04/29/08 11:34 AM
Nothing is Compliant
I was at the Microsoft Health and Life Sciences Developer Conference last week in Atlantic City, where I got the chance to listen to a good presentation from Les Jordan of Microsoft about 21 CFR Part 11 compliance. The talk centered around how Microsoft is trying to make dealing with the V Model more manageable for validated applications as it pertains to applying security patches.
One interesting point that was made was that if there is a security patch available for a validated system, and that patch has not been applied to that system, then the system is not considered by the FDA to be compliant. However, full qualification tests must be run and documented while applying the patch, which takes time. The issue that this creates is that security patches are released frequently enough and validation testing takes long enough such that validated systems become a bit of a mess to manage.
So, what can be done about this? One important step that was discussed is this: since the part 11 requirements only cover patches that affect the validated part of the system, any security updates released for non-validated portions of the platform should be pushed immediately. For example, a printer driver update for a printer that will never be used by a web server machine can be applied without testing, since it does not affect the validated functionality of the system. However, this just makes the problem a little more manageable; it doesn’t eliminate it completely.
If a validated system is out of compliance in an unpatched state but also out of compliance when a patch is applied without formal testing, I’m of the opinion that a “patch first, test second” approach should be taken. True, this may break some application functionality, but I would much rather have a broken application than an insecure one handling my personal data. [This assumes that compliance is taken as a binary data point: compliant or non-compliant. If there are degrees of non-compliance, I may change my mind about this.]
Aside from that, the only other option I can think of is to throw more resources at patch validation so security updates can be rolled out quickly. But, as we all know, security is not a value-add, so the goal is typically to throw as little money at security services as possible so as not to lose customers or run afoul of the law.