2020 we
saw clearly why that's a good thing.
In November and December 2020, certain conspiracy theorists made
unsupportable claims about the ownership of Dominion Voting Systems, which manufactured the voting machines used in Georgia. [
https://www.cnn.com/2021/01/08/politics/dominion-voting-defamation-lawsuit/index.html
Dominion has sued for defamation
[For example, PGN suggests looking at this WashPost item:
https://www.washingtonpost.com/politics/dominion-sues-pro-trump-lawyer-sidney-powell-seeking-more-than-13-billion/2021/01/08/ebe5dbe0-5106-11eb-b96e-0e54447b23a1_story.html
]
Dominion is the manufacturer of voting machines used in many states. Its
rival, Election Systems and Software (ES&S), has an even bigger share of the market.
Apparently, ES&S must think that amongst all that confusion, the time is
right to send threatening Cease & Desist letters to the legitimate critics
of their ExpressVote XL voting machine. Their lawyers sent [
https://freedom-to-tinker.com/2021-01-04-cease-and-desist-letter-to-smart-elections-0029787725-1/
| this letter ] to the leaders of [
https://smartelections.us/ | SMART Elections ] , a journalism+advocacy organization in New York State who have been communicating to the New York State Board of Elections, explaining to
the Board why it's a bad idea to use the ExpressVote XL in New York (or in
any state).
ES&S's lawyers claim that certain facts (which they call *accusations*) are *false, defamatory, and disparaging*, namely: that the ``ExpressVote XL can add, delete, or change the votes on individual ballots'', that the
ExpressVote XL will ``deteriorate our security and our ability to have confidence in our elections,'' and that it is a ``bad voting machine.''
Well, let me explain it for you. The ExpressVote XL, if hacked, can add, delete, or change votes on individual ballots -- and no voting machine is immune from hacking. That's why optical-scan voting machines are the way to
go, because they can't change what's printed on the ballot. And let me
explain some more: The ExpressVote XL, if adopted, will deteriorate our security and our ability to have confidence in our elections, and indeed it
is a bad voting machine. And expensive, too!
It's been clearly explained in the peer-reviewed literature how touch-screen voting machines -- even the ones like the XL that print out paper ballots -- can (if hacked) alter votes; and how most voters won't notice; and how even
if some voters do notice, there's no way to correct the election result. And it's been explained why machines like the ExpressVote XL are particularly insecure -- as I said, [
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf | see section 8
of this paper ] *.
And it's pretty clear that the folks at SMART Elections are aware of these scientific studies, and are basing their journalism and advocacy on good science.
I'll summarize here what's explained in the paper: how the ExpressVote XL,
if hacked, can change votes. If the machine is hacked, the software can do whatever the hacker has programmed, but the hacker can't change the
hardware. The hardware includes a thermal printer that can make black marks (i.e., print text or barcodes or whatever) on the paper, but the hardware
can't erase marks. Therefore you might think the ExpressVote XL, even if hacked, couldn't alter votes. But consider this: suppose there are 15
contests on the ballot; suppose the voter makes choices for all 13 contests
and chooses not to vote for State Senator. Then what the legitimate software does is, in the line for State Senator, print NO SELECTION MADE. But the
hacked software could simply leave that line blank -- then, when the voter
has reviewed the ballot (or not bothered to), the ballot card is pulled past the printhead into the ballot box, and the printhead (under control of
hacked software) can print in a vote for Candidate Smith. Few voters will be worried that the line is blank rather than filled in with NO SELECTION MADE.
You might think, ``OK, the ExpressVote XL can fill in undervotes, that's
bad, but it can't change votes.'' But it can! Here is the mechanism:
Suppose the voter makes choices in all 15 contests, and chooses Jones for
State Senator. The hacked software can print a ballot card with only 14 contests, and leave blank spaces for State Senator. Then, after the voter reviews the ballot card behind glass, the card moves past the printhead into the ballot box. At this time the hacked software can print the hacker's
choice (Smith) for State Senator. If most humans were really good at
checking their printout line-by-line with what they marked on the
touchscreen, this wouldn't succeed because the voter would notice the
missing line, but voters are only human.
