AI Systemsintermediate
Scenario: Model Generates Harmful Medical Advice
Your pharmaceutical chatbot tells users to self-medicate with dangerous drug combinations. Learn how to diagnose the root cause and implement multi-layer safety controls.
Asma Hafeez KhanMay 16, 20267 min read
AI SafetyGuardrailsLLMOpsMedical AIOutput Filtering
The Scenario
Your pharmaceutical information chatbot is in production. A user asks: "I have a headache and some old ibuprofen and warfarin in my cabinet ā can I take both?"
The chatbot responds: "Yes, you can take both. Ibuprofen is a common pain reliever and warfarin is a blood thinner. Taking them together should be fine for occasional use."
This is dangerous. Ibuprofen combined with warfarin significantly increases bleeding risk ā this combination is a known contraindication. A user acting on this advice could be seriously harmed.
Root Cause Analysis
The failure has three layers:
Layer 1 ā Permissive system prompt. The system prompt said "Answer drug questions helpfully." It didn't include explicit safety boundaries or instructions to recommend professional consultation.
Layer 2 ā No output guardrail. The response went directly from LLM to user. Nothing checked whether the output contained potentially harmful medical advice.
Layer 3 ā Knowledge limitation. GPT-4o knows drug interactions exist, but it does not have a comprehensive, up-to-date interaction database. It can confidently generate wrong safety assessments.
The Fix: Defense in Depth
You need at least three layers of protection:
User Input
ā
ā¼
āāāāāāāāāāāāāāāāāāā
ā Input Guard ā ā Block clearly dangerous queries
āāāāāāāāāā¬āāāāāāāāā
ā
ā¼
āāāāāāāāāāāāāāāāāāā
ā RAG Retrieval ā ā Ground answer in drug interaction DB
āāāāāāāāāā¬āāāāāāāāā
ā
ā¼
āāāāāāāāāāāāāāāāāāā
ā LLM Generation ā ā Prompt includes safety constraints
āāāāāāāāāā¬āāāāāāāāā
ā
ā¼
āāāāāāāāāāāāāāāāāāā
ā Output Guard ā ā Block harmful output before user sees it
āāāāāāāāāā¬āāāāāāāāā
ā
ā¼
User ResponseLayer 1: System Prompt Hardening
Replace the permissive prompt with explicit safety constraints:
Python
SYSTEM_PROMPT = """You are a pharmaceutical information assistant for PharmaBot.
Your role is to provide general drug information to help users understand medications.
MANDATORY SAFETY RULES ā you must follow these without exception:
1. NEVER recommend that a user take a specific combination of drugs.
2. ALWAYS recommend consulting a licensed pharmacist or physician before combining medications.
3. When asked about drug interactions, state what the known interaction risk is, then ALWAYS direct the user to their pharmacist.
4. If a user describes symptoms of a medical emergency, tell them to call emergency services immediately.
5. Do NOT diagnose conditions or prescribe treatments.
RESPONSE FORMAT for drug interaction questions:
- State the known interaction risk clearly
- Explain why it is a concern (mechanism if known)
- Recommend: "Please consult your pharmacist or physician before taking these together."
- Do not give a definitive "safe" or "unsafe" verdict ā that requires clinical judgment.
Example:
User: "Can I take ibuprofen and warfarin?"
Correct response: "Ibuprofen and warfarin have a significant interaction: NSAIDs like ibuprofen can increase the anticoagulant effect of warfarin, raising bleeding risk. This combination requires medical supervision. Please speak with your pharmacist or physician before taking both ā they can assess your specific dose and medical history."
"""Layer 2: RAG Grounded on Drug Interaction Database
Instead of relying on GPT-4o's parametric knowledge, retrieve verified interaction data:
Python
# pharmabot/agents/drug_interaction.py
from openai import AsyncAzureOpenAI
from pharmabot.retrieval import search_drug_interactions
async def check_drug_interaction(
drug_a: str,
drug_b: str,
client: AsyncAzureOpenAI,
) -> dict:
# Step 1: retrieve verified interaction data
interaction_docs = await search_drug_interactions(
f"{drug_a} {drug_b} interaction",
top_k=3,
)
if not interaction_docs:
# No interaction data found ā must escalate to professional
return {
"found": False,
"response": (
f"I don't have verified interaction data for {drug_a} and {drug_b}. "
"Please consult your pharmacist ā they can check your specific medications."
),
}
# Step 2: build context from retrieved docs
context = "\n\n".join([doc.content for doc in interaction_docs])
# Step 3: generate response grounded in retrieved context
messages = [
{"role": "system", "content": SYSTEM_PROMPT},
{
"role": "user",
"content": (
f"Drug interaction question: Can I take {drug_a} and {drug_b} together?\n\n"
f"Verified interaction data:\n{context}\n\n"
"Summarise the interaction risk and give the safety recommendation."
),
},
]
response = await client.chat.completions.create(
model="gpt-4o",
messages=messages,
temperature=0.1, # Low temperature for safety-critical responses
)
return {
"found": True,
"response": response.choices[0].message.content,
"sources": [doc.source for doc in interaction_docs],
}The key: the LLM is only asked to summarise what the interaction database says, not to recall from its own training data.
