<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>AssurX blog</title>
	
	<link>http://blog.assurx.com</link>
	<description>Information, news, how-to for quality management and regulatory compliance professionals</description>
	<lastBuildDate>Wed, 08 Sep 2010 16:44:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/AssurxBlog" /><feedburner:info uri="assurxblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>AssurxBlog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>FDA Quietly Unveils Transparency Initiative</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/owP-9HkDVxU/</link>
		<comments>http://blog.assurx.com/2010/09/08/fda-quietly-unveils-transparency-initiative/#comments</comments>
		<pubDate>Wed, 08 Sep 2010 16:44:04 +0000</pubDate>
		<dc:creator>Michael Causey</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Michael Causey]]></category>
		<category><![CDATA[FDA]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2143</guid>
		<description><![CDATA[From the Department of Mixed Messages comes an oddly-timed “transparency” news release from the FDA. I can’t quite figure out the logic behind choosing the week before Labor Day to tell the world you want to open up and apply tougher metrics on your performance?  Weren’t most of us at the beach or grilling on [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_323" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/mcausey.jpg"><img class="size-full wp-image-323" src="http://blog.assurx.com/files/2009/04/mcausey.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">Michael Causey, Editor &amp; Publisher, eDataIntegrityReport.com</p></div>
<p>From the Department of Mixed Messages comes an <a href="http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm224401.htm" target="_blank">oddly-timed “transparency” news release from the FDA</a>. I can’t quite figure out the logic behind choosing the week before Labor Day to tell the world you want to open up and apply tougher metrics on your performance?  Weren’t most of us at the beach or grilling on the deck that day?</p>
<p>Still, that’s just what the FDA did with an August 31, 2010, release touting its new “organizational performance management system” called <a href="http://www.fda.gov/AboutFDA/Transparency/track/default.htm" target="_blank">FDA-TRACK</a>. It promises to monitor FDA accountability and transparency and will monitor more than 100 FDA program offices through data from key performance measures established each year.</p>
<p>The data will be gathered monthly, analyzed and presented each quarter to FDA senior leadership.</p>
<p>&#8220;FDA-TRACK will bring the operations of this historically opaque Agency into the daylight and help us be even more responsive as we work to protect the public health,&#8221; said FDA Commissioner Margaret Hamburg, M.D.</p>
<p><a href="http://www.fda.gov/AboutFDA/Transparency/track/default.htm"><img class="alignright size-full wp-image-2146" src="http://blog.assurx.com/files/2010/09/FDATrack.png" alt="" width="216" height="65" /></a>According to the Agency, FDA-TRACK is designed to be informative, encourage accountability among the people who work at the FDA, and make that work more transparent. It gives managers and employees a new way to measure their effectiveness in meeting goals to protect the public health and provides a way for the public to monitor agency activities.</p>
<p>Adapted from several successful state and local performance management models, FDA-TRACK hopes to set the standard for open government at the federal level. The system monitors performance indicators in four categories:</p>
<p style="padding-left: 30px"><strong>Common Measures</strong> &#8211; Agency-wide measures that are applicable to each of more than 100 program offices and may focus on the agency&#8217;s most recent priorities.</p>
<p style="padding-left: 30px"><em>Example:</em> Increase the total number of employees who are trained in the Incident Command System, which helps the agency respond to emergencies.</p>
<p style="padding-left: 30px"><strong>Key Center Director Measures</strong> &#8211; Center-specific measures that are applicable to each Center and are central to the Center&#8217;s priorities and strategic goals.</p>
<p style="padding-left: 30px"><em>Example:</em> Increase the FDA&#8217;s technical guidance by increasing the number of technical publications drafted, which enables the Center to better prepare industry and consumers.</p>
<p style="padding-left: 30px"><strong>Program Measures</strong> &#8211; Program office-specific measures that are applicable to the office and reflect work important to the public and to the FDA&#8217;s mission.</p>
<p style="padding-left: 30px"><em>Example:</em> Monitor the percentage of 510(k) decisions meeting the 90-day Medical Device User Fee Act goal during a specific time period.</p>
<p style="padding-left: 30px"><strong>Key Projects</strong> &#8211; Program office-specific projects that are applicable to the office and important to the mission and objectives of the office. Performance for Key Projects is measured through achievement of the stated milestones within the project&#8217;s plan.</p>
<p style="padding-left: 30px"><em>Example: </em>The development of a new risk-based approach for evaluating safety, effectiveness, and quality of new animal drugs.</p>
<p>I’m not questioning the value of the initiative, just the timing.</p>
<p>Wouldn’t it have made more sense to unveil it this week, when we’re all back at our desks?</p>
<p><em>For more information:</em></p>
<p><a title="FDA-TRACK" href="http://www.fda.gov/AboutFDA/Transparency/track/default.htm" target="_blank">FDA-TRACK: Agency-wide Program Performance</a></p>
<p><a title="HHS - FDA TRACK" href="http://www.hhs.gov/open/plan/opengovernmentplan/transparency/dataset.html#track" target="_blank">Department of Health and Human Services &#8211; New High-Value Data Sets and Tools</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/09/08/fda-quietly-unveils-transparency-initiative/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/09/08/fda-quietly-unveils-transparency-initiative/</feedburner:origLink></item>
		<item>
		<title>Interpretational Guidance on NERC’s COM-001 Standard</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/1PbPFeu9HY0/</link>
		<comments>http://blog.assurx.com/2010/09/07/interpretational-guidance-on-nercs-com-001-standard/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 19:26:21 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2125</guid>
		<description><![CDATA[During World War II the allies had some major challenges. Among the strangest was that the use of English by the Americans and British had many things in common, but also had many things different. As a result, there were problems in coordination, logistics and security. Fast forward to 2006 and remember the creation of [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2134" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2010/09/JamesHoller2.jpg"><img class="size-full wp-image-2134" src="http://blog.assurx.com/files/2010/09/JamesHoller2.jpg" alt="James Holler, Founder, Abidance Consulting" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>During World War II the allies had some major challenges. Among the strangest was that the use of English by the Americans and British had many things in common, but also had many things different. As a result, there were problems in coordination, logistics and security.</p>
<p>Fast forward to 2006 and remember the creation of the CIP 002-009 Standards by <a title="NERC" href="http://www.nerc.com" target="_blank">NERC</a> with approval from <a title="FERC" href="http://www.ferc.gov" target="_blank">FERC</a>. There were, and are, many challenges of interpretive guidance as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on clarity for the entity players to understand.</p>
<p>What does CIP-002 thru CIP-009 have to do with COM-001 you might ask? Plenty…the rule in the IT world is that you have an islanded or closed network (LAN) if you cannot use telecommunication hubs (like commercial carriers or satellite) to connect multiple sister nodes (other LANs) to create what is referred to in the network world as a WAN (Wide Area Network).</p>
<p>Let&#8217;s take a look at the Standard and see if we can make sense of it.</p>
<p>Let’s look first at the purpose statement of COM-001. It says: “Each Reliability Coordinator, Transmission Operator and Balancing Authority needs adequate and reliable telecommunications facilities internally and with others for the exchange of Interconnection and operating information necessary to maintain reliability.”</p>
<p>Notice two things, “reliable telecommunications facilities internally” &amp; “with others for the exchange of Interconnection and operating information.”</p>
<p>This implies that the following requirements must meet these needs to be considered “compliant.” So, let’s look a little more deeply into the requirements.</p>
<p>COM-001 Requirement 1 and Requirement 1.4 state:</p>
<p style="padding-left: 30px"><strong>R1</strong> Each Reliability Coordinator, Transmission Operator and Balancing Authority shall provide adequate and reliable telecommunications facilities for the exchange of Interconnection and operating information:</p>
<p style="padding-left: 30px"><strong>R1.4</strong> Where applicable, these facilities shall be redundant and diversely routed.</p>
<p>On the surface these requirements appear to be straightforward, but after a number of audits by FERC and NERC staff, they are anything but.</p>
<p>Both of these requirements would better be defined as simply nebulous. What defines “adequate”? “Where applicable”? Who decides what is adequate and where applicable…NERC, FERC or the Registered Entity that is being audited?</p>
<p>The auditor is the sole determining factor in compliance or noncompliance with these requirements. If they get it wrong, as many of them do, then you don’t have a compliant facility from a reliability perspective.</p>
<p>What R1, when tied to R1.4, says as it relates to the purpose is that if you only have one communications trunk entering your network and then have it multiplexed out to your Primary Control Center (PCC) and your Backup Control Center (BCC), you are not in compliance.</p>
<p>Another problem is that of the definition of what constitutes a telecommunications facility. It means different things to a telephone company technician and to an IT technician.</p>
<p>FERC and NERC define these to be BOTH data and voice traffic. You cannot simply have two phone lines and expect to be compliant if you are also doing data traffic from the PCC and BCC as part of your operations. You will fail the audit on this alone and fines are more than a possibility, they are virtually guaranteed.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/09/07/interpretational-guidance-on-nercs-com-001-standard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/09/07/interpretational-guidance-on-nercs-com-001-standard/</feedburner:origLink></item>
		<item>
		<title>Congress May Hand FDA Stronger Food Regulation Authority</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/ETLI4qqRY_4/</link>
		<comments>http://blog.assurx.com/2010/08/18/congress-may-hand-fda-stronger-food-regulation-authority/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 18:27:36 +0000</pubDate>
		<dc:creator>Michael Causey</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Food]]></category>
		<category><![CDATA[Michael Causey]]></category>
		<category><![CDATA[Quality Management]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Food Safety]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2103</guid>
		<description><![CDATA[In the musical “Oliver!” based on Charles Dickens’ novel, a poor child draws the ire of his caretakers when, after a meager portion of food, he famously holds out his bowl and says, “Please, sir, I want some more.” Consumer advocates and others would argue today that we don’t necessarily need more food  – but [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_323" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/mcausey.jpg"><img class="size-full wp-image-323" src="http://blog.assurx.com/files/2009/04/mcausey.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">Michael Causey, Editor &amp; Publisher, eDataIntegrityReport.com</p></div>
<p>In the musical <a href="http://www.oliverthemusical.com" target="_blank">“Oliver!”</a> based on Charles Dickens’ novel, a poor child draws the ire of his caretakers when, after a meager portion of food, he famously holds out his bowl and says, “Please, sir, I want some more.”</p>
<p>Consumer advocates and others would argue today that we don’t necessarily need more food  – but they would hold out their bowl for more food regulation, especially from the <a href="http://www.fda.gov" target="_blank">FDA</a>.</p>
<p>It’s not as if we need reminders that there are some serious shortcomings when it comes to how some food manufacturers operate (and how the FDA regulates them), but a <a title="Egg recall" href="http://news.yahoo.com/s/ap/us_tainted_eggs" target="_blank">recall of more than 200 million eggs this week</a> gives us one whether we’d like it or not. <a href="http://blog.assurx.com/files/2010/08/egg.jpg"><img class="alignright size-full wp-image-2107" src="http://blog.assurx.com/files/2010/08/egg.jpg" alt="" width="80" height="86" /></a></p>
<p>There’s been growing pressure on the agency to tighten its regulation of food, and it is starting to look like <a href="http://thehill.com/blogs/healthwatch/food-safety/113571-senate-to-hold-staff-briefing-on-food-safety-bill-thursday" target="_blank">proposed federal legislation</a> is going to deliver just that.</p>
<p>Most Capitol Hill watchers are predicting the <a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-875" target="_blank">Food Safety Modernization Act</a> will come to a vote after the Labor Day recess. It’s likely to pass, though there is some debate about a few proposed amendments including one that would ban outright the usage of <a href="http://en.wikipedia.org/wiki/Bisphenol_A" target="_blank">BPA</a>, the plastic lining found in cans and in other packaging. Some pundits say attaching the BPA ban would kill the whole bill.</p>
<p>The FSMA would give the FDA greater authority to regulate food and place a greater legal burden on food manufacturers to be more transparent when it comes to how they control their product from conception to landing on your dining room table. In other words, food manufacturers would have a lot more quality control work on their, well, plate.</p>
<p>A <a href="http://www.centralpennbusiness.com//foodsafety2010" target="_blank">timely summit last week</a> featured representatives from the Pennsylvania Dept of Agriculture and Dept of Health as well as the <a href="http://www.gmabrands.com/" target="_blank">Grocery Manufacturing Association</a>. It was led by <a href="http://www.harrisburgu.net/faculty-staff/faculty_bios.php#207" target="_blank">Dr. Rene Massengale</a>, Associate Professor of Biotechnology, who heads the Food Safety and Quality Assurance academic program at Harrisburg University of Science and Technology. Dr. Massengale said industry has generally reacted positively to the potential changes coming from Capitol Hill.</p>
<p>While industry is supportive in principle of the idea of increased food regulation, Dr. Massengale said there is some nervousness out there about what kind of regulations will finally emerge from any new Congressional law. Another wrinkle: Some manufacturers of relatively lower risk items, say candy versus eggs, are saying to feds “leave us alone, we already do this well,” she says. Her event attracted representatives of companies and organizations participating in the food supply system including agricultural growers and producers, food processors, food distributors/wholesalers/retailers and members of related trade associations, as well as middle and upper-level managers from small and medium-sized organizations and managers, directors or owners responsible for food safety and product quality, such as <a href="http://www.assurx.com/foodsafetypaper.html" target="_self">HACCP</a>, QA/QC, and process control professionals.</p>
<p>So, is “more” on the way?</p>
<p>It’s beginning to look that way. Watch this space in the coming months as we track the FSMA’s progress on Capitol Hill.</p>
<p><em>For more information</em></p>
<p><a title="The New FDA Drive for Food Safety White Paper" href="http://www.assurx.com/FDAFoodSafetyISO22000.html" target="_self">Request “The New FDA Drive for Food Safety” paper here.</a></p>
<p>Blog:  <span style="text-decoration: underline">http://foodsafetyquality.blogspot.com/</span></p>
<p>You can follow Dr. Massengale&#8217;s frequent updates on Twitter here:  <a href="http://twitter.com/RDMassengale" target="_blank">http://twitter.com/RDMassengale</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/18/congress-may-hand-fda-stronger-food-regulation-authority/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/18/congress-may-hand-fda-stronger-food-regulation-authority/</feedburner:origLink></item>
		<item>
		<title>Part II: Protect Your Data and Your Company From an Internal or External “Hack-Attack”</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/HQpTCr8cM-c/</link>
		<comments>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/#comments</comments>
		<pubDate>Thu, 12 Aug 2010 15:07:11 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2074</guid>
		<description><![CDATA[In Part 1 of this series, we touched on some ways to make it so difficult to pull off a hack-attack, that the perpetrator will most likely want to go somewhere else and try their attack. In this section, we’re going to address testing, maintaining and other important items that deserve your attention. Testing Once [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com/files/2009/04/JHoller.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p><a href="http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%E2%80%9Chack-attack%E2%80%9D/" target="_self">In Part 1 of this series,</a> we touched on some ways to make it so difficult to pull off a hack-attack that the perpetrator will most likely want to go somewhere else and try their attack.</p>
<p>In this section, we’re going to address testing, maintaining and other important items that deserve your attention.</p>
<p><strong>Testing</strong></p>
<p>Once you have fixed all of the issues, you need to test everything to make sure it works the way it is supposed to. You must first create benchmarks to test against; running a test just for the sake of running a test is futile. Once the benchmark(s) have been set, you are ready to test:</p>
<ul>
<li>Run port scans to ensure only required ports and services are open and/or running</li>
<li>Firewalls detect intrusions</li>
<li>Switches and routers have only active administrator accounts</li>
<li>Passwords adhere to compliance requirements etc</li>
</ul>
<p>Be sure to document your test procedure(s) step-by-step as well as the test results. Note if the outcome of the test was expected or not. If there is anything that fails during your testing, you need to fix those issues and retest. Don’t skimp on testing…hackers are not forgiving and just like in dodge ball, there are no “do-overs”.</p>
<p><strong>Maintaining</strong></p>
<p>Once you have tested everything and are assured that your organization is where it needs to be, you now need to create and maintain a testing program. Don’t try creating a maintenance program before everything has been tested, as you will surely be making changes to the maintenance program, making your previous efforts null. Your maintenance program needs to have firm dates / times set for scheduled maintenance. You need to have multiple maintenance programs set up, such as:</p>
<ul>
<li>Patch management</li>
<li>Password management</li>
<li>Network account management</li>
<li>System management</li>
<li>Applications management</li>
<li>Operating system management</li>
<li>Security administration etc</li>
</ul>
<p>By setting up multiple maintenance programs you are able to create “silos” for each area and assign personnel who are responsible for each of these areas. This allows for a better view should there be a failure in any of these areas…and makes it easier to see where the failure occurred and to fix the area faster.</p>
<p><strong>Worth Considering</strong></p>
<p>There are a few tricks that you can implement on your network that will make a hacker think twice about trying anything. The more difficult you make it for the hacker to attack, the more likely it is that they will go somewhere else to attack. As someone who has spent the better part of the past quarter of a century protecting companies against attackers, I have listed a few neat tricks you can implement:</p>
<p><strong>Honey Pots</strong></p>
<p>A honey pot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers. These honey pots can be used to track and in some cases trap and report a hacker.</p>
<p><strong>Trace Routing</strong></p>
<p>Having the attacker&#8217;s IP is all well and good, but what can you do with it? The answer is, a lot more! It&#8217;s not enough to have the address, you also need to know where the attacker&#8217;s connections are coming from. You may have used automated trace routing tools before, but do you know how they work?</p>
<p>Go back to MS-DOS and type <code>tracert</code> followed by the IP address or hostname.</p>
<p>The trace route will show you all the computers in between you and the target machine, including blockages, firewalls etc. More often than not, the hostname listed before the final one will belong to the hacker&#8217;s ISP. It will either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname to see who the ISP in question is.</p>
<p><strong>Reverse DNS Query</strong></p>
<p>This is probably the most effective way of running a trace on somebody. If ever you&#8217;re in a chat room and you see someone saying that they&#8217;ve &#8220;hacked into a satellite orbiting the Earth, and are taking pictures of your house right now&#8221;, ignore them because that&#8217;s just bad movie nonsense. THIS method is the way to go for finding out what country (maybe even what state/city etc.) someone resides in, although it&#8217;s actually almost impossible to find an EXACT geographical location without actually breaking into your ISP&#8217;s head office and running off with the safe.</p>
<p>To run an rDNS query, simply go back to MS-DOS and type netstat and hit return. Any active connections will resolve to hostnames rather than a numerical format.</p>
<p>DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address&#8230;.which is why we can enter &#8220;www.hotmail.com&#8221; and get the website to come up, instead of having to actually remember Hotmail&#8217;s IP address and enter that instead.</p>
<p>Well, reverse DNS, of course, translates the IP address into a hostname (i.e., in letters and words instead of numbers, because sometimes the hacker will employ various methods to stop netstat from picking up a correct hostname).</p>
<p>While we’ve given you a very high level look at what needs to be done to better protect yourself from a hack attack, we believe it represents the best place to start in understanding what you need to do.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/</feedburner:origLink></item>
		<item>
		<title>Mark’s Memo: FDA Updates and News Briefs | 08/11/10</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/LkLZTr1AwxU/</link>
		<comments>http://blog.assurx.com/2010/08/11/mark%e2%80%99s-memo-fda-updates-and-news-briefs-081110/#comments</comments>
		<pubDate>Wed, 11 Aug 2010 20:10:48 +0000</pubDate>
		<dc:creator>Mark Mansour</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Mark Mansour]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Medical Devices]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2085</guid>
		<description><![CDATA[Device Industry Begins Preparation for Excise Tax as Some Call for Repeal Although the excise tax on medical devices that was part of the health reform bill does not take effect until 2013, members of the device industry have already begun preparing for its imposition, and have indicated that they will continue to call for [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_693" class="wp-caption alignleft" style="width: 160px"><strong><strong><a href="http://blog.assurx.com/files/2009/04/markmansour.jpg"><img class="size-full wp-image-693" src="http://blog.assurx.com/files/2009/04/markmansour.jpg" alt="" width="150" height="150" /></a></strong></strong><p class="wp-caption-text">Mark Mansour, Partner, Bryan Cave, LLP</p></div>
<p><strong>Device Industry Begins Preparation for Excise Tax as Some Call for Repeal</strong><br />
Although the excise tax on medical devices that was part of the health reform bill does not take effect until 2013, members of the device industry have already begun preparing for its imposition, and have indicated that they will continue to call for the repeal or revision of the tax. Some reports are indicating that one of the primary issues associated with the tax will be the determination by the Treasury Department regarding which products and transactions will ultimately be subject to the tax. Industry groups, including the <a title="Medical Device Manufacturers Association" href="http://www.medicaldevices.org" target="_blank">Medical Device Manufacturers Association</a>, have indicated that they will be focusing their efforts in the near future on persuading members of Congress to repeal the tax.</p>
<p><strong>FDA May Further Modify Advisory Panel Voting Processes</strong><br />
FDA officials have indicated that the agency is considering making additional changes to the voting processes of its advisory panels following the announcement earlier this year that panels would no longer use “up-or-down” votes for approval of products. The agency has indicated that it is considering allowing for greater discussion on panel members’ reasoning behind their voting decisions.</p>
<p><strong>Regulatory Notices &#8211; FDA Seeks Comments</strong></p>
<p>The FDA has announced that it is seeking comments on the use of rapid response surveys to obtain data on safety information to support quick-turnaround decision-making about potential safety problems or risk management solutions when the agency must quickly determine whether or not a problem with a biologic, drug, or medical device impacts the public health. Comments are due by October 5, 2010. More information is available <a href="http://edocket.access.gpo.gov/2010/2010-19357.htm" target="_blank">here</a>.</p>
<p>The FDA has also announced that it has submitted a proposed collection of information regarding premarket notification for medical devices to OMB for review and clearance. Comments on the collection of information are due September 10, 2010. More information is available <a href="http://edocket.access.gpo.gov/2010/2010-19746.htm" target="_blank">here</a>.</p>
<p><strong>FDA to Co-Host Meeting on Pediatric Cardiovascular Device Development</strong><br />
The FDA has announced that it will co-host a public workshop, in conjunction with the National Institutes of Health (NIH), and with support from the American Academy of Pediatrics (AAP), the American College of Cardiology (ACC), and the Society for Cardiovascular Angiography and Interventions (SCAI), entitled “Optimizing Clinical Trial Design for the Development of Pediatric Cardiovascular Devices.&#8221; The topic to be discussed is pediatric cardiovascular device development. The workshop will be held on September 30, 2010, from 8 a.m. to 5:30 p.m. in San Francisco, California. More information is available <a href="http://edocket.access.gpo.gov/2010/2010-19530.htm" target="_blank">here</a>.</p>
<p>Mark Mansour is a partner in the firm <a title="Bryan Cave, LLP" href="http://www.bryancave.com/" target="_blank">Bryan Cave, LLP</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/11/mark%e2%80%99s-memo-fda-updates-and-news-briefs-081110/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/11/mark%e2%80%99s-memo-fda-updates-and-news-briefs-081110/</feedburner:origLink></item>
		<item>
		<title>Part I: Protect Your Data and Your Company From an Internal or External “Hack-Attack”</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/YrZfIsgCN1Q/</link>
		<comments>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 15:51:16 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2066</guid>
		<description><![CDATA[Part 1 of a 2-part series First, let me start with the bad news: There is no absolute way to prevent an internal or external hack-attack. With that said, there are some things that you can do that will make it so difficult to pull off a hack-attack, that the perpetrator will most likely want [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><em><em><a href="http://blog.assurx.com/files/2009/04/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com/files/2009/04/JHoller.jpg" alt="" width="150" height="150" /></a></em></em><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p><em>Part 1 of a 2-part series</em></p>
<p>First, let me start with the bad news: There is no absolute way to prevent an internal or external hack-attack. With that said, there are some things that you can do that will make it so difficult to pull off a hack-attack that the perpetrator will most likely want to go somewhere else and try their attack.</p>
<p>Now, there is an old saying, “cleanliness is next to Godliness.” I am sure you have all heard that line at some time in your life. This saying holds true in the security world. If your network is in total shambles (DAT files not updated, Service Packs so far behind you need an abacus to determine how many versions behind you are, etc.) and your Intrusion Detection System (IDS) is monitored by humans only during business hours, then you have a “dirty” network that needs to either be cleaned, or as my mom used to tell me…let’s just burn your room and start over, it will be easier that way. If your network/server room looks as if a spaghetti factory has blown up, get it cleaned up by rewiring it using tags on each line so you know where each of the cables is assigned.</p>
<p>The first thing you need to understand in preparing to get your network in top form is to not only determine what is wrong with it, but to also be open to criticism from experts. Put away the ego (one of the top reasons why networks are in shambles to begin with) so that you can listen and learn from your internal experts or external consultants – you hired them, now listen to them.</p>
<p>In Part 1, we’ll look at network discovery issues, vulnerability assessments, and discuss ways to fix some of these challenges.</p>
<p><strong>Network Discovery</strong></p>
<p>Before you can determine what’s wrong with your network, you must first know what your network looks like. You will want to conduct a thorough network discovery since you are going to need to know not only what devices are on your network, but also where they are. Please don’t think that you are going to run a piece of software that will show you everything. If you have a wireless or dial-up modem hanging off of your network and the power button is off, you may never discover it. You may need to do a physical inspection of your entire facility…look up in the ceiling…those pesky tiles can support the weight of a modem and even an old sandwich from 4 years ago. I personally use an iPaq handheld device that is capable of “sniffing” out these modems, even when they are turned off. Now that you have a true and correct picture of your network, you will need to conduct a vulnerability assessment to determine what areas are weak and are in need of attention.</p>
<p><strong>Vulnerability Assessment</strong></p>
<p>To ensure that there are no “cover-ups” by your staff, it is recommended that you have an outside consulting firm come in and conduct the assessment for you. Depending on the size of your organization, the fees for this could be $15k to $30k or more. The final report to be delivered should be comprehensive in nature. Be sure to ask for sample reports prior to awarding a contract or project to anyone. There are areas that must be looked at closely. Make sure whoever you assign the project to gives you a list of the services they are going to run. My only word of caution here is that you <em>do not allow a penetration attack to be made against your Primary Domain Controller (PDC)</em>. Once the assessment is completed, make sure that you not only address the issues, but fix the issues.</p>
<p><strong>Fixing The Issues</strong></p>
<p>When you do get the final report, there are going to be a lot of errors that need to be fixed. Don’t worry; the “bark” of the report is much worse than the “bite”. Depending on how bad your network was when the assessment was conducted, you may have anywhere from a few pages of issues to as many as a thousand pages of issues – one assessment we did a few years back yielded almost 7,000 pages (a government agency…need I say more). When you are reading your final report, one of the first questions you need to ask yourself is, “Where do I begin?” Not to worry, your security staff/consultants should prioritize what needs to be done and at what point in the project it needs to be done. The point at which a certain task is completed is very important since everything has a logical order of semblance to it…you wouldn’t put the seats in a car before you laid down the carpet. Your staff and/or consultants should know this and be able to build out a project plan with a scope of work, keeping you (the stakeholder) in the loop at all times. Never be afraid to ask questions or challenge something if you feel it isn’t the right thing to do or you don’t understand why something is or isn’t being done.</p>
<p>To save time and money, you have to look at all of the different compliance issues you have to deal with (NERC, EPA, OSHA etc.) and cross-walk your efforts to all of these compliance requirements. Doing this will ultimately save you time and money by not overlapping efforts.</p>
<p>Next time, we’ll look at testing, maintaining, and some other important issues that merit your attention.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
<p><a href="http://www.addtoany.com/add_to/twitter?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Twitter" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/twitter.png" width="16" height="16" alt="Twitter"/></a> <a href="http://www.addtoany.com/add_to/delicious?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Delicious" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/delicious.png" width="16" height="16" alt="Delicious"/></a> <a href="http://www.addtoany.com/add_to/linkedin?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="LinkedIn" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/linkedin.png" width="16" height="16" alt="LinkedIn"/></a> <a href="http://www.addtoany.com/add_to/digg?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" 
title="Digg" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/digg.png" width="16" height="16" alt="Digg"/></a> <a href="http://www.addtoany.com/add_to/yahoo_buzz?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Yahoo Buzz" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/buzz.png" width="16" height="16" alt="Yahoo Buzz"/></a> <a href="http://www.addtoany.com/add_to/newsvine?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="NewsVine" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/newsvine.png" width="16" height="16" alt="NewsVine"/></a> <a href="http://www.addtoany.com/add_to/google_bookmarks?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Google Bookmarks" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/google.png" width="16" height="16" alt="Google Bookmarks"/></a> <a 
href="http://www.addtoany.com/add_to/facebook?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Facebook" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/facebook.png" width="16" height="16" alt="Facebook"/></a> <a href="http://www.addtoany.com/add_to/technorati_favorites?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="Technorati Favorites" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/technorati.png" width="16" height="16" alt="Technorati Favorites"/></a> <a href="http://www.addtoany.com/add_to/stumbleupon?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="StumbleUpon" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/stumbleupon.png" width="16" height="16" alt="StumbleUpon"/></a> <a 
href="http://www.addtoany.com/add_to/printfriendly?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F10%2Fpart-i-protect-your-data-and-your-company-from-an-internal-or-external-%25e2%2580%259chack-attack%25e2%2580%259d%2F&amp;linkname=Part%20I%3A%20Protect%20Your%20Data%20and%20Your%20Company%20From%20an%20Internal%20or%20External%20%E2%80%9CHack-Attack%E2%80%9D" title="PrintFriendly" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/printfriendly.png" width="16" height="16" alt="PrintFriendly"/></a> <a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share/Bookmark"/></a> </p><img src="http://feeds.feedburner.com/~r/AssurxBlog/~4/YrZfIsgCN1Q" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/</feedburner:origLink></item>
		<item>
		<title>FDA Makes Moves to Fix Flawed 510k Review Process</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/iF4kVM0laHI/</link>
		<comments>http://blog.assurx.com/2010/08/09/fda-makes-moves-to-fix-flawed-510k-review-process/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 16:19:08 +0000</pubDate>
		<dc:creator>Michael Causey</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Medical Devices]]></category>
		<category><![CDATA[Michael Causey]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[510K]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2043</guid>
		<description><![CDATA[Weighing patient safety against encouraging medical innovation is no easy task. The FDA has been struggling with it off and on, mostly on, since its creation in 1906 (yes, I had to look it up). It took very gross meat and a crusading Upton Sinclair to force the FDA&#8217;s very existence. Hopefully we won’t need [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_323" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/mcausey.jpg"><img class="size-full wp-image-323" src="http://blog.assurx.com/files/2009/04/mcausey.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">Michael Causey, Editor &amp; Publisher, eDataIntegrityReport.com</p></div>
<p>Weighing patient safety against encouraging medical innovation is no easy task. The <a title="FDA" href="http://www.fda.gov" target="_blank">FDA</a> has been struggling with it off and on, mostly on, since its creation in 1906 (yes, I had to look it up). It took very gross meat and <a title="Upton Sinclair" href="http://fdaissues.blogspot.com/2008/03/upton-sinclair-book-jungle-fda-creation.html" target="_blank">a crusading Upton Sinclair</a> to force the FDA&#8217;s very existence. Hopefully we won’t need anything so dire to effect some positive change this time around.</p>
<p>Over the past decade most critics have said the agency has been too understaffed to effectively regulate the F(ood) and D(rugs) of its name. When it comes to assessing its medical device activity, it’s a bit tougher to analyze. But that just might get a little bit easier. Last week the FDA unveiled two big evaluations containing recommendations that address three key objectives of the agency&#8217;s public health mission as it relates to medical devices &#8211; foster device innovation, create a more predictable regulatory environment, and enhance device safety.</p>
<p>The Center for Devices and Radiological Health (CDRH) assessment consists of two preliminary reports. The first focuses on ways to strengthen and clarify a premarket review process called the 510(k) program for medical devices that do not need to undergo a full premarket approval review. The second evaluates CDRH&#8217;s use of science in decision-making, with an eye toward adapting to new scientific information, while maintaining regulatory predictability necessary for innovation.</p>
<p>The two documents overlap in several places and cross-reference information. <a href="http://www.fda.gov/AboutFDA/CentersOffices/CDRH/CDRHReports/ucm220272.htm" target="_blank">Both are available here</a>.</p>
<p>&#8220;Having FDA 510(k) clearance is a big milestone, one which further validates” a company’s products, notes <a title="WellDoc" href="http://www.welldocinc.com" target="_blank">WellDoc</a> <a title="WellDoc CEO Ryan Sysko" href="http://www.welldocinc.com/About-WellDoc/Management-Team.aspx#Ryan" target="_blank">CEO Ryan Sysko</a>. He’s just been through the 510(k) approval process <a title="WellDoc Diabetes Manager System FDA Approval" href="http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&amp;newsId=20100802005216&amp;newsLang=en" target="_blank">with a happy outcome (approval in July)</a>.</p>
<p>“We found the FDA to be very open and willing to talk, willing to offer guidance,” Sysko says. His advice to other young companies is “first thing, call the FDA, talk about your product and what it is trying to accomplish, and get a sense of the regulatory climate.”</p>
<p>Make sure the FDA understands your technology or product so they can better understand how doctors and patients use it, stresses Sysko. It is also important to put quality system programs in place early on and have strong employee training programs, Sysko adds. “It is absolutely critical to show the FDA your good work, too,” he emphasizes. On audits, the FDA wants to see SOPs, document control, and training records, among other items, and you’d better be ready to demonstrate them.</p>
<p>Back to what the FDA did last week.</p>
<p>CDRH established two staff committees on these issues in late 2009 as part of its 2010 strategic plan. The committees collected and reviewed input from public meetings, open dockets, data analyses, and input from CDRH staff over the course of several months to prepare the complementary evaluations.</p>
<p>We’ve heard from some medical device firms that scream bloody murder (off the record, of course) about how cumbersome and counter-intuitive the FDA’s 510k system has been. Even the agency admits that “concerns have been raised both inside and outside of the FDA about whether the current 510(k) program achieves its goals of making safe and effective devices available to the public while fostering innovation. Concerns about the program have centered on whether it allows devices to enter the market without sufficient safety and effectiveness evidence and whether a lack of predictability, consistency, and transparency is hindering device development.”</p>
<p>In other words, the FDA seems to understand that the system is broken. Is this a fix? Most say it is a good start, if nothing else. “The challenge the FDA will face is how do we take what’s being accomplished with technology while ensuring patient safety,” Sysko says, noting it’s obviously easier for Apple or Google to launch a new innovation than it is for medical device companies.</p>
<p>FDA makes some effort to defend itself, specifically CDRH, in its announcement. “CDRH uses science to guide its regulation of medical devices across the total product lifecycle,” notes the agency release. “At any stage of that lifecycle, new, unfamiliar or unexpected scientific information may arise that warrants a change in the FDA&#8217;s thinking, expectations, and actions.” CDRH says it is trying to find the right balance between the ability to adapt its approach as new science emerges and to provide predictable regulatory pathways.</p>
<p>&#8220;Taken together, these preliminary reports show a smarter FDA &#8211; an agency that recognizes both sides of our mission to protect and promote public health,&#8221; said <a title="Dr. Jeff Schuren FDA" href="http://www.fda.gov/AboutFDA/CentersOffices/ucm193990.htm" target="_blank">CDRH Director Jeffrey Shuren, M.D.</a> &#8220;The agency is ready to make necessary improvements to support device innovation while assuring patients receive safe and effective devices.</p>
<p>&#8220;Even with our significant outreach, it&#8217;s important to remember that these recommendations are preliminary,&#8221; said Shuren. &#8220;CDRH opened another public docket to receive additional comments on both reports. We will make a decision on which recommendations to adopt only after a thorough review of additional comments.&#8221;</p>
<p>While the agency has a prime directive to protect patient safety, it doesn’t want to slow or even destroy a medical device that’s ready to roll and ready to help patients. But the agency has often been accused of slowing innovation to the detriment of patient safety. It’s a balancing act, to be sure, and we should at the minimum give the FDA credit for addressing this and trying to come up with a good solution.</p>
<blockquote><p>Selected recommendations and the key public health objectives they address include:</p>
<p><strong>Fostering Device Innovation</strong></p>
<ul>
<li>The 510(k) report recommends major improvements to the regulatory pathway for lower-risk novel devices that cannot be cleared through 510(k) but which do not warrant the more rigorous premarket approval review applied to higher-risk devices. The report calls for major reforms in the implementation of this process &#8211; called the de novo classification process. The recommendations include streamlining the process and clarification of CDRH&#8217;s expectations for submissions that undergo this type of review.</li>
</ul>
<ul>
<li>The science report recommends that CDRH make better use of scientific experts outside of the agency by developing a web-based network of external experts using social media technology. This network would help CDRH staff leverage outside knowledge without serving in an advisory capacity.</li>
</ul>
<p><strong>Enhancing Regulatory Predictability</strong></p>
<ul>
<li>The 510(k) report recommends that CDRH develop a guidance document defining a subset of moderate-risk (Class II) devices, called Class IIb, for which clinical or manufacturing data typically would be necessary to support a substantial equivalence determination. This guidance document would help clarify what information submitters should include in their 510(k) submissions so that they can plan accordingly. In addition, this would also help the center&#8217;s review staff obtain the type and level of evidence necessary to make well-supported decisions without as much need for time-consuming follow-up requests for information.</li>
</ul>
<ul>
<li>The science report recommends use of a standardized &#8220;Notice to Industry&#8221; letter that would generally be issued as a &#8220;Level 1 &#8211; Immediately in Effect&#8221; guidance document to quickly communicate when CDRH has changed its premarket regulatory expectations due to scientific information that has emerged about a certain device type. CDRH currently communicates this kind of information through individual interactions during the review process, which can lead to delays. These letters would provide greater clarity to affected manufacturers, in a timelier manner, about CDRH&#8217;s expectations with respect to a particular group of devices.</li>
</ul>
<p><strong>Improving Patient Safety</strong></p>
<ul>
<li>The 510(k) report recommends that CDRH consider revising regulations to explicitly require 510(k) submitters to provide a summary of all scientific information known or that the submitter should reasonably know regarding the safety and effectiveness of the device under review. This is not required now for 510(k) submissions and, as a result, relevant information may not be included in an initial submission. This summary would help CDRH review staff to more efficiently make decisions, and potentially avoid extensive follow-up inquiries and questions.</li>
</ul>
<ul>
<li>The 510(k) report recommends that CDRH develop a guidance document that clarifies when a device should not be used as a predicate, such as when the device has been removed from the market because of safety concerns. The report also recommends that the center consider issuing a regulation that would clarify the circumstances under which the center would exercise its authority to rescind a 510(k) clearance to remove an unsafe device from the market and preclude its use as a predicate and also consider whether additional authority is needed.</li>
</ul>
<ul>
<li>Both reports recommend that CDRH build upon public databases to include meaningful, up-to-date information that supports good decision making and promotes the safe use of devices. This could be accomplished by improving the current 510(k) database so that it includes summaries of FDA review decisions, current labeling and photos. In addition, the science report recommends that CDRH <a title="CDRH Transparency Website" href="http://www.fda.gov/AboutFDA/CentersOffices/CDRH/CDRHTransparency/default.htm" target="_blank">build upon the existing transparency website</a> to provide more immediate information on how devices are regulated.</li>
</ul>
</blockquote>
<p><em>For more information:</em><br />
<a href="http://www.fda.gov/AboutFDA/CentersOffices/CDRH/CDRHReports/ucm220272.htm" target="_blank">CDRH Preliminary Internal Evaluations</a></p>
<p><a title="510k Clearances FDA" href="http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/DeviceApprovalsandClearances/510kClearances/default.htm" target="_blank">CDRH Device Approvals and Clearances: 510(k) Clearances</a></p>
<p><a href="http://www.addtoany.com/add_to/twitter?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Twitter" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/twitter.png" width="16" height="16" alt="Twitter"/></a> <a href="http://www.addtoany.com/add_to/delicious?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Delicious" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/delicious.png" width="16" height="16" alt="Delicious"/></a> <a href="http://www.addtoany.com/add_to/linkedin?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="LinkedIn" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/linkedin.png" width="16" height="16" alt="LinkedIn"/></a> <a href="http://www.addtoany.com/add_to/digg?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Digg" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/digg.png" width="16" height="16" alt="Digg"/></a> <a href="http://www.addtoany.com/add_to/yahoo_buzz?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Yahoo Buzz" rel="nofollow" target="_blank"><img 
src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/buzz.png" width="16" height="16" alt="Yahoo Buzz"/></a> <a href="http://www.addtoany.com/add_to/newsvine?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="NewsVine" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/newsvine.png" width="16" height="16" alt="NewsVine"/></a> <a href="http://www.addtoany.com/add_to/google_bookmarks?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Google Bookmarks" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/google.png" width="16" height="16" alt="Google Bookmarks"/></a> <a href="http://www.addtoany.com/add_to/facebook?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Facebook" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/facebook.png" width="16" height="16" alt="Facebook"/></a> <a href="http://www.addtoany.com/add_to/technorati_favorites?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="Technorati Favorites" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/technorati.png" width="16" height="16" alt="Technorati Favorites"/></a> <a 
href="http://www.addtoany.com/add_to/stumbleupon?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="StumbleUpon" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/stumbleupon.png" width="16" height="16" alt="StumbleUpon"/></a> <a href="http://www.addtoany.com/add_to/printfriendly?linkurl=http%3A%2F%2Fblog.assurx.com%2F2010%2F08%2F09%2Ffda-makes-moves-to-fix-flawed-510k-review-process%2F&amp;linkname=FDA%20Makes%20Moves%20to%20Fix%20Flawed%20510k%20Review%20Process" title="PrintFriendly" rel="nofollow" target="_blank"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/icons/printfriendly.png" width="16" height="16" alt="PrintFriendly"/></a> <a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://assurx.navpoint.info/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share/Bookmark"/></a> </p><img src="http://feeds.feedburner.com/~r/AssurxBlog/~4/iF4kVM0laHI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/09/fda-makes-moves-to-fix-flawed-510k-review-process/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/09/fda-makes-moves-to-fix-flawed-510k-review-process/</feedburner:origLink></item>
		<item>
		<title>Achieve NERC CIP Compliance With Automated Security Controls</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/XOB-XSPMIgk/</link>
		<comments>http://blog.assurx.com/2010/08/05/achieve-nerc-cip-compliance-with-automated-security-controls/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:57:55 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2032</guid>
		<description><![CDATA[Complying with the NERC CIP requirements is expected to be a major expense for power producers and the like in the coming years. To date, companies have spent tens of millions of dollars to formally document and test the support for internal control assertions required by CIP and maintaining this documentation will continue to be [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com/files/2009/04/JHoller.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>Complying with the <a title="NERC CIP" href="http://www.nerc.com/page.php?cid=2|20" target="_blank">NERC CIP</a> requirements is expected to be a major expense for power producers and the like in the coming years. To date, companies have spent tens of millions of dollars to formally document and test the support for internal control assertions required by CIP, and maintaining this documentation will continue to be costly beyond the first round of documentation.</p>
<p>Let’s take a look at some of the most important components of a good NERC CIP compliance program:</p>
<p><strong>Automate The Testing &amp; Reporting Of All Of The Technical Controls</strong></p>
<p>An important concern for power producers is finding a cost-effective method of documenting, storing, and analyzing CIP control assessment work. Management is also looking to meet all the technical requirements spelled out in the requirements. In the first year, many companies have elected to use spreadsheets to tackle CIP documentation because they are familiar with the tool. Moreover, some companies prefer to use spreadsheets because the CIP requirements are still evolving.</p>
<p>Spreadsheets have significant limitations that will increase compliance risks. In addition, depending on spreadsheets for CIP documentation may prevent companies from improving their compliance process and risk management capabilities. In the first year of CIP compliance efforts, many internal auditors and project consultants have advised power producers to use their existing spreadsheet software to document compliance efforts. There is no way that these tools are sufficient to document all relevant accounts, account assertions, risks, controls, and deficiencies. The only way to truly document everything is to automate the process.</p>
<p><strong>Use File Integrity Checks To Assure Your Systems Are In A Desired State</strong></p>
<p>It is very difficult to compromise a system without altering a system file, so file integrity checkers are important. A file integrity checker computes a checksum for every guarded file and stores it. At a later time you can compute the checksum again and test the current value against the stored value to determine if the file has been modified. Some lower-quality file integrity checkers use a 32-bit CRC (Cyclic Redundancy Check). Attackers have demonstrated the ability to modify a file in ways that the CRC checksum could not detect, so stronger checksums known as cryptographic hashes are recommended.</p>
<p>One of the challenges in using a file integrity checker is the false positive problem. When you update files or apply system patches this changes the file. Creating the initial database of signatures is easy; keeping it up to date is much harder. However, even if you only run the checker once (when you first install the system) this can still be very valuable. If you are ever concerned that the system was compromised you can run the checker again to determine which files have or have not been modified.</p>
<p>The other challenge with a file integrity checker is that you have to have a pristine system when you create the first reference database, otherwise you may be creating cryptographic hashes of a compromised system while feeling warm and fuzzy that you are implementing good security. It is also very important that you store the reference database offline or an attacker may be able to compromise the system and hide their tracks by modifying the reference database.</p>
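<p>The checker described above, as an added example that is not part of the original post: it builds a SHA-256 reference database, reports modified, removed and added files, and refuses to use a reference database that has been altered. The HMAC seal and its key (assumed to be kept off the monitored system, alongside the offline copy) are this example's own assumptions, as are all function names and the constructed sample files.</p>

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _mac(files, key):
    """HMAC-SHA256 over a canonical JSON encoding of the reference database."""
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def seal_baseline(files, key):
    """Attach a MAC so later edits to the reference database are detectable."""
    return {"files": dict(files), "mac": _mac(files, key)}


def check_system(root, sealed, key):
    """Compare the current state with the sealed reference database."""
    if not hmac.compare_digest(_mac(sealed["files"], key), sealed["mac"]):
        raise ValueError("reference database failed its integrity check")
    reference = sealed["files"]
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in reference
                           if n in current and current[n] != reference[n]),
        "removed": sorted(n for n in reference if n not in current),
        "added": sorted(n for n in current if n not in reference),
    }


def demo():
    """Run the checker over a constructed directory tree (sample data only)."""
    key = b"constructed-demo-key-kept-off-host"  # assumption: stored offline
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "ntp.conf").write_bytes(b"server time.example\n")
        (root / "bin" / "tool").write_bytes(b"constructed placeholder binary\n")

        # Reference database taken while the system is in its pristine state.
        sealed = seal_baseline(build_baseline(root), key)
        clean = check_system(root, sealed, key)

        # Later changes: one file altered, one deleted, one new file.
        (root / "bin" / "tool").write_bytes(b"constructed placeholder binary!\n")
        (root / "etc" / "ntp.conf").unlink()
        (root / "etc" / "cron.extra").write_bytes(b"constructed new entry\n")
        report = check_system(root, sealed, key)

        # A reference database rewritten to match the altered file no longer
        # verifies, because the writer does not hold the sealing key.
        forged = {"files": dict(sealed["files"]), "mac": sealed["mac"]}
        forged["files"]["bin/tool"] = hash_file(root / "bin" / "tool")
        try:
            check_system(root, forged, key)
            forged_detected = False
        except ValueError:
            forged_detected = True
    return clean, report, forged_detected


if __name__ == "__main__":
    for result in demo():
        print(result)
```

<p>After a legitimate patch, the reference database has to be rebuilt and resealed from a trusted state, which is the maintenance burden the post describes.</p>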
<p><strong>Test System Configurations Against External &amp; Internal Policies</strong></p>
<p>Testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Testing also provides an objective, independent view of the configurations to allow the facility to understand the risks in the implementation of the configurations. Test techniques include, but are not limited to, the process of executing a configuration with the intent of finding “bugs”.</p>
<p>Testing can also be stated as the process of validating and verifying that the configurations:</p>
<ul>
<li>meet the business and technical requirements that guided their design and development;</li>
<li>work as expected; and</li>
<li>can be implemented with the same characteristics.</li>
</ul>
<p>Testing, depending on the testing method employed, can be implemented at any time in the development process. However, most of the test effort occurs after the requirements have been defined and the coding process has been completed. As such, the methodology of the test is governed by the configuration methodology adopted.</p>
<p>Testing can never completely identify all the defects within your configurations. Instead, it furnishes a criticism or comparison that compares the state and behavior of the configurations against principles or mechanisms by which someone might recognize a problem. These principles or mechanisms may include (but are not limited to) specifications, contracts, comparable products, past versions of the same product, inferences about intended or expected purpose, user or customer expectations, relevant standards, applicable laws, or other criteria.</p>
<p>A study conducted by NIST in 2002 reports that bugs cost the U.S. economy $59.5 billion annually. More than a third of this cost could be avoided if better testing was performed.</p>
<p>A primary purpose for testing is to detect configuration failures so that defects may be discovered and corrected. This is a non-trivial pursuit. Testing cannot establish that configurations functions properly under all conditions but can only establish that they do not function properly under specific conditions. The scope of testing often includes examination of configurations as well as execution of those configurations in various environments and conditions: does it do what it is supposed to do and do what it needs to do.</p>
<p>There are so many areas that can be addressed for automating that it would take dozens of pages for them all to be discussed. This blog was intended to give you a start on what you need to do if you truly want to ensure total CIP compliance.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/05/achieve-nerc-cip-compliance-with-automated-security-controls/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/05/achieve-nerc-cip-compliance-with-automated-security-controls/</feedburner:origLink></item>
		<item>
		<title>FDA Plans to Use Park Doctrine to Ratchet Up Enforcement Efforts – Corporate Officers Can be Held Strictly Liable for Violations of the FFDCA</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/za8LcKQISnE/</link>
		<comments>http://blog.assurx.com/2010/08/03/fda-plans-to-use-park-doctrine-to-ratchet-up-enforcement-efforts-corporate-officers-can-be-held-strictly-liable-for-violations-of-the-ffdca/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 20:53:17 +0000</pubDate>
		<dc:creator>Mark Mansour</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Food]]></category>
		<category><![CDATA[Mark Mansour]]></category>
		<category><![CDATA[Medical Devices]]></category>
		<category><![CDATA[Pharma/Biotech]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2021</guid>
		<description><![CDATA[Amid continuing debate about the timing and shape of the Senate&#8217;s food safety bill (the House passed a version in July 2009), comes a new issue that affects companies in the food, drug, device and cosmetic industries. Several months ago, FDA Deputy Chief Counsel for Litigation Eric Blumberg told industry representatives at the FDLI Annual [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_693" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/files/2009/04/markmansour.jpg"><img class="size-full wp-image-693" src="http://blog.assurx.com/files/2009/04/markmansour.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">Mark Mansour, Partner, Bryan Cave, LLP</p></div>
<p>Amid continuing debate about the timing and shape of the Senate&#8217;s food safety bill (the House passed a version in July 2009), comes a new issue that affects companies in the food, drug, device and cosmetic industries.</p>
<p>Several months ago, <a title="Eric Blumberg of the FDA" href="http://www.fdli.org/conf/annual/10/speakers.html#ericblumberg" target="_blank">FDA Deputy Chief Counsel for Litigation Eric Blumberg</a> told industry representatives at the <a title="FDLI Annual Conference" href="http://www.fdli.org/conf/annual/10/" target="_blank">FDLI Annual Conference</a> that the agency is prepared to dust off the three-decade-old &#8220;Park Doctrine&#8221; to augment FDA&#8217;s continuing efforts to ratchet up its enforcement profile. The doctrine stems from the United States Supreme Court&#8217;s decision in <a title="United States v. Park" href="http://scholar.google.com/scholar_case?case=4930311885230481814&amp;hl=en&amp;as_sdt=2&amp;as_vis=1&amp;oi=scholarr" target="_blank">United States v. Park, 421 U.S. 658 (1975)</a>. In principle, it allows the government to pursue misdemeanor charges against a corporate officer for alleged violations of the Federal Food, Drug, and Cosmetic Act, <em>regardless of whether the officer is aware of the existence of a violation</em>, as long as the officer holds a position of responsibility so that that individual could have initiated preventive or corrective action and, for whatever reason, failed to do so.</p>
<p>Park represents a strict liability standard, so no warning letter is required. FDA need only request that the Department of Justice file charges based on FDA&#8217;s conclusion that an officer is guilty of misconduct, which is effectively defined as failing to know what FDA believes one should have known. In sum, what an executive does not know can be more than harmful.</p>
<p>The scale of punishment for misdemeanors ranges from one year in prison and/or a maximum fine of $100,000 for each count to much higher where injury or death is involved. Courts can impose mandatory prison sentences, and if FDA believes a substantial risk of injury or death is involved, judges can increase the length of prison sentences.</p>
<p>At a time when corporate resources are stretched, the entire spectrum of regulatory compliance issues has become every bit as critical for senior management and counsel as the other bet-the-company issues that confront each company on a day-to-day basis.</p>
<p>Mark Mansour is a partner in the firm, <a title="Bryan Cave, LLP" href="http://www.bryancave.com/" target="_blank">Bryan Cave, LLP</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/03/fda-plans-to-use-park-doctrine-to-ratchet-up-enforcement-efforts-corporate-officers-can-be-held-strictly-liable-for-violations-of-the-ffdca/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/03/fda-plans-to-use-park-doctrine-to-ratchet-up-enforcement-efforts-corporate-officers-can-be-held-strictly-liable-for-violations-of-the-ffdca/</feedburner:origLink></item>
		<item>
		<title>Mark’s Memo: FDA Updates and News Briefs | 08/02/10</title>
		<link>http://feedproxy.google.com/~r/AssurxBlog/~3/_37PdaE8XCQ/</link>
		<comments>http://blog.assurx.com/2010/08/02/mark%e2%80%99s-memo-fda-updates-and-news-briefs-080210/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 19:23:28 +0000</pubDate>
		<dc:creator>Mark Mansour</dc:creator>
				<category><![CDATA[FDA Regulated]]></category>
		<category><![CDATA[Food]]></category>
		<category><![CDATA[Mark Mansour]]></category>
		<category><![CDATA[Medical Devices]]></category>
		<category><![CDATA[Pharma/Biotech]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2007</guid>
		<description><![CDATA[FDA Extends Comment Period for Proposed Neurological Device Regulations The FDA has announced that it is reopening until September 7, 2010, the comment period for the proposed rule and guidance published in the Federal Register of April 5, 2010 (75 FR 17093). The document proposed to amend certain neurological and physical medicine device regulations to [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_693" class="wp-caption alignleft" style="width: 160px"><strong><strong><a href="http://blog.assurx.com/files/2009/04/markmansour.jpg"><img class="size-full wp-image-693" src="http://blog.assurx.com/files/2009/04/markmansour.jpg" alt="" width="150" height="150" /></a></strong></strong><p class="wp-caption-text">Mark Mansour, Partner, Bryan Cave, LLP</p></div>
<p><strong>FDA Extends Comment Period for Proposed Neurological Device Regulations</strong><br />
The FDA has announced that it is reopening until September 7, 2010, the comment period for the proposed rule and guidance published in the Federal Register of April 5, 2010 (75 FR 17093). The document proposed to amend certain neurological and physical medicine device regulations to establish special controls for these class II devices and to exempt some of these devices from premarket notification requirements. More information is available <a href="http://edocket.access.gpo.gov/2010/2010-18405.htm" target="_blank">here</a> and <a href="http://edocket.access.gpo.gov/2010/2010-18406.htm" target="_blank">here</a>.</p>
<p><strong>Device Industry Calls for Closer Coordination Between FDA, CMS</strong><br />
Members of the device industry are calling for closer coordination between FDA and CMS related to the competitive bidding process. Stakeholders have said that the two agencies sometimes send mixed messages, due to their different approaches to devices, and particularly for sophisticated therapy products for home use, with CMS focused on pricing and the FDA focused on support services and safety issues, including labeling and training. Members of industry have indicated that they hope that new FDA guidelines on home-use devices will make certain that suppliers ensure that training and support are provided as part of their bids.</p>
<p><strong>FDA Weighs New Approach to Regulation of DTC Genetic Tests</strong><br />
In the wake of a recent GAO report finding that direct-to-consumer genetic tests are providing inaccurate results to the public, the FDA has indicated that it is considering an approach to regulating the tests that would increase oversight without creating heavy reporting burdens on individual companies. The agency’s potential approach, as currently envisioned, would not require the developers of certain diagnostics to submit data on their individual diagnostics, if a manufacturer had previously provided information on the overall indication of the diagnostic to the FDA.</p>
<p><strong>Pharmacies Calling for Removal of Reimportation Amendment from Food Safety Bill</strong><br />
Pharmacies are ramping up their efforts to encourage lawmakers to remove an amendment to the food safety legislation, offered by Senator Byron Dorgan, that would allow for the reimportation of drugs from Canada and Mexico into the United States. Pharmacies are stating that the safety of such drugs cannot be ensured and that the use of reimportation means that individuals would not be consulting with a pharmacist at the time that they obtain the drug. Some are speculating that the amendment, which Dorgan also attempted to introduce in the health reform legislation, could prevent the passage of the overall bill, and are thus encouraging its removal.</p>
<p>Mark Mansour is a partner in the firm, <a title="Bryan Cave, LLP" href="http://www.bryancave.com/" target="_blank">Bryan Cave, LLP</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/02/mark%e2%80%99s-memo-fda-updates-and-news-briefs-080210/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.assurx.com/2010/08/02/mark%e2%80%99s-memo-fda-updates-and-news-briefs-080210/</feedburner:origLink></item>
	</channel>
</rss>