More details and explanation are in
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf
------------------------------
Date: Sun, 10 Jan 2021 10:04:05 +0800
From: Richard Stein <
rmstein@ieee.org>
Subject: IPhone12 will stop your implantable defibrillator
(Medicalxpress.com)
https://medicalxpress.com/news/2021-01-iphone12-implantable-defibrillator.html
"In a recent paper in the journal Heart Rhythm, doctors describe how they turned off the potentially life-saving cardiac defibrillator function of an implanted Medtronic device simply by holding an iPhone 12 near it. The
authors had nothing personal against Medtronic, or for that matter, against
the new iPhone. The main reason they singled the phone out here was because
it is compatible with some of the most advanced new technologies available
for various magnetic-based communications and charging."
[Monty Solomon noted another take:
Medical study suggests iPhone 12 with MagSafe can deactivate pacemakers
https://9to5mac.com/2021/01/11/iphone-12-magsafe-deactivates-pacemakers/
PGN]
------------------------------
Date: Sat, 9 Jan 2021 18:02:51 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: IRS rushes to fix error that sent millions of stimulus payments to
wrong bank accounts (Michelle Singletary)
Michelle Singletary, *The Washington Post*, 8 Jan 2021
https://www.washingtonpost.com/business/2021/01/08/irs-tax-preparer-stimulus-error/
------------------------------
Date: Thu, 14 Jan 2021 12:27:52 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Lack of Tiny Parts Disrupts Auto Factories Worldwide (NYTimes)
Carmakers can't buy the semiconductors they need because home electronics
are taking all the supply.
https://www.nytimes.com/2021/01/13/business/auto-factories-semiconductor-chips.html
[The Internet of Things is becoming the Internet of Ca-chings? PGN]
------------------------------
Date: Wed, 13 Jan 2021 00:12:55 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes
(NYTimes)
https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html
The risk? History repeating itself.
------------------------------
Date: Sun, 17 Jan 2021 03:20:47 -0800
From: Tom Van Vleck <
thvv@multicians.org>
Subject: Bug wipes UK arrest records
Software bug wipes out over 150,000 UK arrest records including fingerprints and DNA data.
------------------------------
Date: Sat, 16 Jan 2021 08:59:40 -0800
From: Lauren Weinstein <
lauren@vortex.com>
Subject: Risks of DNS encryption: NSA warns enterprises to beware of
third-party DNS resolvers (Ars Technica)
https://arstechnica.com/information-technology/2021/01/the-nsa-warns-enterprises-to-beware-of-third-party-dns-resolvers/
------------------------------
Date: Sun, 17 Jan 2021 03:16:20 -0800
From: Tom Van Vleck <
thvv@multicians.org>
Subject: Company name could lead to security xss attack
Someone named his company
" " > [or perhaps even `" " >']
https://www.ibtimes.sg/british-company-forced-change-name-it-could-be-used-cross-site-scripting-hack-53148
------------------------------
Date: Wed, 13 Jan 2021 23:44:43 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: How Amazon Sidewalk Works -- and Why You May Want to Turn It Off
(WiReD)
The white paper points out the steps that Amazon has taken to make this as private and secure as possible, including a variety of cryptographic
algorithms and those three levels of encryption: It shouldn't be possible
for other people to spy on your network or suddenly gain access to your
smart thermostat. Everything should happen seamlessly behind the scenes, in theory.
All that said, it really comes down to how much you trust Amazon -- the
company that seems keen to collect as much data as possible about you,
shares Ring camera information with law enforcement agencies, and which
hasn't always protected sensitive user data quite as robustly as it might
have done. The company has also said it might share Sidewalk data with third-party developers further down the line, and you know where that kind
of data sharing tends to lead.
If you end up deciding that Amazon Sidewalk isn't for you, you need to take action: It's on by default, once the software update has hit your devices
(it's also on by default for users setting up an Amazon-powered smart home
for the first time.) If you want to turn it off, you need to open up the
Alexa app on your phone, and go to More, Settings, Account Settings, and
Amazon Sidewalk.
https://www.wired.com/story/how-amazon-sidewalk-works/
------------------------------
Date: Sun, 10 Jan 2021 02:13:55 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: What to expect for the 2021 workplace (WashPost)
Video chats will get smarter -- and, potentially, creepier -- thanks to artificial intelligence.
