[thechat] Cloudy Collaboration Apps

[S.M.German]

> Hi Judah,
> 
> Cool!  Let's say you run a company that sells medical equipment to
hospitals.
> One of your employees, (A), uses your home-grown app to provision a
> Google drive and share product manuals, tech notes and updates with a
> client hospital.   Another of your employees, (B), uses their personal
Google
> app account to share product information, manuals, and tech updates, and
> who knows what else ...  to a different hospital.
> 
> What happens when (A) leaves your company?
> 
> What happens when (B) leaves your company?
> 
> How seamless is the experience for the customers?   That's more the line I
> was following.  I'm not so worried about the tech side.  I was more
interested
> in the business process side.  If the employer shuts down the drive when A
> leaves the company, then the customer loses access to information they may
> need.  But if an employer can't shut down access when B leaves the company
> will they be liable for that customer not receiving an important
> update/notice/recall?
> 
> Cheers,
> Ron
> (who mostly thinks 'cloudiness' is the latest retirement plan for
litigation
> lawyers)
> 


Ron,

I am not a regulatory expert, just a developer who has worked on quality
systems such as those for tracking customer info and supporting product
action (i.e. notices and recalls).  If you're asking about a company selling
widgets, and use medical equipment just as an example of a type widget where
the seller would want to follow up with customers, you can probably ignore
the rest of my response.

But if you are really asking about selling medical equipment and tracking
customer info in an ad hoc  manner, in a system without proper privacy
safeguards, where an employee is a single point of failure risking loss of
the ability to track and contact customers in case a notice or recall is
necessary, my first response is HECK NO.  My second response is, you or
employees A and B need to meet with someone from your validation and
regulatory departments.

The rules on these issues vary with where the company is located and even
more so with where the company is selling.  If any patient information (even
without a name, but which could potentially be patient identifying) is
stored or passes through these home grown apps, that is almost certainly of
additional major concern.

Major, as in, employees A and B could put the company in a position where it
is not permitted to sell medical equipment in some markets. 

I can't speak to the use of the cloud or google drive in general, but as for
the use of "home-grown apps" and personal accounts, these are clear no-nos.
If such things are in use, obviously IS needs to stand up corporate tested,
documented, and validated replacements for those applications.  In addition,
quality system and regulatory training needs to be improved.

I've worked for multiple companies where the ability to sell or introduce
new products was restricted due to issues that included lax control of
software systems.  There are SaaS applications available in the
medical/healthcare area, but those are generally offered by companies with
experience with the various regulatory agencies.  They are not generic
offerings from Amazon, Google, and other cloudy providers.

The people who come in after the fact and clean up such messes can benefit
professionally.  It's nice to have a year-end review and be able to say, the
government auditors were pleased by the results of my project.  Or my
project was key in getting Product X back on the market.  I would not want
to walk in to a review knowing my project was part of a consent decree or
having products removed from the market.

Hope that helps =)


Sean