At my company, we’ve had the questionable privilege to attend multiple audits of medical software manufacturers by the Berlin authorities. I’d like to share a few anecdotes. I’ll stick to the facts, and you can form your own opinion:
- We’d correspond with them mostly via email. Any time we sent them an email, they went ahead and printed it out, then filed it into a physical folder labelled with our company name.
- They mentioned that software solutions for “digital archives” exist, but they’re only now being rolled out in “pilot projects” in some German states. Note that each German state is working on their own solution. Berlin, like some others, is still paper-based.
- Any time they sent us an email, the email body was usually empty and contained a text along the lines of “please see the attached letter”. A PDF was attached with the actual letter they wanted to send us. Weirdly enough, I couldn’t select any text within the letter, like when you scan something and don’t run OCR software over it. Here’s what had happened: Any time they sent us an email, they typed out the letter first, printed it (so that they could archive it in the physical folder), scanned it again (!), and attached it to an email. That was their workflow.
- Their employees can work remotely, but they have to log into a VPN first to access internal work resources. The VPN only has limited connection slots. It happens quite often that those slots are full, and the last few people “signing on” in the morning can no longer connect to the VPN and therefore can’t work. (I don’t know what those people do instead.)
- They can only do video conferences with one specific software which they purchased from a “certified” provider, and that “certified” software doesn’t have the feature of sharing your screen. Therefore, audits of manufacturers generally have to take place in person, where the main activity consists of scrolling through PDFs together, something which could have been done remotely if the video conferencing software supported screen sharing.
- All of the auditors I met had never written a line of software code in their life.
- Two of the auditors openly asked me “what are ‘software libraries’?”.
Those are the facts. Now it’s up to you to decide:
- Is this a good setup for regulating medical software?
- Will this setup catch actual, important, technical software problems?
- Is it really “great” that the EU is regulating software so much (GDPR etc.)?
- Can we expect future EU software regulation (AI Act) to be done in a better way?
(Hint: Each German state will need their own AI Act authority, AI talent is very scarce, and any AI talent is unlikely to work in random small AI Act state authority offices)
I have my opinion – now you form yours.