R Software Risk Analysis


R Software Risk Analysis

Wait, Kristin
Hi all,

I am with a NYS major trauma center and all programs that our employees/providers use must be vetted through the IT Department by way of a Risk Analysis.
Is there someone I would talk to about this?

I scoured your website and could not find a specific person.

Thank you so much
Kristin Wait
Albany, NY
----------------------------------------- CONFIDENTIALITY NOTICE: This email and any attachments may contain confidential information that is protected by law and is for the sole use of the individuals or entities to which it is addressed. If you are not the intended recipient, please notify the sender by replying to this email and destroying all copies of the communication and attachments. Further use, disclosure, copying, distribution of, or reliance upon the contents of this email and attachments is strictly prohibited. To contact Albany Medical Center, or for a copy of our privacy practices, please visit us on the Internet at www.amc.edu.

______________________________________________
[hidden email] mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.

Re: R Software Risk Analysis

John Harrold
Hello Kristin,

Are you talking about risk analysis from the perspective of software
vulnerabilities?

John

On Thu, Jun 18, 2020 at 3:21 PM Wait, Kristin <[hidden email]> wrote:

--
John
:wq

Re: R Software Risk Analysis

Jeff Newmiller
In reply to this post by Wait, Kristin
R is open source software that is offered as-is, and many users of R utilize additional "contributed" packages which are developed and vetted independently of the R Core members. In addition, it is common for users of R to add minor functionality in the course of obtaining useful results, which are clearly out of scope for R Core or any CRAN package maintainers. You may be able to find consultants who will address your concerns for a fee, but AFAIK that is not a service offered by the authors and maintainers of R and CRAN.

https://cran.r-project.org/web/packages/policies.html

On June 18, 2020 9:58:50 AM PDT, "Wait, Kristin" <[hidden email]> wrote:

--
Sent from my phone. Please excuse my brevity.


Re: R Software Risk Analysis

David Winsemius
In reply to this post by John Harrold

On 6/18/20 3:41 PM, John Harrold wrote:
> Hello Kristin,
>
> Are you talking about risk analysis from the perspective of software
> vulnerabilities?


It appears that is exactly what is being asked. What is not clear is
whether the installation would be offered to persons or groups on the
network with no other security wrappers. R has never claimed to be
"web-safe". It offers access to system level commands and file system
manipulation that would probably compromise security arrangements.  In
fact, over the course of the last 12 years when I've been reading this
mailing list, there has never been a credible suggestion to offer R
applications to untrusted users. Quite the opposite. Naked R is surely
not going to pass any sort of threat or risk scrutiny.


My suggestion would be to investigate various wrappers for R such as
RStudio or the Microsoft re-worked version of what used to be Revolution
R. They have lawyers and offer "enterprise solutions" and would
presumably be able to speak to some sort of security analysis.  Whether
either of those approaches would provide the level of security needed by
a healthcare organization would be an interesting question. Perhaps you
can report back after completing your investigation?


--

David.


Re: R Software Risk Analysis

John Harrold
I work in Pharma and we use R in all the companies I've worked for. They
are really paranoid and it's used in regulated environments as well with
patient data. So there should be something they can do.

Kristin: I can put you in touch with vendors who do our regulated work in R
if you're interested.

On Thu, Jun 18, 2020 at 4:45 PM David Winsemius <[hidden email]>
wrote:

--
John
:wq


Re: [External] Re: R Software Risk Analysis

Richard M. Heiberger
In reply to this post by David Winsemius
You should start by reading
R: Regulatory Compliance and Validation Issues: A guidance document
for the use of R in regulated clinical trial environments.
https://www.r-project.org/doc/R-FDA.pdf

The official link to that file is at the R home page https://www.r-project.org/
In the left column, click on Certification.

That takes you to the page that offers the Compliance paper and a
paper on the R Development cycle.

Rich

On Thu, Jun 18, 2020 at 7:46 PM David Winsemius <[hidden email]> wrote:


Re: [External] Re: R Software Risk Analysis

Bert Gunter-2
As others have noted, R's vulnerabilities depend on the environments in
which it is used. Perhaps the other issue is whether any downloaded R
software could be problematic, perhaps due to malware. R's core
functionality is, I'm sure, fine. For the 20,000 or so packages on CRAN and
elsewhere -- ?? One would have to probably check the security on CRAN's (or
others') servers for that. My ignorant expectation is that most such
university associated servers are quite secure.


Bert Gunter

"The trouble with having an open mind is that people keep coming along and
sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )


On Thu, Jun 18, 2020 at 5:27 PM Richard M. Heiberger <[hidden email]> wrote:


Re: R Software Risk Analysis

Richard O'Keefe-2
In reply to this post by Wait, Kristin
Just as a matter of curiosity, what are some of the programs
that have already been vetted, what methods were used, and
how long did the vetting take?

As the R guidance points out, R was not designed for
creating or updating medical records, so it should be
treated the same way as say LibreOffice Calc or Matlab.

On Fri, 19 Jun 2020 at 10:21, Wait, Kristin <[hidden email]> wrote:


Re: R Software Risk Analysis

Bert Gunter-2
Ummm...Except that Matlab is proprietary and for profit, not open source.
Did you perhaps mean Octave?

Bert Gunter

"The trouble with having an open mind is that people keep coming along and
sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )


On Thu, Jun 18, 2020 at 6:31 PM Richard O'Keefe <[hidden email]> wrote:


Re: R Software Risk Analysis

Richard O'Keefe-2
No, it was precisely my *point* that Matlab is proprietary.
The medical researchers I knew a few years ago refused to use
R on the grounds that the international agencies they dealt
with all used SAS, which is proprietary.  So I am wondering
if "ALL programs that our employees/PROVIDERS use" includes
things like Windows, Excel, SAS, Matlab, Oracle, DB2, ...
and if so how the IT department could credibly vet them.

On Fri, 19 Jun 2020 at 14:17, Bert Gunter <[hidden email]> wrote:


Re: [External Email] R Software Risk Analysis

Christopher W. Ryan
In reply to this post by Wait, Kristin
I use R every day with pretty sensitive data in my county health
department. Of course, this is for manipulation and analysis of data
pulled from their sources, not for interacting directly with, or
updating, patient records in any clinically operational sense. As others
have said, the structure and security of the overall computing
environment is what matters most.

--Chris Ryan

Wait, Kristin wrote:


Re: R Software Risk Analysis

Helmut Schütz
In reply to this post by Richard O'Keefe-2
Dear all,

any (!) software used in regulated environments has to be validated.
Regrettably it is a misconception by many working in the pharmaceutical
industry that only studies evaluated by SAS are accepted by the FDA.
See this one-pager https://www.fda.gov/media/109552/download and a
presentation by the FDA's Paul Schuette at the useR! 2016
(https://channel9.msdn.com/Events/useR-international-R-User-conference/useR2016/Using-R-in-a-regulatory-environment-FDA-experiences).
Note that the FDA itself uses R in modeling & simulation.

Contrary to proprietary (off-the-shelf, commercial, you name it)
software – where only a black box validation (aka, rubbish in, rubbish
out) is possible – open source SW allows – in principle – a white box
validation.

Relying on proprietary SW is not necessarily a good idea ("We paid a
lot, hence, it will work."). Stephen Senn once told me (granted, a good
while ago) that after an update of SAS, the Welch test for unequal group
sizes / variances collapsed into the simple t-test. He called up SAS and
got the coder on the line. He inspected the source and after a couple of
minutes replied "Hey, you are right. We screwed up." It took SAS half a
year to roll out a corrective patch. What about clinical studies
evaluated in the meantime?

We published a couple of papers in a specific field comparing software
(doi:10.1208/s12248-014-9661-0, doi:10.1208/s12248-014-9704-6,
doi:10.1208/s12248-020-0427-6). It turned out that one of the commercial
[sic] SWs tested was seriously flawed. Consequences: Dozens of approved
drugs taken off the market. The glitch in the software was _partly_
corrected in 2014 and the vendor stopped marketing it in 2019.

Just my two cents
Helmut

--
Ing. Helmut Schütz
BEBAC – Consultancy Services for
Bioequivalence and Bioavailability Studies
Neubaugasse 36/11
1070 Vienna, Austria
T +43 1 2311746
M +43 699 10792458
E [hidden email]
W https://bebac.at/
C https://bebac.at/Contact.htm
F https://forum.bebac.at/


Re: R Software Risk Analysis

John Harrold
I think the question of validation is very different from the risk analysis
referenced in the subject line.

On the subject of the FDA accepting open source software. Personally I've
done two sBLA submissions where simulation results were essential aspects
of the filings. Both were approved and during the filings we included both
the results from R as well as the R code (as requested by the FDA).


--
John
:wq


Re: R Software Risk Analysis

R help mailing list-2
In reply to this post by Helmut Schütz
Hi All,

We need to get clarification from Kristin as to what kinds of issues are raised in the context of a risk analysis from her IT people.

Since Kristin's wording indicated:

  "...all programs that our employees/providers use must be vetted through the IT Department by way of a Risk Analysis."

that tells me that the risk analysis is *not* in reference to a software validation in the FDA sense of regulated clinical trials, not to mention that such validation is entirely on the end user, and not on the software publisher, in either case.

Referencing various FDA related materials, such as the current R FDA guidance document and the 2015 FDA statistical software clarifying statement, is not likely to be helpful here, and I say that as one of the co-authors of the R FDA document, along with Frank Harrell, Tony Rossini and Ian Francis.

The general use by all employees context that Kristin references also suggests that one of the commercial vendors of R may or may not be helpful here either, unless they specifically provide consulting services and/or documentation to support their implementation of R and how it would conform to Kristin's IT department requirements, and not for use in an FDA-like trials setting.

For a general IT risk analysis, there is likely to be some kind of check-list or form that is required, and it will likely have questions such as:

1. Can R access operating system level commands - Yes

2. Can R access a local or remote file system, to create/read/delete files and folders - Yes

3. Can R access the internet to read remote locations and download files from servers - Yes

4. Can R alter operating system environment variables - Yes

5. Does the R installer require Administrative level privileges - Yes, with some qualifications, depending upon the platform

6. Does R provide end user documentation - Yes

and so forth.

There may be requirements set by Kristin's IT department where such characteristics will eliminate R from consideration, albeit, many commercial and open source applications would also have similar functionality.

It may simply be a matter of her IT people understanding whether R provides or does not provide certain functionality, so that they know how it will perform in their environment, and what, if any, additional security measures may be required or need to be adjusted to enable required functionality.

Thus, in the absence of more detail from Kristin as to what is specifically required, it is hard to know how to respond, within the context here, of a community based support list, and within the R community at large, where we all volunteer our time.

Regards,

Marc Schwartz
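An added example (not code from Marc Schwartz or any other poster): a self-contained Rscript that turns the checklist above into probes run on the actual R build under review, printing YES or NO per item, so the IT reviewer gets answers from the installation they will deploy rather than from a description. Item 5 is tested from inside R as "can the current user install packages without admin rights" (whether a user-writable library path exists), since the installer itself is not observable from a running R session; the CRAN mirror URL and the environment variable name are assumptions chosen for the example.

```r
#!/usr/bin/env Rscript
## Capability probe for an IT risk review of an R installation.
## Added example for this thread, not code from any of the posters.
## Side effects are limited to temporary files R creates and removes
## itself and one environment variable in this process. The URL and the
## variable name are assumptions chosen for the example.
## Run with:  Rscript r_capability_probe.R

probe <- function(label, expr) {
  ## Evaluate the probe body; any error or warning counts as "not available".
  ok <- tryCatch({ force(expr); TRUE },
                 error   = function(e) FALSE,
                 warning = function(w) FALSE)
  cat(sprintf("%-60s %s\n", label, if (isTRUE(ok)) "YES" else "NO"))
  invisible(ok)
}

## 1. Operating-system commands: R can spawn an external program / shell.
probe("1. OS command execution (system2)", {
  out <- system2("hostname", stdout = TRUE, stderr = TRUE)
  stopifnot(length(out) > 0)
})

## 2. File system: create, read and delete files and folders.
probe("2. File/folder create, read, delete (tempfile, unlink)", {
  d <- tempfile("riskprobe_")
  dir.create(d)
  f <- file.path(d, "probe.txt")
  writeLines("probe", f)
  stopifnot(identical(readLines(f), "probe"))
  unlink(d, recursive = TRUE)
  stopifnot(!dir.exists(d))
})

## 3. Network: download.file() fetches from a remote server. The mirror
##    URL is an assumption; a blocked egress path shows up here as NO.
probe("3. Internet access (download.file)", {
  dest <- tempfile()
  rc <- download.file("https://cloud.r-project.org/", destfile = dest, quiet = TRUE)
  stopifnot(rc == 0, file.exists(dest))
  unlink(dest)
})

## 4. Environment variables: R can change its own process environment,
##    which is inherited by any child process it launches (see item 1).
probe("4. Alter environment variables (Sys.setenv)", {
  Sys.setenv(RISK_PROBE_VAR = "set-by-R")     # variable name is an assumption
  stopifnot(identical(Sys.getenv("RISK_PROBE_VAR"), "set-by-R"))
  Sys.unsetenv("RISK_PROBE_VAR")
})

## 5. Privileges: a library path writable by the current user means packages
##    (which can carry native code and build scripts) can be added without
##    an administrator. file.access() returns 0 when the mode is permitted.
writable_libs <- .libPaths()[file.access(.libPaths(), mode = 2) == 0]
probe("5. Packages installable without admin rights (writable library)", {
  stopifnot(length(writable_libs) > 0)
})
cat("   writable library paths:",
    if (length(writable_libs)) paste(writable_libs, collapse = "; ") else "(none)", "\n")

## 6. Documentation: the manuals ship under R.home("doc").
probe("6. End-user documentation installed (R.home('doc'))", {
  stopifnot(dir.exists(R.home("doc")), length(list.files(R.home("doc"))) > 0)
})

## Startup-code inventory. Unless started with --vanilla / --no-init-file,
## R sources Rprofile.site and then the first .Rprofile it finds (the
## R_PROFILE_USER path if set, else ./.Rprofile, else ~/.Rprofile) before
## any user script runs. A reviewer should know which files this build honours.
cat("\nStartup files this build would run:\n")
candidates <- c(file.path(R.home("etc"), "Rprofile.site"),
                Sys.getenv("R_PROFILE_USER", unset = file.path(getwd(), ".Rprofile")),
                file.path("~", ".Rprofile"))
for (p in unique(candidates)) {
  cat(sprintf("  %-50s %s\n", p,
              if (file.exists(path.expand(p))) "present" else "absent"))
}
cat("Started with --vanilla:", "--vanilla" %in% commandArgs(), "\n")
```

The six answers describe what any code R executes can do, not only what a user types at the console: a package's build and load hooks and the startup files listed at the end run with the same capabilities, which is why the compensating controls an IT department usually asks for (egress proxy rules, file-system permissions, a locked-down package library) matter more than the YES/NO answers themselves.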
