[thechat] Cloudy Collaboration Apps

Sat Jul 12 21:58:17 CDT 2014

> -----Original Message-----
> From: thechat-bounces at lists.evolt.org [mailto:thechat-
> bounces at lists.evolt.org] On Behalf Of S.M.German
> Sent: Saturday, July 12, 2014 10:46 PM
> To: 'The evolt.org social mailing list '
> Subject: Re: [thechat] Cloudy Collaboration Apps
> 
> > Hi Judah,
> >
> > Cool!  Let's say you run a company that sells medical equipment to
> hospitals.
> > One of your employees, (A), uses your home-grown app to provision a
> > Google drive and share product manuals, tech notes and updates with a
> > client hospital.   Another of your employees, (B), uses their personal
> Google
> > app account to share product information, manuals, and tech updates, and
> > who knows what else ...  to a different hospital.
> >
> > What happens when (A) leaves your company?
> >
> > What happens when (B) leaves your company?
> >
> > How seamless is the experience for the customers?   That's more the line
I
> > was following.  I'm not so worried about the tech side.  I was more
> interested
> > in the business process side.  If the employer shuts down the drive when
A
> > leaves the company, then the customer loses access to information they
> may
> > need.  But if an employer can't shut down access when B leaves the
> company
> > will they be liable for that customer not receiving an important
> > update/notice/recall?
> >
> > Cheers,
> > Ron
> > (who mostly thinks 'cloudiness' is the latest retirement plan for
> litigation
> > lawyers)
> >
> 
> 
> Ron,
> 
> I am not a regulatory expert, just a developer who has worked on quality
> systems such as those for tracking customer info and supporting product
> action (i.e. notices and recalls).  If you're asking about a company
selling
> widgets, and use medical equipment just as an example of a type widget
> where
> the seller would want to follow up with customers, you can probably ignore
> the rest of my response.
> 
> But if you are really asking about selling medical equipment and tracking
> customer info in an ad hoc  manner, in a system without proper privacy
> safeguards, where an employee is a single point of failure risking loss of
> the ability to track and contact customers in case a notice or recall is
> necessary, my first response is HECK NO.  My second response is, you or
> employees A and B need to meet with someone from your validation and
> regulatory departments.
> 
> The rules on these issues vary with where the company is located and even
> more so with where the company is selling.  If any patient information
(even
> without a name, but which could potentially be patient identifying) is
> stored or passes through these home grown apps, that is almost certainly
of
> additional major concern.
> 
> Major, as in, employees A and B could put the company in a position where
it
> is not permitted to sell medical equipment in some markets.
> 
> I can't speak to the use of the cloud or google drive in general, but as
for
> the use of "home-grown apps" and personal accounts, these are clear no-
> nos.
> If such things are in use, obviously IS needs to stand up corporate
tested,
> documented, and validated replacements for those applications.  In
addition,
> quality system and regulatory training needs to be improved.
> 
> I've worked for multiple companies where the ability to sell or introduce
> new products was restricted due to issues that included lax control of
> software systems.  There are SaaS applications available in the
> medical/healthcare area, but those are generally offered by companies with
> experience with the various regulatory agencies.  They are not generic
> offerings from Amazon, Google, and other cloudy providers.
> 
> The people who come in after the fact and clean up such messes can benefit
> professionally.  It's nice to have a year-end review and be able to say,
the
> government auditors were pleased by the results of my project.  Or my
> project was key in getting Product X back on the market.  I would not want
> to walk in to a review knowing my project was part of a consent decree or
> having products removed from the market.
> 
> Hope that helps =)
> 
> 
> Sean
> 

(PS, I'll add I'm in the US, but worked with medical products sold worldwide
included the EU and Japan.)

(PPS, you can lead your regulatory department on this, but you cannot get
ahead of them.  They almost certainly will resist.  SaaS and cloudy apps
will require changes to how applications are validated and documented and
likely to how users are trained as well.  Change can be hard to sell,
especially if some of the folks who have to do extra work for the change are
not the people who benefit directly from the change.  But that does not mean
validation, documentation, and training become optional.)