If 2020 was the year video conferencing truly went mainstream, 2021 could be the year it gets smarter. Some of the largest platforms will begin using artificial intelligence to recognize and track certain gestures participants make, automate to-do items and help manage the challenges of workers split between work and home.
Zoom Video Communications, for instance, announced a *smart gallery* feature
it plans to roll out in June 2021 that will use cameras to make multiple
people in the same on-site conference room appear as separate, equal-sized windows on their live-stream video. Those working from home will see the individual faces of each colleague rather than just a view of the whole conference room, an effort to visually shrink the differences between remote and in-person workers.
``We want to maintain the democratization of Zoom, and have everyone on
the same level when people come back to the office,'' said Oded Gal, Zoom's chief product officer.
Cisco Systems, meanwhile, will launch *gesture recognition* early next year using artificial intelligence to recognize specific movements -- clapping, raised hands, a thumbs up, or thumbs down. For large virtual meetings with hundreds of attendees, it could help gauge reactions to an idea without requiring attendees to answer a survey or click on-screen emoji.
Asked if recognizing facial expressions like smiles, frowns or eye rolls in
a video call might be next, Cisco Senior Vice President Jeetu Patel said addressing privacy concerns has to come first. Even collecting anonymous
data might make people uneasy, he said. ``This is much more of a privacy
and comfort issue than it is a technology issue. It's just a matter of what
is going to be acceptable.''
Microsoft Teams, meanwhile, added a new feature late this year that uses AI
to recognize what tasks participants agreed to complete during a meeting and send them reminders afterward, as well as create searchable meeting transcripts.
``It will follow up with me with *action items* that I agreed to,'' Jared Spataro, corporate vice president for Microsoft 365, said in an interview.
``A lot of things that people are thinking `Yeah, someday that will be
reality' are actually already in the product.'' Microsoft has also filed a patent for a system that could use sensors, cameras and software to examine body language, expressions and participant contributions to come up with an *overall quality score* for how the meeting went. But Spataro said,
``Neither research nor patents is a good predictor of product pipeline.
We're always looking at all those types of things.''
https://www.washingtonpost.com/road-to-recovery/2021/01/03/rtr-officetrends/
Potentially?
------------------------------
Date: Thu, 14 Jan 2021 23:54:05 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: In-Garage Delivery: Amazon Key (Amazon.com)
What is Key by Amazon In-Garage Delivery?
Key by Amazon In-Garage Delivery is a secure, convenient way to receive
Amazon packages inside your garage. It helps prevent package theft and
provides protection from potentially damaging weather like heat and
rain. Key by Amazon is also contactless, because theres no interaction
between you and the delivery associate, or contact between the associate and the garage door.
Key In-Garage Delivery requires a compatible Smart Garage Hub or Wifi Garage Door Opener to enable authorized delivery associates to leave Amazon
packages inside your garage.
https://www.amazon.com/b?node=21222091011&ref=kfg_surl_key
------------------------------
Date: Fri, 15 Jan 2021 10:53:57 +0800
From: Richard Stein <
rmstein@ieee.org>
Subject: AI algorithm over 70% accurate at guessing a person's political
orientation (techxplore.com)
https://techxplore.com/news/2021-01-ai-algorithm-accurate-person-political.html
"A team of researchers at Stanford University has developed an AI algorithm that proved to be slightly over 70% accurate at guessing a person's
political affiliation after studying a single photograph. In their paper published in the journal Scientific Reports, the group describes building
and testing their algorithm and how well it worked."
See "Facial recognition technology can expose political orientation from naturalistic facial images," for a detailed discussion of image
classification and algorithm operation.
https://www.nature.com/articles/s41598-020-79310-1
"The researchers were not able to pin down exactly what sorts of facial characteristics their system correlated with political affiliation, but they did find some trends -- head orientation and emotional expression, for
example, appeared to provide some clues."
