Thursday, September 3, 2009

Why the Fed.Gov simply cannot develop drugs efficiently

There is a fascinating thread over at Megan McArdle's place, where she's more or less debating John Holbo on whether the Fed.Gov could - in theory at least - develop new pharmaceuticals as efficiently as the private sector. It's well worth your time, and as always with McArdle, she'll make you think of 17 things you never thought you should think of.

But the discussion is theoretical. The answer, for those who want to cheat and get the answer first, is this:

In theory, the Fed.Gov could indeed develop new drugs more efficiently than Big Pharma. But remember: in theory, there's no difference between theory and practice. In practice, this is not true.

Let me tell you why, because while I don't know from personal experience, I do know from personal experience, once removed.

As both my readers know, I've been working in Internet Security for a long time. The organizations that have always invested the most in security have been in one of three groups:
  1. The Fed.Gov. As we used to say back at Three Letter Intelligence Agency, "Security is our Middle Name." There really, really are spies out there, and they really, really want to get secret Defense Department stuff. Srlsy.
  2. Banks. Why do cyber crooks rob online banks? That's where the money is.
  3. Organizations who understand the value of Intellectual Property. The value of the geologic exploration data that shows where the next big oil field is - that's worth billions. The formula of the next blockbuster drug - again, billions.
These people are not afraid to spend money on security technology, and people to deploy and run it, and back things up with an executive management stick when they need to.

So let's just say that I know a bunch of people in the Pharmaceutical industry.

They have a problem. They don't patch their computers for months and months after the patch is available. This is bad security juju, because once the patch is released, the Bad Guys can reverse-engineer it to come up with an exploit. The exploit code will take over unpatched computers.

Well sheesh, I hear you say - why don't they get their keisters in gear and get those patches out? Time's a-wastin' and all.

Simple: The FDA won't let them. All of the computers have to be configured per FDA standards. Changes all need FDA approval, to make sure that something doesn't throw off the clinical trial.

Security changes need to be FDA approved. Approval takes months. And so, the situation is that the FDA knows that all the computers used in all clinical trials are vulnerable for months. Actually, since there are new vulnerabilities discovered pretty much all the time, the situation is worse:

The FDA knows that every computer used in every clinical trial is likely vulnerable to exploit, 24/7/365. Their regulations are what makes sure that Disaster is not left to chance.

To the Progressives out there - this is what's going to produce new miracle drugs better than the private sector?

We'll leave the last word to McArdle, which is typically a good idea:
Maybe you think this can change. Great! Build the institutions to do it--I'm totally serious about supporting Dean Baker's plan to try to make a government agency to develop drugs. If they can develop more drugs more cost effectively than private pharma, that's a worthy use of tax dollars. Here's the thing: you have to do it before you dismantle the old system. Not after.

4 comments:

Paladin said...

That last paragraph highlights one of the prime differences between Conservative, and NOT Conservative.

Prudence.

Excellent post. Enjoyed it and the links much.

Ian Argent said...

I've found the best way to make anyone peripherally involved in pharma twitch is to whisper "22 CFR 11" into their ears.

Borepatch said...

Ian, that's just evil.

"Uh, there's a guy here who says he's our HIPAA auditor, and he wants to see our vulnerability scan data."

Heh.

Ian Argent said...

I should correct myself - it's 21 CFR 11, no?

I had to take a short class in it since I was, at the time, working for a contractor to a pharma. We had a link into one of their IT ticketing systems, and great pains were taken to make us "aware" that it did not have to be compliant.

OTOH, my wife did a stint with that company doing a roll-out of new computers for a different pharma, and because of her previous work in the pharma field as a controls engineer (she was between jobs in her field at the time) knew to ask the guys whether certain machines were validated or not (and therefore immune to being "upgraded") and otherwise kept the contractor co from screwing up the customer's 21 CFR 11 compliance. (Name no names, but the primary site was in Kenilworth NJ... Just after they had had some "full and frank" discussions with the FDA for violations)