From: Steve Raymond [sraymond@phtcorp.com]
Sent: Wednesday, June 09, 2004 3:40 PM
To: 'FDAdockets@oc.fda.gov'
Cc: Richard LaFleur; Gerry Meyer
Subject: Comment for FDA Docket Number 2004N0133

Comment for FDA Docket Number 2004N0133 concerning potential changes to Part 11.

Section 11.300 concerning controls for identification codes/passwords requires "Ensuring that identification code and password issuances are periodically checked, recalled, or revised..."

In our experience in clinical trials the most common method of addressing this requirement is to compel periodic changing of passwords. This practice conforms to the FDA Guidance "Computerized Systems Used in Clinical Trials" section V. A. 4. statement: "Passwords ... should be changed at established intervals." While changing a password seems to be a reasonable way to address the possibility over time that a password could become compromised, in practice we have observed that the task of remembering multiple changing passwords, as might be required of a study coordinator conducting several eClinical trials, is difficult. Users of electronic systems in our opinion regularly resort to writing down their passwords or to reliance on a simple and predictable scheme for adapting passwords at each forced change. Such schemes would not offer much of an impediment to guessing a present password were a past password to be learned by an interloper. Furthermore, we believe users at a site who trust each other frequently share passwords in order to share workloads. Obviously such practices run counter to the intent of Section 11.300 to ensure the security and integrity of electronic signatures based upon identification codes in combination with passwords.

We believe that FDA should consider a clarification of 11.300(b) specifically to mention the option of continuous use of a password (Forever Password) that is periodically "checked" for integrity, but not changed. Such "checks" could include presenting a comprehensive listing of actions on electronic records performed under the password and/or a "last login" listing to the password holder each time they use the system. In the way that a credit card company uses transaction summaries so that card holders can review charges prior to payment, such a process for checking integrity has precedence for inspiring confidence and "non-repudiation". The chief benefit is that when a user knows his or her particular password can last "forever" if it is NOT compromised, he or she will identify with it (like a signature) and will invest in thinking up a good password. We believe also that users will work to keep such a valued password from being disclosed even to trusted colleagues in order to avoid the work of changing it. While we believe in the security of a Forever Password, it may be that periodic recall is working in some instances as well. We believe FDA should clarify that either approach, properly executed, is acceptable.

Stephen A. Raymond, PhD
Chief Scientific Officer and Founder

Richard LaFleur
Director of Quality Compliance

Gerald F. Meyer
Regulatory Consultant (Former Acting Director CDER)

PHT Corporation
500 Rutherford Ave.
Charlestown, MA 02129
617 973 1610 (Voice)
617 549 1229 (Mobile)
617 973 1611 (FAX)
sraymond@phtcorp.com
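The "Forever Password" integrity check the letter proposes, sketched as an added example that is not part of the comment or of any PHT Corporation system: on each login the credential holder is shown the previous login and every record action taken under the credential since, attests to what they recognise, and a password change is forced only when something is disowned. The audit trail, user ids and record ids are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed audit trail (illustrative only; not real trial data).
@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str                 # "login" or "sign_record"
    record: Optional[str] = None

AUDIT_TRAIL = [
    AuditEvent(datetime(2004, 6, 1, 9, 0), "scoord", "login"),
    AuditEvent(datetime(2004, 6, 1, 9, 15), "scoord", "sign_record", "CRF-001"),
    AuditEvent(datetime(2004, 6, 2, 10, 0), "monitor", "sign_record", "CRF-002"),
    AuditEvent(datetime(2004, 6, 3, 22, 40), "scoord", "login"),
    AuditEvent(datetime(2004, 6, 3, 22, 45), "scoord", "sign_record", "CRF-007"),
]
NOW = datetime(2004, 6, 4, 8, 0)   # the login at which the summary is shown

def login_summary(trail, user, now):
    """Previous login for `user` and every non-login action under the credential since it."""
    mine = sorted((e for e in trail if e.user == user and e.ts < now), key=lambda e: e.ts)
    logins = [e for e in mine if e.action == "login"]
    last_login = logins[-1] if logins else None
    start = last_login.ts if last_login else datetime.min
    actions = [e for e in mine if e.action != "login" and e.ts >= start]
    return last_login, actions

def review_summary(last_login, actions, recognised_login, recognised_records):
    """Holder attests to the summary; returns the events they disown (compromise indicators)."""
    disowned = []
    if last_login is not None and not recognised_login:
        disowned.append(last_login)
    disowned += [e for e in actions if e.record not in recognised_records]
    return disowned

def password_change_required(disowned):
    """Rotation is triggered by a suspected compromise, not by the calendar."""
    return len(disowned) > 0

if __name__ == "__main__":
    last, acts = login_summary(AUDIT_TRAIL, "scoord", NOW)
    print("Last login:", last.ts, "| actions since:", [a.record for a in acts])
    flagged = review_summary(last, acts, recognised_login=False, recognised_records={"CRF-007"})
    print("Disowned events:", len(flagged), "| change password:", password_change_required(flagged))
```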