Political profiling based on facial recognition can guide campaign
advertising, appeals for donations, personnel recruiting, etc. Given a polarized electorate, the algorithm might assist identification of
persuadable voters to tip a close election.
Correlate this algorithm's predictive capabilities with an interpretation of the brain's amygdala, as explored by political neuroscientists [1] using
fMRI to estimate political inclinations, to yield artificially intelligent phrenology.
[1] "A Neurology of the Conservative-Liberal Dimension of Political
Ideology, Part 4: Neuroimaging Studies" from
https://neuro.psychiatryonline.org/doi/full/10.1176/appi.neuropsych.16030051
------------------------------
Date: Thu, 14 Jan 2021 13:57:46 -0500
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Detection of Hardware Trojans Using Controlled Short-Term Aging
(NYU Tandon School of Engineering)
The project builds upon on-going research, funded by a $1.3 million grant
from the Office of Naval Research, to create algorithms for detecting
Trojans -- deliberate flaws inserted into chips during fabrication -- based
on the short term aging phenomena in transistors.
It will focus on this physical phenomenon of short-term aging as a route to detecting hardware Trojans. The efficacy of short-term aging-based hardware Trojan detection has been demonstrated through simulations on integrated circuits (ICs) with several types of hardware Trojans through stochastic perturbations injected into the simulation studies. This DURIP project seeks
to demonstrate hardware Trojan detection in actual physical ICs.
https://engineering.nyu.edu/news/detection-hardware-trojans-using-controlled-short-term-aging
------------------------------
Date: Thu, 14 Jan 2021 11:15:50 +0800
From: Richard Stein <
rmstein@ieee.org>
Subject: Unique study incorporates fluid dynamics and more to evaluate,
enhance future implants (PHYS.ORG)
https://phys.org/news/2021-01-unique-incorporates-fluid-dynamics-future.html
"Rice University engineers hope to make life better for those with
replacement joints by modeling how artificial hips are likely to rub them
the wrong way."
Knee, hip, and shoulder replacements are performed routinely, especially for
an aging population. Arthroplasty is the medical procedure orthopedic
surgeons apply for joint replacement.
"Rates of Total Joint Replacement in the United States: Future Projections
to 2020--2040 Using the National Inpatient Sample"
https://www.jrheum.org/content/early/2019/04/09/jrheum.170990 estimates 498K total hip arthroplasty and 1.06M total knee arthroplasty procedures in 2020 within the US. The essay projects a 2-3X multiplier for each by 2040.
The FDA's product classification website (type in 'knee' or 'hip' to see an extended list) (
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/PCDSimpleSearch.cfm,
A culled list (filtered for implants -- partial and total -- and inspected
to possess non-null TPLC medical device report records) reveals 24 separate product codes for hip replacements and 20 for knee replacements. Each
product code represents manufactured devices consisting of various plastics, metals, or a combination of these materials.
Given the product code count above, and the Patient Problem counts given
below, an estimate of diminished quality of life from hip arthroplasty can
be calculated assuming there's at least 1 manufactured product per product code.
1085 * 24 = 47740 patient problems/5 years = 9548 patient problems per year
or 9,548/498,000 = ~2% of all arthroplasty procedures in 2020 are estimated
to experience post-operative negative quality of life impact: infection,
pain, dislocations, etc. A similar method can be applied to estimate knee replacement quality of life impacts.
Given the implantation growth rate projection, this number is likely to
double or triple by 2040 without significant improvements in prosthetic
device and patient arthroplasty treatment life cycles.
