Category Archives: Technology


Can I make your pacemaker software run faster?

I recently read an article on the Free Software Foundation’s Website entitled “Regulatory compliance is no reason to lock up users”. The author states that “Medical devices are (theoretically) programmed to a high standard of safety, and careless modification could cause great harm. Medical device manufacturers want to Tivo-ize their devices so that only they can upgrade the software on them. They claim that this is necessary for compliance with FDA regulations.”

The FDA gives manufacturers the freedom to choose what software to use in medical devices. But with this freedom comes responsibility. The Agency does not require or favor the use of commercial over free software in medical devices. However, the Quality System Regulation (21 CFR §820) does require that Medical Devices automated with computer software be subject to design controls.

FDA’s Guidance on Software Validation states that “where the software is developed by someone other than the device manufacturer (e.g., off-the-shelf software) …the party with regulatory responsibility (i.e., the device manufacturer) needs to assess the adequacy of the off-the-shelf software developer’s activities and determine what additional efforts are needed to establish that the software is validated for the device manufacturer’s intended use.”

The difficulty with Free Software is that it falls into software quality limbo. After all, there is no vendor to audit and no documented evidence that a quality system exists and was followed in the design and testing of the Free Software.

I know that auditing Off the Shelf Software vendors can be hard enough (I tried to audit Microsoft once), but in general you can perform an audit of your software provider to assess the quality systems they have established and to ensure that they are following their quality system. Whom do you audit for your open source code?

Nevertheless, this does not preclude the use of Free Software in devices. It does put the burden of proving and documenting that the software meets the intended use squarely on the shoulders of the Device Manufacturer. The level of diligence required for Free Software is not unlike that of Custom Software. The cost of the open source software (free) may offset the cost of this additional compliance burden, but that is a business decision each manufacturer must make.

Free Software has a place in our industry. You want to run your HTTP server on Apache, go ahead (after you have assessed the impact on your compliance program), but I would not recommend using open source software in Medical Devices.

Device Software is one area where reliability and safety should always come before speed.

After all, making a pacemaker run faster is not always a good thing.


I Lost the Cure for the Common Cold!

By Daniel R. Matlis 

It’s 3:00 AM and your newborn baby wakes up crying. You want to go back to sleep, but his circadian rhythm is set for Beijing, not Philadelphia, and he is wide awake. So you get a cup of coffee, turn on your laptop and start to do some work. In a moment of inspiration, you discover the cure for the common cold. It’s all there on the screen right in front of your eyes and then your baby kicks, the coffee spills on your laptop and, just like that, the cure is gone. Who do you call?

Monday, at the Corporate Computing Show in NY, I met the people for the job. DriveSavers Data Recovery is a company that recovers data from crashed and damaged media. They have been doing this for over 20 years, and when James Bond loses the data in his laptop he doesn’t call Q. Instead he deals with Kelly Chessen, Data Crisis Counselor at DriveSavers (Yes, Sean Connery is a client).

With the prospect of irretrievable information loss, many of the callers with whom Chessen deals are distraught. The emotional trauma associated with the loss of critical data can be disruptive both at work and at home.

Chessen came to DriveSavers with a background in psychology that serves her well in her dealings with often-frantic customers. She worked with a suicide prevention hotline for more than five years, including one year as the manager and trainer. This is exactly the kind of training I want the person on the other end of the line to have under these circumstances.

In addition to the soft skills, DriveSavers has technical skills and facilities to back them up. They have recovered data from drives that have been damaged, dropped, deleted, burnt, crushed and drowned in the Amazon River. The company has a success rate of over 90%, and recovers data in as little as 24 hours from all operating systems and storage media including hard drives, disk arrays, floppies, CD-ROM, DVD, removable cartridges and digital camera media. They have their own Class 100 clean room, and if they work on your drive, the manufacturer’s warranty is still good, although I’m not sure that a drive full of Amazon River water is covered.

So the next time your husband, wife, son, daughter, dog, cat or self spills a cup of coffee on your laptop containing the cure for the common cold, or the therapeutic area you are working on, don’t sweat it, lie on the couch and call the Data Shrink.


Are Post-it Notes Security's Worst Enemy?