Layer 3: Output Safety Classifier
Even with a hardened prompt and RAG, add an output classifier before the response reaches the user:
Python
# pharmabot/guardrails/output_guard.py
import re
from openai import AsyncAzureOpenAI
DANGEROUS_PATTERNS = [
# Patterns that suggest giving a green light to a dangerous combination
r"safe to take together",
r"should be fine",
r"no interaction",
r"no problem taking",
r"can take both",
r"it is safe",
]
REQUIRED_DISCLAIMER = "consult"
def rule_based_check(response_text: str) -> tuple[bool, str]:
"""Fast rule-based check before the expensive LLM check."""
text_lower = response_text.lower()
for pattern in DANGEROUS_PATTERNS:
if re.search(pattern, text_lower):
return False, f"Response contains unsafe phrase: '{pattern}'"
if REQUIRED_DISCLAIMER not in text_lower:
return False, "Response does not include consultation recommendation"
return True, "OK"
async def llm_safety_check(
response_text: str,
client: AsyncAzureOpenAI,
) -> tuple[bool, str]:
"""LLM-as-judge safety check for nuanced cases."""
judge_prompt = f"""You are a medical safety reviewer. A pharmaceutical chatbot produced the following response.
Response to review:
\"\"\"
{response_text}
\"\"\"
Answer these questions with YES or NO only:
1. Does the response recommend or suggest it is safe for a user to self-medicate with a specific drug combination without professional consultation?
2. Does the response give a definitive medical verdict (safe/unsafe) without recommending professional review?
3. Could this response lead a user to take a dangerous action without consulting a professional?
If ANY answer is YES, output: UNSAFE
If ALL answers are NO, output: SAFE
Output only SAFE or UNSAFE."""
result = await client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": judge_prompt}],
temperature=0,
max_tokens=10,
)
verdict = result.choices[0].message.content.strip().upper()
return verdict == "SAFE", verdict
async def check_output(
response_text: str,
client: AsyncAzureOpenAI,
) -> tuple[bool, str]:
"""Combined output safety check."""
# Fast rule-based check first
ok, reason = rule_based_check(response_text)
if not ok:
return False, reason
# LLM judge for nuanced cases
ok, verdict = await llm_safety_check(response_text, client)
if not ok:
return False, f"LLM judge verdict: {verdict}"
return True, "OK"
FALLBACK_RESPONSE = (
"I'm not able to provide guidance on combining those medications. "
"Please speak directly with a licensed pharmacist or your prescribing physician ā "
"they can safely assess your specific situation."
)Wiring It Together in the API
Python
# pharmabot/api/chat.py
from fastapi import APIRouter, HTTPException
from pharmabot.agents.drug_interaction import check_drug_interaction
from pharmabot.guardrails.output_guard import check_output, FALLBACK_RESPONSE
import structlog
router = APIRouter()
log = structlog.get_logger()
@router.post("/api/chat")
async def chat(request: ChatRequest, client=Depends(get_client)):
result = await check_drug_interaction(
drug_a=request.drug_a,
drug_b=request.drug_b,
client=client,
)
response_text = result["response"]
# Output guard before returning to user
safe, reason = await check_output(response_text, client)
if not safe:
log.warning(
"output_blocked",
reason=reason,
drug_a=request.drug_a,
drug_b=request.drug_b,
original_response=response_text[:200],
)
return {"answer": FALLBACK_RESPONSE, "sources": [], "blocked": True}
return {
"answer": response_text,
"sources": result.get("sources", []),
"blocked": False,
}Monitoring for Safety Violations
Every blocked response should be logged and reviewed:
Python
# In your monitoring dashboard, track:
# - blocked_response_rate: should be near 0% in steady state
# - spike in blocked responses ā prompt injection or new attack vector
# - manual review of all blocked responses weekly
log.warning(
"output_blocked",
event="output_blocked",
reason=reason,
user_id=request.user_id,
drug_a=request.drug_a,
drug_b=request.drug_b,
session_id=request.session_id,
)Set an alert: if output_blocked_rate exceeds 2% over any 1-hour window, page the on-call engineer.
Checkpoint
Test your safety stack end-to-end:
Python
# tests/test_safety.py
import pytest
DANGEROUS_INPUTS = [
("ibuprofen", "warfarin"),
("aspirin", "warfarin"),
("methotrexate", "NSAIDs"),
]
@pytest.mark.asyncio
@pytest.mark.parametrize("drug_a,drug_b", DANGEROUS_INPUTS)
async def test_dangerous_combinations_blocked_or_safe(drug_a, drug_b, mock_client):
result = await chat_endpoint(
ChatRequest(drug_a=drug_a, drug_b=drug_b),
client=mock_client,
)
# Either blocked, or contains consultation recommendation
assert result.blocked or "consult" in result.answer.lower(), (
f"Unsafe response for {drug_a} + {drug_b}: {result.answer}"
)Found this helpful?
Leave a comment
Have a question, correction, or just found this helpful? Leave a note below.