For product code JDH (Device: prosthesis, hip, hemi-, trunnion-bearing, femoral, metal/polyacetal, Regulation Description: Hip joint femoral
(hemi-hip) trunnion-bearing metal/polyacetal cemented prosthesis), the FDA's Total Product Life Cycle tool (
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=4638) aggregates the following Top-10 Device Problems and Patient Problems (linked
to medical device reports) between 01JAN2016 and 31DEC2020 (in CSV format):
Device Problems,MDRs with this Device Problem,Events in those MDRs
Insufficient Information,387,387
Adverse Event Without Identified Device or Use Problem,177,177
Device Dislodged or Dislocated,121,121
Break,71,71
Fracture,65,65
Loose or Intermittent Connection,36,36
Appropriate Term/Code Not Available,31,31
Unintended Movement,22,22
Unstable,14,14
Loosening of Implant Not Related to Bone-Ingrowth,12,12
Migration or Expulsion of Device,10,10
The Top-10 Patient Problems attributed to this product code in CSV format
are:
Patient Problems,MDRs with this Patient Problem,Events in those MDRs Injury,532,532
Unspecified Infection,125,125
Pain,88,88
Joint Dislocation,78,78
No Code Available,60,60
No Information,50,50
Bone Fracture(s),50,50
No Known Impact Or Consequence To Patient,40,40
No Consequences Or Impact To Patient,32,32
Failure of Implant,30,30
------------------------------
Date: Tue, 12 Jan 2021 12:15:56 -0800
From: Rob Slade <
rmslade@shaw.ca>
Subject: Risk Management and Two-Dose Vaccines
Now that vaccines have started to roll out, we have a new risk management lesson from them. Most of the vaccines that have been approved so far are two-dose vaccines. With the rush to get vaccines into people in the most expeditious manner, there is now a new controversy. Do you give as many
people as possible one dose of the vaccine, or do you hold back doses so
that there will be a guaranteed supply for those who need a second shot?
First, let's look at the mechanics of what is going on with the two-dose vaccines. (There are some one dose vaccines coming, but they seem to be at least a month away from approval, so we've got some time to discuss this.)
The first shot, in a two-dose series, is often referred to as a primer shot.
It is delivering some material to the body to alert the immune system to something it should be paying attention to. Most often this is some kind of protein that is foreign to the human body. The Pfizer and Moderna vaccines
are kind of interesting in that they contain messenger RNA (mRNA) that makes our bodies produce the protein spikes that are on the coronavirus. Having produced these proteins (without ever having encountered the actual virus),
our bodies then produce antibodies that identify and attack these proteins.
The idea is that, by the time we actually encounter some coronavirus, our bodies are primed and ready to attack the actual virus. (Given the trials
that have gone on, and the data collected, the idea seems to be correct.)
With many two-dose vaccines, the second dose, sometimes known as a booster shot, as opposed to the initial primer shot, is often just more of the same. (Both the Pfizer and Moderna vaccines are of this type.) In past studies of vaccines, it seems to be that, in the case of many vaccines, a second shot
of the same material does two things. The first is that it increases the protective effectiveness of the vaccine, by boosting the immune response
that we produce. The second is that it increases the duration over time
that the body is able to produce this response, thus conferring protection
over a longer period. For example, after a single shot the body may produce
an effective immune response for a period of four months. After a second
shot, that might be increased to two years. (At this point we don't have
good data about duration in regard to the Pfizer and Moderna vaccines, since they haven't existed for more than a few months, but we assume they will
follow a similar pattern.)
The increase in duration is, of course, a benefit. But, in the midst of a pandemic, and particularly in the midst of huge second and third wave
surges, it is the increase in effectiveness that sets up the possible controversy. Do you leave some people only partly protected, so that you
can partly protect others?
Since this is risk management, we again have to note probabilities and uncertainties and the fact that none of this is quantum. Protection isn't absolute, and it doesn't turn on and off. In particular, protection doesn't turn on instantly, and takes time to develop. And it also takes time to go away again.
In a two-dose vaccine regime, you receive an initial primer shot. That does not mean you can now safely go to bars and insurrection mobs without being
at risk of getting CoVID-19. It will take some time for your body to
develop any kind of immune response. After three weeks or so, you may have about 80% protection. Note that this isn't 100% protection. You can still
get infected if you encounter someone who is infectious. But you are less likely to become infected.
(Actually, even though it might sound low, 80% is pretty good for a vaccine. The flu vaccines that we get every year are only about 50% effective. That, and the effects of herd immunity when almost everyone gets the vaccine,
means far fewer cases of the flu, and fewer deaths, and less time lost to sickness, and less impact on the economy, and so even a 50% effective
vaccine is a very good thing.)
At this point, two things may be happening. Your body may (and probably is) still increasing its protection, even without any further intervention.
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)