By Daniel R. Matlis

In his recent InformationWeek article entitled “Let The UBS Trial Be A Warning To You”, Mitch Wagner covers the trial against a former UBS employee charged with hacking the company’s networks. The article also addresses some of the embarrassing failures in UBS’s security and disaster preparedness.

According to testimony from a UBS IT manager, some 40 systems administrators at the company shared the same ‘root’ password to log in. There they had free rein to install software or make any changes they wished. It was not unusual for systems administrators to get up from their desks and wander off while still logged in as ‘root’.

It is a fact that companies often spend millions implementing the latest and greatest security technology. The rationale is that technology will keep us secure.

The reality is that the best security technology is not worth a dime if people find a way around it. People must be trained and reminded of proper security procedures. For example: don’t share passwords (it’s like giving your ATM card and PIN to anyone who asks), and delete default passwords (remember Oracle’s Scott/Tiger and most everyone else’s Admin/Admin).

But in my experience, Post-it® notes are security’s worst enemy. I cannot tell you how many times I walk up to someone’s desk and stuck to the monitor is a Post-it® note with a list of system names and their respective passwords.

The path to security begins with people. Let’s not confiscate all Post-it® notes in the company. Instead, let’s train our people on proper security procedures.

Post-it® is a trademark of 3M


BearingPoint Joins SAFE’s Vendor Partner Program

By Daniel R. Matlis

BearingPoint announced today that it will provide services to help pharmaceutical and healthcare organizations implement SAFE (“Signatures and Authentication For Everyone”).

SAFE is a network of recognized trusted healthcare professionals and an identity management standard and associated operating rules that deliver unique identity keys for regulatory compliant and legally enforceable digital signatures.

SAFE is designed for the purpose of simplifying, securing, and streamlining business-to-business and business-to-regulator information exchange. The SAFE standard consists of policies, procedures, guidelines, technical specifications and a legal and liability risk management framework for ensuring the validity of the electronic signatures used for information exchange and electronic submissions to regulators.

The SAFE standard promotes interoperability and integration among researchers, vendors, regulators, clinicians and other pharmaceutical and healthcare stakeholders.  It provides a secure, enforceable, and regulatory compliant way to verify the identities of parties involved in business-to-business and business-to-regulator electronic transactions.

As one of the world’s largest management and technology consulting firms, BearingPoint will add significant momentum to the SAFE initiative. After all, if there is one thing big consulting firms can do it’s to sell technology.


FDA Task Force Report Recommends e-Pedigree in Distribution and Addresses RFID Issues

by Daniel R. Matlis

In a long-awaited move, the FDA announced on Friday, June 9th, that it will fully implement regulations related to the Prescription Drug Marketing Act of 1987, which requires drug distributors to provide documentation of the chain of custody of drug products — “pedigree” — throughout the distribution system.

Consistent with recommendations from the FDA Counterfeit Drug Task Force, the agency also announced that its enforcement of the pedigree regulations will focus on products most susceptible to counterfeiting and diversion.

FDA also announced the availability of a Draft Compliance Policy Guide for public comment describing this enforcement approach. By providing guidance on the types of drugs that are currently of greatest concern to FDA, the agency intends to give wholesale distributors a better idea of where and how to focus their initial energies to come into complete compliance with the regulations (21 CFR Part 203) for all the prescription drugs they distribute.

Additional subjects discussed in the Task Force’s report include the following key issues related to electronic track-and-trace that are in need of resolution:

  • Technical aspects of the mass serialization of marketed drugs by assigning a unique identifier or serial number to each drug package as the initial step in development of track and trace technology.
  • Importance of a nationwide universal drug pedigree with uniform information in preference to state laws imposing different pedigree requirements.
  • Protection of consumer privacy to prevent unauthorized disclosure of information stored in RFID tags when RFID-tagged drug products are dispensed to consumers.
  • Consumer education about RFID and the labeling of RFID-tagged drug products, to disclose to consumers when they are receiving RFID-tagged products and to inform consumers of the benefits of RFID technology and how consumers’ privacy is being protected.

The FDA has been busy providing guidance and direction on these important topics; now it’s time for the industry to move implementation into high gear.